Fix Docker TLS config

2025-04-10 22:00:13 +00:00 · 2019-12-14 02:18:42 +01:00 · 2019-12-14 02:18:42 +01:00 · 0e393ee980
commit 0e393ee980
parent 39459f42fc
4 changed files with 29 additions and 12 deletions
--- a/internal/config/config.go
+++ b/internal/config/config.go
@ -148,6 +148,7 @@ func (cfg *Config) validateDockerProvider(key int, dock model.PrdDocker) error {
 	}

 	if err := mergo.Merge(&dock, model.PrdDocker{
+		TLSVerify:      true,
 		SwarmMode:      false,
 		WatchByDefault: false,
 		WatchStopped:   false,
--- a/internal/model/providers.go
+++ b/internal/model/providers.go
@ -14,10 +14,8 @@ type PrdDocker struct {
 	ID             string `yaml:"id,omitempty" json:",omitempty"`
 	Endpoint       string `yaml:"endpoint,omitempty" json:",omitempty"`
 	ApiVersion     string `yaml:"api_version,omitempty" json:",omitempty"`
-	CAFile         string `yaml:"ca_file,omitempty" json:",omitempty"`
-	CertFile       string `yaml:"cert_file,omitempty" json:",omitempty"`
-	KeyFile        string `yaml:"key_file,omitempty" json:",omitempty"`
-	TLSVerify      string `yaml:"tls_verify,omitempty" json:",omitempty"`
+	TLSCertsPath   string `yaml:"tls_certs_path,omitempty" json:",omitempty"`
+	TLSVerify      bool   `yaml:"tls_verify,omitempty" json:",omitempty"`
 	SwarmMode      bool   `yaml:"swarm_mode,omitempty" json:",omitempty"`
 	WatchByDefault bool   `yaml:"watch_by_default,omitempty" json:",omitempty"`
 	WatchStopped   bool   `yaml:"watch_stopped,omitempty" json:",omitempty"`
--- a/internal/provider/docker/container.go
+++ b/internal/provider/docker/container.go
@ -19,7 +19,7 @@ func (c *Client) listContainerImage(elt model.PrdDocker) []model.Image {
 		Str("id", elt.ID).
 		Logger()

-	cli, err := docker.NewClient(elt.Endpoint, elt.ApiVersion, elt.CAFile, elt.CertFile, elt.KeyFile)
+	cli, err := docker.NewClient(elt.Endpoint, elt.ApiVersion, elt.TLSCertsPath, elt.TLSVerify)
 	if err != nil {
 		sublog.Error().Err(err).Msg("Cannot create Docker client")
 		return []model.Image{}
--- a/pkg/docker/client.go
+++ b/pkg/docker/client.go
@ -2,18 +2,22 @@ package docker

 import (
 	"context"
+	"net/http"
+	"path/filepath"

 	"github.com/docker/docker/client"
+	"github.com/docker/go-connections/tlsconfig"
+	"github.com/pkg/errors"
 )

 // Client represents an active docker object
 type Client struct {
-	context context.Context
-	Api     *client.Client
+	ctx context.Context
+	Api *client.Client
 }

 // NewClient initializes a new Docker API client with default values
-func NewClient(endpoint string, apiVersion string, caFile string, certFile string, keyFile string) (*Client, error) {
+func NewClient(endpoint, apiVersion, tlsCertsPath string, tlsVerify bool) (*Client, error) {
 	var opts []client.Opt
 	if endpoint != "" {
 		opts = append(opts, client.WithHost(endpoint))
@ -21,8 +25,22 @@ func NewClient(endpoint string, apiVersion string, caFile string, certFile strin
 	if apiVersion != "" {
 		opts = append(opts, client.WithVersion(apiVersion))
 	}
-	if caFile != "" && certFile != "" && keyFile != "" {
-		opts = append(opts, client.WithTLSClientConfig(caFile, certFile, keyFile))
+	if tlsCertsPath != "" {
+		options := tlsconfig.Options{
+			CAFile:             filepath.Join(tlsCertsPath, "ca.pem"),
+			CertFile:           filepath.Join(tlsCertsPath, "cert.pem"),
+			KeyFile:            filepath.Join(tlsCertsPath, "key.pem"),
+			InsecureSkipVerify: !tlsVerify,
+		}
+		tlsc, err := tlsconfig.Client(options)
+		if err != nil {
+			return nil, errors.Wrap(err, "failed to create tls config")
+		}
+		httpCli := &http.Client{
+			Transport:     &http.Transport{TLSClientConfig: tlsc},
+			CheckRedirect: client.CheckRedirect,
+		}
+		opts = append(opts, client.WithHTTPClient(httpCli))
 	}

 	cli, err := client.NewClientWithOpts(opts...)
@ -37,7 +55,7 @@ func NewClient(endpoint string, apiVersion string, caFile string, certFile strin
 	}

 	return &Client{
-		context: ctx,
-		Api:     cli,
+		ctx: ctx,
+		Api: cli,
 	}, err
 }