Alternative implementation of tls for docker

Alternative to #854
pull/18777/head
Toshio Kuratomi 10 years ago committed by Matt Clay
parent c9b33d5de2
commit 3284359894

@ -106,18 +106,41 @@ options:
- URL of the host running the docker daemon. This will default to the env
var DOCKER_HOST if unspecified.
default: ${DOCKER_HOST} or unix://var/run/docker.sock
docker_tls_cert:
use_tls:
description:
- Path to a PEM-encoded client certificate to secure the Docker connection.
- Whether to use tls to connect to the docker server. "no" means not to
use tls (and ignore any other tls related parameters). "encrypt" means
to use tls to encrypt the connection to the server. "verify" means to
also verify that the server's certificate is valid for the server
(this both verifies the certificate against the CA and that the
certificate was issued for that host. If this is unspecified, tls will
only be used if one of the other tls options require it.
choices: [ "no", "encrypt", "verify" ]
version_added: "1.9"
tls_client_cert:
description:
- Path to the PEM-encoded certificate used to authenticate docker client.
If specified tls_client_key must be valid
default: ${DOCKER_CERT_PATH}/cert.pem
docker_tls_key:
version_added: "1.9"
tls_client_key:
description:
- Path to a PEM-encoded client key to secure the Docker connection.
- Path to the PEM-encoded key used to authenticate docker client. If
specified tls_client_cert must be valid
default: ${DOCKER_CERT_PATH}/key.pem
docker_tls_cacert:
version_added: "1.9"
tls_ca_cert:
description:
- Path to a PEM-encoded certificate authority to secure the Docker connection.
This has no effect if use_tls is encrypt.
default: ${DOCKER_CERT_PATH}/ca.pem
version_added: "1.9"
tls_hostname:
description:
- A hostname to check matches what's supplied in the docker server's
certificate. If unspecified, the hostname is taken from the docker_url.
default: Taken from docker_url
version_added: "1.9"
docker_api_version:
description:
- Remote API version to use. This defaults to the current default as
@ -531,34 +554,66 @@ class DockerManager(object):
else:
docker_url = 'unix://var/run/docker.sock'
docker_tls_cert = module.params.get('docker_tls_cert')
if not docker_tls_cert and env_cert_path:
docker_tls_cert = os.path.join(env_cert_path, 'cert.pem')
docker_tls_key = module.params.get('docker_tls_key')
if not docker_tls_key and env_cert_path:
docker_tls_key = os.path.join(env_cert_path, 'key.pem')
docker_tls_cacert = module.params.get('docker_tls_cacert')
if not docker_tls_cacert and env_cert_path:
docker_tls_cacert = os.path.join(env_cert_path, 'ca.pem')
docker_api_version = module.params.get('docker_api_version')
if not docker_api_version:
docker_api_version=docker.client.DEFAULT_DOCKER_API_VERSION
tls_config = None
if docker_tls_cert or docker_tls_key or docker_tls_cacert:
# See https://github.com/docker/docker-py/blob/d39da11/docker/utils/utils.py#L279-L296
docker_url = docker_url.replace('tcp://', 'https://')
verify = docker_tls_cacert is not None
tls_client_cert = module.params.get('tls_client_cert', None)
if not tls_client_cert and env_cert_path:
tls_client_cert = os.path.join(env_cert_path, 'cert.pem')
tls_client_key = module.params.get('tls_client_key', None)
if not tls_client_key and env_cert_path:
tls_client_key = os.path.join(env_cert_path, 'key.pem')
tls_ca_cert = module.params.get('tls_ca_cert')
if not tls_ca_cert and env_cert_path:
tls_ca_cert = os.path.join(env_cert_path, 'ca.pem')
if tls_ca_cert:
tls_hostname = module.params.get('tls_hostname')
if tls_hostname is None:
parsed_url = urlparse(docker_url)
if ':' in parsed_url.netloc:
tls_hostname = parsed_url.netloc[:parsed_url.netloc.rindex(':')]
else:
tls_hostname = parsed_url
if not tls_hostname:
tls_hostname = True
# use_tls can be one of four values:
# no: Do not use tls
# encrypt: Use tls. We may do client auth. We will not verify the server
# verify: Use tls. We may do client auth. We will verify the server
# None: Only use tls if client auth is specified. We may do client
# auth. We will not verify the server.
use_tls = module.params.get('use_tls')
if use_tls == 'no':
tls_config = None
else:
# If this stays True, we'll do encryption. If something overrides
# it, then we'll have a TLSConfig obj instead
tls_config = True
params = {}
# Setup client auth
if tls_client_cert and tls_client_key:
params['client_cert'] = (tls_client_cert, tls_client_key)
# We're allowed to verify the connection to the server
if use_tls == 'verify':
if tls_ca_cert:
params['ca_cert'] = tls_ca_cert
params['verify'] = True
params['assert_hostname'] = tls_hostname
else:
params['verify'] = True
params['assert_hostname'] = tls_hostname
tls_config = docker.tls.TLSConfig(
client_cert=(docker_tls_cert, docker_tls_key),
ca_cert=docker_tls_cacert,
verify=verify,
assert_hostname=False
)
if params or use_tls == 'encrypt':
# See https://github.com/docker/docker-py/blob/d39da11/docker/utils/utils.py#L279-L296
docker_url = docker_url.replace('tcp://', 'https://')
tls_config = docker.tls.TLSConfig(**params)
self.client = docker.Client(base_url=docker_url,
version=docker_api_version,
@ -1357,9 +1412,11 @@ def main():
memory_limit = dict(default=0),
memory_swap = dict(default=0),
docker_url = dict(),
docker_tls_cert = dict(),
docker_tls_key = dict(),
docker_tls_cacert = dict(),
use_tls = dict(default=None, choices=['no', 'encrypt', 'verify']),
tls_client_cert = dict(required=False, default=None, type='str'),
tls_client_key = dict(required=False, default=None, type='str'),
tls_ca_cert = dict(required=False, default=None, type='str'),
tls_hostname = dict(required=False, type='str', default=None),
docker_api_version = dict(),
username = dict(default=None),
password = dict(),
@ -1382,7 +1439,10 @@ def main():
net = dict(default=None),
pid = dict(default=None),
insecure_registry = dict(default=False, type='bool'),
)
),
required_together = (
['tls_client_cert', 'tls_client_key'],
),
)
check_dependencies(module)

Loading…
Cancel
Save