From 7c261b39545a445b80b3f40b837a3e1da5389d58 Mon Sep 17 00:00:00 2001
From: Toshio Kuratomi
Date: Thu, 12 Mar 2015 11:07:22 -0700
Subject: [PATCH] Implement comments from @smashwilson:
* if tls_ca_cert is set then use tls to verify the server
* take tls_hostname from the environment variable DOCKER_TLS_HOSTNAME if it's not specified in the playbook
https://github.com/ansible/ansible-modules-core/pull/926#issuecomment-78542210
---
 lib/ansible/modules/cloud/docker/docker.py | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)
diff --git a/lib/ansible/modules/cloud/docker/docker.py b/lib/ansible/modules/cloud/docker/docker.py
index 32be89cafff..8525483f397 100644
--- a/lib/ansible/modules/cloud/docker/docker.py
+++ b/lib/ansible/modules/cloud/docker/docker.py
@@ -546,6 +546,7 @@ class DockerManager(object):
 env_host = os.getenv('DOCKER_HOST')
 env_cert_path = os.getenv('DOCKER_CERT_PATH')
+ env_docker_hostname = os.getenv('DOCKER_TLS_HOSTNAME')
 docker_url = module.params.get('docker_url')
 if not docker_url:
@@ -573,11 +574,14 @@ class DockerManager(object):
 if tls_ca_cert:
 tls_hostname = module.params.get('tls_hostname')
 if tls_hostname is None:
- parsed_url = urlparse(docker_url)
- if ':' in parsed_url.netloc:
- tls_hostname = parsed_url.netloc[:parsed_url.netloc.rindex(':')]
+ if env_docker_hostname:
+ tls_hostname = env_docker_hostname
 else:
- tls_hostname = parsed_url
+ parsed_url = urlparse(docker_url)
+ if ':' in parsed_url.netloc:
+ tls_hostname = parsed_url.netloc[:parsed_url.netloc.rindex(':')]
+ else:
+ tls_hostname = parsed_url
 if not tls_hostname:
 tls_hostname = True
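Review bot: The new fallback read at `env_docker_hostname = os.getenv('DOCKER_TLS_HOSTNAME')` is invisible to playbook authors: the diffstat shows the patch touches only these 19 lines, so the module's DOCUMENTATION entry for `tls_hostname` still says nothing about the variable. Suggest extending that option's description with `If unset, the DOCKER_TLS_HOSTNAME environment variable is used, and failing that the host part of docker_url.` Worth stating there as well that the name is specific to this module — the docker CLI and, as far as I know, docker-py's kwargs_from_env recognise DOCKER_HOST, DOCKER_CERT_PATH and DOCKER_TLS_VERIFY but not DOCKER_TLS_HOSTNAME — so users should not expect other tooling to honour it. The enclosing method starts before this hunk.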
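Review bot: In the rewritten URL fallback the last branch, `tls_hostname = parsed_url`, assigns the whole ParseResult rather than a host string, so a `docker_url` whose netloc carries no `:` (no explicit port) hands a tuple to the hostname check instead of a name; the line is carried over from the removed code, but it now sits on the new side of this hunk. The `rindex(':')` slice on the other branch also keeps the brackets of an IPv6 literal, which will never match a certificate name. Both problems disappear by taking the parsed hostname directly: `parsed_url = urlparse(docker_url)` followed by `tls_hostname = parsed_url.hostname`, which strips the port and any brackets and yields None for a URL without a host, so the following `if not tls_hostname: tls_hostname = True` still applies. The enclosing method continues past this hunk on both sides.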
@@ -585,8 +589,9 @@ class DockerManager(object):
 # no: Do not use tls
 # encrypt: Use tls. We may do client auth. We will not verify the server
 # verify: Use tls. We may do client auth. We will verify the server
- # None: Only use tls if client auth is specified. We may do client
- # auth. We will not verify the server.
+ # None: Only use tls if the parameters for client auth were specified
+ # or tls_ca_cert (which requests verifying the server with
+ # a specific ca certificate)
 use_tls = module.params.get('use_tls')
 if use_tls == 'no':
 tls_config = None
@@ -601,7 +606,7 @@ class DockerManager(object):
 params['client_cert'] = (tls_client_cert, tls_client_key)
 # We're allowed to verify the connection to the server
- if use_tls == 'verify':
+ if use_tls == 'verify' or (use_tls is None and tls_ca_cert):
 if tls_ca_cert:
 params['ca_cert'] = tls_ca_cert
 params['verify'] = True
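Review bot: With `use_tls: verify` but no `tls_ca_cert`, the branch at `if use_tls == 'verify' or (use_tls is None and tls_ca_cert):` sets neither `params['ca_cert']` nor `params['verify']`, because both assignments sit under `if tls_ca_cert:`; unless the code below this hunk (the method continues past it) covers that case, a connection the user explicitly asked to verify is configured without server verification. Suggest hoisting `params['verify'] = True` out of the inner `if` so that verify mode always verifies — against the system CA bundle when no `ca_cert` is supplied — and leaving only `params['ca_cert'] = tls_ca_cert` conditional. Separately, the new `use_tls is None and tls_ca_cert` path leaves `use_tls` as None, so any later comparison against `'verify'` (not visible here) would not recognise it as verify mode; normalising with `use_tls = 'verify'` in that case before this `if` would make the implicit mode behave like the explicit one.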