docker_image TLS
This commit enables using TLS with the docker_image module. It also removes the default for docker_url, which otherwise prevents us from checking DOCKER_HOST, a more sensible default. This allows you to use docker_image on OSX, but more documentation is needed.
This commit is contained in:
parent
c8a7c25468
commit
75a61ae6e1
1 changed files with 88 additions and 3 deletions
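--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -118,6 +118,7 @@ Remove image from local docker storage:
 '''
 
 import re
+import os
 from urlparse import urlparse
 
 try:
@@ -161,11 +162,90 @@ class DockerImageManager:
 self.name = self.module.params.get('name')
 self.tag = self.module.params.get('tag')
 self.nocache = self.module.params.get('nocache')
-docker_url = urlparse(module.params.get('docker_url'))
+# Connect to the docker server using any configured host and TLS settings.
+
+env_host = os.getenv('DOCKER_HOST')
+env_docker_verify = os.getenv('DOCKER_TLS_VERIFY')
+env_cert_path = os.getenv('DOCKER_CERT_PATH')
+env_docker_hostname = os.getenv('DOCKER_TLS_HOSTNAME')
+
+docker_url = module.params.get('docker_url')
+if not docker_url:
+if env_host:
+docker_url = env_host
+else:
+docker_url = 'unix://var/run/docker.sock'
+
+docker_api_version = module.params.get('docker_api_version')
+
+tls_client_cert = module.params.get('tls_client_cert', None)
+if not tls_client_cert and env_cert_path:
+tls_client_cert = os.path.join(env_cert_path, 'cert.pem')
+
+tls_client_key = module.params.get('tls_client_key', None)
+if not tls_client_key and env_cert_path:
+tls_client_key = os.path.join(env_cert_path, 'key.pem')
+
+tls_ca_cert = module.params.get('tls_ca_cert')
+if not tls_ca_cert and env_cert_path:
+tls_ca_cert = os.path.join(env_cert_path, 'ca.pem')
+
+tls_hostname = module.params.get('tls_hostname')
+if tls_hostname is None:
+if env_docker_hostname:
+tls_hostname = env_docker_hostname
+else:
+parsed_url = urlparse(docker_url)
+if ':' in parsed_url.netloc:
+tls_hostname = parsed_url.netloc[:parsed_url.netloc.rindex(':')]
+else:
+tls_hostname = parsed_url
+if not tls_hostname:
+tls_hostname = True
+
+# use_tls can be one of four values:
+# no: Do not use tls
+# encrypt: Use tls. We may do client auth. We will not verify the server
+# verify: Use tls. We may do client auth. We will verify the server
+# None: Only use tls if the parameters for client auth were specified
+# or tls_ca_cert (which requests verifying the server with
+# a specific ca certificate)
+use_tls = module.params.get('use_tls')
+if use_tls is None and env_docker_verify is not None:
+use_tls = 'verify'
+
+tls_config = None
+if use_tls != 'no':
+params = {}
+
+# Setup client auth
+if tls_client_cert and tls_client_key:
+params['client_cert'] = (tls_client_cert, tls_client_key)
+
+# We're allowed to verify the connection to the server
+if use_tls == 'verify' or (use_tls is None and tls_ca_cert):
+if tls_ca_cert:
+params['ca_cert'] = tls_ca_cert
+params['verify'] = True
+params['assert_hostname'] = tls_hostname
+else:
+params['verify'] = True
+params['assert_hostname'] = tls_hostname
+elif use_tls == 'encrypt':
+params['verify'] = False
+
+if params:
+# See https://github.com/docker/docker-py/blob/d39da11/docker/utils/utils.py#L279-L296
+docker_url = docker_url.replace('tcp://', 'https://')
+tls_config = docker.tls.TLSConfig(**params)
+
 self.client = docker.Client(
 base_url=docker_url.geturl(),
 version=module.params.get('docker_api_version'),
-timeout=module.params.get('timeout'))
+timeout=module.params.get('timeout'),
+tls=tls_config)
+
 self.changed = False
 self.log = []
 self.error_msg = None
@@ -244,7 +324,12 @@ def main():
 tag = dict(required=False, default="latest"),
 nocache = dict(default=False, type='bool'),
 state = dict(default='present', choices=['absent', 'present', 'build']),
-docker_url = dict(default='unix://var/run/docker.sock'),
+use_tls = dict(default=None, choices=['no', 'encrypt', 'verify']),
+tls_client_cert = dict(required=False, default=None, type='str'),
+tls_client_key = dict(required=False, default=None, type='str'),
+tls_ca_cert = dict(required=False, default=None, type='str'),
+tls_hostname = dict(required=False, type='str', default=None),
+docker_url = dict(),
 docker_api_version = dict(required=False,
 default=DEFAULT_DOCKER_API_VERSION,
 type='str'),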
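Review bot: In the `class DockerImageManager` hunk the new side still passes `base_url=docker_url.geturl()` to docker.Client, but docker_url is now a plain string (it comes from module.params, DOCKER_HOST, the 'unix://…' literal, or the `.replace()` call) and `urlparse()` is only applied to the separate `parsed_url` copy, so client construction will raise AttributeError on str; the context line should read `base_url=docker_url,`. In the same hunk, the `else:` branch of the hostname fallback assigns the whole ParseResult (`tls_hostname = parsed_url`) rather than the host, so `assert_hostname` receives a tuple, which presumably fails or mis-verifies the server name; `tls_hostname = parsed_url.netloc` looks like the intended value. Both tls_hostname defaults matter because they decide which name the server certificate is checked against once `verify` is True. The enclosing `__init__` starts before this hunk.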