Add ctr
flags for configuring default TLS credentials.
Signed-off-by: John Millikin <jmillikin@stripe.com>
parent
4cbf59db82
commit
b8ccdcb07d
@ -66,6 +66,18 @@ var (
|
|||||||
// compatible with "/etc/docker/certs.d"
|
// compatible with "/etc/docker/certs.d"
|
||||||
Usage: "Custom hosts configuration directory",
|
Usage: "Custom hosts configuration directory",
|
||||||
},
|
},
|
||||||
|
cli.StringFlag{
|
||||||
|
Name: "tlscacert",
|
||||||
|
Usage: "path to TLS root CA",
|
||||||
|
},
|
||||||
|
cli.StringFlag{
|
||||||
|
Name: "tlscert",
|
||||||
|
Usage: "path to TLS client certificate",
|
||||||
|
},
|
||||||
|
cli.StringFlag{
|
||||||
|
Name: "tlskey",
|
||||||
|
Usage: "path to TLS client key",
|
||||||
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
// ContainerFlags are cli flags specifying container options
|
// ContainerFlags are cli flags specifying container options
|
||||||
|
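Review bot: The usage strings for the three new flags say nothing about how they behave together, which matters for flags that configure trust: --tlscacert replaces the system root pool rather than extending it (the resolver builds a fresh x509.CertPool from the file and sets it as RootCAs), and --tlscert/--tlskey are rejected unless both are given. Suggest `Usage: "path to TLS root CA (replaces the system root pool)"`, `Usage: "path to TLS client certificate (requires --tlskey)"` and `Usage: "path to TLS client key (requires --tlscert)"`. As a point of style, the existing flags in this block capitalize their usage text ("Custom hosts configuration directory") while the new ones are lowercase; matching the surrounding convention keeps the --help output consistent.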
@ -20,7 +20,9 @@ import (
|
|||||||
"bufio"
|
"bufio"
|
||||||
gocontext "context"
|
gocontext "context"
|
||||||
"crypto/tls"
|
"crypto/tls"
|
||||||
|
"crypto/x509"
|
||||||
"fmt"
|
"fmt"
|
||||||
|
"io/ioutil"
|
||||||
"strings"
|
"strings"
|
||||||
|
|
||||||
"github.com/containerd/console"
|
"github.com/containerd/console"
|
||||||
@ -85,12 +87,11 @@ func GetResolver(ctx gocontext.Context, clicontext *cli.Context) (remotes.Resolv
|
|||||||
if clicontext.Bool("plain-http") {
|
if clicontext.Bool("plain-http") {
|
||||||
hostOptions.DefaultScheme = "http"
|
hostOptions.DefaultScheme = "http"
|
||||||
}
|
}
|
||||||
|
defaultTLS, err := resolverDefaultTLS(clicontext)
|
||||||
if clicontext.Bool("skip-verify") {
|
if err != nil {
|
||||||
hostOptions.DefaultTLS = &tls.Config{
|
return nil, err
|
||||||
InsecureSkipVerify: true,
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
hostOptions.DefaultTLS = defaultTLS
|
||||||
if hostDir := clicontext.String("hosts-dir"); hostDir != "" {
|
if hostDir := clicontext.String("hosts-dir"); hostDir != "" {
|
||||||
hostOptions.HostDir = config.HostDirFromRoot(hostDir)
|
hostOptions.HostDir = config.HostDirFromRoot(hostDir)
|
||||||
}
|
}
|
||||||
@ -99,3 +100,38 @@ func GetResolver(ctx gocontext.Context, clicontext *cli.Context) (remotes.Resolv
|
|||||||
|
|
||||||
return docker.NewResolver(options), nil
|
return docker.NewResolver(options), nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func resolverDefaultTLS(clicontext *cli.Context) (*tls.Config, error) {
|
||||||
|
config := &tls.Config{}
|
||||||
|
|
||||||
|
if clicontext.Bool("skip-verify") {
|
||||||
|
config.InsecureSkipVerify = true
|
||||||
|
}
|
||||||
|
|
||||||
|
if tlsRootPath := clicontext.String("tlscacert"); tlsRootPath != "" {
|
||||||
|
tlsRootData, err := ioutil.ReadFile(tlsRootPath)
|
||||||
|
if err != nil {
|
||||||
|
return nil, errors.Wrapf(err, "failed to read %q", tlsRootPath)
|
||||||
|
}
|
||||||
|
|
||||||
|
config.RootCAs = x509.NewCertPool()
|
||||||
|
if !config.RootCAs.AppendCertsFromPEM(tlsRootData) {
|
||||||
|
return nil, fmt.Errorf("failed to load TLS CAs from %q: invalid data", tlsRootPath)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
tlsCertPath := clicontext.String("tlscert")
|
||||||
|
tlsKeyPath := clicontext.String("tlskey")
|
||||||
|
if tlsCertPath != "" || tlsKeyPath != "" {
|
||||||
|
if tlsCertPath == "" || tlsKeyPath == "" {
|
||||||
|
return nil, errors.New("flags --tlscert and --tlskey must be set together")
|
||||||
|
}
|
||||||
|
keyPair, err := tls.LoadX509KeyPair(tlsCertPath, tlsKeyPath)
|
||||||
|
if err != nil {
|
||||||
|
return nil, errors.Wrapf(err, "failed to load TLS client credentials (cert=%q, key=%q)", tlsCertPath, tlsKeyPath)
|
||||||
|
}
|
||||||
|
config.Certificates = []tls.Certificate{keyPair}
|
||||||
|
}
|
||||||
|
|
||||||
|
return config, nil
|
||||||
|
}
|
||||||
|
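Review bot: In resolverDefaultTLS the --skip-verify branch and the --tlscacert branch are independent, so a user who passes both gets InsecureSkipVerify set and a CA pool that is loaded but never consulted; rejecting the combination with `return nil, errors.New("flags --skip-verify and --tlscacert are mutually exclusive")` (or at least documenting it) would avoid a false sense of pinning. `config := &tls.Config{}` also leaves MinVersion at crypto/tls's default, which depending on the Go release still permits TLS 1.0 for clients; `config := &tls.Config{MinVersion: tls.VersionTLS12}` is a cheap hardening given these flags exist precisely to tighten the registry connection. Separately, the GetResolver hunk above now assigns `hostOptions.DefaultTLS = defaultTLS` unconditionally, where the old code left DefaultTLS nil unless --skip-verify was given; if the hosts-dir/certs.d configuration code treats a nil DefaultTLS as "use its own defaults", that is a behavior change worth confirming. The new function has no doc comment; a one-liner such as `// resolverDefaultTLS builds the default TLS config from the --skip-verify, --tlscacert, --tlscert and --tlskey flags.` would help.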