If REGISTRY_TLS_VERIFY is set, but GUNICORN_OPTS is not, then serve via

tiborvass · tiborvass · commit 5ab86d7fd42a · 2014-11-07T17:51:50.000-05:00
a TLS endpoint instead of plain HTTP.

This is done by setting GUNICORN_OPTS to some default value, expecting
the following files to be present:

* /ssl/ca.crt
* /ssl/registry.cert
* /ssl/registry.key

Signed-off-by: Tibor Vass &lt;teabee89@gmail.com&gt;
diff --git a/docker_registry/run.py b/docker_registry/run.py
@@ -9,6 +9,7 @@
 import logging
 import os
 import sys
+import ssl
 
 from .server import env
 
@@ -84,7 +85,11 @@ def run_gunicorn():
         else:
             logger.warn('You asked we drop priviledges, but we are not root!')
 
-    args += env.source('GUNICORN_OPTS')
+    gunicorn_opts = env.source('GUNICORN_OPTS')
+    if len(gunicorn_opts) == 0 and len(env.source('REGISTRY_TLS_VERIFY')) > 0:
+        gunicorn_opts = ['--certfile','/ssl/registry.cert','--keyfile','/ssl/registry.key','--ca-certs','/ssl/ca.crt','--ssl-version', ssl.PROTOCOL_TLSv1]
+
+    args += gunicorn_opts
     args.append('docker_registry.wsgi:application')
     # Stringify all args and call
     os.execl(*[str(v) for v in args])
