From b965b4ed012b0917afba018eddf2380366cdb530 Mon Sep 17 00:00:00 2001
From: alin-o <33296641+alin-o@users.noreply.github.com>
Date: Tue, 30 Jun 2020 20:12:34 +0300
Subject: [PATCH 1/4] docker_api https fix for secured docker The certificate path is also needed when docker daemon mode is `tlsverify` see https://docs.docker.com/engine/security/https/#connecting-to-the-secure-docker-port-using-curl
---
 app/functions.sh | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/app/functions.sh b/app/functions.sh
index 44e8442b..01d5f24e 100644
--- a/app/functions.sh
+++ b/app/functions.sh
@@ -201,6 +201,14 @@ function docker_api {
 else
 scheme="http://${DOCKER_HOST#*://}"
 fi
+
+ if [[ -v DOCKER_TLS_VERIFY && -v DOCKER_CERT_PATH && ! -z "$DOCKER_TLS_VERIFY" ]]; then
+ curl_opts+=(--cert ${DOCKER_CERT_PATH}/cert.pem)
+ curl_opts+=(--key ${DOCKER_CERT_PATH}/key.pem)
+ curl_opts+=(--cacert ${DOCKER_CERT_PATH}/ca.pem)
+ scheme="https://${DOCKER_HOST#*://}"
+ fi
+
 [[ $method = "POST" ]] && curl_opts+=(-H 'Content-Type: application/json')
 curl "${curl_opts[@]}" -X "${method}" "${scheme}$1"
 }
From 644338fbb42a516e7dfab21fa913715df49f1c1b Mon Sep 17 00:00:00 2001
From: Alin
Date: Tue, 30 Jun 2020 20:22:28 +0300
Subject: [PATCH 2/4] CI
---
 .gitlab-ci.yml | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 .gitlab-ci.yml
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
new file mode 100644
index 00000000..416e7194
--- /dev/null
+++ b/.gitlab-ci.yml
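Review bot: The new guard in `docker_api` silently downgrades to plaintext: when `DOCKER_TLS_VERIFY` is set but `DOCKER_CERT_PATH` is not (or is set to an empty string, which `-v DOCKER_CERT_PATH` still accepts), the branch is skipped and the request goes out on the `http://` scheme assigned just above the hunk, or curl is handed `--cert /cert.pem`. An explicit verify request should fail loudly rather than fall back, and `-v X && ! -z "$X"` reduces to `-n "$X"`. The three `curl_opts+=(... ${DOCKER_CERT_PATH}/...)` lines are also unquoted, so a cert directory containing spaces or glob characters is word-split before curl sees it. The start of `docker_api` and of the `if`/`else` that picks `scheme` lie outside the hunk; if that earlier branch handles a unix socket, this override rewrites `scheme` to `https://` in that case too, which is worth confirming.
```shell
    if [[ -n "$DOCKER_TLS_VERIFY" ]]; then
        if [[ -z "$DOCKER_CERT_PATH" ]]; then
            echo "docker_api: DOCKER_TLS_VERIFY is set but DOCKER_CERT_PATH is empty; refusing to fall back to plain HTTP" >&2
            return 1
        fi
        curl_opts+=(--cert "${DOCKER_CERT_PATH}/cert.pem")
        curl_opts+=(--key "${DOCKER_CERT_PATH}/key.pem")
        curl_opts+=(--cacert "${DOCKER_CERT_PATH}/ca.pem")
        scheme="https://${DOCKER_HOST#*://}"
    fi
    # … unchanged: POST content-type header and curl invocation …
```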
@@ -0,0 +1,24 @@
+# This file is a template, and might need editing before it works on your project.
+docker-build-master:
+ # Official docker image.
+ image: docker:latest
+ stage: build
+ before_script:
+ - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
+ script:
+ - docker build -t "$CI_REGISTRY_IMAGE" .
+ - docker push "$CI_REGISTRY_IMAGE"
+ only:
+ - master
+
+docker-build:
+ # Official docker image.
+ image: docker:latest
+ stage: build
+ before_script:
+ - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
+ script:
+ - docker build --pull -t "$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG" .
+ - docker push "$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG"
+ except:
+ - master
From 75bb9ec97aa5736f01648bf955fb87ac74c6895d Mon Sep 17 00:00:00 2001
From: Alin
Date: Sat, 4 Jul 2020 13:23:39 +0300
Subject: [PATCH 3/4] docker secure connection documentation
---
 docs/Container-configuration.md | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/docs/Container-configuration.md b/docs/Container-configuration.md
index ff5d1e50..2721c5d9 100644
--- a/docs/Container-configuration.md
+++ b/docs/Container-configuration.md
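Review bot: Both `before_script` entries pass the registry credential on the command line with `-p "$CI_REGISTRY_PASSWORD"`, where it can end up in the job log and in the process list of the runner; docker's own recommended form is `printf '%s' "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"`, which also fixes the unquoted `$CI_REGISTRY`. `image: docker:latest` is unpinned, so builds are not reproducible across runs. Since PATCH 4/4 deletes this file again, the cleaner outcome is to drop both commits from the series rather than fix them here.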
@@ -24,3 +24,11 @@ You can also create test certificates per container (see [Test certificates](./L
 * `REUSE_PRIVATE_KEYS` - Set it to `true` to make `simp_le` reuse previously generated private key for each certificate instead of creating a new one on certificate renewal. Recommended if you intend to use [HPKP](https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning) (please not however that HPKP has been deprecated by Google's Chrome and that its use is therefore not recommended).
 * `DHPARAM_BITS` - Change the size of the Diffie-Hellman key generated by the container from the default value of 2048 bits. For example `--env DHPARAM_BITS=1024` to support some older clients like Java 6 and 7.
+
+## Optional docker host configuration
+* `DOCKER_HOST` - set the host for docker. Must include the scheme (`unix://`, `http://` or `https://`)
+
+If the docker host daemon socket is [protected](https://docs.docker.com/engine/security/https/):
+
+* `DOCKER_TLS_VERIFY` - set it to value `1` if the docker host requires client TLS authentication
+* `DOCKER_CERT_PATH` - path to TLS client certificates for the docker host. This folder should contain `cert.pem`, `key.pem` and `ca.pem` files. See [Create a CA, server and client keys with OpenSSL](https://docs.docker.com/engine/security/https/#create-a-ca-server-and-client-keys-with-openssl)
\ No newline at end of file
From 891f691b51dcf976e5163e23f5f782f3f93cfe15 Mon Sep 17 00:00:00 2001
From: alin-o <33296641+alin-o@users.noreply.github.com>
Date: Sat, 4 Jul 2020 13:35:34 +0300
Subject: [PATCH 4/4] Delete .gitlab-ci.yml
---
 .gitlab-ci.yml | 24 ------------------------
 1 file changed, 24 deletions(-)
 delete mode 100644 .gitlab-ci.yml
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
deleted file mode 100644
index 416e7194..00000000
--- a/.gitlab-ci.yml
+++ /dev/null
@@ -1,24 +0,0 @@
-# This file is a template, and might need editing before it works on your project.
-docker-build-master:
- # Official docker image.
- image: docker:latest
- stage: build
- before_script:
- - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
- script:
- - docker build -t "$CI_REGISTRY_IMAGE" .
- - docker push "$CI_REGISTRY_IMAGE"
- only:
- - master
-
-docker-build:
- # Official docker image.
- image: docker:latest
- stage: build
- before_script:
- - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
- script:
- - docker build --pull -t "$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG" .
- - docker push "$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG"
- except:
- - master