provider/docker: authentication via values instead of files (#10151)
* Docker authentication via values * Rename parameters to ca_material, cert_material, and key_material. Add environment variables.
parent
a9456998f0
commit
c1a9a0c766
|
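--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -1,6 +1,7 @@
 package docker
 
 import (
+"fmt"
 "path/filepath"
 
 dc "github.com/fsouza/go-dockerclient"
@@ -10,21 +11,32 @@ import (
 // Docker API compatible host.
 type Config struct {
 Host string
+Ca string
+Cert string
+Key string
 CertPath string
 }
 
 // NewClient() returns a new Docker client.
 func (c *Config) NewClient() (*dc.Client, error) {
-// If there is no cert information, then just return the direct client
-if c.CertPath == "" {
-return dc.NewClient(c.Host)
+if c.Ca != "" || c.Cert != "" || c.Key != "" {
+if c.Ca == "" || c.Cert == "" || c.Key == "" {
+return nil, fmt.Errorf("ca_material, cert_material, and key_material must be specified")
+}
+
+return dc.NewTLSClientFromBytes(c.Host, []byte(c.Cert), []byte(c.Key), []byte(c.Ca))
 }
 
-// If there is cert information, load it and use it.
-ca := filepath.Join(c.CertPath, "ca.pem")
-cert := filepath.Join(c.CertPath, "cert.pem")
-key := filepath.Join(c.CertPath, "key.pem")
-return dc.NewTLSClient(c.Host, cert, key, ca)
+if c.CertPath != "" {
+// If there is cert information, load it and use it.
+ca := filepath.Join(c.CertPath, "ca.pem")
+cert := filepath.Join(c.CertPath, "cert.pem")
+key := filepath.Join(c.CertPath, "key.pem")
+return dc.NewTLSClient(c.Host, cert, key, ca)
+}
+
+// If there is no cert information, then just return the direct client
+return dc.NewClient(c.Host)
 }
 
 // Data ia structure for holding data that we fetch from Docker.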
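Review bot: The doc comment on NewClient still reads `// NewClient() returns a new Docker client.` while the body now has three paths with an implicit precedence — inline PEM material (Ca, Cert, Key) is checked first, then CertPath, and only then the plain `dc.NewClient` fallback — and that ordering is what decides the outcome when both kinds of setting are present. Suggest `// NewClient returns a Docker client. Inline PEM material (Ca, Cert, Key) takes precedence over CertPath; when neither is set a plain (non-TLS) client is returned.` The partially-set error lists all three names; naming just the empty field(s) of Ca/Cert/Key in the message would tell the user which value (or environment variable) is missing without guessing. As a point of style, a constant message with no verbs reads more naturally as `errors.New` than `fmt.Errorf`, though that would need the extra import.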
@ -17,6 +17,28 @@ func Provider() terraform.ResourceProvider {
|
||||||
Description: "The Docker daemon address",
|
Description: "The Docker daemon address",
|
||||||
},
|
},
|
||||||
|
|
||||||
|
"ca_material": &schema.Schema{
|
||||||
|
Type: schema.TypeString,
|
||||||
|
Optional: true,
|
||||||
|
DefaultFunc: schema.EnvDefaultFunc("DOCKER_CA_MATERIAL", ""),
|
||||||
|
ConflictsWith: []string{"cert_path"},
|
||||||
|
Description: "PEM-encoded content of Docker host CA certificate",
|
||||||
|
},
|
||||||
|
"cert_material": &schema.Schema{
|
||||||
|
Type: schema.TypeString,
|
||||||
|
Optional: true,
|
||||||
|
DefaultFunc: schema.EnvDefaultFunc("DOCKER_CERT_MATERIAL", ""),
|
||||||
|
ConflictsWith: []string{"cert_path"},
|
||||||
|
Description: "PEM-encoded content of Docker client certificate",
|
||||||
|
},
|
||||||
|
"key_material": &schema.Schema{
|
||||||
|
Type: schema.TypeString,
|
||||||
|
Optional: true,
|
||||||
|
DefaultFunc: schema.EnvDefaultFunc("DOCKER_KEY_MATERIAL", ""),
|
||||||
|
ConflictsWith: []string{"cert_path"},
|
||||||
|
Description: "PEM-encoded content of Docker client private key",
|
||||||
|
},
|
||||||
|
|
||||||
"cert_path": &schema.Schema{
|
"cert_path": &schema.Schema{
|
||||||
Type: schema.TypeString,
|
Type: schema.TypeString,
|
||||||
Optional: true,
|
Optional: true,
|
||||||
|
@ -43,6 +65,9 @@ func Provider() terraform.ResourceProvider {
|
||||||
func providerConfigure(d *schema.ResourceData) (interface{}, error) {
|
func providerConfigure(d *schema.ResourceData) (interface{}, error) {
|
||||||
config := Config{
|
config := Config{
|
||||||
Host: d.Get("host").(string),
|
Host: d.Get("host").(string),
|
||||||
|
Ca: d.Get("ca_material").(string),
|
||||||
|
Cert: d.Get("cert_material").(string),
|
||||||
|
Key: d.Get("key_material").(string),
|
||||||
CertPath: d.Get("cert_path").(string),
|
CertPath: d.Get("cert_path").(string),
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
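Review bot: `key_material` carries a PEM private key but is declared exactly like the other string attributes in the three new schema entries, so its value will be shown wherever provider configuration is printed or logged; if the helper/schema package in this tree supports it, add `Sensitive: true,` to the `key_material` entry (and arguably `cert_material`) so it is redacted. `ConflictsWith: []string{"cert_path"}` appears to apply only to values written in configuration, so when the `DOCKER_*_MATERIAL` variables and `DOCKER_CERT_PATH` are both present in the environment no conflict is reported here and the outcome depends on NewClient checking the inline material first; a sentence in the `cert_path` description stating that inline material takes precedence would make that explicit. The enclosing `Provider()` function starts and ends outside the hunk.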
@ -57,6 +57,9 @@ The following arguments are supported:
|
||||||
for connecting to the Docker host via TLS. If this is blank, the
|
for connecting to the Docker host via TLS. If this is blank, the
|
||||||
`DOCKER_CERT_PATH` will also be checked.
|
`DOCKER_CERT_PATH` will also be checked.
|
||||||
|
|
||||||
|
* `ca_material`, `cert_material`, `key_material`, - (Optional) Content of `ca.pem`, `cert.pem`, and `key.pem` files
|
||||||
|
for TLS authentication. Cannot be used together with `cert_path`.
|
||||||
|
|
||||||
~> **NOTE on Certificates and `docker-machine`:** As per [Docker Remote API
|
~> **NOTE on Certificates and `docker-machine`:** As per [Docker Remote API
|
||||||
documentation](https://docs.docker.com/engine/reference/api/docker_remote_api/),
|
documentation](https://docs.docker.com/engine/reference/api/docker_remote_api/),
|
||||||
in any docker-machine environment, the Docker daemon uses an encrypted TCP
|
in any docker-machine environment, the Docker daemon uses an encrypted TCP
|
||||||
|
|