Allow to connect to TLS enabled Docker endpoint

cd3315f5 · Kamil Trzcinski · d7221f22 · cd3315f5 · cd3315f5 · cd3315f5
Commit cd3315f5 authored 10 years ago by Kamil Trzcinski
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
+v 0.2.1
+- Added repo slug to build path
+- 
 v 0.2.0
 - Added delete and verify commands
 - Limit build trace size (1MB currently)

--- a/common/config.go
+++ b/common/config.go
@@ -15,6 +15,7 @@ import (

 type DockerConfig struct {
 	Host                   string   `toml:"host" json:"host"`
+	CertPath               *string  `toml:"tls_cert_path" json:"tls_cert_path"`
 	Hostname               string   `toml:"hostname" json:"hostname"`
 	Image                  string   `toml:"image" json:"image"`
 	Privileged             bool     `toml:"privileged" json:"privileged"`

--- a/docs/advanced-configuration.md
+++ b/docs/advanced-configuration.md
@@ -59,6 +59,7 @@ Configuration uses TOML format described here: https://github.com/toml-lang/toml
    [runners.docker]
      host = ""
      hostname = ""
+      tls_cert_path = "/Users/ayufan/.boot2docker/certs"
      image = "ruby:2.1"
      privileged = false
      disable_cache = false
@@ -75,6 +76,7 @@ Configuration uses TOML format described here: https://github.com/toml-lang/toml
    This defines the Docker Container parameters:
    * `host` - specify custom Docker endpoint, by default *DOCKER_HOST* environment is used or *"unix:///var/run/docker.sock"*
    * `hostname` - specify custom hostname for Docker container
+    * `tls_cert_path` - when set it will use ca.pem, cert.pem and key.pem from that folder to make secure TLS connection to Docker (useful in boot2docker)
    * `image` - use this image to run builds
    * `privileged` - make container run in Privileged mode (insecure)
    * `disable_cache` - disable automatic

--- a/executors/docker/executor_docker.go
+++ b/executors/docker/executor_docker.go
@@ -6,6 +6,7 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
+	"strconv"
 	"strings"
 	"sync"
 	"time"
@@ -268,19 +269,44 @@ func (s *DockerExecutor) createServices() ([]string, error) {
 }

 func (s *DockerExecutor) connect() (*docker.Client, error) {
-	endpoint := s.Config.Docker.Host
-	if len(endpoint) == 0 {
-		endpoint = os.Getenv("DOCKER_HOST")
-	}
-	if len(endpoint) == 0 {
-		endpoint = "unix:///var/run/docker.sock"
-	}
-	client, err := docker.NewClient(endpoint)
-	if err != nil {
-		return nil, err
-	}
+	endpoint := "unix:///var/run/docker.sock"
+	tlsVerify := false
+	tlsCertPath := ""
+
+	if s.Config.Docker.Host != "" {
+		// read docker config from config
+		endpoint = s.Config.Docker.Host
+		if s.Config.Docker.CertPath != nil {
+			tlsVerify = true
+			tlsCertPath = *s.Config.Docker.CertPath
+		}
+	} else if host := os.Getenv("DOCKER_HOST"); host != "" {
+		// read docker config from environment
+		endpoint = host
+		tlsVerify, _ = strconv.ParseBool(os.Getenv("DOCKER_TLS_VERIFY"))
+		tlsCertPath = os.Getenv("DOCKER_CERT_PATH")
+	}
+
+	if tlsVerify {
+		client, err := docker.NewTLSClient(
+			endpoint,
+			filepath.Join(tlsCertPath, "cert.pem"),
+			filepath.Join(tlsCertPath, "key.pem"),
+			filepath.Join(tlsCertPath, "ca.pem"),
+		)
+		if err != nil {
+			return nil, err
+		}
+
+		return client, nil
+	} else {
+		client, err := docker.NewClient(endpoint)
+		if err != nil {
+			return nil, err
+		}

-	return client, nil
+		return client, nil
+	}
 }

 func (s *DockerExecutor) createContainer(image *docker.Image, cmd []string) (*docker.Container, error) {