Skip to content

Commit

Permalink
provider/docker: authentication via values instead of files (hashicor…
Browse files Browse the repository at this point in the history
…p#10151)

* Docker authentication via values

* Rename parameters to ca_material, cert_material, and key_material. Add environment variables.
  • Loading branch information
mkuzmin authored and Gustavo Mateus committed Dec 6, 2016
1 parent fd146ee commit 774ab1f
Show file tree
Hide file tree
Showing 3 changed files with 48 additions and 8 deletions.
28 changes: 20 additions & 8 deletions builtin/providers/docker/config.go
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
package docker

import (
"fmt"
"path/filepath"

dc "github.com/fsouza/go-dockerclient"
Expand All @@ -10,21 +11,32 @@ import (
// Docker API compatible host.
type Config struct {
Host string
Ca string
Cert string
Key string
CertPath string
}

// NewClient() returns a new Docker client.
func (c *Config) NewClient() (*dc.Client, error) {
// If there is no cert information, then just return the direct client
if c.CertPath == "" {
return dc.NewClient(c.Host)
if c.Ca != "" || c.Cert != "" || c.Key != "" {
if c.Ca == "" || c.Cert == "" || c.Key == "" {
return nil, fmt.Errorf("ca_material, cert_material, and key_material must be specified")
}

return dc.NewTLSClientFromBytes(c.Host, []byte(c.Cert), []byte(c.Key), []byte(c.Ca))
}

// If there is cert information, load it and use it.
ca := filepath.Join(c.CertPath, "ca.pem")
cert := filepath.Join(c.CertPath, "cert.pem")
key := filepath.Join(c.CertPath, "key.pem")
return dc.NewTLSClient(c.Host, cert, key, ca)
if c.CertPath != "" {
// If there is cert information, load it and use it.
ca := filepath.Join(c.CertPath, "ca.pem")
cert := filepath.Join(c.CertPath, "cert.pem")
key := filepath.Join(c.CertPath, "key.pem")
return dc.NewTLSClient(c.Host, cert, key, ca)
}

// If there is no cert information, then just return the direct client
return dc.NewClient(c.Host)
}

// Data ia structure for holding data that we fetch from Docker.
Expand Down
25 changes: 25 additions & 0 deletions builtin/providers/docker/provider.go
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,28 @@ func Provider() terraform.ResourceProvider {
Description: "The Docker daemon address",
},

"ca_material": &schema.Schema{
Type: schema.TypeString,
Optional: true,
DefaultFunc: schema.EnvDefaultFunc("DOCKER_CA_MATERIAL", ""),
ConflictsWith: []string{"cert_path"},
Description: "PEM-encoded content of Docker host CA certificate",
},
"cert_material": &schema.Schema{
Type: schema.TypeString,
Optional: true,
DefaultFunc: schema.EnvDefaultFunc("DOCKER_CERT_MATERIAL", ""),
ConflictsWith: []string{"cert_path"},
Description: "PEM-encoded content of Docker client certificate",
},
"key_material": &schema.Schema{
Type: schema.TypeString,
Optional: true,
DefaultFunc: schema.EnvDefaultFunc("DOCKER_KEY_MATERIAL", ""),
ConflictsWith: []string{"cert_path"},
Description: "PEM-encoded content of Docker client private key",
},

"cert_path": &schema.Schema{
Type: schema.TypeString,
Optional: true,
Expand All @@ -43,6 +65,9 @@ func Provider() terraform.ResourceProvider {
func providerConfigure(d *schema.ResourceData) (interface{}, error) {
config := Config{
Host: d.Get("host").(string),
Ca: d.Get("ca_material").(string),
Cert: d.Get("cert_material").(string),
Key: d.Get("key_material").(string),
CertPath: d.Get("cert_path").(string),
}

Expand Down
3 changes: 3 additions & 0 deletions website/source/docs/providers/docker/index.html.markdown
Original file line number Diff line number Diff line change
Expand Up @@ -57,6 +57,9 @@ The following arguments are supported:
for connecting to the Docker host via TLS. If this is blank, the
`DOCKER_CERT_PATH` will also be checked.

* `ca_material`, `cert_material`, `key_material`, - (Optional) Content of `ca.pem`, `cert.pem`, and `key.pem` files
for TLS authentication. Cannot be used together with `cert_path`.

~> **NOTE on Certificates and `docker-machine`:** As per [Docker Remote API
documentation](https://docs.docker.com/engine/reference/api/docker_remote_api/),
in any docker-machine environment, the Docker daemon uses an encrypted TCP
Expand Down

0 comments on commit 774ab1f

Please sign in to comment.