mirror of
https://github.com/moby/moby.git
synced 2022-11-09 12:21:53 -05:00
use an encrypted client certificate to connect to a docker daemon
Signed-off-by: Arash Deshmeh <adeshmeh@ca.ibm.com>
This commit is contained in:
parent
7180f887ea
commit
603dd8b3b4
2 changed files with 23 additions and 1 deletions
|
@ -20,6 +20,7 @@ import (
|
|||
dopts "github.com/docker/docker/opts"
|
||||
"github.com/docker/go-connections/sockets"
|
||||
"github.com/docker/go-connections/tlsconfig"
|
||||
"github.com/docker/notary/passphrase"
|
||||
"github.com/pkg/errors"
|
||||
"github.com/spf13/cobra"
|
||||
"golang.org/x/net/context"
|
||||
|
@ -153,9 +154,30 @@ func (cli *DockerCli) Initialize(opts *cliflags.ClientOptions) error {
|
|||
|
||||
var err error
|
||||
cli.client, err = NewAPIClientFromFlags(opts.Common, cli.configFile)
|
||||
if tlsconfig.IsErrEncryptedKey(err) {
|
||||
var (
|
||||
passwd string
|
||||
giveup bool
|
||||
)
|
||||
passRetriever := passphrase.PromptRetrieverWithInOut(cli.In(), cli.Out(), nil)
|
||||
|
||||
for attempts := 0; tlsconfig.IsErrEncryptedKey(err); attempts++ {
|
||||
// some code and comments borrowed from notary/trustmanager/keystore.go
|
||||
passwd, giveup, err = passRetriever("private", "encrypted TLS private", false, attempts)
|
||||
// Check if the passphrase retriever got an error or if it is telling us to give up
|
||||
if giveup || err != nil {
|
||||
return errors.Wrap(err, "private key is encrypted, but could not get passphrase")
|
||||
}
|
||||
|
||||
opts.Common.TLSOptions.Passphrase = passwd
|
||||
cli.client, err = NewAPIClientFromFlags(opts.Common, cli.configFile)
|
||||
}
|
||||
}
|
||||
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
cli.defaultVersion = cli.client.ClientVersion()
|
||||
|
||||
if opts.Common.TrustKey == "" {
|
||||
|
|
|
@ -33,7 +33,7 @@ func TestNewEnvClient(t *testing.T) {
|
|||
envs: map[string]string{
|
||||
"DOCKER_CERT_PATH": "invalid/path",
|
||||
},
|
||||
expectedError: "Could not load X509 key pair: open invalid/path/cert.pem: no such file or directory. Make sure the key is not encrypted",
|
||||
expectedError: "Could not load X509 key pair: open invalid/path/cert.pem: no such file or directory",
|
||||
},
|
||||
{
|
||||
envs: map[string]string{
|
||||
|
|
Loading…
Reference in a new issue