If REGISTRY_TLS_VERIFY is set, but GUNICORN_OPTS is not, then serve via

a TLS endpoint instead of plain HTTP.

This is done by setting GUNICORN_OPTS to some default value, expecting
the following files to be present:

* /ssl/ca.crt
* /ssl/registry.cert
* /ssl/registry.key

Signed-off-by: Tibor Vass <[email protected]>

Author: tiborvass

docker_registry/run.py

@@ -9,6 +9,7 @@
 import logging
 import os
 import sys
+import ssl
 
 from .server import env
 
@@ -84,7 +85,16 @@ def run_gunicorn():
         else:
             logger.warn('You asked we drop priviledges, but we are not root!')
 
-    args += env.source('GUNICORN_OPTS')
+    gunicorn_opts = env.source('GUNICORN_OPTS')
+    if not gunicorn_opts and env.source('REGISTRY_TLS_VERIFY'):
+        gunicorn_opts = ['--ssl-version', ssl.PROTOCOL_TLSv1]
+        for k, v in {'--certfile':'/ssl/registry.cert', '--keyfile':'/ssl/registry.key', '--ca-certs':'/ssl/ca.crt'}.iteritems():
+            if not os.path.isfile(v):
+                print("could not find %s" % (v))
+                sys.exit(1)
+            gunicorn_opts.append(k, v)
+
+    args += gunicorn_opts
     args.append('docker_registry.wsgi:application')
     # Stringify all args and call
     os.execl(*[str(v) for v in args])