Enable TLS by default if /ssl directory is present.

tiborvass · tiborvass · commit a7a1a0495187 · 2014-11-06T20:16:57.000-05:00
Generates needed keys and certs.
If only one element in the key/cert pair is present, nothing is
overriden; instead, the user is asked to either remove the existing
element, or put the missing one back.

Uses TLSv1, since TLSv1.1 nor TLSv1.2 are available in the current
version of python 2.7.

Usage: docker run -d -p 5000:5000 -v /etc/docker/certs.d:/ssl registry

There are no breaking changes, since the /ssl directory is not present
by default.

Signed-off-by: Tibor Vass &lt;teabee89@gmail.com&gt;
diff --git a/Dockerfile b/Dockerfile
@@ -12,13 +12,18 @@ FROM ubuntu:14.04
 RUN apt-get update \
 # Install pip
     && apt-get install -y \
+        curl \
         python-pip \
 # Install deps for backports.lmza (python2 requires it)
         python-dev \
         liblzma-dev \
         libevent1-dev \
     && rm -rf /var/lib/apt/lists/*
 
+# get generate_cert
+RUN curl -L -o /usr/local/bin/generate_cert https://github.com/SvenDowideit/generate_cert/releases/download/0.1/generate_cert-0.1-linux-amd64/ && \
+    chmod +x /usr/local/bin/generate_cert
+
 COPY . /docker-registry
 COPY ./config/boto.cfg /etc/boto.cfg
 
@@ -37,4 +42,4 @@ ENV SETTINGS_FLAVOR dev
 
 EXPOSE 5000
 
-CMD ["docker-registry"]
+CMD ["/docker-registry/run.sh"]
diff --git a/run.sh b/run.sh
@@ -0,0 +1,36 @@
+#!/bin/bash
+
+set -e
+
+export ${REGISTRY_HOST:=localhost}
+
+x=0
+for f in /ssl/ca.{key,cert}; do
+	[[ -f $f ]] && x=$((x + 1)) || break
+done
+case "$x" in
+0)
+	generate_cert -cert=/ssl/ca.cert -key=/ssl/ca.key
+	;;
+1)
+	echo "Only one of /ssl/ca.key and /ssl/ca.cert was found. Make sure both are either present or absent." && exit 1
+	;;
+esac
+
+x=0
+for f in /ssl/registry.{key,crt}; do
+	[[ -f $f ]] && x=$((x + 1)) || break
+done
+case "$x" in
+0)
+	generate_cert -cert=/ssl/ca.cert -key=/ssl/ca.key && generate_cert -host="$REGISTRY_HOST" -ca=/ssl/ca.cert -ca-key=/ssl/ca.key -cert=/ssl/registry.crt -key=/ssl/registry.key
+	;;
+1)
+	echo "Only one of /ssl/registry.key and /ssl/registry.crt was found. Make sure both are either present or absent." && exit 1
+	;;
+esac
+
+# --ssl-version 3 == ssl.PROTOCOL_TLSv1
+[[ -d /ssl ]] && export ${GUNICORN_OPTS:="['--certfile','/ssl/registry.crt','--keyfile','/ssl/registry.key','--ca-certs','/ssl/ca.cert','--ssl-version',3]"}
+
+exec "$@"
