Merge pull request #31364 from adshmh/30935-use-encrypted-client-certificate-to-connect-to-a-docker-host

use an encrypted client certificate to connect to a docker daemon
This commit is contained in:
Sebastiaan van Stijn 2017-04-10 10:42:01 +02:00 committed by GitHub
commit 666a23aac2
1 changed files with 22 additions and 0 deletions

View File

@ -20,6 +20,7 @@ import (
dopts "github.com/docker/docker/opts" dopts "github.com/docker/docker/opts"
"github.com/docker/go-connections/sockets" "github.com/docker/go-connections/sockets"
"github.com/docker/go-connections/tlsconfig" "github.com/docker/go-connections/tlsconfig"
"github.com/docker/notary/passphrase"
"github.com/pkg/errors" "github.com/pkg/errors"
"github.com/spf13/cobra" "github.com/spf13/cobra"
"golang.org/x/net/context" "golang.org/x/net/context"
@ -153,9 +154,30 @@ func (cli *DockerCli) Initialize(opts *cliflags.ClientOptions) error {
var err error var err error
cli.client, err = NewAPIClientFromFlags(opts.Common, cli.configFile) cli.client, err = NewAPIClientFromFlags(opts.Common, cli.configFile)
if tlsconfig.IsErrEncryptedKey(err) {
var (
passwd string
giveup bool
)
passRetriever := passphrase.PromptRetrieverWithInOut(cli.In(), cli.Out(), nil)
for attempts := 0; tlsconfig.IsErrEncryptedKey(err); attempts++ {
// some code and comments borrowed from notary/trustmanager/keystore.go
passwd, giveup, err = passRetriever("private", "encrypted TLS private", false, attempts)
// Check if the passphrase retriever got an error or if it is telling us to give up
if giveup || err != nil {
return errors.Wrap(err, "private key is encrypted, but could not get passphrase")
}
opts.Common.TLSOptions.Passphrase = passwd
cli.client, err = NewAPIClientFromFlags(opts.Common, cli.configFile)
}
}
if err != nil { if err != nil {
return err return err
} }
cli.defaultVersion = cli.client.ClientVersion() cli.defaultVersion = cli.client.ClientVersion()
if opts.Common.TrustKey == "" { if opts.Common.TrustKey == "" {