diff --git a/config/openssl-ca.cnf b/config/openssl-ca.cnf
deleted file mode 100644
index c2b90932..00000000
--- a/config/openssl-ca.cnf
+++ /dev/null
@@ -1,85 +0,0 @@
-HOME = /etc/docker/ssl
-RANDFILE = $ENV::HOME/.rnd
-
-####################################################################
-[ ca ]
-default_ca = CA_default # The default ca section
-
-[ CA_default ]
-
-default_days = 365 # how long to certify for
-default_crl_days= 30 # how long before next CRL
-default_md = sha256 # use public key default MD
-preserve = no # keep passed DN ordering
-
-x509_extensions = ca_extensions # The extensions to add to the cert
-
-email_in_dn = no # Don't concat the email in the DN
-copy_extensions = copy # Required to copy SANs from CSR to cert
-
-base_dir = /etc/docker/ssl
-certificate = $base_dir/ca.pem # The CA certifcate
-private_key = $base_dir/cakey.pem # The CA private key
-new_certs_dir = $base_dir # Location for new certs after signing
-database = $base_dir/index.txt # Database index file
-serial = $base_dir/serial.txt # The current serial number
-
-unique_subject = no # Set to 'no' to allow creation of
- # several certificates with same subject.
-
-####################################################################
-[ req ]
-default_bits = 4096
-default_keyfile = $HOME/cakey.pem
-distinguished_name = ca_distinguished_name
-x509_extensions = ca_extensions
-string_mask = utf8only
-
-####################################################################
-[ ca_distinguished_name ]
-countryName = Country Name (2 letter code)
-countryName_default = US
-
-stateOrProvinceName = State or Province Name (full name)
-stateOrProvinceName_default = New York
-
-localityName = Locality Name (eg, city)
-localityName_default = New York City
-
-organizationName = Organization Name (eg, company)
-organizationName_default = Contained.AF
-
-organizationalUnitName = Organizational Unit (eg, division)
-organizationalUnitName_default = Tupperware Hackers
-
-commonName = Common Name (e.g. server FQDN or YOUR name)
-commonName_default = Contained.AF CA
-
-emailAddress = Email Address
-emailAddress_default = no-reply@contained.af
-
-####################################################################
-[ ca_extensions ]
-
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid:always, issuer
-basicConstraints = critical, CA:true
-keyUsage = keyCertSign, cRLSign
-
-####################################################################
-[ signing_policy ]
-countryName = optional
-stateOrProvinceName = optional
-localityName = optional
-organizationName = optional
-organizationalUnitName = optional
-commonName = supplied
-emailAddress = optional
-
-####################################################################
-[ signing_req ]
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer
-
-basicConstraints = CA:FALSE
-keyUsage = digitalSignature, keyEncipherment
diff --git a/config/openssl-client.cnf b/config/openssl-client.cnf
deleted file mode 100644
index dd99b2aa..00000000
--- a/config/openssl-client.cnf
+++ /dev/null
@@ -1,49 +0,0 @@
-HOME = /etc/docker/ssl
-RANDFILE = $ENV::HOME/.rnd
-
-####################################################################
-[ req ]
-default_bits = 2048
-default_keyfile = $HOME/client.key
-distinguished_name = server_distinguished_name
-req_extensions = server_req_extensions
-string_mask = utf8only
-
-####################################################################
-[ server_distinguished_name ]
-countryName = Country Name (2 letter code)
-countryName_default = US
-
-stateOrProvinceName = State or Province Name (full name)
-stateOrProvinceName_default = New York
-
-localityName = Locality Name (eg, city)
-localityName_default = New York City
-
-organizationName = Organization Name (eg, company)
-organizationName_default = Contained.AF
-
-organizationalUnitName = Organizational Unit (eg, division)
-organizationalUnitName_default = Tupperware Hackers
-
-commonName = Common Name (e.g. server FQDN or YOUR name)
-commonName_default = Contained.AF CA
-
-emailAddress = Email Address
-emailAddress_default = no-reply@contained.af
-
-####################################################################
-[ server_req_extensions ]
-
-subjectKeyIdentifier = hash
-basicConstraints = CA:FALSE
-keyUsage = digitalSignature, keyEncipherment
-extendedKeyUsage = clientAuth
-subjectAltName = @alternate_names
-nsComment = "OpenSSL Generated Certificate"
-
-####################################################################
-[ alternate_names ]
-
-DNS.1 = localhost
-IP.1 = 127.0.0.1
diff --git a/config/openssl-server.cnf b/config/openssl-server.cnf
deleted file mode 100644
index 77269ce6..00000000
--- a/config/openssl-server.cnf
+++ /dev/null
@@ -1,48 +0,0 @@
-HOME = /etc/docker/ssl
-RANDFILE = $ENV::HOME/.rnd
-
-####################################################################
-[ req ]
-default_bits = 2048
-default_keyfile = $HOME/key.pem
-distinguished_name = server_distinguished_name
-req_extensions = server_req_extensions
-string_mask = utf8only
-
-####################################################################
-[ server_distinguished_name ]
-countryName = Country Name (2 letter code)
-countryName_default = US
-
-stateOrProvinceName = State or Province Name (full name)
-stateOrProvinceName_default = New York
-
-localityName = Locality Name (eg, city)
-localityName_default = New York City
-
-organizationName = Organization Name (eg, company)
-organizationName_default = Contained.AF
-
-organizationalUnitName = Organizational Unit (eg, division)
-organizationalUnitName_default = Tupperware Hackers
-
-commonName = Common Name (e.g. server FQDN or YOUR name)
-commonName_default = Contained.AF CA
-
-emailAddress = Email Address
-emailAddress_default = no-reply@contained.af
-
-####################################################################
-[ server_req_extensions ]
-
-subjectKeyIdentifier = hash
-basicConstraints = CA:FALSE
-keyUsage = digitalSignature, keyEncipherment
-subjectAltName = @alternate_names
-nsComment = "OpenSSL Generated Certificate"
-
-####################################################################
-[ alternate_names ]
-
-DNS.1 = localhost
-IP.1 = 127.0.0.1
diff --git a/config/setup_certs.sh b/config/setup_certs.sh
deleted file mode 100755
index d006d4f1..00000000
--- a/config/setup_certs.sh
+++ /dev/null
@@ -1,65 +0,0 @@ -#!/bin/sh - -CONFIGS_DIR=/etc/docker/daemon/config -CERT_DIR=/etc/docker/ssl - -CERT_SUBJ="/C=US/ST=New York/L=New York City/O=Contained.AF/CN=Contained.AF CA" - -if [ ! -f "${CERT_DIR}/ca.pem" ]; then - mkdir -p "${CERT_DIR}" - - # create the root CA - openssl req -x509 \ - -config "${CONFIGS_DIR}/openssl-ca.cnf" \ - -newkey rsa:4096 -sha256 \ - -subj "${CERT_SUBJ}" \ - -nodes -out "${CERT_DIR}/ca.pem" -outform PEM - - openssl x509 -noout -text -in "${CERT_DIR}/ca.pem" - - # create the server certificate signing request - openssl req \ - -config "${CONFIGS_DIR}/openssl-server.cnf" \ - -newkey rsa:2048 -sha256 \ - -subj "/CN=localhost" \ - -nodes -out "${CERT_DIR}/server.csr" -outform PEM - openssl req -text -noout -verify -in "${CERT_DIR}/server.csr" - - touch "${CERT_DIR}/index.txt" - echo 01 > "${CERT_DIR}/serial.txt" - - # create the server cert - openssl ca -batch \ - -config "${CONFIGS_DIR}/openssl-ca.cnf" \ - -policy signing_policy -extensions signing_req \ - -out "${CERT_DIR}/cert.pem" -infiles "${CERT_DIR}/server.csr" - - openssl x509 -noout -text -in "${CERT_DIR}/cert.pem" - - # create the client certificate signing request - openssl req \ - -config "${CONFIGS_DIR}/openssl-client.cnf" \ - -newkey rsa:2048 -sha256 \ - -subj "/CN=client" \ - -nodes -out "${CERT_DIR}/client.csr" -outform PEM - openssl req -text -noout -verify -in "${CERT_DIR}/client.csr" - - touch "${CERT_DIR}/index.txt" - echo 02 > "${CERT_DIR}/serial.txt" - - # create the client cert - openssl ca -batch \ - -config "${CONFIGS_DIR}/openssl-ca.cnf" \ - -policy signing_policy -extensions signing_req \ - -out "${CERT_DIR}/client.cert" -infiles "${CERT_DIR}/client.csr" - - openssl x509 -noout -text -in "${CERT_DIR}/client.cert" - - - # remove the signing requests - rm -rf "${CERT_DIR}/client.csr" "${CERT_DIR}/server.csr" "${CERT_DIR}/"*.attr "${CERT_DIR}/"*.old - -fi - -set -- sh "$(which dind)" "$@" -exec "$@" 
diff --git a/main_test.go b/main_test.go index 3cc05958..f5d59548 100644 --- a/main_test.go +++ b/main_test.go @@ -4,16 +4,12 @@ import ( "flag" "fmt" "log" - "net/http" "os" "os/exec" - "path/filepath" "runtime" "testing" - "github.com/docker/docker/api" "github.com/docker/docker/client" - "github.com/docker/go-connections/tlsconfig" "github.com/jessfraz/reg/testutils" ) @@ -61,7 +57,7 @@ func TestMain(m *testing.M) { defer os.Remove("testreg" + exeSuffix) // create the docker client - dcli, err := newEnvDockerClient() + dcli, err := client.NewEnvClient() if err != nil { panic(fmt.Errorf("could not connect to docker: %v", err)) } @@ -113,42 +109,3 @@ alpine latest t.Fatalf("expected: %s\ngot: %s", expected, out) } } - -func newEnvDockerClient() (*client.Client, error) { - var hc *http.Client - - if dockerCertPath := os.Getenv("DOCKER_CERT_PATH"); dockerCertPath != "" { - options := tlsconfig.Options{ - CAFile: filepath.Join(dockerCertPath, "cacert.pem"), - CertFile: filepath.Join(dockerCertPath, "server.cert"), - KeyFile: filepath.Join(dockerCertPath, "server.key"), - InsecureSkipVerify: os.Getenv("DOCKER_TLS_VERIFY") == "", - } - tlsc, err := tlsconfig.Client(options) - if err != nil { - return nil, err - } - - hc = &http.Client{ - Transport: &http.Transport{ - TLSClientConfig: tlsc, - }, - CheckRedirect: client.CheckRedirect, - } - } - - host := os.Getenv("DOCKER_HOST") - if host == "" { - host = client.DefaultDockerHost - } - version := os.Getenv("DOCKER_API_VERSION") - if version == "" { - version = api.DefaultVersion - } - - cli, err := client.NewClient(host, version, hc, nil) - if err != nil { - return cli, err - } - return cli, nil -}
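Review bot: The switch to `client.NewEnvClient()` in the TestMain hunk changes which certificate files the test expects under `DOCKER_CERT_PATH`: the removed helper looked for `cacert.pem`, `server.cert` and `server.key`, while the docker client's environment constructor, as far as I recall, reads `ca.pem`, `cert.pem` and `key.pem`, and it keeps the removed helper's behaviour of skipping verification whenever `DOCKER_TLS_VERIFY` is unset. A caller with the old file layout will now get a client construction error that the surrounding `panic(fmt.Errorf("could not connect to docker: %v", err))` reports as a connection failure, which is misleading because no connection is attempted at that point. A comment above the call, `// TLS material is read from DOCKER_CERT_PATH (ca.pem, cert.pem, key.pem); verification is skipped when DOCKER_TLS_VERIFY is unset`, would document the contract, and the panic text could read `could not create docker client: %v`. TestMain starts and ends outside the hunk.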