From abfbe512128a7b5b816276c3f226aba125f00f5e Mon Sep 17 00:00:00 2001
From: Jason Hall
Date: Thu, 23 Jan 2020 16:16:56 -0500
Subject: [PATCH] Connect to dind sidecar daemon using TLS
- share the path the daemon generates certs into with the client
- instruct the client to look for certs there, and to use them
- add a readinessProbe to wait for the certs to be generated
---
examples/taskruns/dind-sidecar.yaml | 30 ++++++++++++++++++++---------
1 file changed, 21 insertions(+), 9 deletions(-)
diff --git a/examples/taskruns/dind-sidecar.yaml b/examples/taskruns/dind-sidecar.yaml
index efd684df8ae..e9141998c92 100644
--- a/examples/taskruns/dind-sidecar.yaml
+++ b/examples/taskruns/dind-sidecar.yaml
@@ -8,9 +8,15 @@ spec:
- image: docker
name: client
env:
- # Connect to the sidecar over TCP without TLS.
+ # Connect to the sidecar over TCP, with TLS.
- name: DOCKER_HOST
- value: tcp://localhost:2375
+ value: tcp://localhost:2376
+ # Verify TLS.
- name: DOCKER_TLS_VERIFY
+ value: '1'
# Use the certs generated by the sidecar daemon.
- name: DOCKER_CERT_PATH
+ value: /certs/client
script: |
#!/usr/bin/env sh
# Run a Docker container.
@@ -28,8 +34,8 @@ spec:
# ...then run it!
docker run hello
volumeMounts:
- - mountPath: /var/run/
- name: dind-socket
+ - mountPath: /certs/client
+ name: dind-certs
sidecars:
- image: docker:dind
@@ -37,13 +43,19 @@ spec:
securityContext:
privileged: true
env:
- # This disables TLS for TCP connections between the sidecar and client step.
+ # Write generated certs to the path shared with the client.
- name: DOCKER_TLS_CERTDIR
- value: ''
+ value: /certs
volumeMounts:
- - mountPath: /var/run/
- name: dind-socket
+ - mountPath: /certs/client
+ name: dind-certs
+ # Wait for the dind daemon to generate the certs it will share with the
+ # client.
+ readinessProbe:
+ periodSeconds: 1
+ exec:
+ command: ['ls', '/certs/client/ca.pem']
volumes:
- - name: dind-socket
+ - name: dind-certs
emptyDir: {}
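Review bot: The comments on the new DOCKER_TLS_VERIFY and DOCKER_CERT_PATH entries ("# Verify TLS.", "# Use the certs generated by the sidecar daemon.") do not say what the client actually needs to find, which is the first thing a reader debugging a refused connection will want. The Docker CLI treats any non-empty DOCKER_TLS_VERIFY as "require TLS and verify the daemon's certificate" and expects ca.pem, cert.pem and key.pem under DOCKER_CERT_PATH, so suggest replacing the first comment with `# Require TLS and verify the daemon against ca.pem; the client also presents cert.pem/key.pem from DOCKER_CERT_PATH.` The client script body continues past the end of this hunk.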
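Review bot: The client step's new mount of dind-certs at /certs/client is read-write, although the client only reads ca.pem, cert.pem and key.pem from DOCKER_CERT_PATH. Adding `readOnly: true` under `name: dind-certs` in this volumeMount keeps the step from being able to replace or corrupt the CA copy and client key that the sidecar wrote into the shared emptyDir, which is the least-privilege shape for a consumer of generated credentials. The same mount on the sidecar side (third hunk) must stay writable, since that is where the daemon writes them.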
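Review bot: The readinessProbe only checks that /certs/client/ca.pem exists, but ca.pem is, as far as I recall the dind entrypoint, copied into the client directory before the client key and certificate are generated and before dockerd starts listening on 2376, so the sidecar can report ready while the client step still cannot connect. Probing the last artifact written, `command: ['ls', '/certs/client/key.pem']`, narrows that window; if step start here is gated on sidecar readiness, as the added comment implies, a probe that actually reaches the daemon would close it entirely. The comment on DOCKER_TLS_CERTDIR could also say why the certdir is /certs while only /certs/client is mounted: the CA and server private keys the entrypoint writes under the ca/ and server/ subdirectories then never enter the shared volume, e.g. `# Certs are written under /certs; only /certs/client is shared with the client step, so the CA and server keys stay inside the sidecar.`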