Preliminary support to have to run the API over TLS.

2020-09-10 18:00:37 +02:00 · 2020-09-10 18:00:37 +02:00 · 0c3ae6837c
parent bef809fbc4
commit 0c3ae6837c
4 changed files with 30 additions and 6 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -19,6 +19,16 @@ docker_user_home: /home/docker
 docker_defaults_file: /etc/default/docker
 docker_enable_tcp_socket: False
 docker_tcp_socket_port: 2375
+docker_tls_api: True
+docker_tls_native_tls: True
+# Set the following to the your ca and certificates path if native_tls is False
+docker_tls_ca: '/var/lib/docker/swarm/certificates/swarm-root-ca.crt'
+docker_tls_cert: '/var/lib/docker/swarm/certificates/swarm-node.crt'
+docker_tls_key: '/var/lib/docker/swarm/certificates/swarm-node.key'
+#
+docker_tls_verify_clients: True
+docker_enable_api_port: True
 docker_api_port: 2376
 docker_tcp_socket_host: 127.0.0.1
 docker_log_to_journal: True
+docker_daemon_debug: False
--- a/tasks/swarm_mgr.yml
+++ b/tasks/swarm_mgr.yml
@ -1,7 +1,7 @@
 ---
 - block:
  - debug:
-      msg: "Tasks that setup the Swarm Manager nodes"
+      msg: "Tasks that set up the Swarm Manager nodes"

  when: docker_swarm_manager | bool
  tags: [ 'docker', 'docker_swarm' ]
@ -31,7 +31,7 @@
  tags: [ 'docker', 'docker_swarm' ]

 - block:
-  - name: Add manager nodes to the docker swarm cluster
+  - name: Add some manager nodes to the docker swarm cluster
    docker_swarm:
      state: join
      advertise_addr: '{{ ansible_default_ipv4.address }}'
--- a/templates/daemon.json.j2
+++ b/templates/daemon.json.j2
@ -1,5 +1,19 @@
-{% if docker_log_to_journal %}
 {
-  "log-driver": "journald"
-}
+{% if docker_log_to_journal %}
+    "log-driver": "journald",
 {% endif %}
+{% if docker_tls_api %}
+    "tls": true,
+    "tlscacert": "{{ docker_tls_ca }}",
+    "tlscert": "{{ docker_tls_cert }}",
+    "tlskey": "{{ docker_tls_key }}",
+{% if docker_tls_verify_clients %}
+    "tlsverify": true,
+{% endif %}
+{% endif %}
+{% if docker_daemon_debug %}
+    "debug": true
+{% else %}
+    "debug": false
+{% endif %}
+}
--- a/templates/docker-systemd-override.conf.j2
+++ b/templates/docker-systemd-override.conf.j2
@ -4,4 +4,4 @@ ExecStart=
 ExecStart=/usr/bin/dockerd -H tcp://0.0.0.0:{{ docker_api_port }} -H fd:// --containerd=/run/containerd/containerd.sock
 {% else %}
 ExecStart=/usr/bin/dockerd {% if docker_enable_tcp_socket %} -H tcp://{{ docker_tcp_socket_host }}:{{ docker_tcp_socket_port }} {% endif %} -H fd:// --containerd=/run/containerd/containerd.sock
-{% endif %} 
+{% endif %}