If REGISTRY_TLS_VERIFY is set, but GUNICORN_OPTS is not, then serve via

a TLS endpoint instead of plain HTTP. This is done by setting GUNICORN_OPTS to some default value, expecting the following files to be present: * /ssl/ca.crt * /ssl/registry.cert * /ssl/registry.key Signed-off-by: Tibor Vass <teabee89@gmail.com>
docker-archive · Nov 10, 2014 · 8aa5c8d · 8aa5c8d
1 parent 1e4fca7
commit 8aa5c8d
Showing 1 changed file with 11 additions and 1 deletion.
diff --git a/docker_registry/run.py b/docker_registry/run.py
@@ -9,6 +9,7 @@
 import logging
 import os
 import sys
+import ssl
 
 from .server import env
 
@@ -84,7 +85,16 @@ def run_gunicorn():
         else:
             logger.warn('You asked we drop priviledges, but we are not root!')
 
-    args += env.source('GUNICORN_OPTS')
+    gunicorn_opts = env.source('GUNICORN_OPTS')
+    if not gunicorn_opts and env.source('REGISTRY_TLS_VERIFY'):
+        gunicorn_opts = ['--ssl-version', ssl.PROTOCOL_TLSv1]
+        for k, v in {'--certfile':'/ssl/registry.cert', '--keyfile':'/ssl/registry.key', '--ca-certs':'/ssl/ca.crt'}.iteritems():
+            if not os.path.isfile(v):
+                print("could not find %s" % (v))
+                sys.exit(1)
+            gunicorn_opts.append(k, v)
+
+    args += gunicorn_opts
     args.append('docker_registry.wsgi:application')
     # Stringify all args and call
     os.execl(*[str(v) for v in args])