FEAT: Allow client side TLS for Docker hosts #2852
Conversation
Inlcude TLS certificate in HTTPS requests when certificate files are locally available to Kuma for a host.
|
IMO uploading the certificate in the UI (in the docker host config) would be better for usability. |
I focused on achieving the goal in the simplest acceptable way which results in ~50 lines of code. Your suggestion is absolutely valid and could be a nice addition but that would require much more effort. Storing certificates in database, providing UI for managing certificates and assigning them to hosts, etc. - probably in the order of a few thousand lines. Which is not to say I wouldn't be open to that, should this PR receive some attention... |
|
Would love to see this merged. |
|
|
||
| class DockerHost { | ||
|
|
||
| static CertificateBasePath = process.env.DOCKER_TLS_DIR_PATH || "data/docker-tls/"; |
There was a problem hiding this comment.
Thanks for the pr.
Since data/ can be changed by the env var DATA_DIR, data/ cannot be hardcoded here.
But actually, in my opinion, these 4 env vars are not necessary, just hardcode:
- Database.dataDir + "docker-tls/"
- ca.pem
- cert.pem
- key.pem
Other sub-directories are created in this function.
uptime-kuma/server/database.js
Lines 93 to 108 in cdb38d4
|
Unable to push, I merge this first. |
|
Hey! Happy to know that this is possible, at least! But it would be awesome if we could just upload the files through the UI. It's not clear to new Uptime Kuma users that we need to setup the folder structure. This is my first day using Uptime Kuma, and I was already thinking that it wouldn't serve the purpose to me, if I couldn't connect to Docker servers using TLS !! :-) |
Feel free to improve the wiki for this. |
Added description of Docker host TLS configuration and certificate locations as detailed in louislam/uptime-kuma#2852
Inlcude client side TLS certificate in HTTPS requests to Docker hosts when certificate files are locally available to Kuma for the given host.
Description
Fixes #2353
Currently it's not possible to add a remote docker daemon that is secured with TLS because in this case the client needs to include the client side TLS certificate, issued by the docker host's CA, in every request.
This PR adds the ability to include client side certificate in HTTPS requests to docker hosts by looking for the certificate files at a specified location in the file system and including them in requests. Certificates for multiple docker hosts can be made available to Kuma as described below.
The base path where certificates are looked for can be set with the
DOCKER_TLS_DIR_PATHenvironmental variable or defaults todata/docker-tls/.If a directory in this path exists with a name matching the FQDN of the docker host (e.g. the FQDN of
https://example.com:2376isexample.comso the directorydata/docker-tls/example.com/would be searched for certificate files), thenca.pem,key.pemandcert.pemfiles are loaded and included in the agent options. File names can also be overridden viaDOCKER_TLS_FILE_NAME_(CA|KEY|CERT).Type of change
Please delete any options that are not relevant.
Checklist
(including JSDoc for methods)
Screen capture
Screen.Recording.2023-02-27.at.14.57.10.mp4