If REGISTRY_TLS_VERIFY is set, but GUNICORN_OPTS is not, serve TLS.

This is done by setting GUNICORN_OPTS to some default value, expecting the following files to be present: * /ssl/ca.crt * /ssl/registry.cert * /ssl/registry.key Signed-off-by: Tibor Vass <[email protected]>
docker-archive · Nov 10, 2014 · eef7d1c · eef7d1c
1 parent 1e4fca7
commit eef7d1c
Showing 1 changed file with 15 additions and 1 deletion.
diff --git a/docker_registry/run.py b/docker_registry/run.py
@@ -8,6 +8,7 @@
 import getpass
 import logging
 import os
+import ssl
 import sys
 
 from .server import env
@@ -84,7 +85,20 @@ def run_gunicorn():
         else:
             logger.warn('You asked we drop priviledges, but we are not root!')
 
-    args += env.source('GUNICORN_OPTS')
+    gunicorn_opts = env.source('GUNICORN_OPTS')
+    if not gunicorn_opts and env.source('REGISTRY_TLS_VERIFY'):
+        gunicorn_opts = ['--ssl-version', ssl.PROTOCOL_TLSv1]
+        for k, v in {
+            '--certfile': '/ssl/registry.cert',
+            '--keyfile': '/ssl/registry.key',
+            '--ca-certs': '/ssl/ca.crt'
+        }.iteritems():
+            if not os.path.isfile(v):
+                print("could not find %s" % (v))
+                sys.exit(1)
+            gunicorn_opts.append(k, v)
+
+    args += gunicorn_opts
     args.append('docker_registry.wsgi:application')
     # Stringify all args and call
     os.execl(*[str(v) for v in args])