Suport Docker TLS endpoint with client certificate authentication #370
Comments
|
👍 I agree, it makes a lot of sense to support client certificate authentication. The implementation is not that difficult, I guess. I suggest the following changes:
What do you think? Would you like to contribute and create a pull request? Otherwise, I can probably take a look into it at the end of next week, but I need at least someone to test it. |
|
Sounds reasonable! I'd like to give it a try and create a PR following the suggestion you made. I'm not sure how fast I can provide the complete PR but I think as I am the only who depends on it right now there's no reason to hurry 😅 I already had a look at your contribution guide, I'll try to stick to it as good as I can 😊 |
|
Sorry to bother you but I think there are some details worthwhile to discuss: First I have to add a dependency to Second: reading PEM files in .NET is way more cumbersome than I expected. It's better in .NET 5 but for now I thought it might be okay to assume the certs are RSA based because it's the default for You might have seen the WIP PR, probably you would like to give me some early feedback what you think so that I'm able to clean up and align everything according to your structure? It's not urgent I just thought this might be easier and less stressful than a huge review afterwards. |
|
I haven't seen your comment - sorry.
Ofc.
The .NET Client for Docker Remote API suggest to use a .pfx file (PKCS12 format), see Example: HTTPS Authentication to Docker. This should make the pem file obsolete.
Shouldn't be necessary with .pfx, right?
Sure, I pushed some suggestions to your fork. |
|
😄 sure they suggest to use I'm wondering if it's not easier to rather accept a This would even allow most users to use the included convenience wrappers from .NET 5 and to keep this library on .NET Standard 2.1? |
|
That's complicated, somehow 😅. I think I need to set up a small example to get a better understanding of which parts are supported and which not.
It's not part of Standard 2.1?
If we keep the flow from
Sounds good. |
No they are not 😕 .NET has this nice convenience method: var certPem = File.ReadAllText("cert.pem");
var eccPem = File.ReadAllText("ecc.pem");
var cert = X509Certificate2.CreateFromPem(certPem, eccPem);but .NET Standard 2.1 does not. All I can do is either accept a X502Certificate2 for authentication or a directory that contains all required files. |
Yep, I double checked it. Not available in Standard 2.1.
Sounds good. Let me know if I can help. |
|
Hi! We have a new project using dotnet-testcontainers. I'm familiar with the Java Testcontainers from previous jobs and love it, so I was hoping to use it here as well. Our docker host is in AWS and secured by TLS client auth, so to use dotnet-testcontainers we need TLS working. Note that our project uses .NET Framework 4.8. It doesn't look like there's been any activity here for a while. As far as pem/pfx is concerned, it's trivial to convert cert.pem and key.pem to a pfx file using the openssl command line, and it's even documented in the Docker.DotNet documentation. We are more than happy to use it this way. If there hasn't been any progress on this, we may be able to take the time to implement it ourselves and submit a PR. But I wanted to check first to see if anyone else is close to finishing. |
|
Hi @tyrel I'm sorry to say that I had to postpone my project where I intended to use this PR and therefore stopped working on it. Feel free to 'recycle' as much of the original code as you like but I don't think I'll have much time to work on this in the near future. At least not to provide the complete implementation. I'd happy to help with feedback or probably smaller PRs though. |
|
@tyrel as @baez90 mentioned PR #372 covers already a lot of the requirement, but it is not finished yet. I have not the infrastructure or use case to develop and test it further. Anyway - I think it is an important feature and I would be happy too, to support as much as I can. I'm pretty sure we can use a lot of @baez90 work. Personally, I prefer smaller increments to keep the scope of the PR cleaner. It makes the review much easier. Maybe we can collect necessary tasks and organize the work a bit?
What do you think? |
|
One thing that comes to my mind looking at the old PR is that it was actually quite hard to keep track of:
I think it might be rather import to conform about which and how these TLS related settings should be done before starting to extend the API. As soon this is settled the tasks @HofmeisterAn already mentioned are for sure accurate. Regarding testing: I did the integration testing on GitLab with DinD but shouldn't be that hard to integrate DinD with TLS enabled also e.g. in Github actions? |
|
Thanks for your responses @baez90 and @HofmeisterAn! I will discuss this with my team and work out how much of this we have bandwidth for. At a minimum we just need to specify a PFX file that can be used for TLS client authentication. We'll look at our options for the server certificate validation as well. |
|
@baez90 DinD is a nice idea. I'll try to setup an example for Azure Pipelines. |
|
We can use This (setup the test environment) can be done straight in .NET Testcontainers using xUnit fixtures. I can prepare it in the next days. Shouldn't be much code. |
…ckerEndpointAuthenticationConfiguration'
{Add Docker endpoint auth config.}
…ckerEndpointAuthenticationConfiguration'
{Add Docker endpoint auth config.}
|
aed5679 ( You can use this method to do the TLS or any other kind of authentication. Upcoming tasks:
|
…ntainersSettings'
{Add the public API attribute to the configuration namespace.}
…nticationProvider'
{Prepare the authentication provider for different configurations.}
…kerEndpointAuthenticationProvider'
{Add Docker endpoint auth provider.}
…ceReaper'
{Use Docker endpoint authentication configuration.}
…ceReaper'
{Use Docker endpoint authentication configuration.}
…(TLS) Co-authored-by: Andre Hofmeister <[email protected]>
…(TLS) Co-authored-by: Andre Hofmeister <[email protected]>
Co-authored-by: Andre Hofmeister <[email protected]>
Is your feature request related to a problem? Please describe.
GitLab CI allows to use Docker-in-Docker (DinD) to execute various Docker related tasks.
The DinD configuration within the public GitLab CI enforces the usage of TLS to connect to the Docker daemon which is apparently not supported by dotnet-testconainers.
Describe the solution you'd like
It would be nice to either have the option to further configure the
DockerClientConfiguratione.g. with a Lambda like it's quite common with ASP.NET Core to be able to set e.g. credentials or to expose aWithDockerEnvEndpointmethod that takes the common environment variables:DOCKER_HOSTDOCKER_TLS_VERIFYDOCKER_TLS_CERTDIR/DOCKER_CERT_PATHinto account and configures the Docker client accordingly.
Describe alternatives you've considered
Setting the
DockerEndpointto something likehttps://docker:2376allows to connect to the API via TLS already but I couldn't manage to use the client certs to authorize myself.There are probably other options e.g. with a nginx proxy between the client and the API but I don't consider them actually very practical.
It would also be sufficient to be able to pass in a pre-configured Docker client or register a pre-configured client previously.
Additional context
The GitLab CI docs might also be interesting for further details, paths, etc.
Of course I'd be glad to create a PR to implement the required changes as soon as you confirmed that this request is valid and the design how to implement it is settled!
The text was updated successfully, but these errors were encountered: