{"id":13437464,"url":"https://github.com/kekru/docker-remote-api-tls","last_synced_at":"2025-03-19T06:31:14.679Z","repository":{"id":45364066,"uuid":"71391441","full_name":"kekru/docker-remote-api-tls","owner":"kekru","description":"Docker Image that forwards to the Docker API Socket and requires TLS Client authentication","archived":false,"fork":false,"pushed_at":"2024-10-19T20:35:17.000Z","size":127,"stargazers_count":76,"open_issues_count":3,"forks_count":25,"subscribers_count":5,"default_branch":"master","last_synced_at":"2024-10-27T21:51:41.562Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"https://hub.docker.com/r/kekru/docker-remote-api-tls","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/kekru.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2016-10-19T19:19:56.000Z","updated_at":"2024-10-19T20:22:56.000Z","dependencies_parsed_at":"2024-11-03T14:03:56.267Z","dependency_job_id":null,"html_url":"https://github.com/kekru/docker-remote-api-tls","commit_stats":null,"previous_names":[],"tags_count":5,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kekru%2Fdocker-remote-api-tls","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kekru%2Fdocker-remote-api-tls/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kekru%2Fdocker-remote-api-tls/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kekru%2Fdocker-remote-api-tls/manifests","owner_url":"htt
ps://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/kekru","download_url":"https://codeload.github.com/kekru/docker-remote-api-tls/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":244371067,"owners_count":20442332,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-07-31T03:00:57.358Z","updated_at":"2025-03-19T06:31:14.673Z","avatar_url":"https://github.com/kekru.png","language":"Java","funding_links":[],"categories":["HarmonyOS","Java"],"sub_categories":["Windows Manager"],"readme":"# Docker Remote API with TLS client authentication via container\n\nThis image lets you publish your Docker Remote API through a container.\nA client must authenticate with a TLS client certificate.\nThis is an alternative to [configuring TLS on Docker directly](https://gist.github.com/kekru/974e40bb1cd4b947a53cca5ba4b0bbe5).\n\n[![dockeri.co](https://dockerico.blankenship.io/image/kekru/docker-remote-api-tls)](https://hub.docker.com/r/kekru/docker-remote-api-tls)\n\n## Remote Api with external CA, certificates and key\n\nFirst you need a CA, plus certificates and keys for your Docker server and the client.\n\nCreate them as shown in [Protect the Docker daemon socket](https://docs.docker.com/engine/security/https/).\nOr create the files with the script [create-certs.sh](https://github.com/kekru/linux-utils/blob/master/cert-generate/create-certs.sh). 
Read [Create certificate files](https://gist.github.com/kekru/974e40bb1cd4b947a53cca5ba4b0bbe5#create-certificate-files) for information on how to use the script.\n\nCopy the following files into a directory. The directory will be mounted in the container.\n\n```bash\nca-cert.pem\nserver-cert.pem\nserver-key.pem\n```\n\nThe files `cert.pem` and `key.pem` are the certificate and key for the client. The client will also need the `ca-cert.pem`.\n\nCreate a docker-compose.yml file:\n\n```yml\nversion: \"3.4\"\nservices:\n  remote-api:\n    image: kekru/docker-remote-api-tls:v0.5.0\n    ports:\n     - 2376:443\n    volumes:\n     - \u003clocal cert dir\u003e:/data/certs:ro\n     - /var/run/docker.sock:/var/run/docker.sock:ro\n```\n\nNow run the container with `docker-compose up -d` or `docker stack deploy --compose-file=docker-compose.yml remoteapi`.\nYour Docker Remote API is available on port 2376 via https. The client needs to authenticate via `cert.pem` and `key.pem`.\n\n## Remote Api with auto generating CA, certificates and keys\n\nThe docker-remote-api image can generate the CA, certificates and keys for you automatically.\nCreate a docker-compose.yml file, specifying a password and the hostname on which the Remote API will be accessible later on. The hostname will be written to the server's certificate.\n\n```yml\nversion: \"3.4\"\nservices:\n  remote-api:\n    image: kekru/docker-remote-api-tls:v0.5.0\n    ports:\n     - 2376:443\n    environment:\n     - CREATE_CERTS_WITH_PW=supersecret\n     - CERT_HOSTNAME=remote-api.example.com\n    volumes:\n     - \u003clocal cert dir\u003e:/data/certs\n     - /var/run/docker.sock:/var/run/docker.sock:ro\n```\n\nNow run the container with `docker-compose up -d` or `docker stack deploy --compose-file=docker-compose.yml remoteapi`.\nCertificates will be created in `\u003clocal cert dir\u003e`.\nYou will find the client certs in `\u003clocal cert dir\u003e/client/`. 
The files are `ca.pem`, `cert.pem` and `key.pem`.\n\n## Environment variables\n\n#### `CREATE_CERTS_WITH_PW`\nPassphrase to encrypt the certificate.\n\n#### `CERTS_PASSWORD_FILE`\nThe certificate passphrase will be read from this Docker secret. The absolute path of the secret file has to be provided, i.e. `CERTS_PASSWORD_FILE=/run/secrets/\u003csecret_name\u003e`.\n\nIf both passphrase and secret file are set, the secret file takes precedence.\n\n#### `CERT_EXPIRATION_DAYS`\nCertificate expiration for server and client certs in days. If not set, the default value 365 is applied.\n\n#### `CA_EXPIRATION_DAYS`\nCertificate expiration for CA in days. If not set, the default value 900 is applied.\n\n#### `CERT_HOSTNAME`\nDomain name of the Docker server.  \nIf you don't have a DNS name, you can use [nip.io](https://nip.io) to get a name for any IP.  \n\n## Setup client\n\nSee [Run commands on remote Docker host](https://gist.github.com/kekru/4e6d49b4290a4eebc7b597c07eaf61f2) for instructions on how to set up a client to communicate with the Remote API.\n\nYou can also reuse [dockerRemote](./dockerRemote) and set the url and path in it to your correct values.  
\nThen just run `./dockerRemote ps` to call `ps` against your remote api.\n\n## Quick test\n\nTo test this repo quickly, clone this repo, then run\n\n```bash\n# Start remote-api locally\ndocker-compose up -d\n# Run ps over remote api (use GitBash when you are on Windows)\n./dockerRemote ps\n```\n\n## Changelog\n\n#### v0.2.0\n\nFirst stable release  \nThanks [@smiller171](https://github.com/smiller171) for contributing!\n\n#### v0.3.0\n\n+ update nginx version\n+ add configuration for cert expiration\n+ add configuration to use swarm secret as password for cert generation\n+ add automatic tests\n\nThanks [@benkorichard](https://github.com/benkorichard) for contributing!\n\n#### v0.4.0\n\n+ update nginx version to 1.20.2\n\n#### v0.5.0\n\n+ update nginx version to 1.26.2\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkekru%2Fdocker-remote-api-tls","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkekru%2Fdocker-remote-api-tls","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkekru%2Fdocker-remote-api-tls/lists"}