
Add TLS-aware Docker context resolution in coast-docker#64

Draft
agustif wants to merge 2 commits into coast-guard:main from agustif:af/docker-context-tls

Conversation

@agustif (Contributor) commented Mar 12, 2026

Summary

Draft follow-up for #63.

This PR adds TLS-aware Docker context resolution inside coast-docker::host only.

Important review note

This branch currently includes the resolver base from #61 plus the TLS follow-up on top of it.

I’m opening it now for visibility because the implementation is ready, but the intended review/merge order is still:

  1. Respect active Docker contexts when resolving the host engine #61
  2. Fail coast run before it can persist invalid state #62
  3. this PR

If #61 lands first, this branch can be rebased down to the TLS-only delta.

What changed

  • extends the resolved endpoint model with optional TLS material
  • computes context TLS storage from Docker context metadata
  • supports both:
    • <TLSPath>/docker/{ca,cert,key}.pem
    • <TLSPath>/{ca,cert,key}.pem
  • transport selection for context-driven endpoints becomes:
    • unix:// / npipe:// -> socket path
    • tcp:// / http:// without TLS material -> HTTP
    • tcp:// / https:// with TLS material -> TLS
    • ssh:// -> explicit unsupported error in this slice
  • explicit env-driven DOCKER_HOST / DOCKER_TLS_VERIFY / DOCKER_CERT_PATH behavior is still delegated to Bollard defaults

Scope

This PR does not change daemon or CLI behavior beyond what already consumes the shared resolver. It keeps all TLS handling inside coast-docker::host.

Validation

  • cargo test -p coast-docker --lib
  • cargo test -p coast-cli doctor:: -- --nocapture

Out of scope

  • SSH Docker contexts
  • diagnostics polish for endpoint source / TLS reporting
  • unrelated coast-guard frontend/build issues

Refs: #63
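The transport selection and TLS-storage lookup described in the summary above, written out as an added example (not code from the coast-guard project or from this PR). The function names `find_tls_material` and `resolve_transport`, the `exists` callback that stands in for the filesystem so the example runs offline, and the choice to treat `https://` with no PEM files as an error are all assumptions of this example:

```rust
use std::path::{Path, PathBuf};

/// The three PEM files the resolver found for a Docker context.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct TlsMaterial {
    pub ca: PathBuf,
    pub cert: PathBuf,
    pub key: PathBuf,
}

/// Transport chosen for a context-driven endpoint.
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum Transport {
    /// Local socket: the path following `unix://` or `npipe://`.
    Socket(String),
    /// Plain HTTP to `host:port`.
    Http(String),
    /// HTTPS to `host:port`, authenticated with the context's PEM files.
    Tls { addr: String, material: TlsMaterial },
}

#[derive(Debug, PartialEq, Eq)]
pub enum ResolveError {
    UnsupportedScheme(String),
    MissingTlsMaterial(String),
    Malformed(String),
}

/// Look for `{ca,cert,key}.pem` under `<tls_path>/docker/` first and then
/// directly under `<tls_path>/`. `exists` abstracts the filesystem (assumption
/// of this example); a real resolver would pass `Path::exists`.
pub fn find_tls_material(tls_path: &Path, exists: &dyn Fn(&Path) -> bool) -> Option<TlsMaterial> {
    let candidates = [tls_path.join("docker"), tls_path.to_path_buf()];
    candidates.iter().find_map(|dir| {
        let ca = dir.join("ca.pem");
        let cert = dir.join("cert.pem");
        let key = dir.join("key.pem");
        // All three must be present; a partial set counts as no material.
        if exists(&ca) && exists(&cert) && exists(&key) {
            Some(TlsMaterial { ca, cert, key })
        } else {
            None
        }
    })
}

/// Pick a transport from the context host string and any TLS material found.
pub fn resolve_transport(host: &str, material: Option<TlsMaterial>) -> Result<Transport, ResolveError> {
    let (scheme, rest) = host
        .split_once("://")
        .ok_or_else(|| ResolveError::Malformed(host.to_string()))?;
    match scheme {
        "unix" | "npipe" => Ok(Transport::Socket(rest.to_string())),
        "http" => Ok(Transport::Http(rest.to_string())),
        // tcp:// is plain HTTP unless the context ships PEM files.
        "tcp" => Ok(match material {
            Some(m) => Transport::Tls { addr: rest.to_string(), material: m },
            None => Transport::Http(rest.to_string()),
        }),
        // https:// with no material cannot be honoured (example's own choice).
        "https" => material
            .map(|m| Transport::Tls { addr: rest.to_string(), material: m })
            .ok_or_else(|| ResolveError::MissingTlsMaterial(host.to_string())),
        // ssh:// is rejected explicitly in this slice.
        "ssh" => Err(ResolveError::UnsupportedScheme(host.to_string())),
        other => Err(ResolveError::UnsupportedScheme(other.to_string())),
    }
}
```

Keeping the lookup and the scheme switch as two pure functions makes the "silently downgraded to HTTP" case visible in tests: a `tcp://` endpoint whose PEM files are missing or incomplete resolves to `Transport::Http`, which is exactly the outcome a doctor-style diagnostic should surface rather than hide.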

Honor Docker's documented precedence by letting DOCKER_CONTEXT override DOCKER_HOST, treating DOCKER_CONTEXT=default as the default local engine selection, and only consulting currentContext when neither env var is set. Keep the shared resolver wiring limited to local/context socket discovery.

Refs: coast-guard#60

Co-authored-by: Codex <noreply@openai.com>

Extend `coast-docker::host` so context-driven Docker endpoints can resolve TLS transport from Docker context storage. Preserve explicit env-driven DOCKER_HOST / DOCKER_TLS_VERIFY / DOCKER_CERT_PATH behavior by continuing to defer that path to Bollard's env-aware defaults. Reject ssh:// contexts explicitly in this slice.

Refs: coast-guard#63

Co-authored-by: Codex <noreply@openai.com>
@agustif force-pushed the af/docker-context-tls branch from 0bef148 to 01cc46f on March 12, 2026 12:23
@jamiesunderland mentioned this pull request Mar 16, 2026