FEAT: Allow client side TLS for Docker hosts

[marekful]

Inlcude client side TLS certificate in HTTPS requests to Docker hosts when certificate files are locally available to Kuma for the given host.

• I have read and understand the pull request rules.

Description

Fixes #2353

Currently it's not possible to add a remote docker daemon that is secured with TLS because in this case the client needs to include the client side TLS certificate, issued by the docker host's CA, in every request.

This PR adds the ability to include client side certificate in HTTPS requests to docker hosts by looking for the certificate files at a specified location in the file system and including them in requests. Certificates for multiple docker hosts can be made available to Kuma as described below.

The base path where certificates are looked for can be set with the DOCKER_TLS_DIR_PATH environmental variable or defaults to data/docker-tls/.

If a directory in this path exists with a name matching the FQDN of the docker host (e.g. the FQDN of https://example.com:2376 is example.com so the directory data/docker-tls/example.com/ would be searched for certificate files), then ca.pem, key.pem and cert.pem files are loaded and included in the agent options. File names can also be overridden via DOCKER_TLS_FILE_NAME_(CA|KEY|CERT).

Type of change

Please delete any options that are not relevant.

• New feature (non-breaking change which adds functionality)
• This change requires a documentation update

Checklist

• My code follows the style guidelines of this project
• I ran ESLint and other linters for modified files
• I have performed a self-review of my own code and tested it
• I have commented my code, particularly in hard-to-understand areas
  (including JSDoc for methods)
• My changes generate no new warnings
• My code needed automated testing. I have added them (this is optional task)

Screen capture

Screen.Recording.2023-02-27.at.14.57.10.mp4

[chakflying]

IMO uploading the certificate in the UI (in the docker host config) would be better for usability.

[marekful]

IMO uploading the certificate in the UI (in the docker host config) would be better for usability.

I focused on achieving the goal in the simplest acceptable way which results in ~50 lines of code. Your suggestion is absolutely valid and could be a nice addition but that would require much more effort. Storing certificates in database, providing UI for managing certificates and assigning them to hosts, etc. - probably in the order of a few thousand lines.

Which is not to say I wouldn't be open to that, should this PR receive some attention...

[flikites]

Would love to see this merged.

[louislam]

Thanks for the pr.

Since data/ can be changed by the env var DATA_DIR, data/ cannot be hardcoded here.

But actually, in my opinion, these 4 env vars are not necessary, just hardcode:

• Database.dataDir + "docker-tls/"
• ca.pem
• cert.pem
• key.pem

Other sub-directories are created in this function.

uptime-kuma/server/database.js

Lines 93 to 108 in cdb38d4

	Database.path = Database.dataDir + "kuma.db";
	if (! fs.existsSync(Database.dataDir)) {
	fs.mkdirSync(Database.dataDir, { recursive: true });
	}
	Database.uploadDir = Database.dataDir + "upload/";
	if (! fs.existsSync(Database.uploadDir)) {
	fs.mkdirSync(Database.uploadDir, { recursive: true });
	}
	// Create screenshot dir
	Database.screenshotDir = Database.dataDir + "screenshots/";
	if (! fs.existsSync(Database.screenshotDir)) {
	fs.mkdirSync(Database.screenshotDir, { recursive: true });
	}

[louislam]

Unable to push, I merge this first.

! [remote rejected]   feat/docker-host-client-side-tls -> feat/docker-host-client-side-tls (permission denied)

[ghnp5]

Hey! Happy to know that this is possible, at least! But it would be awesome if we could just upload the files through the UI. It's not clear to new Uptime Kuma users that we need to setup the folder structure. This is my first day using Uptime Kuma, and I was already thinking that it wouldn't serve the purpose to me, if I couldn't connect to Docker servers using TLS !! :-)
Thanks!!

[CommanderStorm]

It's not clear to new Uptime Kuma users that we need to setup the folder structure.

Feel free to improve the wiki for this.
I think this already mentones tls => no action required