We have a set of services where one of the containers makes docker client calls back to the docker engine to do various things (start a short-lived container, do some management, whatever).
This works fine unless we have TLS enabled on the docker engine instance.
From the container, it looks easy to generate a client key when the container starts up (though I really don't want to have to install openssl on this container…). But it looks like the server-side key needs to have the IP addresses of the clients in advance, when it is created.
This is a bit of a chicken-and-egg problem because we won't know the IP of the container until it starts.
Is there a way around this? Perhaps a second docker-engine port that only listens on the internal docker network?
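Added example, not from the original post: in the daemon's `--tlsverify` setup only the *server* certificate carries addresses (the DNS names and IPs clients put in `-H` / `DOCKER_HOST` as subjectAltNames); a *client* certificate is accepted because the daemon's CA signed it and it carries the `clientAuth` extended key usage, never because of the address the connection arrives from. The Go program below mints the three certificates the way the Docker docs' openssl walkthrough does (CA, daemon cert with SANs, address-less client cert), then runs a `dockerd --tlsverify` lookalike on a loopback port and connects to it like the CLI would, so you can see which side rejects what. Everything is in-memory and offline; the name `docker-engine.internal`, the `172.17.0.1` docker0 gateway address, the CN `worker-container`, and the loopback listener standing in for the real daemon are assumptions for the example, not anything from the question or from Docker's own code.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"io"
	"math/big"
	"net"
	"time"
)

// keyPair is an in-memory stand-in for the PEM files passed as --tlscacert/--tlscert/--tlskey.
type keyPair struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// issue signs tmpl with parent, or self-signs it when parent is nil.
func issue(tmpl *x509.Certificate, parent *keyPair) (*keyPair, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	if tmpl.SerialNumber, err = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)); err != nil {
		return nil, err
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour) // skew margin
	if parent == nil {
		parent = &keyPair{cert: tmpl, key: key} // self-signed
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.cert, &key.PublicKey, parent.key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &keyPair{cert: cert, key: key}, err
}

// NewCA creates the self-signed authority that both the daemon and its clients trust.
func NewCA(name string) (*keyPair, error) {
	return issue(&x509.Certificate{
		Subject:               pkix.Name{CommonName: name},
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil)
}

// NewServerCert is the daemon's cert, the only one that needs addresses: every name or IP a
// client dials via -H / DOCKER_HOST must be a SAN here, or the client rejects the daemon.
func NewServerCert(ca *keyPair, dnsNames []string, ips []net.IP) (*keyPair, error) {
	return issue(&x509.Certificate{
		Subject:     pkix.Name{CommonName: "docker-engine"},
		DNSNames:    dnsNames,
		IPAddresses: ips,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca)
}

// NewClientCert has no address in it: the daemon authenticates a client by the CA signature
// and the clientAuth EKU, never by where the connection comes from.
func NewClientCert(ca *keyPair, name string) (*keyPair, error) {
	return issue(&x509.Certificate{
		Subject:     pkix.Name{CommonName: name},
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, ca)
}

// MutualTLSHandshake runs a dockerd --tlsverify lookalike on a loopback port and dials it the
// way the CLI does with --tlsverify. The daemon side answers with the client CN it authenticated,
// so the result is that CN, or the error from whichever side rejected its peer.
func MutualTLSHandshake(ca, server, client *keyPair, serverName string) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(ca.cert)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{server.cert.Raw}, PrivateKey: server.key}},
		ClientAuth:   tls.RequireAndVerifyClientCert, // what --tlsverify means on the daemon
		ClientCAs:    pool,
	})
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go func() { // daemon side: accept one connection and reply with who the client is
		if conn, err := ln.Accept(); err == nil {
			defer conn.Close()
			if tc := conn.(*tls.Conn); tc.Handshake() == nil {
				io.WriteString(tc, tc.ConnectionState().PeerCertificates[0].Subject.CommonName)
			}
		}
	}()
	cfg := &tls.Config{RootCAs: pool, ServerName: serverName} // container side; nil client = no cert
	if client != nil {
		cfg.Certificates = []tls.Certificate{{Certificate: [][]byte{client.cert.Raw}, PrivateKey: client.key}}
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cfg)
	if err != nil {
		return "", err // client refused the daemon's cert (name not in SANs, unknown CA, ...)
	}
	defer conn.Close()
	reply, err := io.ReadAll(conn) // a daemon-side rejection of the client cert surfaces here
	return string(reply), err
}
```

Mapping this onto the real setup: the daemon runs with `dockerd --tlsverify --tlscacert=ca.pem --tlscert=server-cert.pem --tlskey=server-key.pem -H tcp://0.0.0.0:2376`, where `server-cert.pem` lists the bridge-gateway IP (or a DNS name the container can resolve) as a SAN; the container only needs `ca.pem`, a CA-signed `cert.pem` with `extendedKeyUsage = clientAuth`, and its `key.pem` mounted in, plus `DOCKER_HOST=tcp://<daemon addr>:2376`, `DOCKER_TLS_VERIFY=1` and `DOCKER_CERT_PATH` pointing at that directory. No openssl is required inside the container, because the client certificate does not depend on anything the container learns at start-up; it can be minted ahead of time (or by a small Go program like the one above, if you do want per-container identities) and injected as a secret. Binding a second daemon port to the internal network changes nothing about the certificates: whatever address the container dials still has to appear in the daemon cert's SANs, and the client cert still needs no address at all.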