refactor: replace go-connections tls config with stdlib

drop docker/go-connections dependency
use crypto/tls config
ignore unused options and keep default ciphers and tls version

docker/watcher.go

@@ -22,17 +22,20 @@ package docker
 
 import (
  "context"
+ "crypto/tls"
+ "crypto/x509"
  "errors"
+ "fmt"
  "io"
  "net/http"
+ "os"
  "sync"
  "time"
 
  "github.com/docker/docker/api/types"
  "github.com/docker/docker/api/types/container"
  "github.com/docker/docker/api/types/events"
  "github.com/docker/docker/api/types/filters"
- "github.com/docker/go-connections/tlsconfig"
 
  "github.com/elastic/elastic-agent-autodiscover/bus"
  "github.com/elastic/elastic-agent-libs/logp"
@@ -121,23 +124,37 @@ type Client interface {
 type WatcherConstructor func(logp *logp.Logger, host string, tls *TLSConfig, storeShortID bool) (Watcher, error)
 
 // NewWatcher returns a watcher running for the given settings
-func NewWatcher(log *logp.Logger, host string, tls *TLSConfig, storeShortID bool) (Watcher, error) {
+func NewWatcher(log *logp.Logger, host string, cfg *TLSConfig, storeShortID bool) (Watcher, error) {
  var httpClient *http.Client
- if tls != nil {
- options := tlsconfig.Options{
- CAFile: tls.CA,
- CertFile: tls.Certificate,
- KeyFile: tls.Key,
+ if cfg != nil {
+ tlsConfig := &tls.Config{
+ // Prefer TLS1.2 as the client minimum
+ MinVersion: tls.VersionTLS12,
+ CipherSuites: []uint16{
+ tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+ tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+ tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+ tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+ },
+ }
+
+ if cfg.CA != "" {
+ CAs, err := certPool(cfg.CA)
+ if err != nil {
+ return nil, err
+ }
+ tlsConfig.RootCAs = CAs
  }
 
- tlsc, err := tlsconfig.Client(options)
+ tlsCerts, err := getCert(cfg.Certificate, cfg.Key)
  if err != nil {
  return nil, err
  }
+ tlsConfig.Certificates = tlsCerts
 
  httpClient = &http.Client{
  Transport: &http.Transport{
- TLSClientConfig: tlsc,
+ TLSClientConfig: tlsConfig,
  },
  }
  }
@@ -157,6 +174,44 @@ func NewWatcher(log *logp.Logger, host string, tls *TLSConfig, storeShortID bool
  return NewWatcherWithClient(log, client, 60*time.Second, storeShortID)
 }
 
+func certPool(caFile string) (*x509.CertPool, error) {
+ certPool, err := x509.SystemCertPool()
+ if err != nil {
+ return nil, fmt.Errorf("failed to read system certificates: %v", err)
+ }
+ pem, err := os.ReadFile(caFile)
+ if err != nil {
+ return nil, fmt.Errorf("could not read CA certificate %q: %v", caFile, err)
+ }
+ if !certPool.AppendCertsFromPEM(pem) {
+ return nil, fmt.Errorf("failed to append certificates from PEM file: %q", caFile)
+ }
+ return certPool, nil
+}
+
+func getCert(certFile string, keyFile string) ([]tls.Certificate, error) {
+ if certFile == "" && keyFile == "" {
+ return nil, nil
+ }
+
+ cert, err := os.ReadFile(certFile)
+ if err != nil {
+ return nil, fmt.Errorf("could not read certFile %q: %w", certFile, err)
+ }
+
+ prKeyBytes, err := os.ReadFile(keyFile)
+ if err != nil {
+ return nil, fmt.Errorf("could not read keyFile %q: %w", keyFile, err)
+ }
+
+ tlsCert, err := tls.X509KeyPair(cert, prKeyBytes)
+ if err != nil {
+ return nil, fmt.Errorf("could not create keyPair: %w", err)
+ }
+
+ return []tls.Certificate{tlsCert}, nil
+}
+
 // NewWatcherWithClient creates a new Watcher from a given Docker client
 func NewWatcherWithClient(log *logp.Logger, client Client, cleanupTimeout time.Duration, storeShortID bool) (Watcher, error) {
  ctx, cancel := context.WithCancel(context.Background())

go.mod

@@ -4,7 +4,6 @@ go 1.21
 
 require (
  github.com/docker/docker v26.1.5+incompatible
- github.com/docker/go-connections v0.4.0
  github.com/elastic/elastic-agent-libs v0.3.3
  github.com/magefile/mage v1.13.0
  github.com/stretchr/testify v1.9.0
@@ -20,6 +19,7 @@ require (
  github.com/cyphar/filepath-securejoin v0.2.4 // indirect
  github.com/davecgh/go-spew v1.1.1 // indirect
  github.com/distribution/reference v0.6.0 // indirect
+ github.com/docker/go-connections v0.4.0 // indirect
  github.com/docker/go-units v0.4.0 // indirect
  github.com/emicklei/go-restful/v3 v3.11.0 // indirect
  github.com/evanphx/json-patch v4.12.0+incompatible // indirect