Connect to dind sidecar daemon using TLS

- share the path the daemon generates certs into with the client
- instruct the client to look for certs there, and to use them
- add a readinessProbe to wait for the certs to be generated

examples/taskruns/dind-sidecar.yaml

@@ -8,9 +8,15 @@ spec:
     - image: docker
       name: client
       env:
-      # Connect to the sidecar over TCP without TLS.
+      # Connect to the sidecar over TCP, with TLS.
       - name: DOCKER_HOST
-        value: tcp://localhost:2375
+        value: tcp://localhost:2376
+      # Verify TLS.
+      - name: DOCKER_TLS_VERIFY
+        value: '1'
+      # Use the certs generated by the sidecar daemon.
+      - name: DOCKER_CERT_PATH
+        value: /certs/client
       script: |
           #!/usr/bin/env sh
           # Run a Docker container.
@@ -28,22 +34,28 @@ spec:
           # ...then run it!
           docker run hello
       volumeMounts:
-      - mountPath: /var/run/
-        name: dind-socket
+      - mountPath: /certs/client
+        name: dind-certs
 
     sidecars:
     - image: docker:dind
       name: server
       securityContext:
         privileged: true
       env:
-      # This disables TLS for TCP connections between the sidecar and client step.
+      # Write generated certs to the path shared with the client.
       - name: DOCKER_TLS_CERTDIR
-        value: ''
+        value: /certs
       volumeMounts:
-      - mountPath: /var/run/
-        name: dind-socket
+      - mountPath: /certs/client
+        name: dind-certs
+      # Wait for the dind daemon to generate the certs it will share with the
+      # client.
+      readinessProbe:
+        periodSeconds: 1
+        exec:
+          command: ['ls', '/certs/client/ca.pem']
 
     volumes:
-    - name: dind-socket
+    - name: dind-certs
       emptyDir: {}