From f3331515ea3277ba268a4ac1bbd77c0e7b25c17c Mon Sep 17 00:00:00 2001
From: yusing
Date: Wed, 7 Jan 2026 15:28:53 +0800
Subject: [PATCH] fix(docker): add TLS check; correct dial handling and reconnection for custom docker provider; modernize pointer arithemetic with unsafe.Add
---
 internal/docker/client.go | 22 ++++++++++++++++++++--
 internal/watcher/docker_watcher.go | 2 +-
 2 files changed, 21 insertions(+), 3 deletions(-)
diff --git a/internal/docker/client.go b/internal/docker/client.go
index 356f858d..3ad3e00d 100644
--- a/internal/docker/client.go
+++ b/internal/docker/client.go
@@ -6,6 +6,7 @@ import (
 "maps"
 "net"
 "net/http"
+ "net/url"
 "reflect"
 "sync"
 "sync/atomic"
@@ -170,9 +171,26 @@ func NewClient(cfg types.DockerProviderConfig, unique ...bool) (*SharedClient, e
 client.WithDialContext(helper.Dialer),
 }
 } else {
+ // connhelper.GetConnectionHelper already parsed the host without error
+ url, _ := url.Parse(host)
 opt = []client.Opt{
 client.WithHost(host),
 }
+ switch url.Scheme {
+ case "", "tls", "http", "https":
+ if (url.Scheme == "https" || url.Scheme == "tls") && cfg.TLS == nil {
+ return nil, fmt.Errorf("TLS config is not set when using %s:// host", url.Scheme)
+ }
+
+ dial = func(ctx context.Context) (net.Conn, error) {
+ var dialer net.Dialer
+ return dialer.DialContext(ctx, "tcp", url.Host)
+ }
+
+ opt = append(opt, client.WithDialContext(func(ctx context.Context, _, _ string) (net.Conn, error) {
+ return dial(ctx)
+ }))
+ }
 }
 }
 
@@ -213,7 +231,7 @@ func NewClient(cfg types.DockerProviderConfig, unique ...bool) (*SharedClient, e
 }
 
 func (c *SharedClient) GetHTTPClient() **http.Client {
- return (**http.Client)(unsafe.Pointer(uintptr(unsafe.Pointer(c.Client)) + clientClientOffset))
+ return (**http.Client)(unsafe.Add(unsafe.Pointer(c.Client), clientClientOffset))
 }
 
 func (c *SharedClient) InterceptHTTPClient(intercept httputils.InterceptFunc) {
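Review bot: In the NewClient hunk of internal/docker/client.go, `url, _ := url.Parse(host)` discards the parse error and shadows the `net/url` package for the rest of the block; if the assumption in the comment ever stops holding (connhelper.GetConnectionHelper is not visible here), the nil result makes `url.Scheme` panic. Prefer `u, err := url.Parse(host)` followed by `if err != nil { return nil, fmt.Errorf("parsing docker host %q: %w", host, err) }`, and read `u.Scheme` / `u.Host` below. The switch also has no default branch, so a host whose scheme is not in the list gets neither the TLS-config check nor the custom dialer; a one-line comment naming the schemes that are deliberately left to `client.WithHost` would make that explicit. The zero-value `net.Dialer` carries no Timeout, so each connection attempt is bounded only by the ctx the caller passes to `dial`. NewClient begins and ends outside this hunk.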
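Review bot: GetHTTPClient, and the matching line in the unotel hunk that uses `otelRtOffset`, still reach into another package's struct through a raw byte offset, and neither hunk documents where `clientClientOffset` comes from or what keeps it valid. A doc comment would help, for example `// GetHTTPClient returns the address of the *http.Client held inside c.Client, located by clientClientOffset; the offset must match the imported docker client's struct layout.` If the offsets are not already derived and type-checked via reflect at start-up (not visible here), a dependency upgrade that moves the field would turn this into a silent out-of-bounds read or write. A nil `c.Client` also yields a pointer whose value is `clientClientOffset` rather than nil, so callers cannot nil-check the result.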
@@ -280,6 +298,6 @@ func (c *SharedClient) unotel() {
 log.Debug().Str("host", c.DaemonHost()).Msgf("docker client transport is not an otelhttp.Transport: %T", httpClient.Transport)
 return
 }
- transport := *(*http.RoundTripper)(unsafe.Pointer(uintptr(unsafe.Pointer(otelTransport)) + otelRtOffset))
+ transport := *(*http.RoundTripper)(unsafe.Add(unsafe.Pointer(otelTransport), otelRtOffset))
 httpClient.Transport = transport
 }
diff --git a/internal/watcher/docker_watcher.go b/internal/watcher/docker_watcher.go
index af34d30f..9187d21c 100644
--- a/internal/watcher/docker_watcher.go
+++ b/internal/watcher/docker_watcher.go
@@ -159,7 +159,7 @@ func checkConnection(ctx context.Context, client *docker.SharedClient) bool {
 defer cancel()
 err := client.CheckConnection(ctx)
 if err != nil {
- log.Debug().Err(err).Msg("docker watcher: connection failed")
+ log.Debug().Err(err).Str("host", client.Address()).Msg("docker watcher: connection failed")
 return false
 }
 return true
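Review bot: The new `Str("host", client.Address())` field in checkConnection fills the `host` key from a different accessor than the `Str("host", c.DaemonHost())` debug log visible in unotel in internal/docker/client.go, so the same key may carry two formats. If `Address()` and `DaemonHost()` can differ (neither is defined in this diff), pick one for the `host` key so a log search for a given daemon matches both messages. If the address can embed user information, such as an ssh-style URL, log a redacted form instead. checkConnection's body starts and ends outside the hunk.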