Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Propagate the provided external CA certificate to the external CA object in swarm #1178

Merged
merged 1 commit into from
Jul 9, 2018
Merged

Propagate the provided external CA certificate to the external CA object in swarm #1178

merged 1 commit into from
Jul 9, 2018

Conversation

cyli
Copy link
Contributor

@cyli cyli commented Jul 3, 2018
edited
Loading

Also, fix some CLI command confusions:

  1. If the --external-ca flag is provided, require a --ca-cert flag as well, otherwise
    the external CA is set but the CA certificate is actually rotated to an internal
    cert
  2. If a --ca-cert flag is provided, require a --ca-key or --external-ca flag be
    provided as well, otherwise either the server will say that the request is
    invalid, or if there was previously an external CA corresponding to the cert, it
    will succeed. While that works, it's better to require the user to explicitly
    set all the parameters of the new desired root CA.

This also changes the swarm update function to set the external CA's CACert field,
which while not strictly necessary, makes the CA list more explicit.

As pointed out in moby/swarmkit#2680, the CA cert is not propagated correctly making it impossible to rotate the CA certificate to an external CA using the CLI.

This also fixes some other confusing ways the CLI worked previously.

@cyli
Propagate the provided external CA certificate to the external CA object
4243440 
in swarm.

Also, fix some CLI command confusions:
1. If the --external-ca flag is provided, require a --ca-cert flag as well, otherwise
   the external CA is set but the CA certificate is actually rotated to an internal
   cert
2. If a --ca-cert flag is provided, require a --ca-key or --external-ca flag be
   provided as well, otherwise either the server will say that the request is
   invalid, or if there was previously an external CA corresponding to the cert, it
   will succeed.  While that works, it's better to require the user to explicitly
   set all the parameters of the new desired root CA.

This also changes the `swarm update` function to set the external CA's CACert field,
which while not strictly necessary, makes the CA list more explicit.

Signed-off-by: Ying Li <ying.li@docker.com>
thaJeztah
thaJeztah approved these changes Jul 3, 2018
View reviewed changes
Copy link
Member

@thaJeztah thaJeztah left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@thaJeztah
Copy link
Member

ping @vdemeester @silvin-lubecki @justincormack PTAL!

vdemeester
vdemeester approved these changes Jul 9, 2018
View reviewed changes
Copy link
Collaborator

@vdemeester vdemeester left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 🐯

@thaJeztah thaJeztah merged commit c8b9c21 into docker:master Jul 9, 2018
@GordonTheTurtle GordonTheTurtle added this to the 18.07.0 milestone Jul 9, 2018
@thaJeztah thaJeztah mentioned this pull request Jul 9, 2018
Merged
@cyli cyli deleted the fix-swarm-ca-command branch July 10, 2018 00:46
This was referenced Jul 12, 2018
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@thaJeztah thaJeztah thaJeztah approved these changes

@vdemeester vdemeester vdemeester approved these changes

Assignees
No one assigned
Labels
area/swarm status/2-code-review
Projects
None yet
Milestone
18.09.0
Development

Successfully merging this pull request may close these issues.
4 participants
@cyli @thaJeztah @vdemeester @GordonTheTurtle