[18.06] Propagate the provided external CA certificate to the external CA object in swarm #1199

Merged


thaJeztah
Member

cherry-pick of #1178 for 18.06

cherry-pick was clean; no conflicts

Also, fix some CLI command confusions:

  1. If the --external-ca flag is provided, require a --ca-cert flag as well, otherwise
    the external CA is set but the CA certificate is actually rotated to an internal
    cert
  2. If a --ca-cert flag is provided, require a --ca-key or --external-ca flag be
    provided as well, otherwise either the server will say that the request is
    invalid, or if there was previously an external CA corresponding to the cert, it
    will succeed. While that works, it's better to require the user to explicitly
    set all the parameters of the new desired root CA.

This also changes the swarm update function to set the external CA's CACert field,
which while not strictly necessary, makes the CA list more explicit.

Signed-off-by: Ying Li <ying.li@docker.com>
(cherry picked from commit 4243440)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

@thaJeztah thaJeztah added this to the 18.06.0 milestone Jul 9, 2018
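
The two flag rules and the CACert propagation from the description above, as an added example that is not code from this pull request or from the Docker CLI. The type names, the function name and the signing URL are hypothetical, and filling only entries that have no certificate of their own is this example's assumption.

```go
package main

import (
	"errors"
	"fmt"
)

// ExternalCA and CARotateOptions are hypothetical stand-ins for this example,
// not the Docker CLI's or API's own types.
type ExternalCA struct {
	URL    string
	CACert string // PEM of the root CA this signing endpoint is tied to
}

type CARotateOptions struct {
	CACertPEM   string       // value of --ca-cert
	CAKeyPEM    string       // value of --ca-key
	ExternalCAs []ExternalCA // parsed --external-ca entries
}

// ValidateAndPropagate enforces the two flag rules, then copies the supplied
// root certificate onto each external CA entry that has none (assumption:
// entries that already carry a certificate are left alone).
func ValidateAndPropagate(o CARotateOptions) ([]ExternalCA, error) {
	// Rule 1: without --ca-cert the root would be rotated to an internal cert.
	if len(o.ExternalCAs) > 0 && o.CACertPEM == "" {
		return nil, errors.New("--external-ca requires --ca-cert")
	}
	// Rule 2: a new root cert needs an explicit signer (key or external CA).
	if o.CACertPEM != "" && o.CAKeyPEM == "" && len(o.ExternalCAs) == 0 {
		return nil, errors.New("--ca-cert requires --ca-key or --external-ca")
	}
	out := make([]ExternalCA, len(o.ExternalCAs))
	for i, ca := range o.ExternalCAs { // ca is a copy; the input is not mutated
		if ca.CACert == "" {
			ca.CACert = o.CACertPEM
		}
		out[i] = ca
	}
	return out, nil
}

func main() {
	cert := "-----BEGIN CERTIFICATE-----\n(constructed placeholder)\n-----END CERTIFICATE-----\n"
	signer := []ExternalCA{{URL: "https://ca.example.internal/sign"}}
	_, err := ValidateAndPropagate(CARotateOptions{ExternalCAs: signer})
	fmt.Println("external CA only:", err)
	cas, err := ValidateAndPropagate(CARotateOptions{CACertPEM: cert, ExternalCAs: signer})
	fmt.Println("cert + external CA:", err, cas[0].CACert == cert)
}
```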
@thaJeztah
Member Author

ping @cyli @vdemeester PTAL

Contributor

@silvin-lubecki silvin-lubecki left a comment


LGTM

Contributor

@cyli cyli left a comment


LGTM! Thanks!

Collaborator

@vdemeester vdemeester left a comment


LGTM 🐸

@thaJeztah
Member Author

looks ready to go; merging

@thaJeztah thaJeztah merged commit 1d5e206 into docker:18.06 Jul 10, 2018
@thaJeztah thaJeztah deleted the 18.06-backport-fix-swarm-ca-command branch July 10, 2018 08:47