Propagate the provided external CA certificate to the external CA object in swarm #1178

Merged
merged 1 commit into from
Jul 9, 2018

@cyli cyli commented Jul 3, 2018

Also, fix some CLI command confusions:

  1. If the --external-ca flag is provided, require a --ca-cert flag as well, otherwise
    the external CA is set but the CA certificate is actually rotated to an internal
    cert
  2. If a --ca-cert flag is provided, require a --ca-key or --external-ca flag be
    provided as well, otherwise either the server will say that the request is
    invalid, or if there was previously an external CA corresponding to the cert, it
    will succeed. While that works, it's better to require the user to explicitly
    set all the parameters of the new desired root CA.

This also changes the swarm update function to set the external CA's CACert field,
which while not strictly necessary, makes the CA list more explicit.

As pointed out in moby/swarmkit#2680, the CA cert is not propagated correctly making it impossible to rotate the CA certificate to an external CA using the CLI.

This also fixes some other confusing ways the CLI worked previously.

Signed-off-by: Ying Li <ying.li@docker.com>
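
The two flag rules and the certificate propagation from the description above, as an added Go example that is not the PR's own code. `RotateOpts`, `ExternalCA`, `BuildExternalCAs` and the sample URL are hypothetical names chosen for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// ExternalCA and RotateOpts are hypothetical stand-ins, not the CLI's types.
type ExternalCA struct {
	URL    string
	CACert string // PEM of the root this signer issues under
}

type RotateOpts struct {
	CACert      string   // --ca-cert contents ("" when the flag is absent)
	CAKey       string   // --ca-key contents
	ExternalCAs []string // one URL per --external-ca flag
}

// BuildExternalCAs applies the two flag rules from the PR description, then
// copies the supplied root certificate onto every external CA entry.
func BuildExternalCAs(o RotateOpts) ([]ExternalCA, error) {
	hasExt := len(o.ExternalCAs) > 0
	// Rule 1: --external-ca alone would set the signer while the root is
	// rotated to an internally generated certificate.
	if hasExt && o.CACert == "" {
		return nil, errors.New("--external-ca requires --ca-cert")
	}
	// Rule 2: a new root needs an explicit signer: local key or external CA.
	if o.CACert != "" && o.CAKey == "" && !hasExt {
		return nil, errors.New("--ca-cert requires --ca-key or --external-ca")
	}
	cas := make([]ExternalCA, 0, len(o.ExternalCAs))
	for _, u := range o.ExternalCAs {
		cas = append(cas, ExternalCA{URL: u, CACert: o.CACert})
	}
	return cas, nil
}

func main() {
	// Constructed sample values; the PEM body is a placeholder, not a real cert.
	cert := "-----BEGIN CERTIFICATE-----\n(placeholder)\n-----END CERTIFICATE-----\n"
	ext := []string{"https://ca.example.test/sign"}
	for _, o := range []RotateOpts{{ExternalCAs: ext}, {CACert: cert}, {CACert: cert, ExternalCAs: ext}} {
		cas, err := BuildExternalCAs(o)
		fmt.Printf("external CAs=%d err=%v\n", len(cas), err)
	}
}
```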

@thaJeztah thaJeztah left a comment

LGTM

@thaJeztah

ping @vdemeester @silvin-lubecki @justincormack PTAL!

@vdemeester vdemeester left a comment

LGTM 🐯
