Replace secrets, node acceptance, and CA hash with join tokens

Implement the swarmkit parts of the flow described in moby/moby#24430. Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
moby · Jul 19, 2016 · 26dda2a · 26dda2a
1 parent 60115ea
commit 26dda2a
Show file tree

Hide file tree

Showing 30 changed files with 1,280 additions and 964 deletions.
diff --git a/agent/agent_test.go b/agent/agent_test.go
@@ -58,7 +58,7 @@ func TestAgent(t *testing.T) {
 }
 
 func TestAgentStartStop(t *testing.T) {
-	tc := testutils.NewTestCA(t, testutils.AcceptancePolicy(true, true, ""))
+	tc := testutils.NewTestCA(t)
 	defer tc.Stop()
 
 	agentSecurityConfig, err := tc.NewNodeConfig(ca.AgentRole)
@@ -137,7 +137,7 @@ func TestHandleSessionMessage(t *testing.T) {
 
 func agentTestEnv(t *testing.T) (*Agent, func()) {
 	var cleanup []func()
-	tc := testutils.NewTestCA(t, testutils.AcceptancePolicy(true, true, ""))
+	tc := testutils.NewTestCA(t)
 	cleanup = append(cleanup, func() { tc.Stop() })
 
 	agentSecurityConfig, err := tc.NewNodeConfig(ca.AgentRole)

diff --git a/agent/node.go b/agent/node.go
@@ -46,8 +46,8 @@ type NodeConfig struct {
 	// CAHash to be used on the first certificate request.
 	CAHash string
 
-	// Secret to be used on the first certificate request.
-	Secret string
+	// JoinToken is the token to be used on the first certificate request.
+	JoinToken string
 
 	// ExternalCAs is a list of CAs to which a manager node
 	// will make certificate signing requests for node certificates.
@@ -220,7 +220,7 @@ func (n *Node) run(ctx context.Context) (err error) {
 	}()
 
 	certDir := filepath.Join(n.config.StateDir, "certificates")
-	securityConfig, err := ca.LoadOrCreateSecurityConfig(ctx, certDir, n.config.CAHash, n.config.Secret, csrRole, picker.NewPicker(n.remotes), issueResponseChan)
+	securityConfig, err := ca.LoadOrCreateSecurityConfig(ctx, certDir, n.config.JoinToken, csrRole, picker.NewPicker(n.remotes), issueResponseChan)
 	if err != nil {
 		return err
 	}

diff --git a/api/ca.pb.go b/api/ca.pb.go
diff --git a/api/ca.proto b/api/ca.proto
@@ -34,8 +34,12 @@ message NodeCertificateStatusResponse {
 }
 
 message IssueNodeCertificateRequest {
-	NodeRole role = 1;
+	// DEPRECATED: Role is now selected based on which secret is matched.
+	NodeRole role = 1 [deprecated=true];
+
+	// CSR is the certificate signing request.
 	bytes csr = 2 [(gogoproto.customname) = "CSR"];
+
 	// Secret represents a user-provided string that is necessary for new
 	// nodes to join the cluster
 	string secret = 3;