Merge pull request #1189 from aaronlehmann/join-tokens

Replace secrets, node acceptance, and CA hash with join tokens
moby · Jul 20, 2016 · d74b236 · d74b236
2 parents eacedad + dd9a504
commit d74b236
Show file tree

Hide file tree

Showing 40 changed files with 1,380 additions and 1,886 deletions.
diff --git a/Godeps/Godeps.json b/Godeps/Godeps.json
diff --git a/agent/agent_test.go b/agent/agent_test.go
@@ -58,7 +58,7 @@ func TestAgent(t *testing.T) {
 }
 
 func TestAgentStartStop(t *testing.T) {
-	tc := testutils.NewTestCA(t, testutils.AcceptancePolicy(true, true, ""))
+	tc := testutils.NewTestCA(t)
 	defer tc.Stop()
 
 	agentSecurityConfig, err := tc.NewNodeConfig(ca.AgentRole)
@@ -137,7 +137,7 @@ func TestHandleSessionMessage(t *testing.T) {
 
 func agentTestEnv(t *testing.T) (*Agent, func()) {
 	var cleanup []func()
-	tc := testutils.NewTestCA(t, testutils.AcceptancePolicy(true, true, ""))
+	tc := testutils.NewTestCA(t)
 	cleanup = append(cleanup, func() { tc.Stop() })
 
 	agentSecurityConfig, err := tc.NewNodeConfig(ca.AgentRole)

diff --git a/agent/node.go b/agent/node.go
@@ -43,11 +43,8 @@ type NodeConfig struct {
 	// remote managers and certificates.
 	StateDir string
 
-	// CAHash to be used on the first certificate request.
-	CAHash string
-
-	// Secret to be used on the first certificate request.
-	Secret string
+	// JoinToken is the token to be used on the first certificate request.
+	JoinToken string
 
 	// ExternalCAs is a list of CAs to which a manager node
 	// will make certificate signing requests for node certificates.
@@ -73,9 +70,6 @@ type NodeConfig struct {
 	// HeartbeatTick defines the amount of ticks between each
 	// heartbeat sent to other members for health-check purposes
 	HeartbeatTick uint32
-
-	// todo: temporary to bypass promotion not working yet
-	IsManager bool
 }
 
 // Node implements the primary node functionality for a member of a swarm
@@ -193,11 +187,6 @@ func (n *Node) run(ctx context.Context) (err error) {
 		}
 	}
 
-	csrRole := n.role
-	if n.config.IsManager { // todo: temporary
-		csrRole = ca.ManagerRole
-	}
-
 	// Obtain new certs and setup TLS certificates renewal for this node:
 	// - We call LoadOrCreateSecurityConfig which blocks until a valid certificate has been issued
 	// - We retrieve the nodeID from LoadOrCreateSecurityConfig through the info channel. This allows
@@ -220,7 +209,7 @@ func (n *Node) run(ctx context.Context) (err error) {
 	}()
 
 	certDir := filepath.Join(n.config.StateDir, "certificates")
-	securityConfig, err := ca.LoadOrCreateSecurityConfig(ctx, certDir, n.config.CAHash, n.config.Secret, csrRole, picker.NewPicker(n.remotes), issueResponseChan)
+	securityConfig, err := ca.LoadOrCreateSecurityConfig(ctx, certDir, n.config.JoinToken, ca.ManagerRole, picker.NewPicker(n.remotes), issueResponseChan)
 	if err != nil {
 		return err
 	}

diff --git a/api/ca.pb.go b/api/ca.pb.go
diff --git a/api/ca.proto b/api/ca.proto
@@ -34,11 +34,15 @@ message NodeCertificateStatusResponse {
 }
 
 message IssueNodeCertificateRequest {
-	NodeRole role = 1;
+	// DEPRECATED: Role is now selected based on which secret is matched.
+	NodeRole role = 1 [deprecated=true];
+
+	// CSR is the certificate signing request.
 	bytes csr = 2 [(gogoproto.customname) = "CSR"];
-	// Secret represents a user-provided string that is necessary for new
+
+	// Token represents a user-provided string that is necessary for new
 	// nodes to join the cluster
-	string secret = 3;
+	string token = 3;
 }
 
 message IssueNodeCertificateResponse {