Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[ca/node] Maybe update the root CA when renewing the TLS cert #2238

Merged
merged 1 commit into from
Jun 12, 2017
Merged

[ca/node] Maybe update the root CA when renewing the TLS cert #2238

merged 1 commit into from
Jun 12, 2017

Conversation

cyli
Copy link
Contributor

@cyli cyli commented Jun 10, 2017

When renewing the TLS certificate, if we get an x509.UnknownAuthorityError,
try to update the root CA such that it validates against the old TLS creds
before renewing again.

This can help with edge cases where a manager might have been demoted, and
thus not be able to push the latest root certificate to its agent, but
the node needs to renew the TLS cert to get one for the worker role (but
root rotation has already finished, and hence any certificate it gets will
no longer have the intermediate and won't validate).

Signed-off-by: Ying Li ying.li@docker.com

Still needs test. The ideal scenario @aaronlehmann and I discussed was to separate the Root CA used to sign new certs from the root CA the node itself uses to validate incoming connections and external servers, but that may be a bigger change.

This functionality may still be useful, however, to account for edge cases.

@cyli cyli mentioned this pull request Jun 12, 2017
Closed
40 tasks
@aaronlehmann
Copy link
Collaborator

This isn't compiling yet but the concept looks sound.

@cyli cyli force-pushed the download-ca-when-requesting branch 2 times, most recently from 520262f to ecf9b7f Compare June 12, 2017 21:38
@codecov
Copy link

codecov bot commented Jun 12, 2017
edited
Loading

Codecov Report

Merging #2238 into master will decrease coverage by 0.04%.
The diff coverage is 78.78%.

@@            Coverage Diff             @@
##           master    #2238      +/-   ##
==========================================
- Coverage   60.27%   60.22%   -0.05%     
==========================================
  Files         124      124              
  Lines       20220    20212       -8     
==========================================
- Hits        12187    12173      -14     
- Misses       6675     6677       +2     
- Partials     1358     1362       +4

@cyli cyli changed the title WIP: [ca/node] Maybe update the root CA when renewing the TLS cert [ca/node] Maybe update the root CA when renewing the TLS cert Jun 12, 2017
@cyli
When renewing the TLS certificate, if we get an x509.UnknownAuthority…
7492f2a 
…Error,

try to update the root CA such that it validates against the old TLS creds
before renewing again.

This can help with edge cases where a manager might have been demoted, and
thus not be able to push the latest root certificate to its agent, but
the node needs to renew the TLS cert to get one for the worker role (but
root rotation has already finished, and hence any certificate it gets will
no longer have the intermediate and won't validate).

Signed-off-by: Ying Li <ying.li@docker.com>
@cyli cyli force-pushed the download-ca-when-requesting branch from ecf9b7f to 7492f2a Compare June 12, 2017 22:01
@cyli cyli mentioned this pull request Jun 12, 2017
Closed
@cyli
Copy link
Contributor Author

cyli commented Jun 12, 2017

Ok, test written and CI passing, ready for another look.

diogomonica
diogomonica approved these changes Jun 12, 2017
View reviewed changes
Copy link
Contributor

@diogomonica diogomonica left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@aaronlehmann
Copy link
Collaborator

LGTM

@aaronlehmann aaronlehmann merged commit ad6d216 into moby:master Jun 12, 2017
@cyli cyli deleted the download-ca-when-requesting branch June 12, 2017 23:10
@andrewhsu andrewhsu mentioned this pull request Jun 13, 2017
Merged
@cyli cyli mentioned this pull request May 22, 2018
Open
silvin-lubecki pushed a commit to silvin-lubecki/docker-ce that referenced this pull request Feb 3, 2020
@andrewhsu
revendor github.com/docker/swarmkit to 6083c76
cd38044 
To get the changes:
* moby/swarmkit#2234
* moby/swarmkit#2237
* moby/swarmkit#2238

Signed-off-by: Andrew Hsu <andrewhsu@docker.com>
silvin-lubecki pushed a commit to silvin-lubecki/engine-extract that referenced this pull request Feb 3, 2020
@andrewhsu @silvin-lubecki
revendor github.com/docker/swarmkit to 6083c76
58471c2 
To get the changes:
* moby/swarmkit#2234
* moby/swarmkit#2237
* moby/swarmkit#2238

Signed-off-by: Andrew Hsu <andrewhsu@docker.com>
silvin-lubecki pushed a commit to silvin-lubecki/engine-extract that referenced this pull request Mar 10, 2020
@andrewhsu @silvin-lubecki
revendor github.com/docker/swarmkit to 6083c76
83aa94f 
To get the changes:
* moby/swarmkit#2234
* moby/swarmkit#2237
* moby/swarmkit#2238

Signed-off-by: Andrew Hsu <andrewhsu@docker.com>
silvin-lubecki pushed a commit to silvin-lubecki/engine-extract that referenced this pull request Mar 23, 2020
@andrewhsu @silvin-lubecki
revendor github.com/docker/swarmkit to 6083c76
dcbaad5 
To get the changes:
* moby/swarmkit#2234
* moby/swarmkit#2237
* moby/swarmkit#2238

Signed-off-by: Andrew Hsu <andrewhsu@docker.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@diogomonica diogomonica diogomonica approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@cyli @aaronlehmann @diogomonica