Replace secrets with join tokens

Implement the proposal from
https://github.com/docker/docker/issues/24430#issuecomment-233100121

Removes acceptance policy and secret in favor of an automatically
generated join token that combines the secret, CA hash, and
manager/worker role into a single opaque string.

Adds a docker swarm join-token subcommand to inspect and rotate the
tokens.

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
Upstream-commit: 2cc5bd33eef038bf5721582e2410ba459bb656e9
Component: engine
Aaron Lehmann
2016-07-20 11:15:08 -07:00
parent 281fb0ce0f
commit b141a44de0
46 changed files with 451 additions and 893 deletions


@ -11,7 +11,7 @@ type Backend interface {
Join(req types.JoinRequest) error
Leave(force bool) error
Inspect() (types.Swarm, error)
Update(uint64, types.Spec) error
Update(uint64, types.Spec, types.UpdateFlags) error
GetServices(basictypes.ServiceListOptions) ([]types.Service, error)
GetService(string) (types.Service, error)
CreateService(types.ServiceSpec, string) (string, error)


@ -66,7 +66,15 @@ func (sr *swarmRouter) updateCluster(ctx context.Context, w http.ResponseWriter,
return fmt.Errorf("Invalid swarm version '%s': %s", rawVersion, err.Error())
}
if err := sr.backend.Update(version, swarm); err != nil {
var flags types.UpdateFlags
if r.URL.Query().Get("rotate_worker_token") == "true" {
flags.RotateWorkerToken = true
}
if r.URL.Query().Get("rotate_manager_token") == "true" {
flags.RotateManagerToken = true
}
if err := sr.backend.Update(version, swarm, flags); err != nil {
logrus.Errorf("Error configuring swarm: %v", err)
return err
}
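Review bot: The two rotation checks compare the query value with the exact string "true", so any other spelling (`1`, `True`, a typo) is silently treated as "do not rotate" and the request still succeeds. Rotation is what an operator reaches for after a join token leaks, so the handler should reject an unrecognised value rather than report success while the old token stays valid; the sketch below does that and parses the query once. Nothing in the visible lines records a successful rotation, so an info-level log entry naming which token was rotated (never its value) would help auditing. updateCluster starts before this hunk and may continue after it.

```go
// … unchanged: version parsing and its error return …
query := r.URL.Query()
rotate := func(name string) (bool, error) {
	switch v := query.Get(name); v {
	case "true":
		return true, nil
	case "", "false":
		return false, nil
	default:
		// Fail loudly so a mistyped flag is not mistaken for a completed rotation.
		return false, fmt.Errorf("Invalid value %q for %s", v, name)
	}
}

var flags types.UpdateFlags
rotateWorker, err := rotate("rotate_worker_token")
if err != nil {
	return err
}
rotateManager, err := rotate("rotate_manager_token")
if err != nil {
	return err
}
flags.RotateWorkerToken = rotateWorker
flags.RotateManagerToken = rotateManager
// … unchanged: sr.backend.Update(version, swarm, flags) and error logging …
```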