toolshed/docker-cli
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Redact the swarm's spec's signing CA cert when getting swarm info, because

Browse Source 
otherwise if the user gets the info from the API, makes a non-CA related change,
then updates, swarm will interpret this as the user trying to remove the signing
key from the swarm.  We are redacting due to usability reasons, not because
the signing cert is secret.  The signing KEY is secret, hence it's redacted.

Signed-off-by: Ying Li <ying.li@docker.com>
(cherry picked from commit bdfbd22afbbf16a07f0316656c6c17453df3e0f7)
Signed-off-by: Tibor Vass <tibor@docker.com>
This commit is contained in:
Ying Li
2017-06-15 18:11:14 -07:00
committed by Tibor Vass
parent 073d80bc46
commit bb23c93d28
2 changed files with 9 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
components/engine/daemon/cluster/convert/swarm.go
View File

@ -31,9 +31,10 @@ func SwarmFromGRPC(c swarmapi.Cluster) types.Swarm {
AutoLockManagers: c.Spec.EncryptionConfig.AutoLockManagers,
},
CAConfig: types.CAConfig{
// do not include the signing CA key (it should already be redacted via the swarm APIs)
SigningCACert: string(c.Spec.CAConfig.SigningCACert),
ForceRotate: c.Spec.CAConfig.ForceRotate,
// do not include the signing CA cert or key (it should already be redacted via the swarm APIs) -
// the key because it's secret, and the cert because otherwise doing a get + update on the spec
// can cause issues because the key would be missing and the cert wouldn't
ForceRotate: c.Spec.CAConfig.ForceRotate,
},
},
TLSInfo: types.TLSInfo{

9
components/engine/integration-cli/docker_api_swarm_test.go
View File

@ -966,20 +966,21 @@ func (s *DockerSwarmSuite) TestSwarmRepeatedRootRotation(c *check.C) {
for j := 0; j < 18; j++ {
info, err := m.SwarmInfo()
c.Assert(err, checker.IsNil)
c.Assert(info.Cluster.Spec.CAConfig.SigningCACert, checker.Equals, expectedCert)
// the desired CA key is always redacted
// the desired CA cert and key is always redacted
c.Assert(info.Cluster.Spec.CAConfig.SigningCAKey, checker.Equals, "")
c.Assert(info.Cluster.Spec.CAConfig.SigningCACert, checker.Equals, "")
clusterTLSInfo = info.Cluster.TLSInfo
if !info.Cluster.RootRotationInProgress {
// if root rotation is done and the trust root has changed, we don't have to poll anymore
if !info.Cluster.RootRotationInProgress && clusterTLSInfo.TrustRoot != currentTrustRoot {
break
}
// root rotation not done
time.Sleep(250 * time.Millisecond)
}
c.Assert(clusterTLSInfo.TrustRoot, checker.Not(checker.Equals), currentTrustRoot)
if cert != nil {
c.Assert(clusterTLSInfo.TrustRoot, checker.Equals, expectedCert)
}