Propagate TLS Info in swarm info and node info REST endpoints#32875
Propagate TLS Info in swarm info and node info REST endpoints#32875thaJeztah merged 1 commit intomoby:masterfrom cyli:root-ca-info-in-api
Conversation
|
Can we hide the |
|
@aaronlehmann @cyli I'm fine with not adding it to the output of @cyli to see if a rotation is in progress, maybe we could add something to |
|
@diogomonica It seems more useful on Can totally hide it with a flag or only display if a root rotation was in progress, though. @diogomonica Yes, I can add the boolean to |
|
@cyli totally fine with just showing that column if there is a rotation currently in progress. I assume that the json output of the |
|
@diogomonica The JSON output shows the current CA cert trusted by the node, and the base64-encoded raw public key and raw subject of the issuer. Example in YAML format: https://github.com/moby/moby/pull/32875/files#diff-6822c0fe0233dff6af0bbadb1300458cR1756 |
|
Updated: here are some sample outputs (this is in the case of no root rotation, since we can't enable root rotation yet) |
|
Design LGTM. pinging @thaJeztah for a sanity check on the design, particularly showing the |
|
LGTM |
cli/command/formatter/node.go
Outdated
There was a problem hiding this comment.
I was thinking to show it in docker node ls, so if the root rotation is hanging, we can see which node(s) may be problematic and not able to renew. (#32993 is the root rotation CLI changes)
There was a problem hiding this comment.
Should we have a more generic ERROR column for that? (thinking out loud)
There was a problem hiding this comment.
Possibly - I'm not sure what other errors we should include, though. There's already an availability column, and likely the ones that are failing to renew are the down or unavailable ones, but it's possible that they went down after renewing.
The other option is to not include the TLS status here, but to include a list of nodes that need certificate renewals in the CLI in #32993 - I was just worried this list would be too long if the user had like 1000 nodes, and providing it in node ls allows the user to look at only the ones that need renewal.
There was a problem hiding this comment.
(heh, didn't read the entire discussion above, and see the same point came up above)
|
Ok, I overlooked that it's only shown in design LGTM |
|
I really don't like a conditional column. It makes scripting really difficult. |
|
Updated: No more conditional column, even if a root rotation is in progress. |
|
I hate to bikeshed, but IMHO it's unfortunate that a user can't see which nodes are holding up the root rotation without passing a magic incantation to |
|
@aaronlehmann How frequently do you think this would be used? It's also not clear exactly how one would disable the column with We can also always add it if people start asking for it, but we can't really take it away. |
|
@cpuguy83 The TLS status info is only useful some of the time, but it would only be displayed during those times that it's useful (when a root rotation is in progress). You'd only need to exclude it if you really didn't want to see the TLS status even if a root rotation is going - otherwise it wouldn't appear. Alternately, maybe we should provide a filter to filter by nodes whose TLS status is not "Ready", and we can display the info in the filtered view? If there are nodes holding up the root rotation, it may be useful to see only the nodes that are holding things up, and not the nodes that are in good shape. |
|
Also I assume this should be split into 2 PRs now |
|
Hm... I think the filtering change would have to come in swarmkit because we'd have to tell whether the TLS status matches the desired cluster TLS status. @cpuguy83 Is the concern that the user would see TLS status information during status information during a root rotation, but not want to see it? |
|
Ok, have removed the CLI bits and put them in docker/cli#44. Does the API design look ok? If so, if this could be merged, would love to get #32993 in for 17.06 :) |
|
Sorry to keep bothering folks :) Tests are all green - is this ok to merge or are there more API issues to address? |
daemon/cluster/convert/swarm.go
Outdated
There was a problem hiding this comment.
Please check the error value. It's not necessary to expose it, but I think we should avoid relying on the contents of issuerInfo if the function returns an error.
|
Noted one thing, otherwise this looks fine. @thaJeztah: Does this PR need to go through docs-review? |
|
Looking now 👍 |
|
Swagger output looks good to me;
Can you;
After docker/cli#44 is merged, we should update some example outputs for
|
objects into the REST API responses. In the CLI, display only whether the nodes' TLS info matches the cluster's TLS info, or whether the node needs cert rotation. Signed-off-by: Ying Li <ying.li@docker.com>
|
@thaJeztah Updated and also opened #33148 in preparation for the CLI PR to be merged :) Thanks |
|
I see @aaronlehmann's comment was addressed as well; all green, so I'll go ahead and merge 👍 |
|
@thaJeztah Thanks!! |
Propagate the swarm cluster and node TLS info provided by the swarm
objects into the REST API responses. In the CLI, display only
whether the nodes' TLS info matches the cluster's TLS info, or
whether the node needs cert rotation.
Signed-off-by: Ying Li ying.li@docker.com
This is useful to see whether a root rotation is in progress, and which nodes have yet to have their certs rotated.
cc @diogomonica @aaronlehmann
If there is no TLS info for a node, for instance if it's an old node,
docker node inspectlooks something like:But will have the TLS info if it's been reported back on a newer node.
docker node lswill look something like:If the TLS certificate is signed by the current root. If it isn't, it'd way "Needs Rotation"