API changes to rotate swarm root CA#32993
API changes to rotate swarm root CA#32993aaronlehmann merged 3 commits intomoby:masterfrom cyli:root-rotation-cli
Conversation
daemon/cluster/convert/swarm.go
Outdated
There was a problem hiding this comment.
I'm sure there's a good reason, but why are there a different number of spaces before these?
There was a problem hiding this comment.
I was trying to right-align the text, since they appear next to the progress bars. Happy to left-align instead, though.
There was a problem hiding this comment.
Right now the output looks like this:
desired root digest: sha256:a594409c21f2339d4fa5a207549e500574d6a9872dcd040f4e63e461aa969302
nodes rotated TLS certificates: 1/1 done [==================================================>]
nodes rotated CA certificates: 1/1 done [==================================================>]
I have a slight preference for:
desired root digest: sha256:a594409c21f2339d4fa5a207549e500574d6a9872dcd040f4e63e461aa969302
nodes rotated TLS certificates: 1/1 done [==================================================>]
nodes rotated CA certificates: 1/1 done [==================================================>]
But this is not important
There was a problem hiding this comment.
I am indifferent, so happy to change it :)
There was a problem hiding this comment.
Updated, along with the asciinema recording
There was a problem hiding this comment.
Note streamformatter was refactored and this line will need to be updated.
There was a problem hiding this comment.
Thanks, I wouldn't have noticed that! :) Updated.
There was a problem hiding this comment.
Is it necessary to wait like this after the root rotation? For a service create or service update, a very common failure mode is that tasks briefly reach the Running state, but immediately fail due to a misconfiguration, or even something like specifying an entrypoint that doesn't exist in the image. Is there any equivalent with root rotation, or would this only cover a new root rotation starting right after the old one finishes?
There was a problem hiding this comment.
@aaronlehmann It was only to cover another root rotation - agree it's probably not necessary though.
There was a problem hiding this comment.
I would suggest removing this phase. It would simplify the code and be a little more user-friendly.
pkg/jsonmessage/jsonmessage.go
Outdated
There was a problem hiding this comment.
Looks like something done by the editor
There was a problem hiding this comment.
:( yeah it's picky. Sorry about that!
|
CI faliing: |
There was a problem hiding this comment.
The lazy initialization doesn't seem necessary. Normally I'd say to just define an updater outside the for loop. However, I'm not sure the abstraction is justified here. In service create/update, there are two implementations. Here, there is only one implementation, so it seems like it could just be a function call updateProgress or something.done should become a return value. As for initialized, you could just move those initial progress.Update calls to happen before the for loop in this function.
|
Design LGTM |
|
LGTM, still playing with it. |
|
I've split out the CLI code to docker/cli#48. |
|
|
@mlaventure Thank you - fixed. |
|
Also updated the api version history here. cc @thaJeztah if you wouldn't mind checking the docs here as well :) |
|
@cyli it looks like the cli revision is invalid now |
|
That was my branch, which I had to rebase to get merged and allow moby to switch back to the official repo. I've restored that revision. A simple rebuild should work. |
|
Thanks @aaronlehmann! |
in the Docker REST APIs when viewing or updating the swarm spec info, and also propagate the desired CA key in the Docker REST APIs when updating swarm spec info only (it is not available for viewing). Signed-off-by: Ying Li <ying.li@docker.com>
|
Rebased again. PTAL. |
Signed-off-by: Ying Li <ying.li@docker.com>
Signed-off-by: Ying Li <ying.li@docker.com>
|
LGTM |
|
Also pinging @cpuguy83 for review: since you reviewed the last API changes that included TLS info (sorry, no good deed goes unpunished :)) - this is the follow up that will trigger the root rotation that can make use of the TLS info. Alternately @vdemeester or @tiborvass or may or may not be familiar with the feature. |
|
Thanks @cpuguy83 and @aaronlehmann! :) |
This is stacked on top of #32875.Merged.This is the first stab the CLI command to actually rotate the root CA cert. I added a new one, because we want to optionally take a root certificate and key, and/or external CAs, but we also want the user to be able to tell swarm to generate one. So:
Sample progress bar here, copied styling from the synchronous service create progress bar: https://asciinema.org/a/dcpy5y2fcueb8fpmokxvf3vec
If the design looks good, I'll add a bunch more tests and update the docs. cc @aaronlehmann @aluzzardi @diogomonica
Note: I originally thought about just doing
docker swarm update --rotate-ca cert=/path/...,key=/path/...but I wasn't sure how to also do tell the CLI to just generate a cert and key - it'd probably have to look likedocker swarm update --rotate-ca ""which seems weird, hence the new command.Also a suggestion from @NathanMcCauley: if we have service identities, and those could be rotated, do we want to use the same command to view/rotate those as well?