Add --ca-cert & --ca-key flags to swarm init #137
base: master
Conversation
Signed-off-by: Sunny Gogoi <me@darkowlzz.space>
circleci continues to load forever at Lint stage. Won't show what the issue is 🤷♀️
I see the issue in the output in 3 of 4:
1192b97 to b860f83
@dnephin thanks. I got this error earlier and fixed it but forgot to push the changed code 😅
Codecov Report

@@            Coverage Diff             @@
##           master     #137      +/-   ##
==========================================
+ Coverage   44.82%   44.85%   +0.02%
==========================================
  Files         169      169
  Lines      11360    11366       +6
==========================================
+ Hits        5092     5098       +6
+ Misses      5978     5976       -2
- Partials     290      292       +2
ping @cyli I don't think having
@aaronlehmann No, it doesn't - because in swarmkit, the I don't particularly see anything wrong for that (but I could be missing an edge case) - it'd be the same as initializing and then immediately rotating. If we wanted to avoid having the first node generate a cert/key at all, we're probably going to have to make more extensive changes in the swarmkit code.
Makes sense.
Immediately rotating doesn't seem crazy if we test it and it works. On the other hand, it might expose us to race conditions where joining nodes might see the old CA first.
Passing an optional CA cert and key into Node might make sense.
That's true, or they get a join token that will be immediately invalidated. Another possible option is that in the moby/moby logic, on init it waits until the rotation is done before returning successfully. While my preference is to get the daemon/swarmkit fixed up first before the CLI changes, they can technically happen in any order. If the CLI changes came first the daemon/swarmkit changes would be fixing any race condition that may crop up.
what's the status on this one?
…-19.03-2432af701a7973ea582196b4b9488831156f3458 [19.03] sync to upstream 19.03 2432af7
full diff: mitchellh/mapstructure@v1.0.0...v1.3.2

v1.3.2
- Decode into interface type with a struct value is supported [dockerGH-187]

v1.3.1
- Squash should only squash embedded structs. [dockerGH-194]

v1.3.0
- Added `",omitempty"` support. This will ignore zero values in the source structure when encoding. [dockerGH-145]

v1.2.3
- Fix duplicate entries in Keys list with pointer values. [dockerGH-185]

v1.2.2
- Do not add unsettable (unexported) values to the unused metadata key or "remain" value. [dockerGH-150]

v1.2.1
- Go modules checksum mismatch fix

v1.2.0
- Added support to capture unused values in a field using the `",remain"` value in the mapstructure tag. There is an example to showcase usage.
- Added `DecoderConfig` option to always squash embedded structs
- `json.Number` can decode into `uint` types
- Empty slices are preserved and not replaced with nil slices
- Fix panic that can occur when decoding a map into a nil slice of structs
- Improved package documentation for godoc

v1.1.2
- Fix error when decode hook decodes interface implementation into interface type. [dockerGH-140]

v1.1.1
- Fix panic that can happen in `decodePtr`

v1.1.0
- Added `StringToIPHookFunc` to convert `string` to `net.IP` and `net.IPNet` [dockerGH-133]
- Support struct to struct decoding [dockerGH-137]
- If source map value is nil, then destination map value is nil (instead of empty)
- If source slice value is nil, then destination slice value is nil (instead of empty)
- If source pointer is nil, then destination pointer is set to nil (instead of allocated zero value of type)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Add `--ca-cert` and `--ca-key` flags to `docker swarm init` and merge `rootCACert` and `rootCAKey` with the swarm spec, which is sent to the docker daemon.

Signed-off-by: Sunny Gogoi <me@darkowlzz.space>
Refer moby/moby#33385
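Added example, not code from docker/cli or from this PR: before a CLI merges operator-supplied CA material into a swarm spec, it is worth checking that the PEM files a `--ca-cert` / `--ca-key` pair points at actually form a usable root CA (a self-signed CA certificate, currently valid, with certSign usage, whose public key matches the private key). Passing a mismatched or non-CA pair to the daemon would otherwise surface only as a confusing failure at init or at the first certificate issuance. `LoadRootCA`, `parsePrivateKey`, `CAMaterial` and `NewSelfSignedCA` are hypothetical names chosen for this example; `NewSelfSignedCA` generates constructed throwaway material so the program runs offline.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CAMaterial is the parsed root CA pair a CLI would merge into the swarm spec
// (hypothetical type; not part of docker/cli).
type CAMaterial struct {
	Cert *x509.Certificate
	Key  crypto.Signer
}

// LoadRootCA parses the PEM bytes read from --ca-cert and --ca-key and rejects
// anything that is not a self-signed, currently valid CA with a matching key.
func LoadRootCA(certPEM, keyPEM []byte) (*CAMaterial, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("ca-cert: no CERTIFICATE PEM block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, fmt.Errorf("ca-cert: %w", err)
	}
	if !cert.BasicConstraintsValid || !cert.IsCA {
		return nil, errors.New("ca-cert: certificate is not a CA (basic constraints)")
	}
	if cert.KeyUsage&x509.KeyUsageCertSign == 0 {
		return nil, errors.New("ca-cert: certificate lacks certSign key usage")
	}
	if now := time.Now(); now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return nil, errors.New("ca-cert: certificate is outside its validity period")
	}
	// A root must verify against itself; CheckSignatureFrom also enforces CA constraints.
	if err := cert.CheckSignatureFrom(cert); err != nil {
		return nil, fmt.Errorf("ca-cert: not self-signed: %w", err)
	}
	kblock, _ := pem.Decode(keyPEM)
	if kblock == nil {
		return nil, errors.New("ca-key: no PEM block found")
	}
	key, err := parsePrivateKey(kblock)
	if err != nil {
		return nil, fmt.Errorf("ca-key: %w", err)
	}
	// The private key must correspond to the certificate's public key.
	pub, ok := key.Public().(interface{ Equal(crypto.PublicKey) bool })
	if !ok || !pub.Equal(cert.PublicKey) {
		return nil, errors.New("ca-key: private key does not match ca-cert public key")
	}
	return &CAMaterial{Cert: cert, Key: key}, nil
}

// parsePrivateKey accepts the common PEM encodings for EC, RSA and PKCS#8 keys.
func parsePrivateKey(block *pem.Block) (crypto.Signer, error) {
	switch block.Type {
	case "EC PRIVATE KEY":
		return x509.ParseECPrivateKey(block.Bytes)
	case "RSA PRIVATE KEY":
		return x509.ParsePKCS1PrivateKey(block.Bytes)
	case "PRIVATE KEY":
		k, err := x509.ParsePKCS8PrivateKey(block.Bytes)
		if err != nil {
			return nil, err
		}
		if s, ok := k.(crypto.Signer); ok {
			return s, nil
		}
		return nil, errors.New("unsupported key type in PKCS#8 block")
	}
	return nil, fmt.Errorf("unsupported PEM block type %q", block.Type)
}

// NewSelfSignedCA builds constructed sample input: a throwaway P-256 root.
// isCA=false yields a leaf-style certificate to exercise the rejection path.
func NewSelfSignedCA(isCA bool) (certPEM, keyPEM []byte, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example swarm root CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(priv)
	if err != nil {
		return nil, nil, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	return certPEM, keyPEM, nil
}

func main() {
	certPEM, keyPEM, err := NewSelfSignedCA(true)
	if err != nil {
		panic(err)
	}
	ca, err := LoadRootCA(certPEM, keyPEM)
	if err != nil {
		panic(err)
	}
	fmt.Printf("accepted root CA %q (%T)\n", ca.Cert.Subject.CommonName, ca.Key)
	if _, err := LoadRootCA(certPEM, []byte("not a key")); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

The checks run entirely client-side, so they add nothing to the daemon's trust decisions; they only fail fast on operator mistakes (wrong file, leaf instead of root, key from a different CA) before a swarm is initialized with material that cannot sign node certificates.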