Synchronous CLI command for root CA rotation

[cyli]

Provide command line tool to view and rotate swarm's currently CA root certificate.

Signed-off-by: Ying Li ying.li@docker.com

This code was originally in moby/moby#32993.

root@ubuntu:~#  docker swarm ca
-----BEGIN CERTIFICATE-----
MIIBazCCARCgAwIBAgIUJPzo67QC7g8Ebg2ansjkZ8CbmaswCgYIKoZIzj0EAwIw
EzERMA8GA1UEAxMIc3dhcm0tY2EwHhcNMTcwNTAzMTcxMDAwWhcNMzcwNDI4MTcx
MDAwWjATMREwDwYDVQQDEwhzd2FybS1jYTBZMBMGByqGSM49AgEGCCqGSM49AwEH
A0IABKL6/C0sihYEb935wVPRA8MqzPLn3jzou0OJRXHsCLcVExigrMdgmLCC+Va4
+sJ+SLVO1eQbvLHH8uuDdF/QOU6jQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMB
Af8EBTADAQH/MB0GA1UdDgQWBBSfUy5bjUnBAx/B0GkOBKp91XvxzjAKBggqhkjO
PQQDAgNJADBGAiEAnbvh0puOS5R/qvy1PMHY1iksYKh2acsGLtL/jAIvO4ACIQCi
lIwQqLkJ48SQqCjG1DBTSBsHmMSRT+6mE2My+Z3GKA==
-----END CERTIFICATE-----

root@ubuntu:~# docker swarm ca --help

Usage:	docker swarm ca [OPTIONS]

Manage root CA

Options:
      --ca-cert pem-file          Path to the PEM-formatted root CA certificate to use for the new cluster
      --ca-key pem-file           Path to the PEM-formatted root CA key to use for the new cluster
      --cert-expiry duration      Validity period for node certificates (ns|us|ms|s|m|h) (default 2160h0m0s)
  -d, --detach                    Exit immediately instead of waiting for the root rotation to converge
      --external-ca external-ca   Specifications of one or more certificate signing endpoints
      --help                      Print usage
  -q, --quiet                     Suppress progress output
      --rotate                    Rotate the swarm CA - if no certificate or key are provided, new ones will be generated

Sample progress bar here, copied styling from the synchronous service create progress bar: https://asciinema.org/a/2em3i7y1u50ajeut13es5m6uh

Note: I originally thought about just doing docker swarm update --rotate-ca cert=/path/...,key=/path/... but I wasn't sure how to also do tell the CLI to just generate a cert and key - it'd probably have to look like docker swarm update --rotate-ca "" which seems weird, hence the new command.

Also a suggestion from @NathanMcCauley: if we have service identities, and those could be rotated, do we want to use the same CLI command to view/rotate those as well?

[cyli]

Have re-vendored the latest version of moby/moby master instead of my fork, so this is ready for review.

[thaJeztah]

Looking at this again, I wonder if;

• swarm ca should be a separate command; it's showing a single field in the swarm configuration, does this open the door to creating a separate command for each property? Is this information part of docker system info (or should we have docker swarm info? Possibly --rotate should be part of docker swarm update
• if we do think ca should be its own "entity" / "object type" in the CLI, should it follow the ls / list / inspect etc subcommands? (will be a bit odd as well, given that there's only a single CA, not a list)
• If we want to keep it similar to join-token, then swarm ca --rotate should print the ca after it was rotated

Happy to hear thoughts @aaronlehmann @diogomonica @dnephin

[cyli]

Possibly --rotate should be part of docker swarm update

I originally thought about just doing docker swarm update --rotate-ca cert=/path/...,key=/path/... but I wasn't sure how to also do tell the CLI to just generate a cert and key - it'd probably have to look like docker swarm update --rotate-ca "" which seems weird, hence the new command - but happy to have other opinions and suggestions instead - maybe the cert and key can be different flags?

The one argument I'd have for a separate command is that docker swarm update already has a bunch of flags, and the extra ones here (--ca-cert, --ca-key, -d and -q) for instance all seem to be bundled together, so maybe including them in a separate command makes sense?

Is this information part of docker system info (or should we have docker swarm info)?

Some of this info is currently on docker system info - I don't mind adding a docker swarm info, if that'd be useful - it seems like system info includes swarm info though.

If we want to keep it similar to join-token, then swarm ca --rotate should print the ca after it was rotated.

Happy to do that as well.

[diogomonica]

I have a slight preference for having the ca subcommand

[diogomonica]

LGTM

[cyli]

Updated the --rotate command to print out the final CA certificate after the root rotation is complete.

[aaronlehmann]

LGTM

[tonistiigi]

nit: this could be simpler with ioutil.Discard

[cyli]

Updated with io.Copy(ioutil.Discard, pipeReader)

[tonistiigi]

Don't need a for or function wrapper anymore.

[thaJeztah]

left one comment, LGTM otherwise

[thaJeztah]

Can you add

Tags: map[string]string{"version": "1.30"},

like we have on cli/command/system/prune.go#L31, so that the command is hidden when talking to an older daemon, and produces an error that it requires a newer daemon

[aaronlehmann]

@tonistiigi: Pushed a commit that simplifies the use of io.Copy

[tonistiigi]

LGTM

[cyli]

Thanks @aaronlehmann!

[bkatiemills]

Hi folks - Training wants to highlight this feature in our workshops, but I'm a bit confused; docker swarm ca --cert-expiry 720h spits a key back at me on 17.06.0-ce-rc2 but shows no change to the CA configuration / expiry duration key in the output of docker system info. I assumed (wrongly?) this command was equivalent to docker swarm update --cert-expiry 720h, which does show an updated expiry duration immediately. Thoughts?

[cyli]

@BillMills Ah, apologies, that was intended to be used with the --rotate flag (e.g. you can rotate the CA cert and update the cert expiry to be used with that new cert at the same time. If you don't pass --rotate, it ignores all the other flags, since cert expiry could also be changed with docker swarm update --cert-expiry ....

Wondering if we should update the flags, if used by themselves, to specify that they are ignored unless --rotate is passed?

[dnephin]

A warning would be great. We might even want to consider it an error.