From d01b45b0ffde81ddf55a2643d93d932c1e33cab6 Mon Sep 17 00:00:00 2001 From: Ying Li Date: Thu, 15 Jun 2017 18:11:14 -0700 Subject: [PATCH] Redact the swarm's spec's signing CA cert when getting swarm info, because otherwise if the user gets the info from the API, makes a non-CA related change, then updates, swarm will interpret this as the user trying to remove the signing key from the swarm. We are redacting due to usability reasons, not because the signing cert is secret. The signing KEY is secret, hence it's redacted. Signed-off-by: Ying Li Upstream-commit: bdfbd22afbbf16a07f0316656c6c17453df3e0f7 Component: engine --- components/engine/daemon/cluster/convert/swarm.go | 7 ++++--- .../engine/integration-cli/docker_api_swarm_test.go | 9 +++++---- 2 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/components/engine/daemon/cluster/convert/swarm.go b/components/engine/daemon/cluster/convert/swarm.go
index 0d5c8738c9..2ea89b968e 100644
--- a/components/engine/daemon/cluster/convert/swarm.go
+++ b/components/engine/daemon/cluster/convert/swarm.go
@@ -31,9 +31,10 @@ func SwarmFromGRPC(c swarmapi.Cluster) types.Swarm {
 AutoLockManagers: c.Spec.EncryptionConfig.AutoLockManagers,
 },
 CAConfig: types.CAConfig{
- // do not include the signing CA key (it should already be redacted via the swarm APIs)
- SigningCACert: string(c.Spec.CAConfig.SigningCACert),
- ForceRotate: c.Spec.CAConfig.ForceRotate,
+ // do not include the signing CA cert or key (it should already be redacted via the swarm APIs) -
+ // the key because it's secret, and the cert because otherwise doing a get + update on the spec
+ // can cause issues because the key would be missing and the cert wouldn't
+ ForceRotate: c.Spec.CAConfig.ForceRotate,
 },
 },
 TLSInfo: types.TLSInfo{
diff --git a/components/engine/integration-cli/docker_api_swarm_test.go b/components/engine/integration-cli/docker_api_swarm_test.go
index d9d3d94433..03cf899d71 100644
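Review bot: The rewritten comment in the CAConfig literal folds two different reasons into one ambiguous parenthetical — "it should already be redacted via the swarm APIs" was true of the key, but the cert is being dropped here by this conversion layer purely so a GET-then-UPDATE round-trip is not read as a request to remove the signing key, as the commit message itself says. I would spell that out so a later reader does not restore SigningCACert believing swarmkit strips it: `// SigningCAKey is never copied: swarmkit already redacts it because it is secret.` / `// SigningCACert is deliberately left empty (it is not secret; the trust root is still exposed via TLSInfo.TrustRoot)` / `// so that a GET-then-UPDATE of the spec is not interpreted as dropping the signing key.` Since the integration test in the second hunk now compares TLSInfo.TrustRoot rather than Spec.CAConfig.SigningCACert, that field is presumably where callers are expected to read the cert from, and the comment should point them there. This also silently changes what API consumers get back in Spec.CAConfig.SigningCACert, and the diffstat shows only the converter and the integration test touched, so I cannot see an API changelog or swagger note for the behaviour change — worth adding one. SwarmFromGRPC starts before and continues after this hunk.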
--- a/components/engine/integration-cli/docker_api_swarm_test.go
+++ b/components/engine/integration-cli/docker_api_swarm_test.go
@@ -967,20 +967,21 @@ func (s *DockerSwarmSuite) TestSwarmRepeatedRootRotation(c *check.C) {
 for j := 0; j < 18; j++ {
 info, err := m.SwarmInfo()
 c.Assert(err, checker.IsNil)
- c.Assert(info.Cluster.Spec.CAConfig.SigningCACert, checker.Equals, expectedCert)
- // the desired CA key is always redacted
+
+ // the desired CA cert and key is always redacted
 c.Assert(info.Cluster.Spec.CAConfig.SigningCAKey, checker.Equals, "")
+ c.Assert(info.Cluster.Spec.CAConfig.SigningCACert, checker.Equals, "")
 clusterTLSInfo = info.Cluster.TLSInfo
- if !info.Cluster.RootRotationInProgress {
+ // if root rotation is done and the trust root has changed, we don't have to poll anymore
+ if !info.Cluster.RootRotationInProgress && clusterTLSInfo.TrustRoot != currentTrustRoot {
 break
 }
 // root rotation not done
 time.Sleep(250 * time.Millisecond)
 }
- c.Assert(clusterTLSInfo.TrustRoot, checker.Not(checker.Equals), currentTrustRoot)
 if cert != nil {
 c.Assert(clusterTLSInfo.TrustRoot, checker.Equals, expectedCert)
 }