ca: when the Root CA is updated in the security config, update all TLS creds too

[cyli]

So that both can use the new root CA pool to validate peers.

[aaronlehmann]

Do we know for sure that previousConfig.Certificates has at least one item?

[aaronlehmann]

Is there a possibility of a race here? Say the node's certificate gets renewed at the same moment, and there's a call to LoadNewTLSConfig in these calls to Config and LoadNewTLSConfig. Wouldn't we overwrite the new node certificate?

[cyli]

@aaronlehmann Good point - I guess the lock needs to be on the mutable TLS object.

[codecov-io]

Codecov Report

Merging #1983 into master will increase coverage by 0.17%.
The diff coverage is 92.3%.

@@            Coverage Diff             @@
##           master    #1983      +/-   ##
==========================================
+ Coverage   53.69%   53.86%   +0.17%     
==========================================
  Files         109      109              
  Lines       18925    18943      +18     
==========================================
+ Hits        10161    10203      +42     
+ Misses       7538     7501      -37     
- Partials     1226     1239      +13

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update a52e9c8...598a7ed. Read the comment docs.

[aaronlehmann]

Clone exists in 1.7.

Would you mind switching to it before merging?

AFAIK there's no reason we need to support Go 1.6. @vdemeester do you know if there is?

[cyli]

Hm... do I have something horribly misconfigured?

$ go test -race github.com/docker/swarmkit/ca
ca/transport.go:142: c.config.Clone undefined (type *tls.Config has no field or method Clone, but does have tls.clone)

$  go version
go version go1.7.4 darwin/amd64

[cyli]

https://github.com/golang/go/blob/release-branch.go1.7/src/crypto/tls/common.go#L426 seems to only have Config.clone(), but https://github.com/golang/go/blob/release-branch.go1.8/src/crypto/tls/common.go#L550 has the exported function (I could just be missing an exported function in 1.7 in a different file, though)

[aaronlehmann]

I looked for Clone on both branches to verify, but did not notice it's unexported in 1.7.

I remember https://github.com/docker/docker/blob/master/pkg/tlsconfig dealing with this, and I see this was back in September. I thought it happened before Go 1.7 was released. Apparently it was right after. My apologies.

Anyway, would you mind vendoring/importing github.com/docker/docker/pkg/tlsconfig in this PR?

[cyli]

Not at all - as I've said before, my machine is haunted :) And go vet still produces errors on my machine that no one else seems to be able to replicate so I totally would believe something is wrong with my setup.

And sure, will do.

[aaronlehmann]

nit: return nil?

[aaronlehmann]

How about return cfcsr.ParseRequest(req) for clarity?

[aaronlehmann]

I don't believe it's necessary to hold this lock. s.externalCA seems to be set when the SecurityConfig is created, and never changed to point to anything else. updateCluster uses this field without holding the lock.

[cyli]

Good point, thanks!

[diogomonica]

Do we want to be conservative in both places?

[aaronlehmann]

Needs a rebase

[diogomonica]

Do we need locking?

[aaronlehmann]

Heh: #1983 (comment)

[diogomonica]

why do we need to clone instead of directly modifying it?

[cyli]

I tried that originally, but it's not really safe to modify a tls.Config while it's being used I think. I ended up with a data race in the tests, since a tls.Config stores some handshake/session state. The comment for tls.Config contains:

After one has been passed to a TLS function it must not be modified.