[controlapi] Allow starting and aborting root CA rotations during swarm update API

[cyli]

This adds the ability to specify, using the ClusterSpec, whether the swarm root CA should be rotated, and if so, what the new cert and key should be.

If no desired cert or key are provided, then a pair will be generated so long as the ForceRotate counter is bumped up.

If a desired cert is provided, the ForceRotate counter needs not be bumped, but it would not break anything if it were.

This is stacked on top of #2050 and #2051. Update: These have been merged.

Remaining TODOs:

• I think it may be possible for the current security config, if a root rotation is in progress, to sign using a different cert and key than the current root. Need to confirm. Update: Yes, my test was not actually updating the test cases for root rotation - this has been fixed.
• There might also be a chance for a race condition when updating the cluster - the cluster may have been updated but the security config containing the RootCA may not have been updated yet due to a delay in notifications. So the new join tokens or cross-signed certs may be generating using an outdated RootCA. Update: Fixed in [ca] Make the control API server take a security config instead of RootCA #2051
• Validate on ClusterUpdate that at least one of the remote CAs on the list is up.

[codecov]

Codecov Report

Merging #2052 into master will increase coverage by 0.3%.
The diff coverage is 89.4%.

@@            Coverage Diff            @@
##           master    #2052     +/-   ##
=========================================
+ Coverage   54.21%   54.51%   +0.3%     
=========================================
  Files         111      112      +1     
  Lines       19354    19497    +143     
=========================================
+ Hits        10492    10629    +137     
+ Misses       7597     7590      -7     
- Partials     1265     1278     +13

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 74a3d19...1b1c030. Read the comment docs.

[aaronlehmann]

Missing newline here

[aaronlehmann]

Maybe just RotationVersion?

Maybe LastForcedRotation is better, actually, because that is less likely to be confused with the Version field in Meta.

[cyli]

You're right, we probably only need the top level one.

[aaronlehmann]

Why does this appear in both RootRotation and one level above it? Is that intentional?

[aaronlehmann]

Never mind, read the comments... But I'm still surprised we would need to keep track of both. Will read the code next.

[aaronlehmann]

ping @aluzzardi for API review

I think this approach makes sense. It lets a client request a rotation in a declarative way, either by providing a new key/cert or asking the manager to generate one. We also discussed passing flags to controlapi's UpdateCluster, but I think doing it in a declarative way is preferable.

[diogomonica]

In general LGTM, but I would love to have a deeper look at validateAndUpdateCA with a high-level diagram that describes the four big blocks of that function.

[diogomonica]

"If not provided,"

[diogomonica]

*a root CA rotation

[diogomonica]

aren't all rotations forced? why not just last_rotation?

[cyli]

I don't particularly feel strongly - the name is to make it clearer that it corresponds with the ForceRotation value in the config.

[diogomonica]

My first instinct was: this is reasonable. But on further consideration, and given that fact that:

• This is the root CA
• We have the ability of rotating at any time if compromised

This makes me think that maybe we should help our users not shoot themselves in the foot and increase the minimum a bit more (3 years)? Just a thought though, I'm 100% ok with 1 year.

/cc @sul3n3t

[cyli]

I also don't feel strongly - happy to change it to 3 years too. I just picked some value. :)

[diogomonica]

Should this be a method on cluster?

[diogomonica]

I dislike that this is not a method on cluster but has side-effects on cluster.

[cyli]

The api module is just data, and I don't know if we should be adding this to that module, particular could create import issues since then nothing from ca would be able to import anything from api, since api would then depend in ca.

[diogomonica]

can we just change cluster at will?

[diogomonica]

Isn't this the exact same conditional as the one on line 147?

[cyli]

In this case, the cert has changed, it just has the same subject and public key. One such example is if the cert is renewed. In this case, leaf certs issued by the previous CA cert will still correctly validate, but the cert digest has changed, and hence join tokens need to be re-generated.

[diogomonica]

So: Root CA Cert is expiring, and we self-sign a longer lived one?

[diogomonica]

What are the situations for each of these? Why doesn't this one update the tokens?

[cyli]

It's byte-for-byte the exact same cert, so the tokens do not need to be re-generated, since the hash is the same.

[diogomonica]

A lot of tests 👍

[aaronlehmann]

Thanks for making this table-driven.

[diogomonica]

what about testing the same?

[diogomonica]

Ignore, the same is a valid case.

[cyli]

Added the same value test case to the valid cases.

[diogomonica]

@aaronlehmann @cyli I commented it inline, but why not have a simpler logic of bumping the rotation version to kick a rotation, and if valid Cert/Key are provided we use them, if not, we generate new ones. Not sure I see the advantage of having two mechanisms.

[aaronlehmann]

@cyli: Is this still WIP?

[cyli]

@aaronlehmann It wasn't before - just pushed the latest :) So it is now, thanks for checking!

[aaronlehmann]

Use net.SplitHostPort

[cyli]

Oh nice! Thanks! I didn't know about that one - go 1.8's code doesn't use it either. :D

[aaronlehmann]

Use net.JoinHostPort

[aaronlehmann]

It shouldn't be necessary to defer this.

[aaronlehmann]

panic here?

[aaronlehmann]

Seems like a potentially useful log message. Any downsides to making it a warning?

[cyli]

Not particularly - this may be noisy if we have to re-validate every time, but perhaps if I reflect.DeepEqual(<oldCAConfig spec>, <newCAConfig spec> in UpdateCluster it would be fine? That'd assume nothing else goes and changes api.RootCA in the store (which is probably a fair assumption).

[aaronlehmann]

This is in controlapi, so at most you would get a warning per unreachable CA every time the cluster object is updated through the API, right?

[cyli]

Yes. Do we want to warn every time a cluster update is attempted, or just when the the user attempts to change the CAConfig?

[aaronlehmann]

I don't see any harm in warning every time the cluster is updated, as long as the unreachable CAs continue to be referenced in the spec. We're checking the CAs anyway, so if we discover that one is unreachable we might as well expose that information.

[cyli]

Sounds good, although this is on attempted spec update as well, not just when the spec update succeeds. I'm ok with that though, just wanted to make sure it's clear.

[diogomonica]

do we have a test for this being redacted?

[diogomonica]

yup, it's there, never mind!

[diogomonica]

why do we have commented out code?

[cyli]

Oops sorry, I needed this while debugging. Forgot to uncomment it, thanks!

[aaronlehmann]

Are the join tokens being regenerated because the digest of the certificate might be changing even if the subject and public key are the same?

[aaronlehmann]

I guess the digest is guaranteed to change in this case, because otherwise the bytes.Equal above would return true, right?

[cyli]

Yep, that's correct

[cyli]

After some discussion with @diogomonica, it may not be worth it to check this particular case. We're optimizing for not having to generate a new cross-signed certificate, but it might simplify the code if we don't try to do this optimization and just do a full root rotation object instead. How would you feel about removing this check?

[aaronlehmann]

Sounds good.

[diogomonica]

I regret my comment. Maybe 1 year makes this more flexible?

@sul3n3t

[aaronlehmann]

extra blank line

[aaronlehmann]

digest shouldn't be necessary.

[cyli]

Good point, thanks! My auto-importer insists on adding it every time I save. :)

[aaronlehmann]

BTW require.Equal will do the same thing, and show a diff if there is an unexpected change.

[aaronlehmann]

Slightly more verbose, but I think this would be easier to read and more useful as:

if valid.expectJoinTokenChange {
        require.NotEqual(t, result.JoinTokens, valid.rootCA.JoinTokens, fmtString, valid.description, result.JoinTokens, valid.rootCA.JoinTokens)
} else {
        require.Equal(t, result.JoinTokens, valid.rootCA.JoinTokens, fmtString, valid.description, result.JoinTokens, valid.rootCA.JoinTokens)
}

[aaronlehmann]

require.Len :)

[aaronlehmann]

require.NotEqual

[aaronlehmann]

require.Equal

[aaronlehmann]

I don't understand the purpose of this loop.

[cyli]

That's fair - I'm just testing that if the desired cert is different than the current root rotation cert, then the root rotation is replaced. That can just be 1 extra case, instead of 3 extra cases.

[cyli]

Oh sorry, unless you mean because I'm only checking the last one (testCases[2:])? That was something accidentally left over from when I was debugging. Regardless, I probably don't need the extra cases anyway.

[aaronlehmann]

Just confused about why you're looping and then doing something different for each value of the loop counter. I think I'm missing something.

[cyli]

I was trying to preserve the original testcases' configurations and expected root CA values (e.g. I was too lazy to type it again). It was to test that whatever the initial RootRotation value was, because the cert is different, it will just be replaced completely by a new root rotation with differentInitialCert, and that any external CAs required by the old root rotation will no longer be required.

I think this can probably be replaced by a single case.

[aaronlehmann]

Is this saying that NewRootCA parses SigningCACert, so we expect parsing it again will succeed?

[cyli]

Yes - that's much clearer, thanks. I'll update the comment to say that.

[aaronlehmann]

My preference is to check the error anyway, as a future-proofing step.

[cyli]

Ok, can do that as well.

[aaronlehmann]

I'm not sure this is reachable - it looks like SplitHostPort returns an error in this case. I expected that if SplitHostPort returns an error, we would assume the address does not have a port.

[cyli]

Oh hm... I didn't realize a port was required. It also looks like it returns an error if there are too many colons, though, and that does not seem to be something url.Parse will return an error on: https://play.golang.org/p/lAmzyII0-z.

[cyli]

Poking a bit more I guess go1.8's URL.Hostname() interprets "http://x:1:2" as a single host with no port, at least SplitHostPort will assume the same thing.

And I guess the dialer will fail if it's a weird hostname.

[diogomonica]

Add comment as to why we use TCP vs HTTP?

[cyli]

Added it to the comment for the function (at the top of this function).

[diogomonica]

This LGTM

/cc @aluzzardi

[aaronlehmann]

Let's also have host = parsed.Host here. I don't know if SplitHostPort returns the argument as host if it also returns an error (and even if it does, it seems better not to rely on the other values when an error is returned).

[aaronlehmann]

LGTM

[aaronlehmann]

Feel free to reorganize the commits.

[aluzzardi]

Just had a quick glance, overall LGTM