Skip to content

[ca] Separate server signing root CA from security config root CA#2336

Merged
cyli merged 3 commits into
moby:masterfrom
cyli:ca-signer-not-security-config
Aug 2, 2017
Merged

[ca] Separate server signing root CA from security config root CA#2336
cyli merged 3 commits into
moby:masterfrom
cyli:ca-signer-not-security-config

Conversation

@cyli
Copy link
Copy Markdown
Contributor

@cyli cyli commented Jul 29, 2017

This finishes separating signing functionality from the security config that was started with #2262. This way, the mechanism for updating the root certs in the security config is the same for both managers and workers (via the dispatcher), which makes the root update logic a little less complex.

This also means that the CA server is more standalone, again - it performs its own watch on the store for cluster update changes.

cyli added 2 commits July 27, 2017 15:51
@cyli
Store a local signing root CA on the CA server - do not use the Secur…
b55cb6e 
…ityConfig's.

Signed-off-by: Ying Li <ying.li@docker.com>
@cyli
Add a cluster watch back to the CA server, so it no longer requires some
3252251 
external force to call `UpdateRootCA`.

Signed-off-by: Ying Li <ying.li@docker.com>
@cyli cyli force-pushed the ca-signer-not-security-config branch from cfee09a to 9147d5f Compare July 29, 2017 09:13
@codecov
Copy link
Copy Markdown

codecov Bot commented Jul 29, 2017
edited
Loading

Codecov Report

Merging #2336 into master will decrease coverage by 0.04%.
The diff coverage is 82.05%.

@@            Coverage Diff             @@
##           master    #2336      +/-   ##
==========================================
- Coverage   60.59%   60.55%   -0.05%     
==========================================
  Files         128      128              
  Lines       26048    26056       +8     
==========================================
- Hits        15783    15777       -6     
- Misses       8878     8885       +7     
- Partials     1387     1394       +7

diogomonica
diogomonica approved these changes Jul 31, 2017
View reviewed changes
Copy link
Copy Markdown
Contributor

@diogomonica diogomonica left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@cyli
Copy link
Copy Markdown
Contributor Author

cyli commented Jul 31, 2017

ping @nishanttotla for review, if you have time. :)
Also cc @jlhawn

aaronlehmann
aaronlehmann reviewed Aug 1, 2017
View reviewed changes
Comment thread ca/server_test.go
for _, secConfig := range secConfigs {
s, err := secConfig.RootCA().Signer()
for i, server := range append(otherServers) {
s, err := server.RootCA().Signer()
Copy link
Copy Markdown
Collaborator

@aaronlehmann aaronlehmann Aug 1, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should this be range otherServers?

Copy link
Copy Markdown
Contributor Author

@cyli cyli Aug 1, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point, thanks! Also, 👋 hello!

aaronlehmann
aaronlehmann reviewed Aug 1, 2017
View reviewed changes
Comment thread ca/server_test.go
if !bytes.Equal(s.Key, rotationKey) {
return errors.New("all the sec configs haven't been updated yet")
return errors.Errorf("all the servers' root CAs haven't been updated yet: server %d", i)
}
Copy link
Copy Markdown
Collaborator

@aaronlehmann aaronlehmann Aug 1, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe "server %d's root CA hasn't been updated yet"? Or even better, could this give the server name instead of the index?

Copy link
Copy Markdown
Collaborator

@aaronlehmann aaronlehmann Aug 1, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh, just realized this is a test, so it doesn't really matter.

Copy link
Copy Markdown
Contributor Author

@cyli cyli Aug 1, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Have updated the message, although still just with the index, since the name might not be that useful in debugging which one failed.

@cyli
Use a single codepath for updating the root CA in the security config…
82c36fe 
… for

both manager and worker nodes.

Signed-off-by: Ying Li <ying.li@docker.com>
@cyli cyli force-pushed the ca-signer-not-security-config branch from 9147d5f to 82c36fe Compare August 1, 2017 17:44
aaronlehmann
aaronlehmann approved these changes Aug 2, 2017
View reviewed changes
Copy link
Copy Markdown
Collaborator

@aaronlehmann aaronlehmann left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@cyli
Copy link
Copy Markdown
Contributor Author

cyli commented Aug 2, 2017

Thanks @aaronlehmann and @diogomonica!

@cyli cyli merged commit 975a197 into moby:master Aug 2, 2017
@cyli cyli deleted the ca-signer-not-security-config branch August 2, 2017 21:43
This was referenced Aug 2, 2017
Merged
Closed
@cyli cyli mentioned this pull request May 22, 2018
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@aaronlehmann aaronlehmann aaronlehmann approved these changes

+1 more reviewer

@diogomonica diogomonica diogomonica approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@cyli @diogomonica @aaronlehmann