Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
| ... | ... |
@@ -87,6 +87,15 @@ func (sr *swarmRouter) updateCluster(ctx context.Context, w http.ResponseWriter, |
| 87 | 87 |
flags.RotateManagerToken = rot |
| 88 | 88 |
} |
| 89 | 89 |
|
| 90 |
+ if value := r.URL.Query().Get("rotateManagerUnlockKey"); value != "" {
|
|
| 91 |
+ rot, err := strconv.ParseBool(value) |
|
| 92 |
+ if err != nil {
|
|
| 93 |
+ return fmt.Errorf("invalid value for rotateManagerUnlockKey: %s", value)
|
|
| 94 |
+ } |
|
| 95 |
+ |
|
| 96 |
+ flags.RotateManagerUnlockKey = rot |
|
| 97 |
+ } |
|
| 98 |
+ |
|
| 90 | 99 |
if err := sr.backend.Update(version, swarm, flags); err != nil {
|
| 91 | 100 |
logrus.Errorf("Error configuring swarm: %v", err)
|
| 92 | 101 |
return err |
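Review bot: The new `rotateManagerUnlockKey` branch echoes the raw query value back with `%s`, so an empty-looking or control-character value comes out unquoted in the error text and in any log that records it. Quoting it is a one-word change: `return fmt.Errorf("invalid value for rotateManagerUnlockKey: %q", value)`. The returned error is also a plain `fmt.Errorf`. Whether the router maps that to a 400 or a 500 is not visible here, so it is worth confirming that a malformed parameter is reported as a client error. updateCluster begins and ends outside this hunk.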
| ... | ... |
@@ -5,6 +5,7 @@ import ( |
| 5 | 5 |
|
| 6 | 6 |
"github.com/spf13/cobra" |
| 7 | 7 |
|
| 8 |
+ "github.com/docker/docker/api/types/swarm" |
|
| 8 | 9 |
"github.com/docker/docker/cli" |
| 9 | 10 |
"github.com/docker/docker/cli/command" |
| 10 | 11 |
"github.com/pkg/errors" |
| ... | ... |
@@ -23,7 +24,24 @@ func newUnlockKeyCommand(dockerCli *command.DockerCli) *cobra.Command {
|
| 23 | 23 |
ctx := context.Background() |
| 24 | 24 |
|
| 25 | 25 |
if rotate {
|
| 26 |
- // FIXME(aaronl) |
|
| 26 |
+ flags := swarm.UpdateFlags{RotateManagerUnlockKey: true}
|
|
| 27 |
+ |
|
| 28 |
+ swarm, err := client.SwarmInspect(ctx) |
|
| 29 |
+ if err != nil {
|
|
| 30 |
+ return err |
|
| 31 |
+ } |
|
| 32 |
+ |
|
| 33 |
+ if !swarm.Spec.EncryptionConfig.AutoLockManagers {
|
|
| 34 |
+ return errors.New("cannot rotate because autolock is not turned on")
|
|
| 35 |
+ } |
|
| 36 |
+ |
|
| 37 |
+ err = client.SwarmUpdate(ctx, swarm.Version, swarm.Spec, flags) |
|
| 38 |
+ if err != nil {
|
|
| 39 |
+ return err |
|
| 40 |
+ } |
|
| 41 |
+ if !quiet {
|
|
| 42 |
+ fmt.Fprintf(dockerCli.Out(), "Successfully rotated manager unlock key.\n\n") |
|
| 43 |
+ } |
|
| 27 | 44 |
} |
| 28 | 45 |
|
| 29 | 46 |
unlockKeyResp, err := client.SwarmGetUnlockKey(ctx) |
| ... | ... |
@@ -31,6 +49,10 @@ func newUnlockKeyCommand(dockerCli *command.DockerCli) *cobra.Command {
|
| 31 | 31 |
return errors.Wrap(err, "could not fetch unlock key") |
| 32 | 32 |
} |
| 33 | 33 |
|
| 34 |
+ if unlockKeyResp.UnlockKey == "" {
|
|
| 35 |
+ return errors.New("no unlock key is set")
|
|
| 36 |
+ } |
|
| 37 |
+ |
|
| 34 | 38 |
if quiet {
|
| 35 | 39 |
fmt.Fprintln(dockerCli.Out(), unlockKeyResp.UnlockKey) |
| 36 | 40 |
} else {
|
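Review bot: In the `if rotate` branch, `swarm, err := client.SwarmInspect(ctx)` declares a local that shadows the `swarm` package imported by this same commit. It compiles only because `swarm.UpdateFlags{RotateManagerUnlockKey: true}` is built on the line before, so any later use of the package in this closure would silently resolve to the inspect result. Renaming the local avoids that: `sw, err := client.SwarmInspect(ctx)`, then `sw.Spec.EncryptionConfig.AutoLockManagers` and `client.SwarmUpdate(ctx, sw.Version, sw.Spec, flags)`. The two `return err` lines in that branch are also bare, while the fetch below uses `errors.Wrap(err, "could not fetch unlock key")`. Wrapping them the same way would tell an operator whether the inspect or the update step of a key rotation failed. The enclosing function starts and ends outside these hunks.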
| ... | ... |
@@ -15,6 +15,7 @@ func (cli *Client) SwarmUpdate(ctx context.Context, version swarm.Version, swarm |
| 15 | 15 |
query.Set("version", strconv.FormatUint(version.Index, 10))
|
| 16 | 16 |
query.Set("rotateWorkerToken", fmt.Sprintf("%v", flags.RotateWorkerToken))
|
| 17 | 17 |
query.Set("rotateManagerToken", fmt.Sprintf("%v", flags.RotateManagerToken))
|
| 18 |
+ query.Set("rotateManagerUnlockKey", fmt.Sprintf("%v", flags.RotateManagerUnlockKey))
|
|
| 18 | 19 |
resp, err := cli.post(ctx, "/swarm/update", query, swarm, nil) |
| 19 | 20 |
ensureReaderClosed(resp) |
| 20 | 21 |
return err |
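Review bot: The added `query.Set("rotateManagerUnlockKey", fmt.Sprintf("%v", flags.RotateManagerUnlockKey))` formats a bool through `fmt`, although `strconv` is already used two lines above and the daemon side parses the value with `strconv.ParseBool`. `query.Set("rotateManagerUnlockKey", strconv.FormatBool(flags.RotateManagerUnlockKey))` is the exact counterpart and avoids the interface boxing. This follows the style of the two existing rotate-token lines, so changing all three together would keep them consistent. SwarmUpdate starts outside the hunk.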