Signed-off-by: Ying Li <ying.li@docker.com>
Ying Li authored on 2017/06/16 10:11:14... | ... |
@@ -31,9 +31,10 @@ func SwarmFromGRPC(c swarmapi.Cluster) types.Swarm { |
31 | 31 |
AutoLockManagers: c.Spec.EncryptionConfig.AutoLockManagers, |
32 | 32 |
}, |
33 | 33 |
CAConfig: types.CAConfig{ |
34 |
- // do not include the signing CA key (it should already be redacted via the swarm APIs) |
|
35 |
- SigningCACert: string(c.Spec.CAConfig.SigningCACert), |
|
36 |
- ForceRotate: c.Spec.CAConfig.ForceRotate, |
|
34 |
+ // do not include the signing CA cert or key (it should already be redacted via the swarm APIs) - |
|
35 |
+ // the key because it's secret, and the cert because otherwise doing a get + update on the spec |
|
36 |
+ // can cause issues because the key would be missing and the cert wouldn't |
|
37 |
+ ForceRotate: c.Spec.CAConfig.ForceRotate, |
|
37 | 38 |
}, |
38 | 39 |
}, |
39 | 40 |
TLSInfo: types.TLSInfo{ |
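Review bot: The reworded comment in the `CAConfig` literal keeps the parenthetical "it should already be redacted via the swarm APIs" right after "cert or key", so it reads as if the cert were also redacted upstream; the removed `SigningCACert:` line suggests it was not, and that this function is now what withholds it. I would state the guarantee directly, e.g. `// never return the desired signing CA cert or key: the key is secret, and returning the cert without its key breaks a get + update of the spec`. Because API responses will now always carry an empty `SigningCACert`, it is worth confirming (and testing) how the update path, which is not visible in this hunk, interprets an empty cert after a get + update round trip. `SwarmFromGRPC` starts and ends outside the hunk.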
... | ... |
@@ -967,20 +967,21 @@ func (s *DockerSwarmSuite) TestSwarmRepeatedRootRotation(c *check.C) { |
967 | 967 |
for j := 0; j < 18; j++ { |
968 | 968 |
info, err := m.SwarmInfo() |
969 | 969 |
c.Assert(err, checker.IsNil) |
970 |
- c.Assert(info.Cluster.Spec.CAConfig.SigningCACert, checker.Equals, expectedCert) |
|
971 |
- // the desired CA key is always redacted |
|
970 |
+ |
|
971 |
+ // the desired CA cert and key is always redacted |
|
972 | 972 |
c.Assert(info.Cluster.Spec.CAConfig.SigningCAKey, checker.Equals, "") |
973 |
+ c.Assert(info.Cluster.Spec.CAConfig.SigningCACert, checker.Equals, "") |
|
973 | 974 |
|
974 | 975 |
clusterTLSInfo = info.Cluster.TLSInfo |
975 | 976 |
|
976 |
- if !info.Cluster.RootRotationInProgress { |
|
977 |
+ // if root rotation is done and the trust root has changed, we don't have to poll anymore |
|
978 |
+ if !info.Cluster.RootRotationInProgress && clusterTLSInfo.TrustRoot != currentTrustRoot { |
|
977 | 979 |
break |
978 | 980 |
} |
979 | 981 |
|
980 | 982 |
// root rotation not done |
981 | 983 |
time.Sleep(250 * time.Millisecond) |
982 | 984 |
} |
983 |
- c.Assert(clusterTLSInfo.TrustRoot, checker.Not(checker.Equals), currentTrustRoot) |
|
984 | 985 |
if cert != nil { |
985 | 986 |
c.Assert(clusterTLSInfo.TrustRoot, checker.Equals, expectedCert) |
986 | 987 |
} |
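Review bot: Dropping the post-loop `c.Assert(clusterTLSInfo.TrustRoot, checker.Not(checker.Equals), currentTrustRoot)` means that when the 18 polls run out without the trust root changing, nothing in this hunk fails for the `cert == nil` case, since only the `cert != nil` branch still asserts on `TrustRoot`. The new break condition already covers the success path, so the assertion is only redundant there; keeping it after the loop turns a rotation that never completes into an explicit failure instead of relying on later checks, which may exist outside the hunk. Minor wording: `// the desired CA cert and key are always redacted`. `TestSwarmRepeatedRootRotation` starts and ends outside the hunk.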