@@ -145,6 +145,25 @@ func (s *DockerSwarmSuite) TestAPISwarmJoinToken(c *check.C) {

 	c.Assert(info.LocalNodeState, checker.Equals, swarm.LocalNodeStateInactive)

 }

+func (s *DockerSwarmSuite) TestUpdateSwarmAddExternalCA(c *check.C) {

+	// TODO: when root rotation is in, convert to a series of root rotation tests instead.

+	// currently just makes sure that we don't have to provide a CA certificate when

+	// providing an external CA

+	d1 := s.AddDaemon(c, false, false)

+	c.Assert(d1.Init(swarm.InitRequest{}), checker.IsNil)

+	d1.UpdateSwarm(c, func(s *swarm.Spec) {

+		s.CAConfig.ExternalCAs = []*swarm.ExternalCA{

+			{

+				Protocol: swarm.ExternalCAProtocolCFSSL,

+				URL:      "https://thishasnoca.org",

+			},

+		}

+	})

+	info, err := d1.SwarmInfo()

+	c.Assert(err, checker.IsNil)

+	c.Assert(info.Cluster.Spec.CAConfig.ExternalCAs, checker.HasLen, 1)

+}

+

 func (s *DockerSwarmSuite) TestAPISwarmCAHash(c *check.C) {

 	d1 := s.AddDaemon(c, true, true)

 	d2 := s.AddDaemon(c, false, false)

@@ -50,6 +50,13 @@ func (s *DockerSwarmSuite) TestSwarmUpdate(c *check.C) {

 	c.Assert(out, checker.Contains, "minimum certificate expiry time")

 	spec = getSpec()

 	c.Assert(spec.CAConfig.NodeCertExpiry, checker.Equals, 30*time.Hour)

+

+	// passing an external CA (this is without starting a root rotation) does not fail

+	out, err = d.Cmd("swarm", "update", "--external-ca", "protocol=cfssl,url=https://something.org")

+	c.Assert(err, checker.IsNil, check.Commentf("out: %v", out))

+

+	spec = getSpec()

+	c.Assert(spec.CAConfig.ExternalCAs, checker.HasLen, 1)

 }

 func (s *DockerSwarmSuite) TestSwarmInit(c *check.C) {

@@ -60,12 +67,14 @@ func (s *DockerSwarmSuite) TestSwarmInit(c *check.C) {

 		return sw.Spec

 	}

-	cli.Docker(cli.Args("swarm", "init", "--cert-expiry", "30h", "--dispatcher-heartbeat", "11s"),

+	cli.Docker(cli.Args("swarm", "init", "--cert-expiry", "30h", "--dispatcher-heartbeat", "11s",

+		"--external-ca", "protocol=cfssl,url=https://something.org"),

 		cli.Daemon(d.Daemon)).Assert(c, icmd.Success)

 	spec := getSpec()

 	c.Assert(spec.CAConfig.NodeCertExpiry, checker.Equals, 30*time.Hour)

 	c.Assert(spec.Dispatcher.HeartbeatPeriod, checker.Equals, 11*time.Second)

+	c.Assert(spec.CAConfig.ExternalCAs, checker.HasLen, 1)

 	c.Assert(d.Leave(true), checker.IsNil)

 	time.Sleep(500 * time.Millisecond) // https://github.com/docker/swarmkit/issues/1421

@@ -105,7 +105,7 @@ github.com/docker/containerd 9048e5e50717ea4497b757314bad98ea3763c145

 github.com/tonistiigi/fifo 1405643975692217d6720f8b54aeee1bf2cd5cf4

 # cluster

-github.com/docker/swarmkit d5232280c510d70755ab11305d46a5704735371a

+github.com/docker/swarmkit 6a6f38c02f1c96b1d3c548e45927349656ae37a1

 github.com/gogo/protobuf 8d70fb3182befc465c4a1eac8ad4d38ff49778e2

 github.com/cloudflare/cfssl 7fb22c8cba7ecaf98e4082d22d65800cf45e042a

 github.com/google/certificate-transparency d90e65c3a07988180c5b1ece71791c0b6506826e

@@ -148,14 +148,16 @@ func validateHasAtLeastOneExternalCA(ctx context.Context, externalCAs map[string

 // validates that the list of external CAs have valid certs associated with them, and produce a mapping of subject/pubkey:external

 // for later validation of required external CAs

-func getNormalizedExtCAs(caConfig *api.CAConfig) (map[string][]*api.ExternalCA, error) {

+func getNormalizedExtCAs(caConfig *api.CAConfig, normalizedCurrentRootCACert []byte) (map[string][]*api.ExternalCA, error) {

 	extCAs := make(map[string][]*api.ExternalCA)

 	for _, extCA := range caConfig.ExternalCAs {

-		if len(extCA.CACert) == 0 {

-			return nil, grpc.Errorf(codes.InvalidArgument, "must specify CA certificate for each external CA")

+		associatedCert := normalizedCurrentRootCACert

+		// if no associated cert is provided, assume it's the current root cert

+		if len(extCA.CACert) > 0 {

+			associatedCert = ca.NormalizePEMs(extCA.CACert)

 		}

-		certKey := string(ca.NormalizePEMs(extCA.CACert))

+		certKey := string(associatedCert)

 		extCAs[certKey] = append(extCAs[certKey], extCA)

 	}

@@ -191,12 +193,12 @@ func validateCAConfig(ctx context.Context, securityConfig *ca.SecurityConfig, cl

 		return nil, grpc.Errorf(codes.InvalidArgument, "if a signing CA key is provided, the signing CA cert must also be provided")

 	}

-	extCAs, err := getNormalizedExtCAs(newConfig) // validate that the list of external CAs is not malformed

+	normalizedRootCA := ca.NormalizePEMs(cluster.RootCA.CACert)

+	extCAs, err := getNormalizedExtCAs(newConfig, normalizedRootCA) // validate that the list of external CAs is not malformed

 	if err != nil {

 		return nil, err

 	}

-	normalizedRootCA := ca.NormalizePEMs(cluster.RootCA.CACert)

 	var oldCertExtCAs []*api.ExternalCA

 	if !hasSigningKey(&cluster.RootCA) {

 		oldCertExtCAs, err = validateHasAtLeastOneExternalCA(ctx, extCAs, securityConfig, normalizedRootCA, "current")

@@ -297,8 +297,9 @@ func (g *Orchestrator) reconcileServices(ctx context.Context, serviceIDs []strin

 	updates := make(map[*api.Service][]orchestrator.Slot)

 	_, err := g.store.Batch(func(batch *store.Batch) error {

-		var updateTasks []orchestrator.Slot

 		for _, serviceID := range serviceIDs {

+			var updateTasks []orchestrator.Slot

+

 			if _, exists := nodeTasks[serviceID]; !exists {

 				continue

 			}

@@ -352,7 +353,6 @@ func (g *Orchestrator) reconcileServices(ctx context.Context, serviceIDs []strin

 	for service, updateTasks := range updates {

 		g.updater.Update(ctx, g.cluster, service, updateTasks)

 	}

-

 }

 // updateNode updates g.nodes based on the current node value