
Merge pull request #23651 from tonistiigi/cert-expiry

Add cert-expiry to swarm update
Arnaud Porterie 9 年之前
父節點
當前提交
f52c807650
共有 3 個文件被更改,包括 85 次插入0 次删除
  1. 8 0
      api/client/swarm/update.go
  2. 1 0
      docs/reference/commandline/swarm_update.md
  3. 76 0
      integration-cli/docker_cli_swarm_test.go

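--- a/api/client/swarm/update.go
+++ b/api/client/swarm/update.go
@@ -18,6 +18,7 @@ type updateOptions struct {
 	secret              string
 	taskHistoryLimit    int64
 	dispatcherHeartbeat time.Duration
+	nodeCertExpiry      time.Duration
 }
 
 func newUpdateCommand(dockerCli *client.DockerCli) *cobra.Command {
@@ -38,6 +39,7 @@ func newUpdateCommand(dockerCli *client.DockerCli) *cobra.Command {
 	flags.StringVar(&opts.secret, "secret", "", "Set secret value needed to accept nodes into cluster")
 	flags.Int64Var(&opts.taskHistoryLimit, "task-history-limit", 10, "Task history retention limit")
 	flags.DurationVar(&opts.dispatcherHeartbeat, "dispatcher-heartbeat", time.Duration(5*time.Second), "Dispatcher heartbeat period")
+	flags.DurationVar(&opts.nodeCertExpiry, "cert-expiry", time.Duration(90*24*time.Hour), "Validity period for node certificates")
 	return cmd
 }
 
@@ -92,5 +94,11 @@ func mergeSwarm(swarm *swarm.Swarm, flags *pflag.FlagSet) error {
 		}
 	}
 
+	if flags.Changed("cert-expiry") {
+		if v, err := flags.GetDuration("cert-expiry"); err == nil {
+			spec.CAConfig.NodeCertExpiry = v
+		}
+	}
+
 	return nil
 }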
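Review bot: In the `mergeSwarm` hunk a `--cert-expiry` value that `GetDuration` cannot return is silently dropped by the `err == nil` guard, so the previously stored certificate validity stays in force while the operator believes it was changed; this appears to mirror the preceding flag blocks whose closing braces open the hunk, but for a security-relevant setting the error should surface: `v, err := flags.GetDuration("cert-expiry")` / `if err != nil { return err }` / `spec.CAConfig.NodeCertExpiry = v`. The CLI does no range check of its own and the integration test in this PR relies on the daemon rejecting values below its minimum, which is worth recording on the block, e.g. `// lower bound on the validity period is enforced by the daemon, not here`. mergeSwarm begins before this hunk and `spec` is declared outside it.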

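--- a/docs/reference/commandline/swarm_update.md
+++ b/docs/reference/commandline/swarm_update.md
@@ -22,6 +22,7 @@ parent = "smn_cli"
           --help                            Print usage
           --secret string                   Set secret value needed to accept nodes into cluster
           --task-history-limit int          Task history retention limit (default 10)
+          --cert-expiry duration            Validity period for node certificates (default 2160h0m0s)
 
 Updates a Swarm cluster with new parameter values. This command must target a manager node.
 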

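--- a/integration-cli/docker_cli_swarm_test.go
+++ b/integration-cli/docker_cli_swarm_test.go
@@ -0,0 +1,76 @@
+// +build !windows
+
+package main
+
+import (
+	"encoding/json"
+	"time"
+
+	"github.com/docker/docker/pkg/integration/checker"
+	"github.com/docker/engine-api/types/swarm"
+	"github.com/go-check/check"
+)
+
+func (s *DockerSwarmSuite) TestSwarmUpdate(c *check.C) {
+	d := s.AddDaemon(c, true, true)
+
+	getSpec := func() swarm.Spec {
+		out, err := d.Cmd("swarm", "inspect")
+		c.Assert(err, checker.IsNil)
+		var sw []swarm.Swarm
+		c.Assert(json.Unmarshal([]byte(out), &sw), checker.IsNil)
+		c.Assert(len(sw), checker.Equals, 1)
+		return sw[0].Spec
+	}
+
+	out, err := d.Cmd("swarm", "update", "--cert-expiry", "30h", "--dispatcher-heartbeat", "11s", "--auto-accept", "manager", "--auto-accept", "worker", "--secret", "foo")
+	c.Assert(err, checker.IsNil, check.Commentf("out: %v", out))
+
+	spec := getSpec()
+	c.Assert(spec.CAConfig.NodeCertExpiry, checker.Equals, 30*time.Hour)
+	c.Assert(spec.Dispatcher.HeartbeatPeriod, checker.Equals, uint64(11*time.Second))
+
+	c.Assert(spec.AcceptancePolicy.Policies, checker.HasLen, 2)
+
+	for _, p := range spec.AcceptancePolicy.Policies {
+		c.Assert(p.Autoaccept, checker.Equals, true)
+		c.Assert(p.Secret, checker.NotNil)
+		c.Assert(*p.Secret, checker.Not(checker.Equals), "")
+	}
+
+	out, err = d.Cmd("swarm", "update", "--auto-accept", "none")
+	c.Assert(err, checker.IsNil, check.Commentf("out: %v", out))
+
+	spec = getSpec()
+	c.Assert(spec.CAConfig.NodeCertExpiry, checker.Equals, 30*time.Hour)
+	c.Assert(spec.Dispatcher.HeartbeatPeriod, checker.Equals, uint64(11*time.Second))
+
+	c.Assert(spec.AcceptancePolicy.Policies, checker.HasLen, 2)
+
+	for _, p := range spec.AcceptancePolicy.Policies {
+		c.Assert(p.Autoaccept, checker.Equals, false)
+		// secret is still set
+		c.Assert(p.Secret, checker.NotNil)
+		c.Assert(*p.Secret, checker.Not(checker.Equals), "")
+	}
+
+	out, err = d.Cmd("swarm", "update", "--auto-accept", "manager", "--secret", "")
+	c.Assert(err, checker.IsNil, check.Commentf("out: %v", out))
+
+	spec = getSpec()
+
+	c.Assert(spec.AcceptancePolicy.Policies, checker.HasLen, 2)
+
+	for _, p := range spec.AcceptancePolicy.Policies {
+		c.Assert(p.Autoaccept, checker.Equals, p.Role == swarm.NodeRoleManager)
+		// secret has been removed
+		c.Assert(p.Secret, checker.IsNil)
+	}
+
+	// setting anything under 30m for cert-expiry is not allowed
+	out, err = d.Cmd("swarm", "update", "--cert-expiry", "15m")
+	c.Assert(err, checker.NotNil)
+	c.Assert(out, checker.Contains, "minimum certificate expiry time")
+	spec = getSpec()
+	c.Assert(spec.CAConfig.NodeCertExpiry, checker.Equals, 30*time.Hour)
+}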
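Review bot: TestSwarmUpdate has no doc comment saying what it covers; add `// TestSwarmUpdate verifies that swarm update applies cert-expiry, dispatcher-heartbeat, auto-accept and secret, and that a cert-expiry below the daemon minimum is rejected without changing the stored spec.` The rejection case at the end matches the daemon's message substring `minimum certificate expiry time` and exercises only 15m, so the bound the preceding comment names (30m) is itself untested; a further `swarm update --cert-expiry 30m` call expected to succeed would pin whether the limit is inclusive. The secret assertions only check that a non-empty value is stored rather than comparing it with `foo`; if that is because the stored form is not the plain-text value, a one-line comment saying so would keep the next maintainer from "strengthening" the check incorrectly.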