DockerCLI/cli/command/swarm/ca.go

package swarm

import (
	"fmt"
	"io"
	"strings"

	"golang.org/x/net/context"

	"io/ioutil"

	"github.com/docker/cli/cli"
	"github.com/docker/cli/cli/command"
	"github.com/docker/cli/cli/command/swarm/progress"
	"github.com/docker/docker/api/types/swarm"
	"github.com/docker/docker/pkg/jsonmessage"
	"github.com/spf13/cobra"
	"github.com/spf13/pflag"
)

type caOptions struct {
	swarmOptions
	rootCACert PEMFile
	rootCAKey  PEMFile
	rotate     bool
	detach     bool
	quiet      bool
}

func newRotateCACommand(dockerCli command.Cli) *cobra.Command {
	opts := caOptions{}

	cmd := &cobra.Command{
		Use:   "ca [OPTIONS]",
		Short: "Manage root CA",
		Args:  cli.NoArgs,
		RunE: func(cmd *cobra.Command, args []string) error {
			return runRotateCA(dockerCli, cmd.Flags(), opts)
		},
		Tags: map[string]string{"version": "1.30"},
	}

	flags := cmd.Flags()
	addSwarmCAFlags(flags, &opts.swarmOptions)
	flags.BoolVar(&opts.rotate, flagRotate, false, "Rotate the swarm CA - if no certificate or key are provided, new ones will be generated")
	flags.Var(&opts.rootCACert, flagCACert, "Path to the PEM-formatted root CA certificate to use for the new cluster")
	flags.Var(&opts.rootCAKey, flagCAKey, "Path to the PEM-formatted root CA key to use for the new cluster")

	flags.BoolVarP(&opts.detach, "detach", "d", false, "Exit immediately instead of waiting for the root rotation to converge")
	flags.BoolVarP(&opts.quiet, "quiet", "q", false, "Suppress progress output")
	return cmd
}

func runRotateCA(dockerCli command.Cli, flags *pflag.FlagSet, opts caOptions) error {
	client := dockerCli.Client()
	ctx := context.Background()

	swarmInspect, err := client.SwarmInspect(ctx)
	if err != nil {
		return err
	}

	if !opts.rotate {
		for _, f := range []string{flagCACert, flagCAKey, flagCACert, flagExternalCA} {
			if flags.Changed(f) {
				return fmt.Errorf("`--%s` flag requires the `--rotate` flag to update the CA", f)
			}
		}
		if swarmInspect.ClusterInfo.TLSInfo.TrustRoot == "" {
			fmt.Fprintln(dockerCli.Out(), "No CA information available")
		} else {
			fmt.Fprintln(dockerCli.Out(), strings.TrimSpace(swarmInspect.ClusterInfo.TLSInfo.TrustRoot))
		}
		return nil
	}

	genRootCA := true
	spec := &swarmInspect.Spec
	opts.mergeSwarmSpec(spec, flags) // updates the spec given the cert expiry or external CA flag
	if flags.Changed(flagCACert) {
		spec.CAConfig.SigningCACert = opts.rootCACert.Contents()
		genRootCA = false
	}
	if flags.Changed(flagCAKey) {
		spec.CAConfig.SigningCAKey = opts.rootCAKey.Contents()
		genRootCA = false
	}
	if genRootCA {
		spec.CAConfig.ForceRotate++
		spec.CAConfig.SigningCACert = ""
		spec.CAConfig.SigningCAKey = ""
	}

	if err := client.SwarmUpdate(ctx, swarmInspect.Version, swarmInspect.Spec, swarm.UpdateFlags{}); err != nil {
		return err
	}

	if opts.detach {
		return nil
	}

	errChan := make(chan error, 1)
	pipeReader, pipeWriter := io.Pipe()

	go func() {
		errChan <- progress.RootRotationProgress(ctx, client, pipeWriter)
	}()

	if opts.quiet {
		go io.Copy(ioutil.Discard, pipeReader)
		return <-errChan
	}

	err = jsonmessage.DisplayJSONMessagesToStream(pipeReader, dockerCli.Out(), nil)
	if err == nil {
		err = <-errChan
	}
	if err != nil {
		return err
	}

	swarmInspect, err = client.SwarmInspect(ctx)
	if err != nil {
		return err
	}

	if swarmInspect.ClusterInfo.TLSInfo.TrustRoot == "" {
		fmt.Fprintln(dockerCli.Out(), "No CA information available")
	} else {
		fmt.Fprintln(dockerCli.Out(), strings.TrimSpace(swarmInspect.ClusterInfo.TLSInfo.TrustRoot))
	}
	return nil
}
Provide command line tool to view and rotate swarm's currently CA root certificate. Signed-off-by: Ying Li <ying.li@docker.com> 2017-05-08 17:37:36 -04:00			`package swarm`

			`import (`
			`"fmt"`
			`"io"`
			`"strings"`

			`"golang.org/x/net/context"`

			`"io/ioutil"`

			`"github.com/docker/cli/cli"`
			`"github.com/docker/cli/cli/command"`
			`"github.com/docker/cli/cli/command/swarm/progress"`
			`"github.com/docker/docker/api/types/swarm"`
			`"github.com/docker/docker/pkg/jsonmessage"`
			`"github.com/spf13/cobra"`
			`"github.com/spf13/pflag"`
			`)`

			`type caOptions struct {`
			`swarmOptions`
			`rootCACert PEMFile`
			`rootCAKey PEMFile`
			`rotate bool`
			`detach bool`
			`quiet bool`
			`}`

			`func newRotateCACommand(dockerCli command.Cli) *cobra.Command {`
			`opts := caOptions{}`

			`cmd := &cobra.Command{`
			`Use: "ca [OPTIONS]",`
			`Short: "Manage root CA",`
			`Args: cli.NoArgs,`
			`RunE: func(cmd *cobra.Command, args []string) error {`
			`return runRotateCA(dockerCli, cmd.Flags(), opts)`
			`},`
			`Tags: map[string]string{"version": "1.30"},`
			`}`

			`flags := cmd.Flags()`
			`addSwarmCAFlags(flags, &opts.swarmOptions)`
			`flags.BoolVar(&opts.rotate, flagRotate, false, "Rotate the swarm CA - if no certificate or key are provided, new ones will be generated")`
			`flags.Var(&opts.rootCACert, flagCACert, "Path to the PEM-formatted root CA certificate to use for the new cluster")`
			`flags.Var(&opts.rootCAKey, flagCAKey, "Path to the PEM-formatted root CA key to use for the new cluster")`

			`flags.BoolVarP(&opts.detach, "detach", "d", false, "Exit immediately instead of waiting for the root rotation to converge")`
			`flags.BoolVarP(&opts.quiet, "quiet", "q", false, "Suppress progress output")`
			`return cmd`
			`}`

			`func runRotateCA(dockerCli command.Cli, flags *pflag.FlagSet, opts caOptions) error {`
			`client := dockerCli.Client()`
			`ctx := context.Background()`

			`swarmInspect, err := client.SwarmInspect(ctx)`
			`if err != nil {`
			`return err`
			`}`

			`if !opts.rotate {`
If `docker swarm ca` is not called with the `--rotate` flag, the other flags, including cert expiry, will be ignored, so warn if a user attempts to use `docker swarm ca --cert-expiry` or something. Signed-off-by: Ying Li <ying.li@docker.com> 2017-06-19 16:34:18 -04:00			`for _, f := range []string{flagCACert, flagCAKey, flagCACert, flagExternalCA} {`
			`if flags.Changed(f) {`
			return fmt.Errorf("`--%s` flag requires the `--rotate` flag to update the CA", f)
			`}`
			`}`
Provide command line tool to view and rotate swarm's currently CA root certificate. Signed-off-by: Ying Li <ying.li@docker.com> 2017-05-08 17:37:36 -04:00			`if swarmInspect.ClusterInfo.TLSInfo.TrustRoot == "" {`
			`fmt.Fprintln(dockerCli.Out(), "No CA information available")`
			`} else {`
			`fmt.Fprintln(dockerCli.Out(), strings.TrimSpace(swarmInspect.ClusterInfo.TLSInfo.TrustRoot))`
			`}`
			`return nil`
			`}`

			`genRootCA := true`
			`spec := &swarmInspect.Spec`
If `docker swarm ca` is not called with the `--rotate` flag, the other flags, including cert expiry, will be ignored, so warn if a user attempts to use `docker swarm ca --cert-expiry` or something. Signed-off-by: Ying Li <ying.li@docker.com> 2017-06-19 16:34:18 -04:00			`opts.mergeSwarmSpec(spec, flags) // updates the spec given the cert expiry or external CA flag`
Provide command line tool to view and rotate swarm's currently CA root certificate. Signed-off-by: Ying Li <ying.li@docker.com> 2017-05-08 17:37:36 -04:00			`if flags.Changed(flagCACert) {`
			`spec.CAConfig.SigningCACert = opts.rootCACert.Contents()`
			`genRootCA = false`
			`}`
			`if flags.Changed(flagCAKey) {`
			`spec.CAConfig.SigningCAKey = opts.rootCAKey.Contents()`
			`genRootCA = false`
			`}`
			`if genRootCA {`
			`spec.CAConfig.ForceRotate++`
			`spec.CAConfig.SigningCACert = ""`
			`spec.CAConfig.SigningCAKey = ""`
			`}`

			`if err := client.SwarmUpdate(ctx, swarmInspect.Version, swarmInspect.Spec, swarm.UpdateFlags{}); err != nil {`
			`return err`
			`}`

			`if opts.detach {`
			`return nil`
			`}`

			`errChan := make(chan error, 1)`
			`pipeReader, pipeWriter := io.Pipe()`

			`go func() {`
			`errChan <- progress.RootRotationProgress(ctx, client, pipeWriter)`
			`}()`

			`if opts.quiet {`
Avoid loop when discarding contents of progress pipe Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2017-05-16 17:32:29 -04:00			`go io.Copy(ioutil.Discard, pipeReader)`
Provide command line tool to view and rotate swarm's currently CA root certificate. Signed-off-by: Ying Li <ying.li@docker.com> 2017-05-08 17:37:36 -04:00			`return <-errChan`
			`}`

			`err = jsonmessage.DisplayJSONMessagesToStream(pipeReader, dockerCli.Out(), nil)`
			`if err == nil {`
			`err = <-errChan`
			`}`
			`if err != nil {`
			`return err`
			`}`

			`swarmInspect, err = client.SwarmInspect(ctx)`
			`if err != nil {`
			`return err`
			`}`

			`if swarmInspect.ClusterInfo.TLSInfo.TrustRoot == "" {`
			`fmt.Fprintln(dockerCli.Out(), "No CA information available")`
			`} else {`
			`fmt.Fprintln(dockerCli.Out(), strings.TrimSpace(swarmInspect.ClusterInfo.TLSInfo.TrustRoot))`
			`}`
			`return nil`
			`}`