2016-12-25 16:23:35 -05:00
|
|
|
package swarm
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"fmt"
|
|
|
|
|
"io/ioutil"
|
|
|
|
|
"testing"
|
|
|
|
|
"time"
|
|
|
|
|
|
2017-08-21 16:30:09 -04:00
|
|
|
"github.com/docker/cli/internal/test"
|
2016-12-25 16:23:35 -05:00
|
|
|
"github.com/docker/docker/api/types"
|
|
|
|
|
"github.com/docker/docker/api/types/swarm"
|
2017-03-09 13:23:45 -05:00
|
|
|
"github.com/pkg/errors"
|
Propagate the provided external CA certificate to the external CA object
in swarm.
Also, fix some CLI command confusions:
1. If the --external-ca flag is provided, require a --ca-cert flag as well, otherwise
the external CA is set but the CA certificate is actually rotated to an internal
cert
2. If a --ca-cert flag is provided, require a --ca-key or --external-ca flag be
provided as well, otherwise either the server will say that the request is
invalid, or if there was previously an external CA corresponding to the cert, it
will succeed. While that works, it's better to require the user to explicitly
set all the parameters of the new desired root CA.
This also changes the `swarm update` function to set the external CA's CACert field,
which while not strictly necessary, makes the CA list more explicit.
Signed-off-by: Ying Li <ying.li@docker.com>
2018-07-02 19:53:23 -04:00
|
|
|
|
2016-12-25 16:23:35 -05:00
|
|
|
// Import builders to get the builder function as package function
|
2017-08-21 16:30:09 -04:00
|
|
|
. "github.com/docker/cli/internal/test/builders"
|
2018-06-08 12:24:26 -04:00
|
|
|
"gotest.tools/assert"
|
|
|
|
|
"gotest.tools/golden"
|
2016-12-25 16:23:35 -05:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
func TestSwarmUpdateErrors(t *testing.T) {
|
|
|
|
|
testCases := []struct {
|
|
|
|
|
name string
|
|
|
|
|
args []string
|
|
|
|
|
flags map[string]string
|
|
|
|
|
swarmInspectFunc func() (swarm.Swarm, error)
|
|
|
|
|
swarmUpdateFunc func(swarm swarm.Spec, flags swarm.UpdateFlags) error
|
|
|
|
|
swarmGetUnlockKeyFunc func() (types.SwarmUnlockKeyResponse, error)
|
|
|
|
|
expectedError string
|
|
|
|
|
}{
|
|
|
|
|
{
|
|
|
|
|
name: "too-many-args",
|
|
|
|
|
args: []string{"foo"},
|
2017-08-12 12:25:38 -04:00
|
|
|
expectedError: "accepts no arguments",
|
2016-12-25 16:23:35 -05:00
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
name: "swarm-inspect-error",
|
|
|
|
|
flags: map[string]string{
|
|
|
|
|
flagTaskHistoryLimit: "10",
|
|
|
|
|
},
|
|
|
|
|
swarmInspectFunc: func() (swarm.Swarm, error) {
|
2017-03-09 13:23:45 -05:00
|
|
|
return swarm.Swarm{}, errors.Errorf("error inspecting the swarm")
|
2016-12-25 16:23:35 -05:00
|
|
|
},
|
|
|
|
|
expectedError: "error inspecting the swarm",
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
name: "swarm-update-error",
|
|
|
|
|
flags: map[string]string{
|
|
|
|
|
flagTaskHistoryLimit: "10",
|
|
|
|
|
},
|
|
|
|
|
swarmUpdateFunc: func(swarm swarm.Spec, flags swarm.UpdateFlags) error {
|
2017-03-09 13:23:45 -05:00
|
|
|
return errors.Errorf("error updating the swarm")
|
2016-12-25 16:23:35 -05:00
|
|
|
},
|
|
|
|
|
expectedError: "error updating the swarm",
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
name: "swarm-unlockkey-error",
|
|
|
|
|
flags: map[string]string{
|
|
|
|
|
flagAutolock: "true",
|
|
|
|
|
},
|
|
|
|
|
swarmInspectFunc: func() (swarm.Swarm, error) {
|
|
|
|
|
return *Swarm(), nil
|
|
|
|
|
},
|
|
|
|
|
swarmGetUnlockKeyFunc: func() (types.SwarmUnlockKeyResponse, error) {
|
2017-03-09 13:23:45 -05:00
|
|
|
return types.SwarmUnlockKeyResponse{}, errors.Errorf("error getting unlock key")
|
2016-12-25 16:23:35 -05:00
|
|
|
},
|
|
|
|
|
expectedError: "error getting unlock key",
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
for _, tc := range testCases {
|
|
|
|
|
cmd := newUpdateCommand(
|
2017-07-05 14:43:39 -04:00
|
|
|
test.NewFakeCli(&fakeClient{
|
2016-12-25 16:23:35 -05:00
|
|
|
swarmInspectFunc: tc.swarmInspectFunc,
|
|
|
|
|
swarmUpdateFunc: tc.swarmUpdateFunc,
|
|
|
|
|
swarmGetUnlockKeyFunc: tc.swarmGetUnlockKeyFunc,
|
2017-07-05 14:43:39 -04:00
|
|
|
}))
|
2016-12-25 16:23:35 -05:00
|
|
|
cmd.SetArgs(tc.args)
|
|
|
|
|
for key, value := range tc.flags {
|
|
|
|
|
cmd.Flags().Set(key, value)
|
|
|
|
|
}
|
|
|
|
|
cmd.SetOutput(ioutil.Discard)
|
2018-03-06 14:03:47 -05:00
|
|
|
assert.ErrorContains(t, cmd.Execute(), tc.expectedError)
|
2016-12-25 16:23:35 -05:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func TestSwarmUpdate(t *testing.T) {
|
Propagate the provided external CA certificate to the external CA object
in swarm.
Also, fix some CLI command confusions:
1. If the --external-ca flag is provided, require a --ca-cert flag as well, otherwise
the external CA is set but the CA certificate is actually rotated to an internal
cert
2. If a --ca-cert flag is provided, require a --ca-key or --external-ca flag be
provided as well, otherwise either the server will say that the request is
invalid, or if there was previously an external CA corresponding to the cert, it
will succeed. While that works, it's better to require the user to explicitly
set all the parameters of the new desired root CA.
This also changes the `swarm update` function to set the external CA's CACert field,
which while not strictly necessary, makes the CA list more explicit.
Signed-off-by: Ying Li <ying.li@docker.com>
2018-07-02 19:53:23 -04:00
|
|
|
swarmInfo := Swarm()
|
|
|
|
|
swarmInfo.ClusterInfo.TLSInfo.TrustRoot = "trustroot"
|
|
|
|
|
|
2016-12-25 16:23:35 -05:00
|
|
|
testCases := []struct {
|
|
|
|
|
name string
|
|
|
|
|
args []string
|
|
|
|
|
flags map[string]string
|
|
|
|
|
swarmInspectFunc func() (swarm.Swarm, error)
|
|
|
|
|
swarmUpdateFunc func(swarm swarm.Spec, flags swarm.UpdateFlags) error
|
|
|
|
|
swarmGetUnlockKeyFunc func() (types.SwarmUnlockKeyResponse, error)
|
|
|
|
|
}{
|
|
|
|
|
{
|
|
|
|
|
name: "noargs",
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
name: "all-flags-quiet",
|
|
|
|
|
flags: map[string]string{
|
|
|
|
|
flagTaskHistoryLimit: "10",
|
|
|
|
|
flagDispatcherHeartbeat: "10s",
|
|
|
|
|
flagCertExpiry: "20s",
|
|
|
|
|
flagExternalCA: "protocol=cfssl,url=https://example.com.",
|
|
|
|
|
flagMaxSnapshots: "10",
|
|
|
|
|
flagSnapshotInterval: "100",
|
|
|
|
|
flagAutolock: "true",
|
|
|
|
|
flagQuiet: "true",
|
|
|
|
|
},
|
Propagate the provided external CA certificate to the external CA object
in swarm.
Also, fix some CLI command confusions:
1. If the --external-ca flag is provided, require a --ca-cert flag as well, otherwise
the external CA is set but the CA certificate is actually rotated to an internal
cert
2. If a --ca-cert flag is provided, require a --ca-key or --external-ca flag be
provided as well, otherwise either the server will say that the request is
invalid, or if there was previously an external CA corresponding to the cert, it
will succeed. While that works, it's better to require the user to explicitly
set all the parameters of the new desired root CA.
This also changes the `swarm update` function to set the external CA's CACert field,
which while not strictly necessary, makes the CA list more explicit.
Signed-off-by: Ying Li <ying.li@docker.com>
2018-07-02 19:53:23 -04:00
|
|
|
swarmInspectFunc: func() (swarm.Swarm, error) {
|
|
|
|
|
return *swarmInfo, nil
|
|
|
|
|
},
|
2016-12-25 16:23:35 -05:00
|
|
|
swarmUpdateFunc: func(swarm swarm.Spec, flags swarm.UpdateFlags) error {
|
|
|
|
|
if *swarm.Orchestration.TaskHistoryRetentionLimit != 10 {
|
2017-03-09 13:23:45 -05:00
|
|
|
return errors.Errorf("historyLimit not correctly set")
|
2016-12-25 16:23:35 -05:00
|
|
|
}
|
|
|
|
|
heartbeatDuration, err := time.ParseDuration("10s")
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
if swarm.Dispatcher.HeartbeatPeriod != heartbeatDuration {
|
2017-03-09 13:23:45 -05:00
|
|
|
return errors.Errorf("heartbeatPeriodLimit not correctly set")
|
2016-12-25 16:23:35 -05:00
|
|
|
}
|
|
|
|
|
certExpiryDuration, err := time.ParseDuration("20s")
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
if swarm.CAConfig.NodeCertExpiry != certExpiryDuration {
|
2017-03-09 13:23:45 -05:00
|
|
|
return errors.Errorf("certExpiry not correctly set")
|
2016-12-25 16:23:35 -05:00
|
|
|
}
|
Propagate the provided external CA certificate to the external CA object
in swarm.
Also, fix some CLI command confusions:
1. If the --external-ca flag is provided, require a --ca-cert flag as well, otherwise
the external CA is set but the CA certificate is actually rotated to an internal
cert
2. If a --ca-cert flag is provided, require a --ca-key or --external-ca flag be
provided as well, otherwise either the server will say that the request is
invalid, or if there was previously an external CA corresponding to the cert, it
will succeed. While that works, it's better to require the user to explicitly
set all the parameters of the new desired root CA.
This also changes the `swarm update` function to set the external CA's CACert field,
which while not strictly necessary, makes the CA list more explicit.
Signed-off-by: Ying Li <ying.li@docker.com>
2018-07-02 19:53:23 -04:00
|
|
|
if len(swarm.CAConfig.ExternalCAs) != 1 || swarm.CAConfig.ExternalCAs[0].CACert != "trustroot" {
|
2017-03-09 13:23:45 -05:00
|
|
|
return errors.Errorf("externalCA not correctly set")
|
2016-12-25 16:23:35 -05:00
|
|
|
}
|
|
|
|
|
if *swarm.Raft.KeepOldSnapshots != 10 {
|
2017-03-09 13:23:45 -05:00
|
|
|
return errors.Errorf("keepOldSnapshots not correctly set")
|
2016-12-25 16:23:35 -05:00
|
|
|
}
|
|
|
|
|
if swarm.Raft.SnapshotInterval != 100 {
|
2017-03-09 13:23:45 -05:00
|
|
|
return errors.Errorf("snapshotInterval not correctly set")
|
2016-12-25 16:23:35 -05:00
|
|
|
}
|
|
|
|
|
if !swarm.EncryptionConfig.AutoLockManagers {
|
2017-03-09 13:23:45 -05:00
|
|
|
return errors.Errorf("autolock not correctly set")
|
2016-12-25 16:23:35 -05:00
|
|
|
}
|
|
|
|
|
return nil
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
name: "autolock-unlock-key",
|
|
|
|
|
flags: map[string]string{
|
|
|
|
|
flagTaskHistoryLimit: "10",
|
|
|
|
|
flagAutolock: "true",
|
|
|
|
|
},
|
|
|
|
|
swarmUpdateFunc: func(swarm swarm.Spec, flags swarm.UpdateFlags) error {
|
|
|
|
|
if *swarm.Orchestration.TaskHistoryRetentionLimit != 10 {
|
2017-03-09 13:23:45 -05:00
|
|
|
return errors.Errorf("historyLimit not correctly set")
|
2016-12-25 16:23:35 -05:00
|
|
|
}
|
|
|
|
|
return nil
|
|
|
|
|
},
|
|
|
|
|
swarmInspectFunc: func() (swarm.Swarm, error) {
|
|
|
|
|
return *Swarm(), nil
|
|
|
|
|
},
|
|
|
|
|
swarmGetUnlockKeyFunc: func() (types.SwarmUnlockKeyResponse, error) {
|
|
|
|
|
return types.SwarmUnlockKeyResponse{
|
|
|
|
|
UnlockKey: "unlock-key",
|
|
|
|
|
}, nil
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
for _, tc := range testCases {
|
2017-07-05 14:43:39 -04:00
|
|
|
cli := test.NewFakeCli(&fakeClient{
|
|
|
|
|
swarmInspectFunc: tc.swarmInspectFunc,
|
|
|
|
|
swarmUpdateFunc: tc.swarmUpdateFunc,
|
|
|
|
|
swarmGetUnlockKeyFunc: tc.swarmGetUnlockKeyFunc,
|
|
|
|
|
})
|
|
|
|
|
cmd := newUpdateCommand(cli)
|
2016-12-25 16:23:35 -05:00
|
|
|
cmd.SetArgs(tc.args)
|
|
|
|
|
for key, value := range tc.flags {
|
|
|
|
|
cmd.Flags().Set(key, value)
|
|
|
|
|
}
|
2017-07-05 14:43:39 -04:00
|
|
|
cmd.SetOutput(cli.OutBuffer())
|
2018-03-06 15:13:00 -05:00
|
|
|
assert.NilError(t, cmd.Execute())
|
2017-08-16 13:48:31 -04:00
|
|
|
golden.Assert(t, cli.OutBuffer().String(), fmt.Sprintf("update-%s.golden", tc.name))
|
2016-12-25 16:23:35 -05:00
|
|
|
}
|
|
|
|
|
}
|
