From 32b43bc21a053cbe566feefd3c54def739d40bfe Mon Sep 17 00:00:00 2001
From: Ying Li
Date: Mon, 19 Jun 2017 13:34:18 -0700
Subject: [PATCH] If `docker swarm ca` is not called with the `--rotate` flag, the other flags, including cert expiry, will be ignored, so warn if a user attempts to use `docker swarm ca --cert-expiry` or something.
Signed-off-by: Ying Li
---
 cli/command/swarm/ca.go | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/cli/command/swarm/ca.go b/cli/command/swarm/ca.go
index fab0929b64..2f01ab4da4 100644
--- a/cli/command/swarm/ca.go
+++ b/cli/command/swarm/ca.go
@@ -61,6 +61,11 @@ func runRotateCA(dockerCli command.Cli, flags *pflag.FlagSet, opts caOptions) er
 }
 if !opts.rotate {
+ for _, f := range []string{flagCACert, flagCAKey, flagCACert, flagExternalCA} {
+ if flags.Changed(f) {
+ return fmt.Errorf("`--%s` flag requires the `--rotate` flag to update the CA", f)
+ }
+ }
 if swarmInspect.ClusterInfo.TLSInfo.TrustRoot == "" {
 fmt.Fprintln(dockerCli.Out(), "No CA information available")
 } else {
@@ -71,7 +76,7 @@ func runRotateCA(dockerCli command.Cli, flags *pflag.FlagSet, opts caOptions) er
 genRootCA := true
 spec := &swarmInspect.Spec
- opts.mergeSwarmSpec(spec, flags)
+ opts.mergeSwarmSpec(spec, flags) // updates the spec given the cert expiry or external CA flag
 if flags.Changed(flagCACert) {
 spec.CAConfig.SigningCACert = opts.rootCACert.Contents()
 genRootCA = false
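Review bot: The flag list in the new `!opts.rotate` guard names `flagCACert` twice and never the cert-expiry flag, so `docker swarm ca --cert-expiry ...` without `--rotate` still falls through to printing the CA and exits successfully, which is the exact case the commit message sets out to reject. An operator who believes they have shortened node certificate validity gets no signal that nothing changed. The second `flagCACert` was presumably meant to be the expiry constant: `for _, f := range []string{flagCACert, flagCAKey, flagCertExpiry, flagExternalCA} {`. The diffstat touches only ca.go, so a test with one case per flag asserting the returned error would catch a duplicate like this. runRotateCA begins and continues outside the hunk.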