Skip to content

swarm/init: Fix --external-ca ignoring cacert option #5995

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

swarm/init: Fix --external-ca ignoring cacert option #5995

wants to merge 2 commits into from

Conversation

vvoland
Copy link
Collaborator

@vvoland vvoland commented Apr 9, 2025
edited
Loading

- What I did
31d6292 mistakenly changed the ToSpec function to set all certs passed via external-ca to empty strings.

- How I did it

- How to verify it

  • TestSwarmUpdate on in moby integration-cli
  • TestSwarmInitWithExternalCA

Before:

$ go test -run TestSwarmInitWithExternalCA
--- FAIL: TestSwarmInitWithExternalCA (0.00s)
    init_test.go:143: assertion failed: 
        --- req.Spec.CAConfig.ExternalCAs[0].CACert
        +++ cert
        @@ -1 +1,13 @@
        -
        +
        +-----BEGIN CERTIFICATE-----
        +MIIBuDCCAV4CCQDOqUYOWdqMdjAKBggqhkjOPQQDAzBjMQswCQYDVQQGEwJVUzEL
        +MAkGA1UECAwCQ0ExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDzANBgNVBAoMBkRv
        +Y2tlcjEPMA0GA1UECwwGRG9ja2VyMQ0wCwYDVQQDDARUZXN0MCAXDTE4MDcwMjIx
        +MjkxOFoYDzMwMTcxMTAyMjEyOTE4WjBjMQswCQYDVQQGEwJVUzELMAkGA1UECAwC
        +Q0ExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDzANBgNVBAoMBkRvY2tlcjEPMA0G
        +A1UECwwGRG9ja2VyMQ0wCwYDVQQDDARUZXN0MFkwEwYHKoZIzj0CAQYIKoZIzj0D
        +AQcDQgAEgvvZl5Vqpr1e+g5IhoU6TZHgRau+BZETVFTmqyWYajA/mooRQ1MZTozu
        +s9ZZZA8tzUhIqS36gsFuyIZ4YiAlyjAKBggqhkjOPQQDAwNIADBFAiBQ7pCPQrj8
        +8zaItMf0pk8j1NU5XrFqFEZICzvjzUJQBAIhAKq2gFwoTn8KH+cAAXZpAGJPmOsT
        +zsBT8gBAOHhNA6/2
        +-----END CERTIFICATE-----
        
FAIL
exit status 1
FAIL	github.com/docker/cli/cli/command/swarm	0.381s

After

$ go test -run TestSwarmInitWithExternalCA 
PASS
ok  	github.com/docker/cli/cli/command/swarm	1.009

- Human readable description for the release notes

- Fix `docker swarm init` ignoring `cacert` option of `--external-ca` .

- A picture of a cute animal (not mandatory but encouraged)
@vvoland vvoland added this to the 28.1.0 milestone Apr 9, 2025
@vvoland
Copy link
Collaborator Author

vvoland commented Apr 9, 2025

Am I wrong here, or has this been broken for 7 years and nobody noticed? 🤣
@vvoland
swarm/init: Test init --external-ca with custom cert
a0385bf 
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
@vvoland vvoland force-pushed the swarm-init-cacert branch from f341ce3 to a5aa4c5 Compare April 9, 2025 14:56
@vvoland vvoland mentioned this pull request Apr 9, 2025
Merged
@codecov-commenter
Copy link

codecov-commenter commented Apr 9, 2025
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 59.11%. Comparing base (6714b50) to head (6c2d023).
Report is 13 commits behind head on master.

Additional details and impacted files 
@@            Coverage Diff             @@
##           master    #5995      +/-   ##
==========================================
- Coverage   59.12%   59.11%   -0.02%     
==========================================
  Files         355      355              
  Lines       29740    29753      +13     
==========================================
+ Hits        17583    17587       +4     
- Misses      11182    11188       +6     
- Partials      975      978       +3
🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
@vvoland vvoland force-pushed the swarm-init-cacert branch from a5aa4c5 to e41ef5b Compare April 9, 2025 15:00
@thaJeztah
Copy link
Member

Am I wrong here, or has this been broken for 7 years and nobody noticed? 🤣

Oh, someone noticed,

(and there's a couple of, now archived, internal issues tracking it); ISTR there was a security-related issue attached at some point, and there was some discussion whether the feature had to be restored or removed, and that's where things got stuck.
@vvoland
Copy link
Collaborator Author

vvoland commented Apr 10, 2025

Actually this isn't the same issue - the PRs you mention deal with the first cert being empty instead of defaulting to the "Trusted CA Root".

This PR is about the second cert which the CLI doesn't even pass to the swarm.
@vvoland
swarm/init: Fix --external-ca ignoring cacert option
6c2d023 
31d6292 mistakenly changed the `ToSpec`
function to set all certs passed via `external-ca` to empty strings.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
@vvoland vvoland force-pushed the swarm-init-cacert branch from e41ef5b to 6c2d023 Compare April 10, 2025 09:41
@vvoland vvoland self-assigned this Apr 10, 2025
@vvoland vvoland moved this to Up next in Maintainer spotlight Apr 10, 2025
@vvoland vvoland removed this from the 28.1.0 milestone Apr 10, 2025
@vvoland
Copy link
Collaborator Author

vvoland commented Apr 10, 2025

I'll leave it up to the Mirantis folks to decide what to do with this one.

cc @dperny @corhere
@thompson-shaun thompson-shaun moved this from Up next to Complete in Maintainer spotlight Apr 10, 2025
@thaJeztah thaJeztah moved this from Complete to Up next in Maintainer spotlight Apr 17, 2025
@thompson-shaun thompson-shaun requested a review from Copilot April 17, 2025 18:05
Copilot
Copilot AI reviewed Apr 17, 2025
View reviewed changes
Copy link

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot reviewed 5 out of 5 changed files in this pull request and generated no comments.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
area/swarm impact/changelog kind/bugfix PR's that fix bugs status/2-code-review
4 participants
@vvoland @codecov-commenter @thaJeztah @aepifanov