Skip to content

swarm/init: Fix --external-ca ignoring cacert option#5995

Merged
thaJeztah merged 2 commits intodocker:masterfrom
vvoland:swarm-init-cacert
May 21, 2025
Merged

swarm/init: Fix --external-ca ignoring cacert option#5995
thaJeztah merged 2 commits intodocker:masterfrom
vvoland:swarm-init-cacert

Conversation

@vvoland
Copy link
Collaborator

@vvoland vvoland commented Apr 9, 2025
edited
Loading

- What I did
31d6292 mistakenly changed the ToSpec function to set all certs passed via external-ca to empty strings.

- How I did it

- How to verify it

  • TestSwarmUpdate on in moby integration-cli
  • TestSwarmInitWithExternalCA

Before:

$ go test -run TestSwarmInitWithExternalCA
--- FAIL: TestSwarmInitWithExternalCA (0.00s)
    init_test.go:143: assertion failed: 
        --- req.Spec.CAConfig.ExternalCAs[0].CACert
        +++ cert
        @@ -1 +1,13 @@
        -
        +
        +-----BEGIN CERTIFICATE-----
        +MIIBuDCCAV4CCQDOqUYOWdqMdjAKBggqhkjOPQQDAzBjMQswCQYDVQQGEwJVUzEL
        +MAkGA1UECAwCQ0ExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDzANBgNVBAoMBkRv
        +Y2tlcjEPMA0GA1UECwwGRG9ja2VyMQ0wCwYDVQQDDARUZXN0MCAXDTE4MDcwMjIx
        +MjkxOFoYDzMwMTcxMTAyMjEyOTE4WjBjMQswCQYDVQQGEwJVUzELMAkGA1UECAwC
        +Q0ExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDzANBgNVBAoMBkRvY2tlcjEPMA0G
        +A1UECwwGRG9ja2VyMQ0wCwYDVQQDDARUZXN0MFkwEwYHKoZIzj0CAQYIKoZIzj0D
        +AQcDQgAEgvvZl5Vqpr1e+g5IhoU6TZHgRau+BZETVFTmqyWYajA/mooRQ1MZTozu
        +s9ZZZA8tzUhIqS36gsFuyIZ4YiAlyjAKBggqhkjOPQQDAwNIADBFAiBQ7pCPQrj8
        +8zaItMf0pk8j1NU5XrFqFEZICzvjzUJQBAIhAKq2gFwoTn8KH+cAAXZpAGJPmOsT
        +zsBT8gBAOHhNA6/2
        +-----END CERTIFICATE-----
        
FAIL
exit status 1
FAIL	github.com/docker/cli/cli/command/swarm	0.381s

After

$ go test -run TestSwarmInitWithExternalCA 
PASS
ok  	github.com/docker/cli/cli/command/swarm	1.009

- Human readable description for the release notes

- Fix `docker swarm init` ignoring `cacert` option of `--external-ca`.

- A picture of a cute animal (not mandatory but encouraged)

@vvoland vvoland added this to the 28.1.0 milestone Apr 9, 2025
@vvoland
Copy link
Collaborator Author

vvoland commented Apr 9, 2025

Am I wrong here, or has this been broken for 7 years and nobody noticed? 🤣

@vvoland
swarm/init: Test init --external-ca with custom cert
a0385bf 
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
@vvoland vvoland force-pushed the swarm-init-cacert branch from f341ce3 to a5aa4c5 Compare April 9, 2025 14:56
@vvoland vvoland mentioned this pull request Apr 9, 2025
Merged
@codecov-commenter
Copy link

codecov-commenter commented Apr 9, 2025
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

@vvoland vvoland force-pushed the swarm-init-cacert branch from a5aa4c5 to e41ef5b Compare April 9, 2025 15:00
@thaJeztah
Copy link
Member

thaJeztah commented Apr 9, 2025

Am I wrong here, or has this been broken for 7 years and nobody noticed? 🤣

Oh, someone noticed,

(and there's a couple of, now archived, internal issues tracking it); ISTR there was a security-related issue attached at some point, and there was some discussion whether the feature had to be restored or removed, and that's where things got stuck.

@vvoland
Copy link
Collaborator Author

vvoland commented Apr 10, 2025

Actually this isn't the same issue - the PRs you mention deal with the first cert being empty instead of defaulting to the "Trusted CA Root".

This PR is about the second cert which the CLI doesn't even pass to the swarm.

@vvoland
swarm/init: Fix --external-ca ignoring cacert option
6c2d023 
31d6292 mistakenly changed the `ToSpec`
function to set all certs passed via `external-ca` to empty strings.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
@vvoland vvoland force-pushed the swarm-init-cacert branch from e41ef5b to 6c2d023 Compare April 10, 2025 09:41
@vvoland vvoland self-assigned this Apr 10, 2025
@vvoland vvoland removed this from the 28.1.0 milestone Apr 10, 2025
@vvoland
Copy link
Collaborator Author

vvoland commented Apr 10, 2025

I'll leave it up to the Mirantis folks to decide what to do with this one.

cc @dperny @corhere

@thompson-shaun thompson-shaun moved this from Up next to Complete in 🔦 Maintainer spotlight Apr 10, 2025
@thaJeztah thaJeztah moved this from Complete to Up next in 🔦 Maintainer spotlight Apr 17, 2025
@thompson-shaun thompson-shaun requested a review from Copilot April 17, 2025 18:05
Copilot AI reviewed Apr 17, 2025
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot reviewed 5 out of 5 changed files in this pull request and generated no comments.

thaJeztah
thaJeztah approved these changes May 21, 2025
View reviewed changes
Copy link
Member

@thaJeztah thaJeztah left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

lets bring this one in

@thaJeztah thaJeztah merged commit 0ee20b8 into docker:master May 21, 2025
92 checks passed
@thaJeztah thaJeztah added this to the 28.2.0 milestone May 21, 2025
@vvoland vvoland moved this from Up next to Complete in 🔦 Maintainer spotlight May 22, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@thaJeztah thaJeztah thaJeztah approved these changes

+1 more reviewer

@aepifanov aepifanov aepifanov approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@vvoland vvoland

Labels

area/swarm impact/changelog kind/bugfix PR's that fix bugs status/2-code-review

Projects

None yet

Milestone

28.2.0

Development

Successfully merging this pull request may close these issues.

5 participants

@vvoland @codecov-commenter @thaJeztah @aepifanov