Merge pull request #5995 from vvoland/swarm-init-cacert

thaJeztah · web-flow · commit 0ee20b85430e · 2025-05-21T18:31:14.000+02:00
swarm/init: Fix `--external-ca` ignoring `cacert` option
diff --git a/cli/command/swarm/ca.go b/cli/command/swarm/ca.go
@@ -96,7 +96,7 @@ func runCA(ctx context.Context, dockerCli command.Cli, flags *pflag.FlagSet, opt
 func updateSwarmSpec(spec *swarm.Spec, flags *pflag.FlagSet, opts caOptions) {
 	caCert := opts.rootCACert.Contents()
 	caKey := opts.rootCAKey.Contents()
-	opts.mergeSwarmSpecCAFlags(spec, flags, caCert)
+	opts.mergeSwarmSpecCAFlags(spec, flags, &caCert)
 
 	spec.CAConfig.SigningCACert = caCert
 	spec.CAConfig.SigningCAKey = caKey
diff --git a/cli/command/swarm/client_test.go b/cli/command/swarm/client_test.go
@@ -11,7 +11,7 @@ import (
 type fakeClient struct {
 	client.Client
 	infoFunc              func() (system.Info, error)
-	swarmInitFunc         func() (string, error)
+	swarmInitFunc         func(req swarm.InitRequest) (string, error)
 	swarmInspectFunc      func() (swarm.Swarm, error)
 	nodeInspectFunc       func() (swarm.Node, []byte, error)
 	swarmGetUnlockKeyFunc func() (swarm.UnlockKeyResponse, error)
@@ -35,9 +35,9 @@ func (cli *fakeClient) NodeInspectWithRaw(context.Context, string) (swarm.Node,
 	return swarm.Node{}, []byte{}, nil
 }
 
-func (cli *fakeClient) SwarmInit(context.Context, swarm.InitRequest) (string, error) {
+func (cli *fakeClient) SwarmInit(_ context.Context, req swarm.InitRequest) (string, error) {
 	if cli.swarmInitFunc != nil {
-		return cli.swarmInitFunc()
+		return cli.swarmInitFunc(req)
 	}
 	return "", nil
 }
diff --git a/cli/command/swarm/init_test.go b/cli/command/swarm/init_test.go
@@ -4,34 +4,37 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"os"
+	"path/filepath"
 	"testing"
 
 	"github.com/docker/cli/internal/test"
 	"github.com/docker/docker/api/types/swarm"
 	"gotest.tools/v3/assert"
+	is "gotest.tools/v3/assert/cmp"
 	"gotest.tools/v3/golden"
 )
 
 func TestSwarmInitErrorOnAPIFailure(t *testing.T) {
 	testCases := []struct {
 		name                  string
 		flags                 map[string]string
-		swarmInitFunc         func() (string, error)
+		swarmInitFunc         func(swarm.InitRequest) (string, error)
 		swarmInspectFunc      func() (swarm.Swarm, error)
 		swarmGetUnlockKeyFunc func() (swarm.UnlockKeyResponse, error)
 		nodeInspectFunc       func() (swarm.Node, []byte, error)
 		expectedError         string
 	}{
 		{
 			name: "init-failed",
-			swarmInitFunc: func() (string, error) {
+			swarmInitFunc: func(swarm.InitRequest) (string, error) {
 				return "", errors.New("error initializing the swarm")
 			},
 			expectedError: "error initializing the swarm",
 		},
 		{
 			name: "init-failed-with-ip-choice",
-			swarmInitFunc: func() (string, error) {
+			swarmInitFunc: func(swarm.InitRequest) (string, error) {
 				return "", errors.New("could not choose an IP address to advertise")
 			},
 			expectedError: "could not choose an IP address to advertise - specify one with --advertise-addr",
@@ -85,14 +88,14 @@ func TestSwarmInit(t *testing.T) {
 	testCases := []struct {
 		name                  string
 		flags                 map[string]string
-		swarmInitFunc         func() (string, error)
+		swarmInitFunc         func(req swarm.InitRequest) (string, error)
 		swarmInspectFunc      func() (swarm.Swarm, error)
 		swarmGetUnlockKeyFunc func() (swarm.UnlockKeyResponse, error)
 		nodeInspectFunc       func() (swarm.Node, []byte, error)
 	}{
 		{
 			name: "init",
-			swarmInitFunc: func() (string, error) {
+			swarmInitFunc: func(swarm.InitRequest) (string, error) {
 				return "nodeID", nil
 			},
 		},
@@ -101,7 +104,7 @@ func TestSwarmInit(t *testing.T) {
 			flags: map[string]string{
 				flagAutolock: "true",
 			},
-			swarmInitFunc: func() (string, error) {
+			swarmInitFunc: func(swarm.InitRequest) (string, error) {
 				return "nodeID", nil
 			},
 			swarmGetUnlockKeyFunc: func() (swarm.UnlockKeyResponse, error) {
@@ -131,3 +134,28 @@ func TestSwarmInit(t *testing.T) {
 		})
 	}
 }
+
+func TestSwarmInitWithExternalCA(t *testing.T) {
+	cli := test.NewFakeCli(&fakeClient{
+		swarmInitFunc: func(req swarm.InitRequest) (string, error) {
+			if assert.Check(t, is.Len(req.Spec.CAConfig.ExternalCAs, 1)) {
+				assert.Equal(t, req.Spec.CAConfig.ExternalCAs[0].CACert, cert)
+				assert.Equal(t, req.Spec.CAConfig.ExternalCAs[0].Protocol, swarm.ExternalCAProtocolCFSSL)
+				assert.Equal(t, req.Spec.CAConfig.ExternalCAs[0].URL, "https://example.com")
+			}
+			return "nodeID", nil
+		},
+	})
+
+	tempDir := t.TempDir()
+	certFile := filepath.Join(tempDir, "cert.pem")
+	err := os.WriteFile(certFile, []byte(cert), 0o644)
+	assert.NilError(t, err)
+
+	cmd := newInitCommand(cli)
+	cmd.SetArgs([]string{})
+	cmd.SetOut(io.Discard)
+	cmd.SetErr(io.Discard)
+	assert.NilError(t, cmd.Flags().Set(flagExternalCA, "protocol=cfssl,url=https://example.com,cacert="+certFile))
+	assert.NilError(t, cmd.Execute())
+}
diff --git a/cli/command/swarm/opts.go b/cli/command/swarm/opts.go
@@ -231,7 +231,7 @@ func addSwarmFlags(flags *pflag.FlagSet, options *swarmOptions) {
 	addSwarmCAFlags(flags, &options.swarmCAOptions)
 }
 
-func (o *swarmOptions) mergeSwarmSpec(spec *swarm.Spec, flags *pflag.FlagSet, caCert string) {
+func (o *swarmOptions) mergeSwarmSpec(spec *swarm.Spec, flags *pflag.FlagSet, caCert *string) {
 	if flags.Changed(flagTaskHistoryLimit) {
 		spec.Orchestration.TaskHistoryRetentionLimit = &o.taskHistoryLimit
 	}
@@ -255,20 +255,24 @@ type swarmCAOptions struct {
 	externalCA     ExternalCAOption
 }
 
-func (o *swarmCAOptions) mergeSwarmSpecCAFlags(spec *swarm.Spec, flags *pflag.FlagSet, caCert string) {
+func (o *swarmCAOptions) mergeSwarmSpecCAFlags(spec *swarm.Spec, flags *pflag.FlagSet, caCert *string) {
 	if flags.Changed(flagCertExpiry) {
 		spec.CAConfig.NodeCertExpiry = o.nodeCertExpiry
 	}
 	if flags.Changed(flagExternalCA) {
 		spec.CAConfig.ExternalCAs = o.externalCA.Value()
-		for _, ca := range spec.CAConfig.ExternalCAs {
-			ca.CACert = caCert
+		if caCert != nil {
+			for _, ca := range spec.CAConfig.ExternalCAs {
+				if ca.CACert == "" {
+					ca.CACert = *caCert
+				}
+			}
 		}
 	}
 }
 
 func (o *swarmOptions) ToSpec(flags *pflag.FlagSet) swarm.Spec {
 	var spec swarm.Spec
-	o.mergeSwarmSpec(&spec, flags, "")
+	o.mergeSwarmSpec(&spec, flags, nil)
 	return spec
 }
diff --git a/cli/command/swarm/update.go b/cli/command/swarm/update.go
@@ -53,7 +53,7 @@ func runUpdate(ctx context.Context, dockerCli command.Cli, flags *pflag.FlagSet,
 
 	prevAutoLock := swarmInspect.Spec.EncryptionConfig.AutoLockManagers
 
-	opts.mergeSwarmSpec(&swarmInspect.Spec, flags, swarmInspect.ClusterInfo.TLSInfo.TrustRoot)
+	opts.mergeSwarmSpec(&swarmInspect.Spec, flags, &swarmInspect.ClusterInfo.TLSInfo.TrustRoot)
 
 	curAutoLock := swarmInspect.Spec.EncryptionConfig.AutoLockManagers
 

Original file line number	Diff line number	Diff line change
`@@ -11,7 +11,7 @@ import (`
`11`	`11`	`type fakeClient struct {`
`12`	`12`	`client.Client`
`13`	`13`	`infoFunc func() (system.Info, error)`
`14`		`- swarmInitFunc func() (string, error)`
	`14`	`+ swarmInitFunc func(req swarm.InitRequest) (string, error)`
`15`	`15`	`swarmInspectFunc func() (swarm.Swarm, error)`
`16`	`16`	`nodeInspectFunc func() (swarm.Node, []byte, error)`
`17`	`17`	`swarmGetUnlockKeyFunc func() (swarm.UnlockKeyResponse, error)`
`@@ -35,9 +35,9 @@ func (cli *fakeClient) NodeInspectWithRaw(context.Context, string) (swarm.Node,`
`35`	`35`	`return swarm.Node{}, []byte{}, nil`
`36`	`36`	`}`
`37`	`37`
`38`		`-func (cli *fakeClient) SwarmInit(context.Context, swarm.InitRequest) (string, error) {`
	`38`	`+func (cli *fakeClient) SwarmInit(_ context.Context, req swarm.InitRequest) (string, error) {`
`39`	`39`	`if cli.swarmInitFunc != nil {`
`40`		`- return cli.swarmInitFunc()`
	`40`	`+ return cli.swarmInitFunc(req)`
`41`	`41`	`}`
`42`	`42`	`return "", nil`
`43`	`43`	`}`
Original file line number	Diff line number	Diff line change
`@@ -231,7 +231,7 @@ func addSwarmFlags(flags pflag.FlagSet, options swarmOptions) {`
`231`	`231`	`addSwarmCAFlags(flags, &options.swarmCAOptions)`
`232`	`232`	`}`
`233`	`233`
`234`		`-func (o swarmOptions) mergeSwarmSpec(spec swarm.Spec, flags *pflag.FlagSet, caCert string) {`
	`234`	`+func (o swarmOptions) mergeSwarmSpec(spec swarm.Spec, flags pflag.FlagSet, caCert string) {`
`235`	`235`	`if flags.Changed(flagTaskHistoryLimit) {`
`236`	`236`	`spec.Orchestration.TaskHistoryRetentionLimit = &o.taskHistoryLimit`
`237`	`237`	`}`
`@@ -255,20 +255,24 @@ type swarmCAOptions struct {`
`255`	`255`	`externalCA ExternalCAOption`
`256`	`256`	`}`
`257`	`257`
`258`		`-func (o swarmCAOptions) mergeSwarmSpecCAFlags(spec swarm.Spec, flags *pflag.FlagSet, caCert string) {`
	`258`	`+func (o swarmCAOptions) mergeSwarmSpecCAFlags(spec swarm.Spec, flags pflag.FlagSet, caCert string) {`
`259`	`259`	`if flags.Changed(flagCertExpiry) {`
`260`	`260`	`spec.CAConfig.NodeCertExpiry = o.nodeCertExpiry`
`261`	`261`	`}`
`262`	`262`	`if flags.Changed(flagExternalCA) {`
`263`	`263`	`spec.CAConfig.ExternalCAs = o.externalCA.Value()`
`264`		`- for _, ca := range spec.CAConfig.ExternalCAs {`
`265`		`- ca.CACert = caCert`
	`264`	`+ if caCert != nil {`
	`265`	`+ for _, ca := range spec.CAConfig.ExternalCAs {`
	`266`	`+ if ca.CACert == "" {`
	`267`	`+ ca.CACert = *caCert`
	`268`	`+ }`
	`269`	`+ }`
`266`	`270`	`}`
`267`	`271`	`}`
`268`	`272`	`}`
`269`	`273`
`270`	`274`	`func (o swarmOptions) ToSpec(flags pflag.FlagSet) swarm.Spec {`
`271`	`275`	`var spec swarm.Spec`
`272`		`- o.mergeSwarmSpec(&spec, flags, "")`
	`276`	`+ o.mergeSwarmSpec(&spec, flags, nil)`
`273`	`277`	`return spec`
`274`	`278`	`}`