
Allow the external CAs to be removed entirely using the CLI#1179

Closed

cyli wants to merge 1 commit into docker:master from cyli:allow-unsetting-external-cas

Conversation

@cyli
Contributor

@cyli cyli commented Jul 3, 2018

Allow setting --external-ca to an empty string, to allow for removing
all external CAs entirely. This will help for instance if rotating
from a fully external CA to an internal CA (if the CA's cert and
key are already in the swarm for instance).

Signed-off-by: Ying Li <ying.li@docker.com>

cc @billmills

@thaJeztah
Member

Moving this back to design review for a bit; using an empty string to remove the external CA initially sounded dangerous to me (thinking of --external-ca=$MY_VAR_THAT_WASNT_SET); on the other hand, this is only on docker swarm update, correct? (so not a day-to-day command to be using)

@cyli
Contributor Author

cyli commented Jul 3, 2018

@thaJeztah swarm update and also swarm ca --rotate - you are definitely correct that having it set to an env var that's empty would be bad. The engine will reject the update though if the swarm has no signing key.

The other option is to add another flag for clearing external CAs.

@thaJeztah
Member

Hm, right, so possibly --external-ca-unset / --external-ca-rm (a bit ugly because we don't have an -add counterpart, but it is more safe).

Open to suggestions 👍

@vdemeester @silvin-lubecki @chris-crone ^^ happy to hear what you think

@vdemeester
Collaborator

I would definitely prefer --external-ca-unset or something like that instead of an empty string 😓

@kolyshkin
Contributor

Perhaps --no-external-ca or --remove-external-ca?
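The hazard the reviewers are weighing, shown as an added example that is not code from docker/cli: a Go sketch using the standard flag package (not the CLI's own pflag/cobra setup) that contrasts the PR's empty-string convention with a dedicated clearing flag, using the hypothetical --external-ca-unset name from the thread.

```go
package main

import (
	"errors"
	"flag"
)

// parse reads the repeated --external-ca values and the --external-ca-unset switch from argv.
func parse(argv []string) (cas []string, unset bool, err error) {
	fs := flag.NewFlagSet("swarm-update", flag.ContinueOnError)
	fs.Func("external-ca", "external CA endpoint (repeatable)", func(v string) error { cas = append(cas, v); return nil })
	u := fs.Bool("external-ca-unset", false, "remove all external CAs")
	err = fs.Parse(argv)
	return cas, *u, err
}

// applyEmptyStringDesign models the PR's proposal: --external-ca="" clears every CA.
func applyEmptyStringDesign(current, argv []string) ([]string, error) {
	cas, _, err := parse(argv)
	switch {
	case err != nil:
		return nil, err
	case len(cas) == 0:
		return current, nil // flag absent: keep the existing CAs
	case len(cas) == 1 && cas[0] == "":
		return []string{}, nil // also reached by --external-ca=$UNSET_VAR
	}
	return cas, nil
}

// applyUnsetFlagDesign models the reviewers' alternative: clearing needs an explicit
// --external-ca-unset, and an empty --external-ca value is an error, never a wipe.
func applyUnsetFlagDesign(current, argv []string) ([]string, error) {
	cas, unset, err := parse(argv)
	if err != nil {
		return nil, err
	}
	for _, ca := range cas {
		if ca == "" {
			return nil, errors.New("--external-ca must not be empty")
		}
	}
	switch {
	case unset:
		return []string{}, nil
	case len(cas) == 0:
		return current, nil
	}
	return cas, nil
}
```

With the first design an unset shell variable silently empties the CA list; with the second the same argv is rejected and the operator has to ask for the removal by name.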

@thaJeztah
Member

rebased in #6979, but not sure we still need it

@thaJeztah thaJeztah closed this May 13, 2026