diff --git a/vendor.conf b/vendor.conf
index 6d9eb332e7..8f15435566 100644
--- a/vendor.conf
+++ b/vendor.conf
@@ -107,7 +107,7 @@ github.com/containerd/containerd 3addd840653146c90a254301d6c3a663c7fd6429
 github.com/tonistiigi/fifo 1405643975692217d6720f8b54aeee1bf2cd5cf4
 # cluster
-github.com/docker/swarmkit 1a3e510517be82d18ac04380b5f71eddf06c2fc0
+github.com/docker/swarmkit 4b872cfac8ffc0cc7fff434902cc05dbc7612da5
 github.com/gogo/protobuf v0.4
 github.com/cloudflare/cfssl 7fb22c8cba7ecaf98e4082d22d65800cf45e042a
 github.com/google/certificate-transparency d90e65c3a07988180c5b1ece71791c0b6506826e
diff --git a/vendor/github.com/docker/swarmkit/ca/config.go b/vendor/github.com/docker/swarmkit/ca/config.go
index 2aaaf78aba..a853fa6c16 100644
--- a/vendor/github.com/docker/swarmkit/ca/config.go
+++ b/vendor/github.com/docker/swarmkit/ca/config.go
@@ -157,6 +157,8 @@ func (s *SecurityConfig) UpdateRootCA(rootCA *RootCA, externalCARootPool *x509.C
 s.rootCA = rootCA
 s.externalCAClientRootPool = externalCARootPool
+ s.externalCA.UpdateRootCA(rootCA)
+
 return s.updateTLSCredentials(s.certificate, s.issuerInfo)
 }
diff --git a/vendor/github.com/docker/swarmkit/ca/external.go b/vendor/github.com/docker/swarmkit/ca/external.go
index 6f23ff1fbf..11a6f87558 100644
--- a/vendor/github.com/docker/swarmkit/ca/external.go
+++ b/vendor/github.com/docker/swarmkit/ca/external.go
@@ -23,6 +23,9 @@ import (
 "golang.org/x/net/context/ctxhttp"
 )
+// ExternalCrossSignProfile is the profile that we will be sending cross-signing CSR sign requests with
+const ExternalCrossSignProfile = "CA"
+
 // ErrNoExternalCAURLs is an error used it indicate that an ExternalCA is
 // configured with no URLs to which it can proxy certificate signing requests.
 var ErrNoExternalCAURLs = errors.New("no external CA URLs")
@@ -79,8 +82,7 @@ func (eca *ExternalCA) UpdateTLSConfig(tlsConfig *tls.Config) {
 }
 }
-// UpdateURLs updates the list of CSR API endpoints by setting it to the given
-// urls.
+// UpdateURLs updates the list of CSR API endpoints by setting it to the given urls.
 func (eca *ExternalCA) UpdateURLs(urls ...string) {
 eca.mu.Lock()
 defer eca.mu.Unlock()
@@ -88,6 +90,13 @@ func (eca *ExternalCA) UpdateURLs(urls ...string) {
 eca.urls = urls
 }
+// UpdateRootCA changes the root CA used to append intermediates
+func (eca *ExternalCA) UpdateRootCA(rca *RootCA) {
+ eca.mu.Lock()
+ eca.rootCA = rca
+ eca.mu.Unlock()
+}
+
 // Sign signs a new certificate by proxying the given certificate signing
 // request to an external CFSSL API server.
 func (eca *ExternalCA) Sign(ctx context.Context, req signer.SignRequest) (cert []byte, err error) {
@@ -96,6 +105,7 @@ func (eca *ExternalCA) Sign(ctx context.Context, req signer.SignRequest) (cert [
 eca.mu.Lock()
 urls := eca.urls
 client := eca.client
+ intermediates := eca.rootCA.Intermediates
 eca.mu.Unlock()
 if len(urls) == 0 {
@@ -114,7 +124,7 @@ func (eca *ExternalCA) Sign(ctx context.Context, req signer.SignRequest) (cert [
 cert, err = makeExternalSignRequest(requestCtx, client, url, csrJSON)
 cancel()
 if err == nil {
- return append(cert, eca.rootCA.Intermediates...), err
+ return append(cert, intermediates...), err
 }
 logrus.Debugf("unable to proxy certificate signing request to %s: %s", url, err)
 }
@@ -157,6 +167,7 @@ func (eca *ExternalCA) CrossSignRootCA(ctx context.Context, rca RootCA) ([]byte,
 CN: rootCert.Subject.CommonName,
 Names: cfCSRObj.Names,
 },
+ Profile: ExternalCrossSignProfile,
 }
 // cfssl actually ignores non subject alt name extensions in the CSR, so we have to add the CA extension in the signing
 // request as well
diff --git a/vendor/github.com/docker/swarmkit/manager/manager.go b/vendor/github.com/docker/swarmkit/manager/manager.go
index 005a56c33d..01c296acfe 100644
--- a/vendor/github.com/docker/swarmkit/manager/manager.go
+++ b/vendor/github.com/docker/swarmkit/manager/manager.go
@@ -217,7 +217,6 @@ func New(config *Config) (*Manager, error) {
 m := &Manager{
 config: *config,
- collector: metrics.NewCollector(raftNode.MemoryStore()),
 caserver: ca.NewServer(raftNode.MemoryStore(), config.SecurityConfig, config.RootCAPaths),
 dispatcher: dispatcher.New(raftNode, dispatcher.DefaultConfig()),
 logbroker: logbroker.New(raftNode.MemoryStore()),
@@ -502,12 +501,16 @@ func (m *Manager) Run(parent context.Context) error {
 healthServer.SetServingStatus("Raft", api.HealthCheckResponse_SERVING)
 if err := m.raftNode.JoinAndStart(ctx); err != nil {
+ // Don't block future calls to Stop.
+ close(m.started)
 return errors.Wrap(err, "can't initialize raft node")
 }
 localHealthServer.SetServingStatus("ControlAPI", api.HealthCheckResponse_SERVING)
 // Start metrics collection.
+
+ m.collector = metrics.NewCollector(m.raftNode.MemoryStore())
 go func(collector *metrics.Collector) {
 if err := collector.Run(ctx); err != nil {
 log.G(ctx).WithError(err).Error("collector failed with an error")
@@ -590,7 +593,10 @@ func (m *Manager) Stop(ctx context.Context, clearData bool) {
 m.raftNode.Cancel()
- m.collector.Stop()
+ if m.collector != nil {
+ m.collector.Stop()
+ }
+
 m.dispatcher.Stop()
 m.logbroker.Stop()
 m.caserver.Stop()
diff --git a/vendor/github.com/docker/swarmkit/manager/state/raft/raft.go b/vendor/github.com/docker/swarmkit/manager/state/raft/raft.go
index 82a550d0f6..b793374095 100644
--- a/vendor/github.com/docker/swarmkit/manager/state/raft/raft.go
+++ b/vendor/github.com/docker/swarmkit/manager/state/raft/raft.go
@@ -361,7 +361,7 @@ func (n *Node) JoinAndStart(ctx context.Context) (err error) {
 if err != nil {
 n.stopMu.Lock()
 // to shutdown transport
- close(n.stopped)
+ n.cancelFunc()
 n.stopMu.Unlock()
 n.done()
 } else {