-
Notifications
You must be signed in to change notification settings - Fork 616
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[ca] Fix the UpdateRootCA function to also update the ExternalCA's rootCA #2210
Conversation
Codecov Report
@@ Coverage Diff @@
## master #2210 +/- ##
==========================================
- Coverage 60.23% 60.16% -0.07%
==========================================
Files 124 124
Lines 20143 20121 -22
==========================================
- Hits 12133 12106 -27
- Misses 6647 6664 +17
+ Partials 1363 1351 -12 |
ca/config.go
Outdated
|
||
s.externalCA.mu.Lock() | ||
s.externalCA.rootCA = rootCA | ||
s.externalCA.mu.Unlock() |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The rootCA
field is used without holding the mutex in Sign
.
Also, could you please add a setter method for this? There is already one for URLs
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good point, thanks, added.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not seeing the setter used here, but GitHub seems to be acting up, so maybe it's not showing the full change.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Github is 500'ing for me a bunch. :| I'll force push again maybe.
8310cae
to
a771b69
Compare
since if it's not updated when getting a cert signed by an external CA, no intermediates are appended Signed-off-by: Ying Li <[email protected]>
a771b69
to
7bef8ec
Compare
LGTM |
Includes: - moby/swarmkit#2203 - moby/swarmkit#2210 - moby/swarmkit#2212 Signed-off-by: Andrea Luzzardi <[email protected]> Signed-off-by: Tibor Vass <[email protected]>
Includes: - moby/swarmkit#2203 - moby/swarmkit#2210 - moby/swarmkit#2212 Signed-off-by: Andrea Luzzardi <[email protected]> Signed-off-by: Tibor Vass <[email protected]>
Includes: - moby/swarmkit#2203 - moby/swarmkit#2210 - moby/swarmkit#2212 Signed-off-by: Andrea Luzzardi <[email protected]> Signed-off-by: Tibor Vass <[email protected]>
Includes: - moby/swarmkit#2203 - moby/swarmkit#2210 - moby/swarmkit#2212 Signed-off-by: Andrea Luzzardi <[email protected]> Signed-off-by: Tibor Vass <[email protected]>
Includes: - moby/swarmkit#2203 - moby/swarmkit#2210 - moby/swarmkit#2212 Signed-off-by: Andrea Luzzardi <[email protected]> Signed-off-by: Tibor Vass <[email protected]>
Since if it's not updated when getting a cert signed by an external CA, no intermediates are appended.
Previously the test for this (
TestRequestAndSaveNewCertificatesWithIntermediates
) passed due a combination of both this bug and a bug in how the test CA utility worked (it updated the RootCA to one without intermediates, but since updating the root CA didn't actually propagate to the external CA signing object, the external CA signer did produce a cert with intermediates).I've updated the test CA utility and the tests as well. I'll also open a PR against the 17.06 branch.
cc @aaronlehmann @diogomonica @jlhawn