The swarm's built-in Public Key Infrastructure (PKI) system helps to secure the deployment of container orchestration systems. Within this PKI, Transport Layer Security (TLS) is used to communicate with the other nodes in a swarm.
When a swarm is initialized with the “docker swarm init” command on a Docker host, a root Certificate Authority (CA) with a key pair is created. It is used to secure the nodes that join that particular swarm.
The “--external-ca” flag can be passed to the docker swarm init command to use an external root CA instead.
The manager node generates a worker token and a manager token. Each token contains the digest of the root CA certificate and a randomly generated secret. When a new node joins the swarm with the worker token, the node uses the digest part to verify the root CA presented by the manager node,
while the leader node uses the secret to approve the newly joining node. The manager node then issues a certificate to the joining node with a randomly generated node ID.
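As an added example (not code from the original page or from Docker/SwarmKit), here is a small Python model of how the digest part of a join token lets a joining node check the root CA that a manager presents, and why a different CA is rejected. The token layout assumed here, SWMTKN-1-<50 base36 digits of the sha256 digest of the CA certificate PEM>-<25 base36 digits of a 16-byte secret>, is my reading of SwarmKit's format and is an assumption; the certificate PEM is a constructed placeholder, not a real certificate.

```python
import hashlib
import secrets
from typing import Optional, Tuple

# Constructed stand-in for the root CA certificate PEM a manager presents to a
# joining node; it is not a real certificate, only bytes to hash.
SAMPLE_CA_PEM = (b"-----BEGIN CERTIFICATE-----\n"
                 b"MIIBconstructedPlaceholderNotARealCert==\n"
                 b"-----END CERTIFICATE-----\n")

BASE36 = "0123456789abcdefghijklmnopqrstuvwxyz"
DIGEST_LEN = 50   # base36 digits needed for a 256-bit sha256 digest (assumed layout)
SECRET_LEN = 25   # base36 digits needed for a 128-bit secret (assumed layout)


def to_base36(n: int, width: int) -> str:
    out = ""
    while n:
        n, r = divmod(n, 36)
        out = BASE36[r] + out
    return out.rjust(width, "0")   # fixed width so the token always splits cleanly


def ca_digest(ca_pem: bytes) -> int:
    return int(hashlib.sha256(ca_pem).hexdigest(), 16)


def generate_join_token(ca_pem: bytes, secret: Optional[int] = None) -> str:
    """Manager side: bind the root CA digest and a fresh random secret into one token."""
    if secret is None:
        secret = int.from_bytes(secrets.token_bytes(16), "big")
    return f"SWMTKN-1-{to_base36(ca_digest(ca_pem), DIGEST_LEN)}-{to_base36(secret, SECRET_LEN)}"


def parse_join_token(token: str) -> Tuple[int, int]:
    """Split a token into (ca_digest, secret); reject anything that is not the expected shape."""
    parts = token.split("-")
    if len(parts) != 4 or parts[0] != "SWMTKN" or parts[1] != "1":
        raise ValueError("not a swarm join token")
    if len(parts[2]) != DIGEST_LEN or len(parts[3]) != SECRET_LEN:
        raise ValueError("malformed token fields")
    return int(parts[2], 36), int(parts[3], 36)


def verify_presented_ca(token: str, presented_ca_pem: bytes) -> bool:
    """Joining-node side: trust the presented CA only if its digest matches the token's digest.

    A manager (or an interposed host) presenting any other CA fails this check, which is
    what stops a node from joining the wrong swarm even though the token traveled out of band.
    """
    expected_digest, _secret = parse_join_token(token)
    return ca_digest(presented_ca_pem) == expected_digest
```

Because the secret half of the token is what the leader uses to approve the node, the whole token should be handled like a credential: rotate it with docker swarm join-token --rotate if it leaks.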
By default, swarm renews each node's certificate every three months, but this period can be modified with the command
docker swarm update --cert-expiry <TIME PERIOD>
If the leader manager node is down, we can rotate the root CA within the swarm so that no node trusts certificates signed by the old root CA. This is done with the command
docker swarm ca --rotate
This command creates a cross-signed certificate, telling the nodes that still trust the old CA to start verifying against the new root CA.