Generate a swarm joining secret if none is specified

The current behavior of `docker swarm init` is to set up a swarm that
has no secret for joining, and does not require manual acceptance for
workers. Since workers may sometimes receive sensitive data such as pull
credentials, it makes sense to harden the defaults.

This change makes `docker swarm init` generate a random secret if none
is provided, and print it to the terminal. This secret will be needed to
join workers or managers to the swarm. In addition to improving access
control to the cluster, this setup removes an avenue for
denial-of-service attacks, since the secret is necessary to even create
an entry in the node list.

`docker swarm init --secret ""` will set up a swarm without a secret,
matching the old behavior. `docker swarm update --secret ""` removes the
automatically generated secret after `docker swarm init`.

Closes #23785

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>

docs/swarm/swarm-tutorial/add-nodes.md

@@ -23,16 +23,17 @@ This tutorial uses the name `worker1`.
 the existing swarm:
 
     ```
-    docker swarm join <MANAGER-IP>:<PORT>
+    docker swarm join --secret <SECRET> <MANAGER-IP>:<PORT>
     ```
 
-    Replace `<MANAGER-IP>` with the address of the manager node and `<PORT>`
-    with the port where the manager listens.
+    Replace `<SECRET>` with the secret that was printed by `docker swarm init` in the
+    previous step. Replace `<MANAGER-IP>` with the address of the manager node
+    and `<PORT>` with the port where the manager listens.
 
     In the tutorial, the following command joins `worker1` to the swarm on `manager1`:
 
     ```
-    $ docker swarm join 192.168.99.100:2377
+    $ docker swarm join --secret 4ao565v9jsuogtq5t8s379ulb 192.168.99.100:2377
 
     This node joined a Swarm as a worker.
     ```
@@ -40,11 +41,12 @@ the existing swarm:
 3. Open a terminal and ssh into the machine where you want to run a second
 worker node. This tutorial uses the name `worker2`.
 
-4. Run `docker swarm join <MANAGER-IP>:<PORT>` to create a worker node joined to
+4. Run `docker swarm join --secret <SECRET> <MANAGER-IP>:<PORT>` to create a worker node joined to
 the existing Swarm.
 
-    Replace `<MANAGER-IP>` with the address of the manager node and `<PORT>`
-    with the port where the manager listens.
+    Replace `<SECRET>` with the secret that was printed by `docker swarm init` in the
+    previous step. Replace `<MANAGER-IP>` with the address of the manager node
+    and `<PORT>` with the port where the manager listens.
 
 5. Open a terminal and ssh into the machine where the manager node runs and run
 the `docker node ls` command to see the worker nodes:

docs/swarm/swarm-tutorial/create-swarm.md

@@ -30,8 +30,15 @@ node. For example, the tutorial uses a machine named `manager1`.
 
     ```
     $ docker swarm init --listen-addr 192.168.99.100:2377
+    No --secret provided. Generated random secret:
+	4ao565v9jsuogtq5t8s379ulb
 
     Swarm initialized: current node (dxn1zf6l61qsb1josjja83ngz) is now a manager.
+
+    To add a worker to this swarm, run the following command:
+	docker swarm join --secret 4ao565v9jsuogtq5t8s379ulb \
+	--ca-hash sha256:07ce22bd1a7619f2adc0d63bd110479a170e7c4e69df05b67a1aa2705c88ef09 \
+	192.168.99.100:2377
     ```
 
     The `--listen-addr` flag configures the manager node to listen on port