
Add documentation for external CA features in API/CLI

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
Aaron Lehmann 9 years ago
parent
commit
fa147591ed

+ 15 - 1
docs/reference/api/docker_remote_api_v1.24.md

@@ -3644,8 +3644,15 @@ JSON Parameters:
           election.
           election.
     - **Dispatcher** – Configuration settings for the task dispatcher.
     - **Dispatcher** – Configuration settings for the task dispatcher.
         - **HeartbeatPeriod** – The delay for an agent to send a heartbeat to the dispatcher.
         - **HeartbeatPeriod** – The delay for an agent to send a heartbeat to the dispatcher.
-    - **CAConfig** – CA configuration.
+    - **CAConfig** – Certificate authority configuration.
         - **NodeCertExpiry** – Automatic expiry for nodes certificates.
         - **NodeCertExpiry** – Automatic expiry for nodes certificates.
+        - **ExternalCA** - Configuration for forwarding signing requests to an external
+          certificate authority.
+            - **Protocol** - Protocol for communication with the external CA
+              (currently only "cfssl" is supported).
+            - **URL** - URL where certificate signing requests should be sent.
+            - **Options** - An object with key/value pairs that are interpreted
+              as protocol-specific options for the external CA driver.
 
 
 ### Join an existing Swarm
 ### Join an existing Swarm
 
 
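Review bot: The added ExternalCA, Protocol, URL and Options entries separate the name from its description with a hyphen (`**ExternalCA** - Configuration`), while every neighbouring entry (Dispatcher, HeartbeatPeriod, CAConfig, NodeCertExpiry) uses an en dash (`**CAConfig** – ...`). Use the en dash on the new lines so the parameter list is consistent.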
@@ -3792,6 +3799,13 @@ JSON Parameters:
     - **HeartbeatPeriod** – The delay for an agent to send a heartbeat to the dispatcher.
     - **HeartbeatPeriod** – The delay for an agent to send a heartbeat to the dispatcher.
 - **CAConfig** – CA configuration.
 - **CAConfig** – CA configuration.
     - **NodeCertExpiry** – Automatic expiry for nodes certificates.
     - **NodeCertExpiry** – Automatic expiry for nodes certificates.
+    - **ExternalCA** - Configuration for forwarding signing requests to an external
+      certificate authority.
+        - **Protocol** - Protocol for communication with the external CA
+          (currently only "cfssl" is supported).
+        - **URL** - URL where certificate signing requests should be sent.
+        - **Options** - An object with key/value pairs that are interpreted
+          as protocol-specific options for the external CA driver.
 
 
 ## 3.8 Services
 ## 3.8 Services
 
 
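Review bot: The CAConfig line in this section still reads `**CAConfig** – CA configuration.`, but the same line in the earlier hunk of this file was reworded to `Certificate authority configuration.` Apply the rewording here as well so both JSON parameter lists describe the field identically.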

+ 15 - 1
docs/reference/api/docker_remote_api_v1.25.md

@@ -3645,8 +3645,15 @@ JSON Parameters:
           election.
           election.
     - **Dispatcher** – Configuration settings for the task dispatcher.
     - **Dispatcher** – Configuration settings for the task dispatcher.
         - **HeartbeatPeriod** – The delay for an agent to send a heartbeat to the dispatcher.
         - **HeartbeatPeriod** – The delay for an agent to send a heartbeat to the dispatcher.
-    - **CAConfig** – CA configuration.
+    - **CAConfig** – Certificate authority configuration.
         - **NodeCertExpiry** – Automatic expiry for nodes certificates.
         - **NodeCertExpiry** – Automatic expiry for nodes certificates.
+        - **ExternalCA** - Configuration for forwarding signing requests to an external
+          certificate authority.
+            - **Protocol** - Protocol for communication with the external CA
+              (currently only "cfssl" is supported).
+            - **URL** - URL where certificate signing requests should be sent.
+            - **Options** - An object with key/value pairs that are interpreted
+              as protocol-specific options for the external CA driver.
 
 
 ### Join an existing Swarm
 ### Join an existing Swarm
 
 
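Review bot: The URL and Options entries leave out what an operator needs in order to point managers at an external CA safely. URL does not say which schemes are accepted or whether the endpoint must be HTTPS, and Options is described only as `protocol-specific` with no key listed for the one supported protocol, cfssl. State the scheme requirement and either list the cfssl option keys or say that none are currently defined.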
@@ -3793,6 +3800,13 @@ JSON Parameters:
     - **HeartbeatPeriod** – The delay for an agent to send a heartbeat to the dispatcher.
     - **HeartbeatPeriod** – The delay for an agent to send a heartbeat to the dispatcher.
 - **CAConfig** – CA configuration.
 - **CAConfig** – CA configuration.
     - **NodeCertExpiry** – Automatic expiry for nodes certificates.
     - **NodeCertExpiry** – Automatic expiry for nodes certificates.
+    - **ExternalCA** - Configuration for forwarding signing requests to an external
+      certificate authority.
+        - **Protocol** - Protocol for communication with the external CA
+          (currently only "cfssl" is supported).
+        - **URL** - URL where certificate signing requests should be sent.
+        - **Options** - An object with key/value pairs that are interpreted
+          as protocol-specific options for the external CA driver.
 
 
 ## 3.8 Services
 ## 3.8 Services
 
 
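Review bot: ExternalCA is documented here as one object with Protocol, URL and Options, while the CLI help added in this same commit describes `--external-ca` as `Specifications of one or more certificate signing endpoints`. Say explicitly whether the API field takes a single object or a list of them, so the API and CLI references agree.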

+ 9 - 1
docs/reference/commandline/swarm_init.md

@@ -17,6 +17,7 @@ parent = "smn_cli"
 
 
 	Options:
 	Options:
 	      --auto-accept value   Acceptance policy (default [worker,manager])
 	      --auto-accept value   Acceptance policy (default [worker,manager])
+	      --external-ca value   Specifications of one or more certificate signing endpoints
 	      --force-new-cluster   Force create a new cluster from current state.
 	      --force-new-cluster   Force create a new cluster from current state.
 	      --help                Print usage
 	      --help                Print usage
 	      --listen-addr value   Listen address (default 0.0.0.0:2377)
 	      --listen-addr value   Listen address (default 0.0.0.0:2377)
@@ -34,7 +35,7 @@ ID                           NAME      MEMBERSHIP  STATUS  AVAILABILITY  MANAGER
 1ujecd0j9n3ro9i6628smdmth *  manager1  Accepted    Ready   Active        Reachable               Yes
 1ujecd0j9n3ro9i6628smdmth *  manager1  Accepted    Ready   Active        Reachable               Yes
 ```
 ```
 
 
-###	--auto-accept value
+### `--auto-accept value`
 
 
 This flag controls node acceptance into the cluster. By default, both `worker` and `manager`
 This flag controls node acceptance into the cluster. By default, both `worker` and `manager`
 nodes are auto accepted by the cluster. This can be changed by specifing what kinds of nodes
 nodes are auto accepted by the cluster. This can be changed by specifing what kinds of nodes
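Review bot: The context paragraph under the reformatted `--auto-accept value` heading contains the typo `specifing`. Since this hunk already touches the section, correct it to `specifying` in the same change.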
@@ -49,6 +50,13 @@ $ docker swarm init --listen-addr 192.168.99.121:2377 --auto-accept worker
 Swarm initialized: current node (1m8cdsylxbf3lk8qriqt07hx1) is now a manager.
 Swarm initialized: current node (1m8cdsylxbf3lk8qriqt07hx1) is now a manager.
 ```
 ```
 
 
+### `--external-ca value`
+
+This flag sets up the swarm to use an external CA to issue node certificates. The value takes
+the form `protocol=X,url=Y`. The value for `protocol` specifies what protocol should be used
+to send signing requests to the external CA. Currently, the only supported value is `cfssl`.
+The URL specifies the endpoint where signing requests should be submitted.
+
 ### `--force-new-cluster`
 ### `--force-new-cluster`
 
 
 This flag forces an existing node that was part of a quorum that was lost to restart as a single node Manager without losing its data
 This flag forces an existing node that was part of a quorum that was lost to restart as a single node Manager without losing its data
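Review bot: The new `--external-ca value` section gives the value format `protocol=X,url=Y` but no example invocation, whereas the `--auto-accept` section just above it ends with a `docker swarm init ... --auto-accept worker` example. Add an example command, and explain how more than one endpoint is given, since the option summary says `one or more certificate signing endpoints` and the text describes only a single protocol/url pair.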

+ 1 - 0
docs/reference/commandline/swarm_update.md

@@ -17,6 +17,7 @@ parent = "smn_cli"
 
 
     Options:
     Options:
           --auto-accept value               Auto acceptance policy (worker, manager or none)
           --auto-accept value               Auto acceptance policy (worker, manager or none)
+          --external-ca value               Specifications of one or more certificate signing endpoints
           --dispatcher-heartbeat duration   Dispatcher heartbeat period (default 5s)
           --dispatcher-heartbeat duration   Dispatcher heartbeat period (default 5s)
           --help                            Print usage
           --help                            Print usage
           --secret string                   Set secret value needed to accept nodes into cluster
           --secret string                   Set secret value needed to accept nodes into cluster
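Review bot: `--external-ca` is inserted between `--auto-accept` and `--dispatcher-heartbeat`, which breaks the alphabetical order of the options listing; move it below `--dispatcher-heartbeat`. This file also receives only the one-line summary, so add a `--external-ca value` description like the one in swarm_init.md, or point to it.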