Add an option to disable keyring file (#3145)

Also disables keyring file in dev mode.
2017-06-15 15:24:04 -07:00 · 2017-06-15 15:24:04 -07:00 · 5e45aec642
parent 87de6959d1
commit 5e45aec642
7 changed files with 37 additions and 11 deletions
--- a/agent/agent.go
+++ b/agent/agent.go
@ -887,9 +887,11 @@ func (a *Agent) makeServer() (*consul.Server, error) {
 	if err != nil {
 		return nil, err
 	}
+	if !a.config.DisableKeyringFile {
 		if err := a.setupKeyrings(config); err != nil {
 			return nil, fmt.Errorf("Failed to configure keyring: %v", err)
 		}
+	}
 	server, err := consul.NewServerLogger(config, a.logger)
 	if err != nil {
 		return nil, fmt.Errorf("Failed to start Consul server: %v", err)
@ -903,9 +905,11 @@ func (a *Agent) makeClient() (*consul.Client, error) {
 	if err != nil {
 		return nil, err
 	}
+	if !a.config.DisableKeyringFile {
 		if err := a.setupKeyrings(config); err != nil {
 			return nil, fmt.Errorf("Failed to configure keyring: %v", err)
 		}
+	}
 	client, err := consul.NewClientLogger(config, a.logger)
 	if err != nil {
 		return nil, fmt.Errorf("Failed to start Consul client: %v", err)
--- a/agent/config.go
+++ b/agent/config.go
@ -367,6 +367,9 @@ type Config struct {
 	// Encryption key to use for the Serf communication
 	EncryptKey string `mapstructure:"encrypt" json:"-"`

+	// Disables writing the keyring to a file.
+	DisableKeyringFile bool `mapstructure:"disable_keyring_file"`
+
 	// EncryptVerifyIncoming and EncryptVerifyOutgoing are used to enforce
 	// incoming/outgoing gossip encryption and can be used to upshift to
 	// encrypted gossip on a running cluster.
@ -952,6 +955,7 @@ func DevConfig() *Config {
 	conf.DisableAnonymousSignature = true
 	conf.EnableUI = true
 	conf.BindAddr = "127.0.0.1"
+	conf.DisableKeyringFile = true

 	conf.ConsulConfig = consul.DefaultConfig()
 	conf.ConsulConfig.SerfLANConfig.MemberlistConfig.ProbeTimeout = 100 * time.Millisecond
@ -1561,6 +1565,9 @@ func MergeConfig(a, b *Config) *Config {
 	if b.EncryptKey != "" {
 		result.EncryptKey = b.EncryptKey
 	}
+	if b.DisableKeyringFile {
+		result.DisableKeyringFile = true
+	}
 	if b.EncryptVerifyIncoming != nil {
 		result.EncryptVerifyIncoming = b.EncryptVerifyIncoming
 	}
--- a/agent/config_test.go
+++ b/agent/config_test.go
@ -317,6 +317,10 @@ func TestDecodeConfig(t *testing.T) {
 			in: `{"enable_syslog":true}`,
 			c:  &Config{EnableSyslog: true},
 		},
+		{
+			in: `{"disable_keyring_file":true}`,
+			c:  &Config{DisableKeyringFile: true},
+		},
 		{
 			in: `{"encrypt_verify_incoming":true}`,
 			c:  &Config{EncryptVerifyIncoming: Bool(true)},
--- a/command/agent.go
+++ b/command/agent.go
@ -88,6 +88,8 @@ func (cmd *AgentCommand) readConfig() *agent.Config {
 	f.StringVar(&cmdCfg.UIDir, "ui-dir", "", "Path to directory containing the web UI resources.")
 	f.StringVar(&cmdCfg.PidFile, "pid-file", "", "Path to file to store agent PID.")
 	f.StringVar(&cmdCfg.EncryptKey, "encrypt", "", "Provides the gossip encryption key.")
+	f.BoolVar(&cmdCfg.DisableKeyringFile, "disable-keyring-file", false, "Disables the backing up "+
+		"of the keyring to a file.")

 	f.BoolVar(&cmdCfg.Server, "server", false, "Switches agent to server mode.")
 	f.BoolVar(&cmdCfg.NonVotingServer, "non-voting-server", false,
--- a/vendor/github.com/hashicorp/serf/serf/internal_query.go
+++ b/vendor/github.com/hashicorp/serf/serf/internal_query.go
@ -192,11 +192,13 @@ func (s *serfQueries) handleInstallKey(q *Query) {
 		goto SEND
 	}

+	if s.serf.config.KeyringFile != "" {
 		if err := s.serf.writeKeyringFile(); err != nil {
 			response.Message = err.Error()
 			s.logger.Printf("[ERR] serf: Failed to write keyring file: %s", err)
 			goto SEND
 		}
+	}

 	response.Result = true

--- a/vendor/vendor.json
+++ b/vendor/vendor.json
@ -675,11 +675,11 @@
 			"revisionTime": "2017-05-25T23:15:04Z"
 		},
 		{
-			"checksumSHA1": "ZkJRgexeNzNZzpw6YnedwoJl7pE=",
+			"checksumSHA1": "3LFg00GII0KbMRpqi38MRkMhoyM=",
 			"comment": "v0.7.0-66-g6c4672d",
 			"path": "github.com/hashicorp/serf/serf",
-			"revision": "dfab144618a063232d5753eaa4250a09865106c5",
-			"revisionTime": "2017-05-26T05:01:28Z"
+			"revision": "91fd53b1d3e624389ed9a295a3fa380e5c7b9dfc",
+			"revisionTime": "2017-06-14T22:59:51Z"
 		},
 		{
 			"checksumSHA1": "ZhK6IO2XN81Y+3RAjTcVm1Ic7oU=",
--- a/website/source/docs/agent/options.html.md
+++ b/website/source/docs/agent/options.html.md
@ -163,6 +163,10 @@ will exit with an error at startup.
  initialized with an encryption key, then the provided key is ignored and
  a warning will be displayed.

+* <a name="_disable_keyring_file"></a><a href="#_disable_keyring_file">`-disable-keyring-file`</a> - If set,
+  the keyring will not be persisted to a file. Any installed keys will be lost on shutdown, and only the given
+  `-encrypt` key will be available on startup. This defaults to false.
+
 * <a name="_http_port"></a><a href="#_http_port">`-http-port`</a> - the HTTP API port to listen on.
  This overrides the default port 8500. This option is very useful when deploying Consul
  to an environment which communicates the HTTP port through the environment e.g. PaaS like CloudFoundry, allowing
@ -720,6 +724,9 @@ Consul will not enable TLS for the HTTP API unless the `https` port has been ass
  (/docs/agent/encryption.html#configuring-gossip-encryption-on-an-existing-cluster) for more information.
  Defaults to true.

+* <a name="disable_keyring_file"></a><a href="#disable_keyring_file">`disable_keyring_file`</a> - Equivalent to the
+  [`-disable-keyring-file` command-line flag](#_disable_keyring_file).
+
 * <a name="key_file"></a><a href="#key_file">`key_file`</a> This provides a the file path to a
  PEM-encoded private key. The key is used with the certificate to verify the agent's authenticity.
  This must be provided along with [`cert_file`](#cert_file).