command: use separate key files for LAN/WAN
This commit is contained in:
Ryan Uber
parent
8dc53447a3
commit
6609cb680b
|
|
@ -20,7 +20,8 @@ import (
|
|||
)
|
||||
|
||||
const (
|
||||
SerfKeyring = "serf/keyring"
|
||||
SerfLANKeyring = "serf/local.keyring"
|
||||
SerfWANKeyring = "serf/remote.keyring"
|
||||
)
|
||||
|
||||
/*
|
||||
|
|
@ -174,10 +175,6 @@ func (a *Agent) consulConfig() *consul.Config {
|
|||
base.SerfLANConfig.MemberlistConfig.SecretKey = key
|
||||
base.SerfWANConfig.MemberlistConfig.SecretKey = key
|
||||
}
|
||||
if a.config.Server && a.config.keyringFilesExist() {
|
||||
path := filepath.Join(base.DataDir, SerfKeyring)
|
||||
base.SerfLANConfig.KeyringFile = path
|
||||
}
|
||||
if a.config.NodeName != "" {
|
||||
base.NodeName = a.config.NodeName
|
||||
}
|
||||
|
|
@ -276,6 +273,14 @@ func (a *Agent) setupServer() error {
|
|||
config := a.consulConfig()
|
||||
|
||||
// Load a keyring file, if present
|
||||
keyfileLAN := filepath.Join(config.DataDir, SerfLANKeyring)
|
||||
if _, err := os.Stat(keyfileLAN); err == nil {
|
||||
config.SerfLANConfig.KeyringFile = keyfileLAN
|
||||
}
|
||||
keyfileWAN := filepath.Join(config.DataDir, SerfWANKeyring)
|
||||
if _, err := os.Stat(keyfileWAN); err == nil {
|
||||
config.SerfWANConfig.KeyringFile = keyfileWAN
|
||||
}
|
||||
if err := loadKeyringFile(config.SerfLANConfig); err != nil {
|
||||
return err
|
||||
}
|
||||
|
|
@ -296,6 +301,10 @@ func (a *Agent) setupClient() error {
|
|||
config := a.consulConfig()
|
||||
|
||||
// Load a keyring file, if present
|
||||
keyfileLAN := filepath.Join(config.DataDir, SerfLANKeyring)
|
||||
if _, err := os.Stat(keyfileLAN); err == nil {
|
||||
config.SerfLANConfig.KeyringFile = keyfileLAN
|
||||
}
|
||||
if err := loadKeyringFile(config.SerfLANConfig); err != nil {
|
||||
return err
|
||||
}
|
||||
|
|
|
|||
|
|
@ -218,7 +218,7 @@ func (c *Command) readConfig() *Config {
|
|||
}
|
||||
|
||||
// Error if an encryption key is passed while a keyring already exists
|
||||
if config.EncryptKey != "" && config.keyringFilesExist() {
|
||||
if config.EncryptKey != "" && config.keyringFileExists() {
|
||||
c.Ui.Error(fmt.Sprintf("Error: -encrypt specified but keyring files exist"))
|
||||
return nil
|
||||
}
|
||||
|
|
@ -592,7 +592,7 @@ func (c *Command) Run(args []string) int {
|
|||
|
||||
// Determine if gossip is encrypted
|
||||
gossipEncrypted := false
|
||||
if config.EncryptKey != "" || config.keyringFilesExist() {
|
||||
if config.EncryptKey != "" || config.keyringFileExists() {
|
||||
gossipEncrypted = true
|
||||
}
|
||||
|
||||
|
|
@ -819,7 +819,6 @@ Options:
|
|||
-log-level=info Log level of the agent.
|
||||
-node=hostname Name of this node. Must be unique in the cluster
|
||||
-protocol=N Sets the protocol version. Defaults to latest.
|
||||
-persist-keyring Enable encryption keyring persistence.
|
||||
-rejoin Ignores a previous leave and attempts to rejoin the cluster.
|
||||
-server Switches agent to server mode.
|
||||
-syslog Enables logging to syslog
|
||||
|
|
|
|||
|
|
@ -411,12 +411,22 @@ func (c *Config) ClientListenerAddr(override string, port int) (string, error) {
|
|||
return addr.String(), nil
|
||||
}
|
||||
|
||||
// keyringFilesExist checks for existence of the keyring files for Serf
|
||||
func (c *Config) keyringFilesExist() bool {
|
||||
if _, err := os.Stat(filepath.Join(c.DataDir, SerfKeyring)); err != nil {
|
||||
// keyringFileExists determines if there are encryption key files present
|
||||
// in the data directory.
|
||||
func (c *Config) keyringFileExists() bool {
|
||||
fileLAN := filepath.Join(c.DataDir, SerfLANKeyring)
|
||||
fileWAN := filepath.Join(c.DataDir, SerfWANKeyring)
|
||||
|
||||
if _, err := os.Stat(fileLAN); err == nil {
|
||||
return true
|
||||
}
|
||||
if !c.Server {
|
||||
return false
|
||||
}
|
||||
return true
|
||||
if _, err := os.Stat(fileWAN); err == nil {
|
||||
return true
|
||||
}
|
||||
return false
|
||||
}
|
||||
|
||||
// DecodeConfig reads the configuration from the given reader in JSON
|
||||
|
|
|
|||
|
|
@ -67,8 +67,14 @@ func (c *KeyringCommand) Run(args []string) int {
|
|||
c.Ui.Error("Must provide -data-dir")
|
||||
return 1
|
||||
}
|
||||
path := filepath.Join(dataDir, agent.SerfKeyring)
|
||||
if err := initializeKeyring(path, init); err != nil {
|
||||
|
||||
fileLAN := filepath.Join(dataDir, agent.SerfLANKeyring)
|
||||
if err := initializeKeyring(fileLAN, init); err != nil {
|
||||
c.Ui.Error(fmt.Sprintf("Error: %s", err))
|
||||
return 1
|
||||
}
|
||||
fileWAN := filepath.Join(dataDir, agent.SerfWANKeyring)
|
||||
if err := initializeKeyring(fileWAN, init); err != nil {
|
||||
c.Ui.Error(fmt.Sprintf("Error: %s", err))
|
||||
return 1
|
||||
}
|
||||
|
|
@ -84,7 +90,10 @@ func (c *KeyringCommand) Run(args []string) int {
|
|||
}
|
||||
defer client.Close()
|
||||
|
||||
// For all key-related operations, we must be querying a server node.
|
||||
// For all key-related operations, we must be querying a server node. It is
|
||||
// probably better to enforce this even for LAN pool changes, because other-
|
||||
// wise, the same exact command syntax will have different results depending
|
||||
// on where it was run.
|
||||
s, err := client.Stats()
|
||||
if err != nil {
|
||||
c.Ui.Error(fmt.Sprintf("Error: %s", err))
|
||||
|
|
@ -263,7 +272,7 @@ Options:
|
|||
operation may only be performed on keys which are
|
||||
not currently the primary key.
|
||||
-list List all keys currently in use within the cluster.
|
||||
-init=<key> Create an initial keyring file for Consul to use
|
||||
-init=<key> Create the initial keyring files for Consul to use
|
||||
containing the provided key. The -data-dir argument
|
||||
is required with this option.
|
||||
-rpc-addr=127.0.0.1:8400 RPC address of the Consul agent.
|
||||
|
|
|
|||
Loading…
Reference in New Issue