open-consul/website/source/api/operator/keyring.html.md
Sarah Adams 2f7a90bc52
add flag to allow /operator/keyring requests to only hit local servers (#6279)
Add parameter local-only to operator keyring list requests to force queries to only hit local servers (no WAN traffic).

HTTP API: GET /operator/keyring?local-only=true
CLI: consul keyring -list --local-only

Sending the local-only flag with any non-GET/list request will result in an error.
2019-08-12 11:11:11 -07:00

---
layout: api
page_title: Keyring - Operator - HTTP API
sidebar_current: api-operator-keyring
description: |-
  The /operator/keyring endpoints allow for management of the gossip encryption keyring.
---

Keyring Operator HTTP API

The /operator/keyring endpoints allow for management of the gossip encryption keyring. Please see the Gossip Protocol Guide for more details on the gossip protocol and its use.

List Gossip Encryption Keys

This endpoint lists the gossip encryption keys installed on both the WAN and LAN rings of every known datacenter, unless otherwise specified with the local-only query parameter (see below).

If ACLs are enabled, the client will need to supply an ACL Token with keyring read privileges.

| Method | Path               | Produces         |
| ------ | ------------------ | ---------------- |
| GET    | /operator/keyring  | application/json |

The table below shows this endpoint's support for blocking queries, consistency modes, agent caching, and required ACLs.

| Blocking Queries | Consistency Modes | Agent Caching | ACL Required |
| ---------------- | ----------------- | ------------- | ------------ |
| NO               | none              | none          | keyring:read |

Parameters

  • relay-factor (int: 0) - Specifies the relay factor. Setting this to a non-zero value will cause nodes to relay their responses through this many randomly-chosen other nodes in the cluster. The maximum allowed value is 5. This is specified as part of the URL as a query parameter.
  • local-only (bool: false) - Setting local-only to true will force keyring list queries to only hit local servers (no WAN traffic). This flag can only be set for list queries. It is specified as part of the URL as a query parameter.

Sample Request

$ curl \
    http://127.0.0.1:8500/v1/operator/keyring

Sample Response

[
  {
    "WAN": true,
    "Datacenter": "dc1",
    "Segment": "",
    "Keys": {
      "0eK8RjnsGC/+I1fJErQsBA==": 1,
      "G/3/L4yOw3e5T7NTvuRi9g==": 1,
      "z90lFx3sZZLtTOkutXcwYg==": 1
    },
    "NumNodes": 1
  },
  {
    "WAN": false,
    "Datacenter": "dc1",
    "Segment": "",
    "Keys": {
      "0eK8RjnsGC/+I1fJErQsBA==": 1,
      "G/3/L4yOw3e5T7NTvuRi9g==": 1,
      "z90lFx3sZZLtTOkutXcwYg==": 1
    },
    "NumNodes": 1
  }
]

  • WAN is true if the block refers to the WAN ring of that datacenter (rather than LAN).

  • Datacenter is the datacenter the block refers to.

  • Segment is the network segment the block refers to.

  • Keys is a map of each gossip key to the number of nodes it's currently installed on.

  • NumNodes is the total number of nodes in the datacenter.

Add New Gossip Encryption Key

This endpoint installs a new gossip encryption key into the cluster.

| Method | Path               | Produces         |
| ------ | ------------------ | ---------------- |
| POST   | /operator/keyring  | application/json |

The table below shows this endpoint's support for blocking queries, consistency modes, agent caching, and required ACLs.

| Blocking Queries | Consistency Modes | Agent Caching | ACL Required  |
| ---------------- | ----------------- | ------------- | ------------- |
| NO               | none              | none          | keyring:write |

Parameters

  • relay-factor (int: 0) - Specifies the relay factor. Setting this to a non-zero value will cause nodes to relay their responses through this many randomly-chosen other nodes in the cluster. The maximum allowed value is 5. This is specified as part of the URL as a query parameter.

  • Key (string: <required>) - Specifies the encryption key to install into the cluster.

Sample Payload

{
  "Key": "3lg9DxVfKNzI8O+IQ5Ek+Q=="
}

Sample Request

$ curl \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8500/v1/operator/keyring

Change Primary Gossip Encryption Key

This endpoint changes the primary gossip encryption key. The key must already be installed before this operation can succeed.

| Method | Path               | Produces         |
| ------ | ------------------ | ---------------- |
| PUT    | /operator/keyring  | application/json |

The table below shows this endpoint's support for blocking queries, consistency modes, agent caching, and required ACLs.

| Blocking Queries | Consistency Modes | Agent Caching | ACL Required  |
| ---------------- | ----------------- | ------------- | ------------- |
| NO               | none              | none          | keyring:write |

Parameters

  • relay-factor (int: 0) - Specifies the relay factor. Setting this to a non-zero value will cause nodes to relay their responses through this many randomly-chosen other nodes in the cluster. The maximum allowed value is 5. This is specified as part of the URL as a query parameter.

  • Key (string: <required>) - Specifies the already-installed encryption key to begin using as the primary key in the cluster.

Sample Payload

{
  "Key": "3lg9DxVfKNzI8O+IQ5Ek+Q=="
}

Sample Request

$ curl \
    --request PUT \
    --data @payload.json \
    http://127.0.0.1:8500/v1/operator/keyring

Delete Gossip Encryption Key

This endpoint removes a gossip encryption key from the cluster. This operation may only be performed on keys which are not currently the primary key.

| Method | Path               | Produces         |
| ------ | ------------------ | ---------------- |
| DELETE | /operator/keyring  | application/json |

The table below shows this endpoint's support for blocking queries, consistency modes, agent caching, and required ACLs.

| Blocking Queries | Consistency Modes | Agent Caching | ACL Required  |
| ---------------- | ----------------- | ------------- | ------------- |
| NO               | none              | none          | keyring:write |

Parameters

  • relay-factor (int: 0) - Specifies the relay factor. Setting this to a non-zero value will cause nodes to relay their responses through this many randomly-chosen other nodes in the cluster. The maximum allowed value is 5. This is specified as part of the URL as a query parameter.

  • Key (string: <required>) - Specifies the encryption key to delete.

Sample Payload

{
  "Key": "3lg9DxVfKNzI8O+IQ5Ek+Q=="
}

Sample Request

$ curl \
    --request DELETE \
    --data @payload.json \
    http://127.0.0.1:8500/v1/operator/keyring
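The four endpoints above are normally used together as a key rotation: install the new key, confirm from the list response that every node in every ring has it (Keys count equals NumNodes), promote it to primary, and only then delete the old one. The script below is an added example, not part of this page or the Consul project; it assumes a local agent at 127.0.0.1:8500, an ACL token passed in the X-Consul-Token header, and a constructed keyring sample shaped like the response shown in the list section.

```python
import json
import urllib.request

# Assumption (not from the page): local agent address and token header name.
CONSUL_ADDR = "http://127.0.0.1:8500"


def keyring_request(method, key=None, token=None, local_only=False):
    """Call /v1/operator/keyring; for GET return the parsed list of rings."""
    url = f"{CONSUL_ADDR}/v1/operator/keyring"
    if local_only:
        url += "?local-only=true"  # valid only on list (GET) requests
    body = json.dumps({"Key": key}).encode() if key else None
    req = urllib.request.Request(url, data=body, method=method)
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("X-Consul-Token", token)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp) if method == "GET" else None


def missing_rings(keyring, key):
    """Rings (Datacenter, WAN) in which `key` is not installed on every node."""
    return [
        (ring["Datacenter"], ring["WAN"])
        for ring in keyring
        if ring["Keys"].get(key, 0) < ring["NumNodes"]
    ]


def rotate_gossip_key(new_key, old_key, token=None):
    """Install, verify everywhere, promote, then retire the old key."""
    keyring_request("POST", new_key, token)
    # Full (non local-only) list: the WAN ring of every datacenter must agree.
    gaps = missing_rings(keyring_request("GET", token=token), new_key)
    if gaps:
        raise RuntimeError(f"new key not on every node in rings {gaps}")
    keyring_request("PUT", new_key, token)      # promote to primary
    keyring_request("DELETE", old_key, token)   # allowed now it is not primary


# Constructed sample: dc1 has a three-node LAN ring where the new key has
# reached only two nodes, so rotation must not proceed yet.
SAMPLE_KEYRING = [
    {"WAN": True, "Datacenter": "dc1", "Segment": "",
     "Keys": {"oldkey+example==": 1, "newkey+example==": 1}, "NumNodes": 1},
    {"WAN": False, "Datacenter": "dc1", "Segment": "",
     "Keys": {"oldkey+example==": 3, "newkey+example==": 2}, "NumNodes": 3},
]
```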