179 lines
4.9 KiB
Go
179 lines
4.9 KiB
Go
package command
|
|
|
|
import (
|
|
"fmt"
|
|
"strings"
|
|
|
|
"github.com/hashicorp/nomad/api"
|
|
"github.com/mitchellh/cli"
|
|
"github.com/posener/complete"
|
|
)
|
|
|
|
// OperatorKeyringCommand is a Command implementation that handles querying, installing,
|
|
// and removing gossip encryption keys from a keyring.
|
|
type OperatorKeyringCommand struct {
|
|
Meta
|
|
}
|
|
|
|
func (c *OperatorKeyringCommand) Help() string {
|
|
helpText := `
|
|
Usage: nomad operator keyring [options]
|
|
|
|
Manages encryption keys used for gossip messages between Nomad servers. Gossip
|
|
encryption is optional. When enabled, this command may be used to examine
|
|
active encryption keys in the cluster, add new keys, and remove old ones. When
|
|
combined, this functionality provides the ability to perform key rotation
|
|
cluster-wide, without disrupting the cluster.
|
|
|
|
All operations performed by this command can only be run against server nodes.
|
|
|
|
All variations of the keyring command return 0 if all nodes reply and there
|
|
are no errors. If any node fails to reply or reports failure, the exit code
|
|
will be 1.
|
|
|
|
If ACLs are enabled, this command requires a token with the 'agent:write'
|
|
capability.
|
|
|
|
General Options:
|
|
|
|
` + generalOptionsUsage(usageOptsDefault|usageOptsNoNamespace) + `
|
|
|
|
Keyring Options:
|
|
|
|
-install=<key> Install a new encryption key. This will broadcast
|
|
the new key to all members in the cluster.
|
|
-list List all keys currently in use within the cluster.
|
|
-remove=<key> Remove the given key from the cluster. This
|
|
operation may only be performed on keys which are
|
|
not currently the primary key.
|
|
-use=<key> Change the primary encryption key, which is used to
|
|
encrypt messages. The key must already be installed
|
|
before this operation can succeed.
|
|
`
|
|
return strings.TrimSpace(helpText)
|
|
}
|
|
|
|
func (c *OperatorKeyringCommand) Synopsis() string {
|
|
return "Manages gossip layer encryption keys"
|
|
}
|
|
|
|
func (c *OperatorKeyringCommand) AutocompleteFlags() complete.Flags {
|
|
return mergeAutocompleteFlags(c.Meta.AutocompleteFlags(FlagSetClient),
|
|
complete.Flags{
|
|
"-install": complete.PredictAnything,
|
|
"-list": complete.PredictNothing,
|
|
"-remove": complete.PredictAnything,
|
|
"-use": complete.PredictAnything,
|
|
})
|
|
}
|
|
func (c *OperatorKeyringCommand) AutocompleteArgs() complete.Predictor {
|
|
return complete.PredictNothing
|
|
}
|
|
|
|
func (c *OperatorKeyringCommand) Name() string { return "operator keyring" }
|
|
|
|
func (c *OperatorKeyringCommand) Run(args []string) int {
|
|
var installKey, useKey, removeKey string
|
|
var listKeys bool
|
|
|
|
flags := c.Meta.FlagSet("operator-keyring", FlagSetClient)
|
|
flags.Usage = func() { c.Ui.Output(c.Help()) }
|
|
|
|
flags.StringVar(&installKey, "install", "", "install key")
|
|
flags.StringVar(&useKey, "use", "", "use key")
|
|
flags.StringVar(&removeKey, "remove", "", "remove key")
|
|
flags.BoolVar(&listKeys, "list", false, "list keys")
|
|
|
|
if err := flags.Parse(args); err != nil {
|
|
return 1
|
|
}
|
|
|
|
c.Ui = &cli.PrefixedUi{
|
|
OutputPrefix: "",
|
|
InfoPrefix: "==> ",
|
|
ErrorPrefix: "",
|
|
Ui: c.Ui,
|
|
}
|
|
|
|
// Only accept a single argument
|
|
found := listKeys
|
|
for _, arg := range []string{installKey, useKey, removeKey} {
|
|
if found && len(arg) > 0 {
|
|
c.Ui.Error("Only a single action is allowed")
|
|
c.Ui.Error(commandErrorText(c))
|
|
return 1
|
|
}
|
|
found = found || len(arg) > 0
|
|
}
|
|
|
|
// Fail fast if no actionable args were passed
|
|
if !found {
|
|
c.Ui.Error("No actionable argument was passed")
|
|
c.Ui.Error("Either the '-install', '-use', '-remove' or '-list' flag must be set")
|
|
c.Ui.Error(commandErrorText(c))
|
|
return 1
|
|
}
|
|
|
|
// All other operations will require a client connection
|
|
client, err := c.Meta.Client()
|
|
if err != nil {
|
|
c.Ui.Error(fmt.Sprintf("Error creating nomad cli client: %s", err))
|
|
return 1
|
|
}
|
|
|
|
if listKeys {
|
|
c.Ui.Output("Gathering installed encryption keys...")
|
|
r, err := client.Agent().ListKeys()
|
|
if err != nil {
|
|
c.Ui.Error(fmt.Sprintf("error: %s", err))
|
|
return 1
|
|
}
|
|
c.handleKeyResponse(r)
|
|
return 0
|
|
}
|
|
|
|
if installKey != "" {
|
|
c.Ui.Output("Installing new gossip encryption key...")
|
|
_, err := client.Agent().InstallKey(installKey)
|
|
if err != nil {
|
|
c.Ui.Error(fmt.Sprintf("error: %s", err))
|
|
return 1
|
|
}
|
|
return 0
|
|
}
|
|
|
|
if useKey != "" {
|
|
c.Ui.Output("Changing primary gossip encryption key...")
|
|
_, err := client.Agent().UseKey(useKey)
|
|
if err != nil {
|
|
c.Ui.Error(fmt.Sprintf("error: %s", err))
|
|
return 1
|
|
}
|
|
return 0
|
|
}
|
|
|
|
if removeKey != "" {
|
|
c.Ui.Output("Removing gossip encryption key...")
|
|
_, err := client.Agent().RemoveKey(removeKey)
|
|
if err != nil {
|
|
c.Ui.Error(fmt.Sprintf("error: %s", err))
|
|
return 1
|
|
}
|
|
return 0
|
|
}
|
|
|
|
// Should never make it here
|
|
return 0
|
|
}
|
|
|
|
func (c *OperatorKeyringCommand) handleKeyResponse(resp *api.KeyringResponse) {
|
|
out := make([]string, len(resp.Keys)+1)
|
|
out[0] = "Key"
|
|
i := 1
|
|
for k := range resp.Keys {
|
|
out[i] = k
|
|
i = i + 1
|
|
}
|
|
c.Ui.Output(formatList(out))
|
|
}
|