Make HA in etcd off by default. (#1909)

Fixes #1908

(Doesn't really "fix" it but someone from the community needs to step up
if they want to see this fixed.)
Jeff Mitchell 2016-09-21 14:01:36 -04:00 committed by GitHub
parent 5c9bd9adcb
commit 226ef5d78c
2 changed files with 16 additions and 1 deletions


@ -7,6 +7,7 @@ import (
"net/url"
"os"
"path/filepath"
"strconv"
"strings"
"sync"
"time"
@ -70,6 +71,7 @@ type EtcdBackend struct {
kAPI client.KeysAPI
permitPool *PermitPool
logger log.Logger
haEnabled bool
}
// newEtcdBackend constructs a etcd backend using a given machine address.
@ -104,6 +106,12 @@ func newEtcdBackend(conf map[string]string, logger log.Logger) (Backend, error)
}
}
haEnabled := os.Getenv("ETCD_HA_ENABLED")
if haEnabled == "" {
haEnabled = conf["ha_enabled"]
}
haEnabledBool, _ := strconv.ParseBool(haEnabled)
// Create a new client from the supplied address and attempt to sync with the
// cluster.
var cTransport client.CancelableTransport
@ -181,6 +189,7 @@ func newEtcdBackend(conf map[string]string, logger log.Logger) (Backend, error)
kAPI: kAPI,
permitPool: NewPermitPool(DefaultParallelOperations),
logger: logger,
haEnabled: haEnabledBool,
}, nil
}
@ -317,7 +326,7 @@ func (c *EtcdBackend) LockWith(key, value string) (Lock, error) {
// HAEnabled indicates whether the HA functionality should be exposed.
// Currently always returns true.
func (e *EtcdBackend) HAEnabled() bool {
return true
return e.haEnabled
}
// EtcdLock emplements a lock using and etcd backend.
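Review bot: The error from `strconv.ParseBool` is discarded in newEtcdBackend, so a mistyped `ha_enabled` or `ETCD_HA_ENABLED` value (for example `"yes"` or `"on"`) silently leaves HA disabled, with no log line and no startup failure. The accompanying documentation says it is very important to set this option before upgrading, so an unparseable value should fail backend construction, while an unset value should still default to false. The sketch below assumes `fmt` is already imported above the visible import hunk; newEtcdBackend starts and ends outside these hunks. Separately, the doc comment on HAEnabled still reads "Currently always returns true." and should become something like `// It reports the ha_enabled setting, which defaults to false.`

```go
	// … unchanged: ETCD_HA_ENABLED / conf["ha_enabled"] lookup …
	haEnabledBool := false
	if haEnabled != "" {
		var err error
		haEnabledBool, err = strconv.ParseBool(haEnabled)
		if err != nil {
			return nil, fmt.Errorf("invalid ha_enabled value %q: %v", haEnabled, err)
		}
	}
```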


@ -395,6 +395,12 @@ For etcd, the following options are supported:
"y", or "true". Defaults to on. Set to false if your etcd cluster is
behind a proxy server and syncing causes Vault to fail.
* `ha_enabled` (optional) - Setting this to `"1"`, `"t"`, or `"true"` will
enable HA mode. _This is currently *known broken*._ This option can also be
provided via the environment variable `ETCD_HA_ENABLED`. If you are
upgrading from a version of Vault where HA support was enabled by default,
it is _very important_ that you set this parameter _before_ upgrading!
* `username` (optional) - Username to use when authenticating with the etcd
server. May also be specified via the ETCD_USERNAME environment variable.