Merge pull request #3274 from hashicorp/tls-area-docs

Add network area TLS setting to docs
This commit is contained in:
Kyle Havlovitz 2017-07-14 17:45:53 -07:00 committed by GitHub
commit 0f02e4da52
6 changed files with 124 additions and 16 deletions

View File

@ -371,7 +371,7 @@ func NewServerLogger(config *Config, logger *log.Logger) (*Server, error) {
go s.lanEventHandler() go s.lanEventHandler()
// Add a "static route" to the WAN Serf and hook it up to Serf events. // Add a "static route" to the WAN Serf and hook it up to Serf events.
if err := s.router.AddArea(types.AreaWAN, s.serfWAN, s.connPool); err != nil { if err := s.router.AddArea(types.AreaWAN, s.serfWAN, s.connPool, s.config.VerifyOutgoing); err != nil {
s.Shutdown() s.Shutdown()
return nil, fmt.Errorf("Failed to add WAN serf route: %v", err) return nil, fmt.Errorf("Failed to add WAN serf route: %v", err)
} }

View File

@ -76,6 +76,9 @@ type areaInfo struct {
// managers maps datacenter names to managers for that datacenter in // managers maps datacenter names to managers for that datacenter in
// this area. // this area.
managers map[string]*managerInfo managers map[string]*managerInfo
// useTLS specifies whether to use TLS to communicate for this network area.
useTLS bool
} }
// NewRouter returns a new Router with the given configuration. // NewRouter returns a new Router with the given configuration.
@ -112,7 +115,7 @@ func (r *Router) Shutdown() {
} }
// AddArea registers a new network area with the router. // AddArea registers a new network area with the router.
func (r *Router) AddArea(areaID types.AreaID, cluster RouterSerfCluster, pinger Pinger) error { func (r *Router) AddArea(areaID types.AreaID, cluster RouterSerfCluster, pinger Pinger, useTLS bool) error {
r.Lock() r.Lock()
defer r.Unlock() defer r.Unlock()
@ -128,6 +131,7 @@ func (r *Router) AddArea(areaID types.AreaID, cluster RouterSerfCluster, pinger
cluster: cluster, cluster: cluster,
pinger: pinger, pinger: pinger,
managers: make(map[string]*managerInfo), managers: make(map[string]*managerInfo),
useTLS: useTLS,
} }
r.areas[areaID] = area r.areas[areaID] = area
@ -168,6 +172,19 @@ func (r *Router) removeManagerFromIndex(datacenter string, manager *Manager) {
panic("managers index out of sync") panic("managers index out of sync")
} }
// Returns whether TLS is enabled for the given area ID
func (r *Router) TLSEnabled(areaID types.AreaID) (bool, error) {
r.RLock()
defer r.RUnlock()
area, ok := r.areas[areaID]
if !ok {
return false, fmt.Errorf("area ID %q does not exist", areaID)
}
return area.useTLS, nil
}
// RemoveArea removes an existing network area from the router. // RemoveArea removes an existing network area from the router.
func (r *Router) RemoveArea(areaID types.AreaID) error { func (r *Router) RemoveArea(areaID types.AreaID) error {
r.Lock() r.Lock()
@ -207,6 +224,12 @@ func (r *Router) addServer(area *areaInfo, s *agent.Server) error {
go manager.Start() go manager.Start()
} }
// If TLS is enabled for the area, set it on the server so the manager
// knows to use TLS when pinging it.
if area.useTLS {
s.UseTLS = true
}
info.manager.AddServer(s) info.manager.AddServer(s)
return nil return nil
} }

View File

@ -105,7 +105,7 @@ func TestRouter_Shutdown(t *testing.T) {
// Create a WAN-looking area. // Create a WAN-looking area.
self := "node0.dc0" self := "node0.dc0"
wan := testCluster(self) wan := testCluster(self)
if err := r.AddArea(types.AreaWAN, wan, &fauxConnPool{}); err != nil { if err := r.AddArea(types.AreaWAN, wan, &fauxConnPool{}, false); err != nil {
t.Fatalf("err: %v", err) t.Fatalf("err: %v", err)
} }
@ -113,7 +113,7 @@ func TestRouter_Shutdown(t *testing.T) {
otherID := types.AreaID("other") otherID := types.AreaID("other")
other := newMockCluster(self) other := newMockCluster(self)
other.AddMember("dcY", "node1", nil) other.AddMember("dcY", "node1", nil)
if err := r.AddArea(otherID, other, &fauxConnPool{}); err != nil { if err := r.AddArea(otherID, other, &fauxConnPool{}, false); err != nil {
t.Fatalf("err: %v", err) t.Fatalf("err: %v", err)
} }
_, _, ok := r.FindRoute("dcY") _, _, ok := r.FindRoute("dcY")
@ -129,7 +129,7 @@ func TestRouter_Shutdown(t *testing.T) {
} }
// You can't add areas once the router is shut down. // You can't add areas once the router is shut down.
err := r.AddArea(otherID, other, &fauxConnPool{}) err := r.AddArea(otherID, other, &fauxConnPool{}, false)
if err == nil || !strings.Contains(err.Error(), "router is shut down") { if err == nil || !strings.Contains(err.Error(), "router is shut down") {
t.Fatalf("err: %v", err) t.Fatalf("err: %v", err)
} }
@ -141,7 +141,7 @@ func TestRouter_Routing(t *testing.T) {
// Create a WAN-looking area. // Create a WAN-looking area.
self := "node0.dc0" self := "node0.dc0"
wan := testCluster(self) wan := testCluster(self)
if err := r.AddArea(types.AreaWAN, wan, &fauxConnPool{}); err != nil { if err := r.AddArea(types.AreaWAN, wan, &fauxConnPool{}, false); err != nil {
t.Fatalf("err: %v", err) t.Fatalf("err: %v", err)
} }
@ -170,7 +170,7 @@ func TestRouter_Routing(t *testing.T) {
other.AddMember("dc0", "node0", nil) other.AddMember("dc0", "node0", nil)
other.AddMember("dc1", "node1", nil) other.AddMember("dc1", "node1", nil)
other.AddMember("dcY", "node1", nil) other.AddMember("dcY", "node1", nil)
if err := r.AddArea(otherID, other, &fauxConnPool{}); err != nil { if err := r.AddArea(otherID, other, &fauxConnPool{}, false); err != nil {
t.Fatalf("err: %v", err) t.Fatalf("err: %v", err)
} }
@ -275,7 +275,7 @@ func TestRouter_Routing_Offline(t *testing.T) {
// Create a WAN-looking area. // Create a WAN-looking area.
self := "node0.dc0" self := "node0.dc0"
wan := testCluster(self) wan := testCluster(self)
if err := r.AddArea(types.AreaWAN, wan, &fauxConnPool{1.0}); err != nil { if err := r.AddArea(types.AreaWAN, wan, &fauxConnPool{1.0}, false); err != nil {
t.Fatalf("err: %v", err) t.Fatalf("err: %v", err)
} }
@ -329,7 +329,7 @@ func TestRouter_Routing_Offline(t *testing.T) {
other := newMockCluster(self) other := newMockCluster(self)
other.AddMember("dc0", "node0", nil) other.AddMember("dc0", "node0", nil)
other.AddMember("dc1", "node1", nil) other.AddMember("dc1", "node1", nil)
if err := r.AddArea(otherID, other, &fauxConnPool{}); err != nil { if err := r.AddArea(otherID, other, &fauxConnPool{}, false); err != nil {
t.Fatalf("err: %v", err) t.Fatalf("err: %v", err)
} }
@ -354,7 +354,7 @@ func TestRouter_GetDatacenters(t *testing.T) {
self := "node0.dc0" self := "node0.dc0"
wan := testCluster(self) wan := testCluster(self)
if err := r.AddArea(types.AreaWAN, wan, &fauxConnPool{}); err != nil { if err := r.AddArea(types.AreaWAN, wan, &fauxConnPool{}, false); err != nil {
t.Fatalf("err: %v", err) t.Fatalf("err: %v", err)
} }
@ -386,7 +386,7 @@ func TestRouter_GetDatacentersByDistance(t *testing.T) {
// Start with just the WAN area described in the diagram above. // Start with just the WAN area described in the diagram above.
self := "node0.dc0" self := "node0.dc0"
wan := testCluster(self) wan := testCluster(self)
if err := r.AddArea(types.AreaWAN, wan, &fauxConnPool{}); err != nil { if err := r.AddArea(types.AreaWAN, wan, &fauxConnPool{}, false); err != nil {
t.Fatalf("err: %v", err) t.Fatalf("err: %v", err)
} }
@ -404,7 +404,7 @@ func TestRouter_GetDatacentersByDistance(t *testing.T) {
other := newMockCluster(self) other := newMockCluster(self)
other.AddMember("dc0", "node0", lib.GenerateCoordinate(20*time.Millisecond)) other.AddMember("dc0", "node0", lib.GenerateCoordinate(20*time.Millisecond))
other.AddMember("dc1", "node1", lib.GenerateCoordinate(21*time.Millisecond)) other.AddMember("dc1", "node1", lib.GenerateCoordinate(21*time.Millisecond))
if err := r.AddArea(otherID, other, &fauxConnPool{}); err != nil { if err := r.AddArea(otherID, other, &fauxConnPool{}, false); err != nil {
t.Fatalf("err: %v", err) t.Fatalf("err: %v", err)
} }
@ -423,7 +423,7 @@ func TestRouter_GetDatacenterMaps(t *testing.T) {
self := "node0.dc0" self := "node0.dc0"
wan := testCluster(self) wan := testCluster(self)
if err := r.AddArea(types.AreaWAN, wan, &fauxConnPool{}); err != nil { if err := r.AddArea(types.AreaWAN, wan, &fauxConnPool{}, false); err != nil {
t.Fatalf("err: %v", err) t.Fatalf("err: %v", err)
} }

View File

@ -64,12 +64,16 @@ The table below shows this endpoint's support for
If this list is not supplied, joining can be done with a call to the If this list is not supplied, joining can be done with a call to the
[join endpoint](#area-join) once the network area is created. [join endpoint](#area-join) once the network area is created.
- `UseTLS` `(bool: <optional>)` - Specifies whether gossip over this area should be
encrypted with TLS if possible.
### Sample Payload ### Sample Payload
```json ```json
{ {
"PeerDatacenter": "dc2", "PeerDatacenter": "dc2",
"RetryJoin": [ "10.1.2.3", "10.1.2.4", "10.1.2.5" ] "RetryJoin": [ "10.1.2.3", "10.1.2.4", "10.1.2.5" ],
"UseTLS": false
} }
``` ```
@ -132,6 +136,49 @@ $ curl \
] ]
``` ```
## Update Network Area
This endpoint updates a network area to the given configuration.
| Method | Path | Produces |
| ------ | ---------------------------- | -------------------------- |
| `PUT` | `/operator/area/:uuid` | `application/json` |
The table below shows this endpoint's support for
[blocking queries](/api/index.html#blocking-queries),
[consistency modes](/api/index.html#consistency-modes), and
[required ACLs](/api/index.html#acls).
| Blocking Queries | Consistency Modes | ACL Required |
| ---------------- | ----------------- | ---------------- |
| `NO` | `none` | `operator:write` |
### Parameters
- `dc` `(string: "")` - Specifies the datacenter to query. This will default to
the datacenter of the agent being queried. This is specified as a URL query
parameter.
- `UseTLS` `(bool: <optional>)` - Specifies whether gossip over this area should be
encrypted with TLS if possible.
### Sample Payload
```json
{
"UseTLS": true
}
```
### Sample Request
```text
$ curl \
--request PUT \
--data @payload.json \
https://consul.rocks/v1/operator/area/8f246b77-f3e1-ff88-5b48-8ec93abf3e05
```
## List Specific Network Area ## List Specific Network Area
This endpoint lists a specific network area. This endpoint lists a specific network area.

View File

@ -123,8 +123,11 @@ options are set to `false`. HTTPS for the API can be enabled at this point by
setting the [`https`](/docs/agent/options.html#http_port) port. setting the [`https`](/docs/agent/options.html#http_port) port.
2. Perform a rolling restart of each agent in the cluster. After this step, TLS should be enabled 2. Perform a rolling restart of each agent in the cluster. After this step, TLS should be enabled
everywhere but the agents will not yet be enforcing TLS. everywhere but the agents will not yet be enforcing TLS.
3. Change the `verify_incoming` and `verify_outgoing` settings (as well as `verify_server_hostname` 3. (Optional, Enterprise-only) If applicable, set the `UseTLS` setting in any network areas to `true`.
This can be done either through the [`consul operator area update`](/docs/commands/operator/area.html)
command or the [Operator API](api/operator/area.html).
4. Change the `verify_incoming` and `verify_outgoing` settings (as well as `verify_server_hostname`
if applicable) to `true`. if applicable) to `true`.
4. Perform another rolling restart of each agent in the cluster. 5. Perform another rolling restart of each agent in the cluster.
At this point, full TLS encryption for RPC communication should be enabled. At this point, full TLS encryption for RPC communication should be enabled.

View File

@ -42,6 +42,7 @@ Subcommands:
join Join Consul servers into an existing network area join Join Consul servers into an existing network area
list List network areas list List network areas
members Display Consul server members present in network areas members Display Consul server members present in network areas
update Update the configuration of a network area
``` ```
If ACLs are enabled, the client will need to supply an ACL Token with `operator` If ACLs are enabled, the client will need to supply an ACL Token with `operator`
@ -67,6 +68,9 @@ where the area was created, and the peer datacenter. This is required.
* `-retry-join=<value>` Specifies the address of a Consul server to join to, such as an IP * `-retry-join=<value>` Specifies the address of a Consul server to join to, such as an IP
or hostname with an optional port number. This is optional and can be specified multiple times. or hostname with an optional port number. This is optional and can be specified multiple times.
* `-use-tls=<value>` Specifies whether gossip over this area should be encrypted with
TLS if possible. Must be either `true` or `false`.
The output looks like this, displaying the ID of the newly-created network area: The output looks like this, displaying the ID of the newly-created network area:
``` ```
@ -216,3 +220,34 @@ to the given server, in a human-readable format. This is computed using
[network coordinates](/docs/internals/coordinates.html). [network coordinates](/docs/internals/coordinates.html).
The return code will indicate success or failure. The return code will indicate success or failure.
## update
This command updates the configuration of network area.
Usage: `consul operator area update [options]`
#### API Options
<%= partial "docs/commands/http_api_options_client" %>
<%= partial "docs/commands/http_api_options_server" %>
#### Command Options
* `-id=<value>` - Looks up the area to operate on by its ID. This can be given
instead of a peer datacenter.
* `-peer-datacenter=<value>` - Declares the peer Consul datacenter that will make up the other
side of this network area. Network areas always involve a pair of datacenters: the datacenter
where the area was created, and the peer datacenter. This is required.
* `-use-tls=<value>` Specifies whether gossip over this area should be encrypted with
TLS if possible. Must be either `true` or `false`.
The output looks like this:
```
Updated area "d2872ec5-68ea-b862-b75d-0bee99aca100"
```
The return code will indicate success or failure.