Add an option to disable keyring file (#3145)

Also disables keyring file in dev mode.
This commit is contained in:
Kyle Havlovitz 2017-06-15 15:24:04 -07:00 committed by GitHub
parent 5507a310dd
commit 5d99ee80ca
7 changed files with 37 additions and 11 deletions

View File

@ -887,8 +887,10 @@ func (a *Agent) makeServer() (*consul.Server, error) {
if err != nil {
return nil, err
}
if err := a.setupKeyrings(config); err != nil {
return nil, fmt.Errorf("Failed to configure keyring: %v", err)
if !a.config.DisableKeyringFile {
if err := a.setupKeyrings(config); err != nil {
return nil, fmt.Errorf("Failed to configure keyring: %v", err)
}
}
server, err := consul.NewServerLogger(config, a.logger)
if err != nil {
@ -903,8 +905,10 @@ func (a *Agent) makeClient() (*consul.Client, error) {
if err != nil {
return nil, err
}
if err := a.setupKeyrings(config); err != nil {
return nil, fmt.Errorf("Failed to configure keyring: %v", err)
if !a.config.DisableKeyringFile {
if err := a.setupKeyrings(config); err != nil {
return nil, fmt.Errorf("Failed to configure keyring: %v", err)
}
}
client, err := consul.NewClientLogger(config, a.logger)
if err != nil {

View File

@ -367,6 +367,9 @@ type Config struct {
// Encryption key to use for the Serf communication
EncryptKey string `mapstructure:"encrypt" json:"-"`
// Disables writing the keyring to a file.
DisableKeyringFile bool `mapstructure:"disable_keyring_file"`
// EncryptVerifyIncoming and EncryptVerifyOutgoing are used to enforce
// incoming/outgoing gossip encryption and can be used to upshift to
// encrypted gossip on a running cluster.
@ -952,6 +955,7 @@ func DevConfig() *Config {
conf.DisableAnonymousSignature = true
conf.EnableUI = true
conf.BindAddr = "127.0.0.1"
conf.DisableKeyringFile = true
conf.ConsulConfig = consul.DefaultConfig()
conf.ConsulConfig.SerfLANConfig.MemberlistConfig.ProbeTimeout = 100 * time.Millisecond
@ -1561,6 +1565,9 @@ func MergeConfig(a, b *Config) *Config {
if b.EncryptKey != "" {
result.EncryptKey = b.EncryptKey
}
if b.DisableKeyringFile {
result.DisableKeyringFile = true
}
if b.EncryptVerifyIncoming != nil {
result.EncryptVerifyIncoming = b.EncryptVerifyIncoming
}

View File

@ -317,6 +317,10 @@ func TestDecodeConfig(t *testing.T) {
in: `{"enable_syslog":true}`,
c: &Config{EnableSyslog: true},
},
{
in: `{"disable_keyring_file":true}`,
c: &Config{DisableKeyringFile: true},
},
{
in: `{"encrypt_verify_incoming":true}`,
c: &Config{EncryptVerifyIncoming: Bool(true)},

View File

@ -88,6 +88,8 @@ func (cmd *AgentCommand) readConfig() *agent.Config {
f.StringVar(&cmdCfg.UIDir, "ui-dir", "", "Path to directory containing the web UI resources.")
f.StringVar(&cmdCfg.PidFile, "pid-file", "", "Path to file to store agent PID.")
f.StringVar(&cmdCfg.EncryptKey, "encrypt", "", "Provides the gossip encryption key.")
f.BoolVar(&cmdCfg.DisableKeyringFile, "disable-keyring-file", false, "Disables the backing up "+
"of the keyring to a file.")
f.BoolVar(&cmdCfg.Server, "server", false, "Switches agent to server mode.")
f.BoolVar(&cmdCfg.NonVotingServer, "non-voting-server", false,

View File

@ -192,10 +192,12 @@ func (s *serfQueries) handleInstallKey(q *Query) {
goto SEND
}
if err := s.serf.writeKeyringFile(); err != nil {
response.Message = err.Error()
s.logger.Printf("[ERR] serf: Failed to write keyring file: %s", err)
goto SEND
if s.serf.config.KeyringFile != "" {
if err := s.serf.writeKeyringFile(); err != nil {
response.Message = err.Error()
s.logger.Printf("[ERR] serf: Failed to write keyring file: %s", err)
goto SEND
}
}
response.Result = true

6
vendor/vendor.json vendored
View File

@ -675,11 +675,11 @@
"revisionTime": "2017-05-25T23:15:04Z"
},
{
"checksumSHA1": "ZkJRgexeNzNZzpw6YnedwoJl7pE=",
"checksumSHA1": "3LFg00GII0KbMRpqi38MRkMhoyM=",
"comment": "v0.7.0-66-g6c4672d",
"path": "github.com/hashicorp/serf/serf",
"revision": "dfab144618a063232d5753eaa4250a09865106c5",
"revisionTime": "2017-05-26T05:01:28Z"
"revision": "91fd53b1d3e624389ed9a295a3fa380e5c7b9dfc",
"revisionTime": "2017-06-14T22:59:51Z"
},
{
"checksumSHA1": "ZhK6IO2XN81Y+3RAjTcVm1Ic7oU=",

View File

@ -163,6 +163,10 @@ will exit with an error at startup.
initialized with an encryption key, then the provided key is ignored and
a warning will be displayed.
* <a name="_disable_keyring_file"></a><a href="#_disable_keyring_file">`-disable-keyring-file`</a> - If set,
the keyring will not be persisted to a file. Any installed keys will be lost on shutdown, and only the given
`-encrypt` key will be available on startup. This defaults to false.
* <a name="_http_port"></a><a href="#_http_port">`-http-port`</a> - the HTTP API port to listen on.
This overrides the default port 8500. This option is very useful when deploying Consul
to an environment which communicates the HTTP port through the environment e.g. PaaS like CloudFoundry, allowing
@ -720,6 +724,9 @@ Consul will not enable TLS for the HTTP API unless the `https` port has been ass
(/docs/agent/encryption.html#configuring-gossip-encryption-on-an-existing-cluster) for more information.
Defaults to true.
* <a name="disable_keyring_file"></a><a href="#disable_keyring_file">`disable_keyring_file`</a> - Equivalent to the
[`-disable-keyring-file` command-line flag](#_disable_keyring_file).
* <a name="key_file"></a><a href="#key_file">`key_file`</a> This provides a the file path to a
PEM-encoded private key. The key is used with the certificate to verify the agent's authenticity.
This must be provided along with [`cert_file`](#cert_file).