Add an option to disable keyring file (#3145)
Also disables keyring file in dev mode.
parent
5507a310dd
commit
5d99ee80ca
|
@ -887,8 +887,10 @@ func (a *Agent) makeServer() (*consul.Server, error) {
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
if err := a.setupKeyrings(config); err != nil {
|
if !a.config.DisableKeyringFile {
|
||||||
return nil, fmt.Errorf("Failed to configure keyring: %v", err)
|
if err := a.setupKeyrings(config); err != nil {
|
||||||
|
return nil, fmt.Errorf("Failed to configure keyring: %v", err)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
server, err := consul.NewServerLogger(config, a.logger)
|
server, err := consul.NewServerLogger(config, a.logger)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
@ -903,8 +905,10 @@ func (a *Agent) makeClient() (*consul.Client, error) {
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
if err := a.setupKeyrings(config); err != nil {
|
if !a.config.DisableKeyringFile {
|
||||||
return nil, fmt.Errorf("Failed to configure keyring: %v", err)
|
if err := a.setupKeyrings(config); err != nil {
|
||||||
|
return nil, fmt.Errorf("Failed to configure keyring: %v", err)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
client, err := consul.NewClientLogger(config, a.logger)
|
client, err := consul.NewClientLogger(config, a.logger)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
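Review bot: The new guard skips setupKeyrings entirely, and if that helper is also what loads an existing keyring from the data directory (its body is outside this hunk) then a node restarted with `-disable-keyring-file` silently ignores keys the cluster has rotated to and comes up able to gossip only with the `-encrypt` key; if that key has since been removed cluster-wide the node just fails to join with no hint why. A startup warning would make the trade-off visible, e.g. `a.logger.Printf("[WARN] agent: keyring file disabled; keys installed at runtime will not survive a restart")`, ideally preceded by a stat of the existing keyring file and a warning that it is being ignored. The identical guard is duplicated in makeServer and makeClient; hoisting it into setupKeyrings itself (return nil early when the flag is set) keeps a future third call site from forgetting it. makeServer and makeClient both begin before and end after their hunks.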
|
|
@ -367,6 +367,9 @@ type Config struct {
|
||||||
// Encryption key to use for the Serf communication
|
// Encryption key to use for the Serf communication
|
||||||
EncryptKey string `mapstructure:"encrypt" json:"-"`
|
EncryptKey string `mapstructure:"encrypt" json:"-"`
|
||||||
|
|
||||||
|
// Disables writing the keyring to a file.
|
||||||
|
DisableKeyringFile bool `mapstructure:"disable_keyring_file"`
|
||||||
|
|
||||||
// EncryptVerifyIncoming and EncryptVerifyOutgoing are used to enforce
|
// EncryptVerifyIncoming and EncryptVerifyOutgoing are used to enforce
|
||||||
// incoming/outgoing gossip encryption and can be used to upshift to
|
// incoming/outgoing gossip encryption and can be used to upshift to
|
||||||
// encrypted gossip on a running cluster.
|
// encrypted gossip on a running cluster.
|
||||||
|
@ -952,6 +955,7 @@ func DevConfig() *Config {
|
||||||
conf.DisableAnonymousSignature = true
|
conf.DisableAnonymousSignature = true
|
||||||
conf.EnableUI = true
|
conf.EnableUI = true
|
||||||
conf.BindAddr = "127.0.0.1"
|
conf.BindAddr = "127.0.0.1"
|
||||||
|
conf.DisableKeyringFile = true
|
||||||
|
|
||||||
conf.ConsulConfig = consul.DefaultConfig()
|
conf.ConsulConfig = consul.DefaultConfig()
|
||||||
conf.ConsulConfig.SerfLANConfig.MemberlistConfig.ProbeTimeout = 100 * time.Millisecond
|
conf.ConsulConfig.SerfLANConfig.MemberlistConfig.ProbeTimeout = 100 * time.Millisecond
|
||||||
|
@ -1561,6 +1565,9 @@ func MergeConfig(a, b *Config) *Config {
|
||||||
if b.EncryptKey != "" {
|
if b.EncryptKey != "" {
|
||||||
result.EncryptKey = b.EncryptKey
|
result.EncryptKey = b.EncryptKey
|
||||||
}
|
}
|
||||||
|
if b.DisableKeyringFile {
|
||||||
|
result.DisableKeyringFile = true
|
||||||
|
}
|
||||||
if b.EncryptVerifyIncoming != nil {
|
if b.EncryptVerifyIncoming != nil {
|
||||||
result.EncryptVerifyIncoming = b.EncryptVerifyIncoming
|
result.EncryptVerifyIncoming = b.EncryptVerifyIncoming
|
||||||
}
|
}
|
||||||
|
|
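Review bot: The field comment `// Disables writing the keyring to a file.` understates what the flag does: the agent hunks in this commit skip setupKeyrings altogether, so only EncryptKey is in effect and keys installed at runtime through the keyring API do not survive a restart (whether an existing keyring file is also left unread depends on setupKeyrings, which is not in this commit). Suggest `// DisableKeyringFile skips persisting the serf keyring under DataDir; only EncryptKey is used, and keys installed at runtime are lost on restart.` The MergeConfig rule is one-way — once any config source sets it, a later file cannot set it back to false — which is acceptable for this kind of toggle but deserves a sentence in the field comment so operators are not surprised. Config and MergeConfig both extend beyond their hunks.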
|
@ -317,6 +317,10 @@ func TestDecodeConfig(t *testing.T) {
|
||||||
in: `{"enable_syslog":true}`,
|
in: `{"enable_syslog":true}`,
|
||||||
c: &Config{EnableSyslog: true},
|
c: &Config{EnableSyslog: true},
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
in: `{"disable_keyring_file":true}`,
|
||||||
|
c: &Config{DisableKeyringFile: true},
|
||||||
|
},
|
||||||
{
|
{
|
||||||
in: `{"encrypt_verify_incoming":true}`,
|
in: `{"encrypt_verify_incoming":true}`,
|
||||||
c: &Config{EncryptVerifyIncoming: Bool(true)},
|
c: &Config{EncryptVerifyIncoming: Bool(true)},
|
||||||
|
|
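Review bot: Only JSON decoding is exercised here; the MergeConfig branch added in this commit (true in b wins, false in b leaves a's value) has no case, and that is the part most likely to regress silently. Whatever test covers MergeConfig should get a case with `DisableKeyringFile: true` in the first config and false in the second, asserting the merged result is still true. TestDecodeConfig continues beyond this hunk.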
|
@ -88,6 +88,8 @@ func (cmd *AgentCommand) readConfig() *agent.Config {
|
||||||
f.StringVar(&cmdCfg.UIDir, "ui-dir", "", "Path to directory containing the web UI resources.")
|
f.StringVar(&cmdCfg.UIDir, "ui-dir", "", "Path to directory containing the web UI resources.")
|
||||||
f.StringVar(&cmdCfg.PidFile, "pid-file", "", "Path to file to store agent PID.")
|
f.StringVar(&cmdCfg.PidFile, "pid-file", "", "Path to file to store agent PID.")
|
||||||
f.StringVar(&cmdCfg.EncryptKey, "encrypt", "", "Provides the gossip encryption key.")
|
f.StringVar(&cmdCfg.EncryptKey, "encrypt", "", "Provides the gossip encryption key.")
|
||||||
|
f.BoolVar(&cmdCfg.DisableKeyringFile, "disable-keyring-file", false, "Disables the backing up "+
|
||||||
|
"of the keyring to a file.")
|
||||||
|
|
||||||
f.BoolVar(&cmdCfg.Server, "server", false, "Switches agent to server mode.")
|
f.BoolVar(&cmdCfg.Server, "server", false, "Switches agent to server mode.")
|
||||||
f.BoolVar(&cmdCfg.NonVotingServer, "non-voting-server", false,
|
f.BoolVar(&cmdCfg.NonVotingServer, "non-voting-server", false,
|
||||||
|
|
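Review bot: The help text `Disables the backing up of the keyring to a file.` reads as if the file were a mere backup, while the docs hunk in this commit says the keyring is not persisted at all and installed keys are lost on shutdown; operators reading `consul agent -h` should get the same warning. Suggest `"Disables persisting the keyring to a file; keys installed at runtime are lost on restart and only the -encrypt key is used."`. readConfig begins before and ends after this hunk.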
|
@ -192,10 +192,12 @@ func (s *serfQueries) handleInstallKey(q *Query) {
|
||||||
goto SEND
|
goto SEND
|
||||||
}
|
}
|
||||||
|
|
||||||
if err := s.serf.writeKeyringFile(); err != nil {
|
if s.serf.config.KeyringFile != "" {
|
||||||
response.Message = err.Error()
|
if err := s.serf.writeKeyringFile(); err != nil {
|
||||||
s.logger.Printf("[ERR] serf: Failed to write keyring file: %s", err)
|
response.Message = err.Error()
|
||||||
goto SEND
|
s.logger.Printf("[ERR] serf: Failed to write keyring file: %s", err)
|
||||||
|
goto SEND
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
response.Result = true
|
response.Result = true
|
||||||
|
|
|
@ -675,11 +675,11 @@
|
||||||
"revisionTime": "2017-05-25T23:15:04Z"
|
"revisionTime": "2017-05-25T23:15:04Z"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"checksumSHA1": "ZkJRgexeNzNZzpw6YnedwoJl7pE=",
|
"checksumSHA1": "3LFg00GII0KbMRpqi38MRkMhoyM=",
|
||||||
"comment": "v0.7.0-66-g6c4672d",
|
"comment": "v0.7.0-66-g6c4672d",
|
||||||
"path": "github.com/hashicorp/serf/serf",
|
"path": "github.com/hashicorp/serf/serf",
|
||||||
"revision": "dfab144618a063232d5753eaa4250a09865106c5",
|
"revision": "91fd53b1d3e624389ed9a295a3fa380e5c7b9dfc",
|
||||||
"revisionTime": "2017-05-26T05:01:28Z"
|
"revisionTime": "2017-06-14T22:59:51Z"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"checksumSHA1": "ZhK6IO2XN81Y+3RAjTcVm1Ic7oU=",
|
"checksumSHA1": "ZhK6IO2XN81Y+3RAjTcVm1Ic7oU=",
|
||||||
|
|
|
@ -163,6 +163,10 @@ will exit with an error at startup.
|
||||||
initialized with an encryption key, then the provided key is ignored and
|
initialized with an encryption key, then the provided key is ignored and
|
||||||
a warning will be displayed.
|
a warning will be displayed.
|
||||||
|
|
||||||
|
* <a name="_disable_keyring_file"></a><a href="#_disable_keyring_file">`-disable-keyring-file`</a> - If set,
|
||||||
|
the keyring will not be persisted to a file. Any installed keys will be lost on shutdown, and only the given
|
||||||
|
`-encrypt` key will be available on startup. This defaults to false.
|
||||||
|
|
||||||
* <a name="_http_port"></a><a href="#_http_port">`-http-port`</a> - the HTTP API port to listen on.
|
* <a name="_http_port"></a><a href="#_http_port">`-http-port`</a> - the HTTP API port to listen on.
|
||||||
This overrides the default port 8500. This option is very useful when deploying Consul
|
This overrides the default port 8500. This option is very useful when deploying Consul
|
||||||
to an environment which communicates the HTTP port through the environment e.g. PaaS like CloudFoundry, allowing
|
to an environment which communicates the HTTP port through the environment e.g. PaaS like CloudFoundry, allowing
|
||||||
|
@ -720,6 +724,9 @@ Consul will not enable TLS for the HTTP API unless the `https` port has been ass
|
||||||
(/docs/agent/encryption.html#configuring-gossip-encryption-on-an-existing-cluster) for more information.
|
(/docs/agent/encryption.html#configuring-gossip-encryption-on-an-existing-cluster) for more information.
|
||||||
Defaults to true.
|
Defaults to true.
|
||||||
|
|
||||||
|
* <a name="disable_keyring_file"></a><a href="#disable_keyring_file">`disable_keyring_file`</a> - Equivalent to the
|
||||||
|
[`-disable-keyring-file` command-line flag](#_disable_keyring_file).
|
||||||
|
|
||||||
* <a name="key_file"></a><a href="#key_file">`key_file`</a> This provides a the file path to a
|
* <a name="key_file"></a><a href="#key_file">`key_file`</a> This provides a the file path to a
|
||||||
PEM-encoded private key. The key is used with the certificate to verify the agent's authenticity.
|
PEM-encoded private key. The key is used with the certificate to verify the agent's authenticity.
|
||||||
This must be provided along with [`cert_file`](#cert_file).
|
This must be provided along with [`cert_file`](#cert_file).
|
||||||
|
|