mirror of https://github.com/status-im/consul.git
Add an option to disable keyring file (#3145)
Also disables keyring file in dev mode.
This commit is contained in:
parent
5507a310dd
commit
5d99ee80ca
|
@ -887,9 +887,11 @@ func (a *Agent) makeServer() (*consul.Server, error) {
|
|||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if !a.config.DisableKeyringFile {
|
||||
if err := a.setupKeyrings(config); err != nil {
|
||||
return nil, fmt.Errorf("Failed to configure keyring: %v", err)
|
||||
}
|
||||
}
|
||||
server, err := consul.NewServerLogger(config, a.logger)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("Failed to start Consul server: %v", err)
|
||||
|
@ -903,9 +905,11 @@ func (a *Agent) makeClient() (*consul.Client, error) {
|
|||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if !a.config.DisableKeyringFile {
|
||||
if err := a.setupKeyrings(config); err != nil {
|
||||
return nil, fmt.Errorf("Failed to configure keyring: %v", err)
|
||||
}
|
||||
}
|
||||
client, err := consul.NewClientLogger(config, a.logger)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("Failed to start Consul client: %v", err)
|
||||
|
|
|
@ -367,6 +367,9 @@ type Config struct {
|
|||
// Encryption key to use for the Serf communication
|
||||
EncryptKey string `mapstructure:"encrypt" json:"-"`
|
||||
|
||||
// Disables writing the keyring to a file.
|
||||
DisableKeyringFile bool `mapstructure:"disable_keyring_file"`
|
||||
|
||||
// EncryptVerifyIncoming and EncryptVerifyOutgoing are used to enforce
|
||||
// incoming/outgoing gossip encryption and can be used to upshift to
|
||||
// encrypted gossip on a running cluster.
|
||||
|
@ -952,6 +955,7 @@ func DevConfig() *Config {
|
|||
conf.DisableAnonymousSignature = true
|
||||
conf.EnableUI = true
|
||||
conf.BindAddr = "127.0.0.1"
|
||||
conf.DisableKeyringFile = true
|
||||
|
||||
conf.ConsulConfig = consul.DefaultConfig()
|
||||
conf.ConsulConfig.SerfLANConfig.MemberlistConfig.ProbeTimeout = 100 * time.Millisecond
|
||||
|
@ -1561,6 +1565,9 @@ func MergeConfig(a, b *Config) *Config {
|
|||
if b.EncryptKey != "" {
|
||||
result.EncryptKey = b.EncryptKey
|
||||
}
|
||||
if b.DisableKeyringFile {
|
||||
result.DisableKeyringFile = true
|
||||
}
|
||||
if b.EncryptVerifyIncoming != nil {
|
||||
result.EncryptVerifyIncoming = b.EncryptVerifyIncoming
|
||||
}
|
||||
|
|
|
@ -317,6 +317,10 @@ func TestDecodeConfig(t *testing.T) {
|
|||
in: `{"enable_syslog":true}`,
|
||||
c: &Config{EnableSyslog: true},
|
||||
},
|
||||
{
|
||||
in: `{"disable_keyring_file":true}`,
|
||||
c: &Config{DisableKeyringFile: true},
|
||||
},
|
||||
{
|
||||
in: `{"encrypt_verify_incoming":true}`,
|
||||
c: &Config{EncryptVerifyIncoming: Bool(true)},
|
||||
|
|
|
@ -88,6 +88,8 @@ func (cmd *AgentCommand) readConfig() *agent.Config {
|
|||
f.StringVar(&cmdCfg.UIDir, "ui-dir", "", "Path to directory containing the web UI resources.")
|
||||
f.StringVar(&cmdCfg.PidFile, "pid-file", "", "Path to file to store agent PID.")
|
||||
f.StringVar(&cmdCfg.EncryptKey, "encrypt", "", "Provides the gossip encryption key.")
|
||||
f.BoolVar(&cmdCfg.DisableKeyringFile, "disable-keyring-file", false, "Disables the backing up "+
|
||||
"of the keyring to a file.")
|
||||
|
||||
f.BoolVar(&cmdCfg.Server, "server", false, "Switches agent to server mode.")
|
||||
f.BoolVar(&cmdCfg.NonVotingServer, "non-voting-server", false,
|
||||
|
|
|
@ -192,11 +192,13 @@ func (s *serfQueries) handleInstallKey(q *Query) {
|
|||
goto SEND
|
||||
}
|
||||
|
||||
if s.serf.config.KeyringFile != "" {
|
||||
if err := s.serf.writeKeyringFile(); err != nil {
|
||||
response.Message = err.Error()
|
||||
s.logger.Printf("[ERR] serf: Failed to write keyring file: %s", err)
|
||||
goto SEND
|
||||
}
|
||||
}
|
||||
|
||||
response.Result = true
|
||||
|
||||
|
|
|
@ -675,11 +675,11 @@
|
|||
"revisionTime": "2017-05-25T23:15:04Z"
|
||||
},
|
||||
{
|
||||
"checksumSHA1": "ZkJRgexeNzNZzpw6YnedwoJl7pE=",
|
||||
"checksumSHA1": "3LFg00GII0KbMRpqi38MRkMhoyM=",
|
||||
"comment": "v0.7.0-66-g6c4672d",
|
||||
"path": "github.com/hashicorp/serf/serf",
|
||||
"revision": "dfab144618a063232d5753eaa4250a09865106c5",
|
||||
"revisionTime": "2017-05-26T05:01:28Z"
|
||||
"revision": "91fd53b1d3e624389ed9a295a3fa380e5c7b9dfc",
|
||||
"revisionTime": "2017-06-14T22:59:51Z"
|
||||
},
|
||||
{
|
||||
"checksumSHA1": "ZhK6IO2XN81Y+3RAjTcVm1Ic7oU=",
|
||||
|
|
|
@ -163,6 +163,10 @@ will exit with an error at startup.
|
|||
initialized with an encryption key, then the provided key is ignored and
|
||||
a warning will be displayed.
|
||||
|
||||
* <a name="_disable_keyring_file"></a><a href="#_disable_keyring_file">`-disable-keyring-file`</a> - If set,
|
||||
the keyring will not be persisted to a file. Any installed keys will be lost on shutdown, and only the given
|
||||
`-encrypt` key will be available on startup. This defaults to false.
|
||||
|
||||
* <a name="_http_port"></a><a href="#_http_port">`-http-port`</a> - the HTTP API port to listen on.
|
||||
This overrides the default port 8500. This option is very useful when deploying Consul
|
||||
to an environment which communicates the HTTP port through the environment e.g. PaaS like CloudFoundry, allowing
|
||||
|
@ -720,6 +724,9 @@ Consul will not enable TLS for the HTTP API unless the `https` port has been ass
|
|||
(/docs/agent/encryption.html#configuring-gossip-encryption-on-an-existing-cluster) for more information.
|
||||
Defaults to true.
|
||||
|
||||
* <a name="disable_keyring_file"></a><a href="#disable_keyring_file">`disable_keyring_file`</a> - Equivalent to the
|
||||
[`-disable-keyring-file` command-line flag](#_disable_keyring_file).
|
||||
|
||||
* <a name="key_file"></a><a href="#key_file">`key_file`</a> This provides a the file path to a
|
||||
PEM-encoded private key. The key is used with the certificate to verify the agent's authenticity.
|
||||
This must be provided along with [`cert_file`](#cert_file).
|
||||
|
|
Loading…
Reference in New Issue