Enable serf encryption #1791
Enable serf encryption #1791
Conversation
diptanu
force-pushed
the
f-serf-encrypt
branch
from
203b1bb to
2c115a2
Compare
diptanu
force-pushed
the
f-serf-encrypt
branch
from
a3b34ea to
b269804
Compare
diptanu
force-pushed
the
f-serf-encrypt
branch
from
5e854c7 to
8514abe
Compare
| @@ -68,6 +68,7 @@ server { | |||
| retry_max = 3 | |||
| retry_interval = "15s" | |||
| rejoin_after_leave = true | |||
| encrypt = "abc" | |||
| // KeyringResponse is a unified key response and can be used for install, | ||
| // remove, use, as well as listing key queries. | ||
| type KeyringResponse struct { | ||
| Messages map[string]string |
| helpText := ` | ||
| Usage: nomad keyring [options] | ||
|
|
||
| Manages encryption keys used for gossip messages between nomad servers. Gossip |
| } | ||
| var resp KeyringResponse | ||
| _, err := a.client.write("/v1/agent/keyring/install", &args, &resp, nil) | ||
| return &resp, err |
There was a problem hiding this comment.
Above you do the extra if err != nil { return nil, err } check, so maybe keep all of these methods consistent in what they return?
| } | ||
|
|
||
| // KeyringRequest is request objects for serf key operations. | ||
| type KeyringRequest struct { |
There was a problem hiding this comment.
Unused? Looks like you use structs.KeyringRequest instead.
| @@ -68,6 +68,7 @@ server { | |||
| retry_max = 3 | |||
| retry_interval = "15s" | |||
| rejoin_after_leave = true | |||
| encrypt = "abc" | |||
| } | ||
| defer fh.Close() | ||
|
|
||
| if _, err := fh.Write(keyringBytes); err != nil { |
There was a problem hiding this comment.
You could just use ioutil.WriteFile instead of OpenFile+Write, but you'd still need the Remove on error.
| @@ -16,6 +18,19 @@ type Agent struct { | |||
| region string | |||
| } | |||
|
|
|||
| // KeyringResponse is a unified key response and can be used for install, | |||
| // remove, use, as well as listing key queries. | |||
| type KeyringResponse struct { | |||
There was a problem hiding this comment.
Maybe just use the struct package's KeyringResponse instead?
There was a problem hiding this comment.
@schmichael The API package mimics the structs package largely but gives a separation between internal and external structs
There was a problem hiding this comment.
Well that explains it! Thanks. (Wish I could mark comments as addressed in this new PR mode without full on deleting them...)
| @@ -391,6 +391,16 @@ configured on client nodes. | |||
| join any nodes when it starts up. Addresses can be given as an IP, a domain | |||
| name, or an IP:Port pair. If the port isn't specified the default Serf port, | |||
| 4648, is used. DNS names may also be used. | |||
| * <a id="encrypt">`encrypt`</a> Specifies the secret key to use for encryption | |||
| of Nomad server's gossip network traffic. This key must be 16-bytes that are | |||
There was a problem hiding this comment.
or 24 or 32? Or do we not even want to bother mentioning the aes 192 & 256 support?
| # Command: `keyring` | ||
|
|
||
| The `keyring` command is used to examine and modify the encryption keys used in | ||
| Nomad server. It is capable of |
| t.Fatalf("bad: %v", kresp) | ||
| } | ||
| }) | ||
| } |
There was a problem hiding this comment.
Does it make sense to also add a test for use operation?
|
@diptanu Looks great! Does it make sense to add general options to the |
|
@Gerrrr Definitely, good catch! I can do that, only have internet access via cybercafes at the moment as I am on vacation, but consider it done by the time we make the final 0.5 release. |
|
I'm going to lock this pull request because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active contributions. |
@dadgar @slackpad for review.
@Gerrrr Please help us test this feature if you can!