Make HA in etcd off by default.

Fixes #1908 (Doesn't really "fix" it but someone from the community needs to step up if they want to see this fixed.)
hashicorp · Sep 21, 2016 · 47a0905 · 47a0905
1 parent e618e8a
commit 47a0905
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 1 deletion.
diff --git a/physical/etcd.go b/physical/etcd.go
@@ -7,6 +7,7 @@ import (
 	"net/url"
 	"os"
 	"path/filepath"
+	"strconv"
 	"strings"
 	"sync"
 	"time"
@@ -70,6 +71,7 @@ type EtcdBackend struct {
 	kAPI       client.KeysAPI
 	permitPool *PermitPool
 	logger     log.Logger
+	haEnabled  bool
 }
 
 // newEtcdBackend constructs a etcd backend using a given machine address.
@@ -104,6 +106,12 @@ func newEtcdBackend(conf map[string]string, logger log.Logger) (Backend, error)
 		}
 	}
 
+	haEnabled := os.Getenv("ETCD_HA_ENABLED")
+	if haEnabled == "" {
+		haEnabled = conf["ha_enabled"]
+	}
+	haEnabledBool, _ := strconv.ParseBool(haEnabled)
+
 	// Create a new client from the supplied address and attempt to sync with the
 	// cluster.
 	var cTransport client.CancelableTransport
@@ -181,6 +189,7 @@ func newEtcdBackend(conf map[string]string, logger log.Logger) (Backend, error)
 		kAPI:       kAPI,
 		permitPool: NewPermitPool(DefaultParallelOperations),
 		logger:     logger,
+		haEnabled:  haEnabledBool,
 	}, nil
 }
 
@@ -317,7 +326,7 @@ func (c *EtcdBackend) LockWith(key, value string) (Lock, error) {
 // HAEnabled indicates whether the HA functionality should be exposed.
 // Currently always returns true.
 func (e *EtcdBackend) HAEnabled() bool {
-	return true
+	return e.haEnabled
 }
 
 // EtcdLock emplements a lock using and etcd backend.

diff --git a/website/source/docs/config/index.html.md b/website/source/docs/config/index.html.md
@@ -395,6 +395,12 @@ For etcd, the following options are supported:
     "y", or "true".  Defaults to on.  Set to false if your etcd cluster is
     behind a proxy server and syncing causes Vault to fail.
 
+  * `ha_enabled` (optional) - Setting this to `"1"`, `"t"`, or `"true"` will
+    enable HA mode. _This is currently *known broken*._ This option can also be
+    provided via the environment variable `ETCD_HA_ENABLED`. If you are
+    upgrading from a version of Vault where HA support was enabled by default,
+    it is _very important_ that you set this parameter _before_ upgrading!
+
   * `username` (optional) - Username to use when authenticating with the etcd
     server.  May also be specified via the ETCD_USERNAME environment variable.