command: use separate key files for LAN/WAN

10 years ago · 353b67826a
4 changed files with 43 additions and 16 deletions
--- a/command/agent/agent.go
+++ b/command/agent/agent.go
@ -20,7 +20,8 @@ import (
 )

 const (
-	SerfKeyring = "serf/keyring"
+	SerfLANKeyring = "serf/local.keyring"
+	SerfWANKeyring = "serf/remote.keyring"
 )

 /*
@ -174,10 +175,6 @@ func (a *Agent) consulConfig() *consul.Config {
 		base.SerfLANConfig.MemberlistConfig.SecretKey = key
 		base.SerfWANConfig.MemberlistConfig.SecretKey = key
 	}
-	if a.config.Server && a.config.keyringFilesExist() {
-		path := filepath.Join(base.DataDir, SerfKeyring)
-		base.SerfLANConfig.KeyringFile = path
-	}
 	if a.config.NodeName != "" {
 		base.NodeName = a.config.NodeName
 	}
@ -276,6 +273,14 @@ func (a *Agent) setupServer() error {
 	config := a.consulConfig()

 	// Load a keyring file, if present
+	keyfileLAN := filepath.Join(config.DataDir, SerfLANKeyring)
+	if _, err := os.Stat(keyfileLAN); err == nil {
+		config.SerfLANConfig.KeyringFile = keyfileLAN
+	}
+	keyfileWAN := filepath.Join(config.DataDir, SerfWANKeyring)
+	if _, err := os.Stat(keyfileWAN); err == nil {
+		config.SerfWANConfig.KeyringFile = keyfileWAN
+	}
 	if err := loadKeyringFile(config.SerfLANConfig); err != nil {
 		return err
 	}
@ -296,6 +301,10 @@ func (a *Agent) setupClient() error {
 	config := a.consulConfig()

 	// Load a keyring file, if present
+	keyfileLAN := filepath.Join(config.DataDir, SerfLANKeyring)
+	if _, err := os.Stat(keyfileLAN); err == nil {
+		config.SerfLANConfig.KeyringFile = keyfileLAN
+	}
 	if err := loadKeyringFile(config.SerfLANConfig); err != nil {
 		return err
 	}
--- a/command/agent/command.go
+++ b/command/agent/command.go
@ -218,7 +218,7 @@ func (c *Command) readConfig() *Config {
 	}

 	// Error if an encryption key is passed while a keyring already exists
-	if config.EncryptKey != "" && config.keyringFilesExist() {
+	if config.EncryptKey != "" && config.keyringFileExists() {
 		c.Ui.Error(fmt.Sprintf("Error: -encrypt specified but keyring files exist"))
 		return nil
 	}
@ -592,7 +592,7 @@ func (c *Command) Run(args []string) int {

 	// Determine if gossip is encrypted
 	gossipEncrypted := false
-	if config.EncryptKey != "" || config.keyringFilesExist() {
+	if config.EncryptKey != "" || config.keyringFileExists() {
 		gossipEncrypted = true
 	}

@ -819,7 +819,6 @@ Options:
  -log-level=info          Log level of the agent.
  -node=hostname           Name of this node. Must be unique in the cluster
  -protocol=N              Sets the protocol version. Defaults to latest.
-  -persist-keyring         Enable encryption keyring persistence.
  -rejoin                  Ignores a previous leave and attempts to rejoin the cluster.
  -server                  Switches agent to server mode.
  -syslog                  Enables logging to syslog
--- a/command/agent/config.go
+++ b/command/agent/config.go
@ -411,12 +411,22 @@ func (c *Config) ClientListenerAddr(override string, port int) (string, error) {
 	return addr.String(), nil
 }

-// keyringFilesExist checks for existence of the keyring files for Serf
-func (c *Config) keyringFilesExist() bool {
-	if _, err := os.Stat(filepath.Join(c.DataDir, SerfKeyring)); err != nil {
+// keyringFileExists determines if there are encryption key files present
+// in the data directory.
+func (c *Config) keyringFileExists() bool {
+	fileLAN := filepath.Join(c.DataDir, SerfLANKeyring)
+	fileWAN := filepath.Join(c.DataDir, SerfWANKeyring)
+
+	if _, err := os.Stat(fileLAN); err == nil {
+		return true
+	}
+	if !c.Server {
 		return false
 	}
-	return true
+	if _, err := os.Stat(fileWAN); err == nil {
+		return true
+	}
+	return false
 }

 // DecodeConfig reads the configuration from the given reader in JSON
--- a/command/keyring.go
+++ b/command/keyring.go
@ -67,8 +67,14 @@ func (c *KeyringCommand) Run(args []string) int {
 			c.Ui.Error("Must provide -data-dir")
 			return 1
 		}
-		path := filepath.Join(dataDir, agent.SerfKeyring)
-		if err := initializeKeyring(path, init); err != nil {
+
+		fileLAN := filepath.Join(dataDir, agent.SerfLANKeyring)
+		if err := initializeKeyring(fileLAN, init); err != nil {
+			c.Ui.Error(fmt.Sprintf("Error: %s", err))
+			return 1
+		}
+		fileWAN := filepath.Join(dataDir, agent.SerfWANKeyring)
+		if err := initializeKeyring(fileWAN, init); err != nil {
 			c.Ui.Error(fmt.Sprintf("Error: %s", err))
 			return 1
 		}
@ -84,7 +90,10 @@ func (c *KeyringCommand) Run(args []string) int {
 	}
 	defer client.Close()

-	// For all key-related operations, we must be querying a server node.
+	// For all key-related operations, we must be querying a server node. It is
+	// probably better to enforce this even for LAN pool changes, because other-
+	// wise, the same exact command syntax will have different results depending
+	// on where it was run.
 	s, err := client.Stats()
 	if err != nil {
 		c.Ui.Error(fmt.Sprintf("Error: %s", err))
@ -263,7 +272,7 @@ Options:
                            operation may only be performed on keys which are
                            not currently the primary key.
  -list                     List all keys currently in use within the cluster.
-  -init=<key>               Create an initial keyring file for Consul to use
+  -init=<key>               Create the initial keyring files for Consul to use
                            containing the provided key. The -data-dir argument
                            is required with this option.
  -rpc-addr=127.0.0.1:8400  RPC address of the Consul agent.