-
Notifications
You must be signed in to change notification settings - Fork 2k
/
operator_keyring.go
175 lines (147 loc) · 4.84 KB
/
operator_keyring.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
package command
import (
"fmt"
"strings"
"github.com/hashicorp/nomad/api"
"github.com/mitchellh/cli"
"github.com/posener/complete"
)
// OperatorKeyringCommand is a Command implementation that handles querying, installing,
// and removing gossip encryption keys from a keyring.
type OperatorKeyringCommand struct {
Meta
}
func (c *OperatorKeyringCommand) Help() string {
helpText := `
Usage: nomad operator keyring [options]
Manages encryption keys used for gossip messages between Nomad servers. Gossip
encryption is optional. When enabled, this command may be used to examine
active encryption keys in the cluster, add new keys, and remove old ones. When
combined, this functionality provides the ability to perform key rotation
cluster-wide, without disrupting the cluster.
All operations performed by this command can only be run against server nodes.
All variations of the keyring command return 0 if all nodes reply and there
are no errors. If any node fails to reply or reports failure, the exit code
will be 1.
General Options:
` + generalOptionsUsage() + `
Keyring Options:
-install=<key> Install a new encryption key. This will broadcast
the new key to all members in the cluster.
-list List all keys currently in use within the cluster.
-remove=<key> Remove the given key from the cluster. This
operation may only be performed on keys which are
not currently the primary key.
-use=<key> Change the primary encryption key, which is used to
encrypt messages. The key must already be installed
before this operation can succeed.
`
return strings.TrimSpace(helpText)
}
func (c *OperatorKeyringCommand) Synopsis() string {
return "Manages gossip layer encryption keys"
}
func (c *OperatorKeyringCommand) AutocompleteFlags() complete.Flags {
return mergeAutocompleteFlags(c.Meta.AutocompleteFlags(FlagSetClient),
complete.Flags{
"-install": complete.PredictAnything,
"-list": complete.PredictNothing,
"-remove": complete.PredictAnything,
"-use": complete.PredictAnything,
})
}
func (c *OperatorKeyringCommand) AutocompleteArgs() complete.Predictor {
return complete.PredictNothing
}
func (c *OperatorKeyringCommand) Name() string { return "operator keyring" }
func (c *OperatorKeyringCommand) Run(args []string) int {
var installKey, useKey, removeKey string
var listKeys bool
flags := c.Meta.FlagSet("operator-keyring", FlagSetClient)
flags.Usage = func() { c.Ui.Output(c.Help()) }
flags.StringVar(&installKey, "install", "", "install key")
flags.StringVar(&useKey, "use", "", "use key")
flags.StringVar(&removeKey, "remove", "", "remove key")
flags.BoolVar(&listKeys, "list", false, "list keys")
if err := flags.Parse(args); err != nil {
return 1
}
c.Ui = &cli.PrefixedUi{
OutputPrefix: "",
InfoPrefix: "==> ",
ErrorPrefix: "",
Ui: c.Ui,
}
// Only accept a single argument
found := listKeys
for _, arg := range []string{installKey, useKey, removeKey} {
if found && len(arg) > 0 {
c.Ui.Error("Only a single action is allowed")
c.Ui.Error(commandErrorText(c))
return 1
}
found = found || len(arg) > 0
}
// Fail fast if no actionable args were passed
if !found {
c.Ui.Error("No actionable argument was passed")
c.Ui.Error("Either the '-install', '-use', '-remove' or '-list' flag must be set")
c.Ui.Error(commandErrorText(c))
return 1
}
// All other operations will require a client connection
client, err := c.Meta.Client()
if err != nil {
c.Ui.Error(fmt.Sprintf("Error creating nomad cli client: %s", err))
return 1
}
if listKeys {
c.Ui.Output("Gathering installed encryption keys...")
r, err := client.Agent().ListKeys()
if err != nil {
c.Ui.Error(fmt.Sprintf("error: %s", err))
return 1
}
c.handleKeyResponse(r)
return 0
}
if installKey != "" {
c.Ui.Output("Installing new gossip encryption key...")
_, err := client.Agent().InstallKey(installKey)
if err != nil {
c.Ui.Error(fmt.Sprintf("error: %s", err))
return 1
}
return 0
}
if useKey != "" {
c.Ui.Output("Changing primary gossip encryption key...")
_, err := client.Agent().UseKey(useKey)
if err != nil {
c.Ui.Error(fmt.Sprintf("error: %s", err))
return 1
}
return 0
}
if removeKey != "" {
c.Ui.Output("Removing gossip encryption key...")
_, err := client.Agent().RemoveKey(removeKey)
if err != nil {
c.Ui.Error(fmt.Sprintf("error: %s", err))
return 1
}
return 0
}
// Should never make it here
return 0
}
func (c *OperatorKeyringCommand) handleKeyResponse(resp *api.KeyringResponse) {
out := make([]string, len(resp.Keys)+1)
out[0] = "Key"
i := 1
for k := range resp.Keys {
out[i] = fmt.Sprintf("%s", k)
i = i + 1
}
c.Ui.Output(formatList(out))
}