Allow for a more graceful transition from plaintext gossip to encrypted gossip #2141
Currently if you brought up a multi-dc set of wan-joined consul clusters and forgot to enable gossip encryption, the only way to transition to encrypting the gossip causes a temporary rolling gossip split-brain until every server and agent has been bounced.
This patch (which crosses over into hashicorp/memberlist, too) adds two new config settings that work in conjunction with `encrypt`:

- `allow_insecure_incoming_gossip` (requires `encryption=true`)
- `prohibit_secure_outgoing_gossip` (requires `encryption=true`)

The rollout order to avoid a crypto-related gossip split-brain is:

1. `encrypt="", allow_insecure_incoming_gossip=false, prohibit_secure_outgoing_gossip=false` by default; no encrypted messages
2. `encrypt="KEY", allow_insecure_incoming_gossip=true, prohibit_secure_outgoing_gossip=true`; no encrypted messages, but everybody COULD decrypt
3. `encrypt="KEY", allow_insecure_incoming_gossip=true, prohibit_secure_outgoing_gossip=false`; some encrypted messages, and everyone can decrypt
4. `encrypt="KEY", allow_insecure_incoming_gossip=false, prohibit_secure_outgoing_gossip=false`; everything is encrypted, no security holes anymore (equivalent to stock encrypted gossip)

This is a pretty edge case need, so I'm fine with this not being merged. If that's so, it would be terrific if someone could point out any issues with the above as I may need to use this in production as a custom build to transition some clusters regardless of a merge.
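The four-step order above is safe because, during each rolling restart, every node still in the previous step and every node already in the next step can both send to and accept from each other. The Go program below is an added example, not code from the PR or from Consul/memberlist: it models the two proposed flags plus `encrypt` as a tiny send/accept state machine, then checks every consecutive transition of the rollout for a mixed cluster, and shows that jumping straight from plaintext to stock encrypted gossip (the situation the PR is trying to avoid) fails the same check. The `Config` field names, `Send`/`Accept` and the key value are this example's own assumptions about the intended semantics, not Consul's actual config struct or wire format.

```go
package main

import "fmt"

// Config models the three gossip-encryption settings discussed in the PR.
// Field names are this example's own, not Consul's config struct.
type Config struct {
	Encrypt                string // "" = no gossip key configured
	AllowInsecureIncoming  bool   // allow_insecure_incoming_gossip
	ProhibitSecureOutgoing bool   // prohibit_secure_outgoing_gossip
}

// Message is a gossip packet as seen on the wire: plaintext, or encrypted
// under a particular key (assumed semantics for this example).
type Message struct {
	Encrypted bool
	Key       string
}

// Send decides how a node with config c puts a gossip message on the wire:
// encrypted only when it has a key and is not prohibited from using it.
func (c Config) Send() Message {
	if c.Encrypt != "" && !c.ProhibitSecureOutgoing {
		return Message{Encrypted: true, Key: c.Encrypt}
	}
	return Message{}
}

// Accept decides whether a node with config c can process an incoming message.
func (c Config) Accept(m Message) bool {
	if m.Encrypted {
		// Only a node holding the same key can decrypt.
		return c.Encrypt == m.Key
	}
	// Plaintext is fine if encryption is off, or explicitly allowed during transition.
	return c.Encrypt == "" || c.AllowInsecureIncoming
}

// MixedClusterHealthy reports whether a cluster containing nodes at config
// prev and nodes at config next can still gossip in every direction, i.e.
// whether a rolling restart from prev to next causes no split-brain.
func MixedClusterHealthy(prev, next Config) bool {
	members := []Config{prev, next}
	for _, sender := range members {
		for _, receiver := range members {
			if !receiver.Accept(sender.Send()) {
				return false
			}
		}
	}
	return true
}

// RolloutSafe checks each consecutive step of a rollout plan and returns the
// index of the first unsafe transition, or -1 if every step is safe.
func RolloutSafe(plan []Config) int {
	for i := 0; i+1 < len(plan); i++ {
		if !MixedClusterHealthy(plan[i], plan[i+1]) {
			return i
		}
	}
	return -1
}

// ProposedRollout is the four-step order from the PR description.
func ProposedRollout(key string) []Config {
	return []Config{
		{Encrypt: "", AllowInsecureIncoming: false, ProhibitSecureOutgoing: false},
		{Encrypt: key, AllowInsecureIncoming: true, ProhibitSecureOutgoing: true},
		{Encrypt: key, AllowInsecureIncoming: true, ProhibitSecureOutgoing: false},
		{Encrypt: key, AllowInsecureIncoming: false, ProhibitSecureOutgoing: false},
	}
}

func main() {
	plan := ProposedRollout("EXAMPLE-KEY") // constructed placeholder, not a real key
	fmt.Println("proposed rollout, first unsafe step:", RolloutSafe(plan)) // -1
	// Stock behaviour: bounce straight from plaintext to encrypted gossip.
	naive := []Config{plan[0], plan[3]}
	fmt.Println("naive rollout, first unsafe step:", RolloutSafe(naive)) // 0
}
```

Running it shows the proposed plan has no unsafe step, while the naive two-step plan breaks at step 0: plaintext nodes drop the encrypted packets and encrypted nodes drop the plaintext ones, which is the rolling split-brain described at the top of the PR. The same check also shows why step 2 cannot be skipped: a step-1 node still sends plaintext, which a step-4 node refuses.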