Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow to restrict servers that can join a given Serf Consul cluster. #7628

Merged
merged 4 commits into from
May 20, 2020
Merged

Allow to restrict servers that can join a given Serf Consul cluster. #7628

merged 4 commits into from
May 20, 2020

Conversation

pierresouchay
Copy link
Contributor

Based on work done in hashicorp/memberlist#196
This allows restricting the IP ranges that can join a given Serf cluster and be a member of the cluster.

Restrictions on IPs can be done separately using 2 new differents flags and config options to restrict IPs for both LAN and WAN Serf.

This will allow to secure a bit more clusters as well as protecting non-encrypted clusters from an agent in dev mode to join clusters and thus fixing #5916

@pierresouchay pierresouchay force-pushed the block_memberlist_using_cidr branch 5 times, most recently from a7749c2 to 58715e9 Compare April 9, 2020 22:55
@pierresouchay
Copy link
Contributor Author

Hello @mkeeler,

Since you were part of discussions in #5916 and memberlist, do you think it might work?

Have a good day

@pierresouchay pierresouchay mentioned this pull request May 1, 2020
Merged
@hanshasselberg
Copy link
Member

This PR looks good. Could you rebase so that I can review?

@pierresouchay pierresouchay force-pushed the block_memberlist_using_cidr branch from 58715e9 to 1139a46 Compare May 12, 2020 21:07
@pierresouchay
Copy link
Contributor Author

pierresouchay commented May 12, 2020
edited
Loading

@i0rek DONE: had to revamp doc.
Frontend tests are not working, but not due to the patch

@pierresouchay pierresouchay mentioned this pull request May 15, 2020
Closed
hanshasselberg
hanshasselberg reviewed May 19, 2020
View reviewed changes
Copy link
Member

@hanshasselberg hanshasselberg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Could you add a test in runtime_test.go for the hcl and json conversion?

@hanshasselberg hanshasselberg self-assigned this May 19, 2020
@hanshasselberg hanshasselberg added the waiting-reply Waiting on response from Original Poster or another individual in the thread label May 19, 2020
@pierresouchay
Copy link
Contributor Author

@i0rek Done, added the new Unit test for HCL/JSON serialization

@ghost ghost removed waiting-reply Waiting on response from Original Poster or another individual in the thread labels May 19, 2020
@pierresouchay
Allow to restrict servers that can join a given Serf Consul cluster.
91fb586 
Based on work done in hashicorp/memberlist#196
this allows to restrict the IP ranges that can join a given Serf cluster
and be a member of the cluster.

Restrictions on IPs can be done separatly using 2 new differents flags
and config options to restrict IPs for LAN and WAN Serf.
@pierresouchay
Added unit test TestServer_JoinLAN_SerfAllowedCIDRs()
24f850f 
This test does check that blocking IPs works on LAN
@pierresouchay
Added comments for unit test as it requires setup on some OSes
bfdfde5
@pierresouchay pierresouchay force-pushed the block_memberlist_using_cidr branch from e6e62e6 to d19e8c4 Compare May 19, 2020 10:20
@pierresouchay
Copy link
Contributor Author

@i0rek The test failing is TestAutopilot_MinQuorum and has nothing to do with the patch... re-force-pushing

@pierresouchay pierresouchay force-pushed the block_memberlist_using_cidr branch from d19e8c4 to 14ad95c Compare May 19, 2020 14:15
hanshasselberg
hanshasselberg approved these changes May 20, 2020
View reviewed changes
Copy link
Member

@hanshasselberg hanshasselberg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for your work!

@hanshasselberg hanshasselberg merged commit e9d176d into hashicorp:master May 20, 2020
rboyer pushed a commit that referenced this pull request Jun 1, 2020
@pierresouchay @rboyer
Allow to restrict servers that can join a given Serf Consul cluster. (#…
876ee89 
…7628)

Based on work done in hashicorp/memberlist#196
this allows to restrict the IP ranges that can join a given Serf cluster
and be a member of the cluster.

Restrictions on IPs can be done separatly using 2 new differents flags
and config options to restrict IPs for LAN and WAN Serf.
freddygv added a commit that referenced this pull request Jun 18, 2020
@freddygv
Revert "Allow to restrict servers that can join a given Serf Consul c…
c6a6fe6 
…luster. (#7628)"

This reverts commit e9d176d.
@hanshasselberg hanshasselberg mentioned this pull request Jul 2, 2020
Merged
@dependabot dependabot bot mentioned this pull request Mar 14, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@hanshasselberg hanshasselberg hanshasselberg approved these changes

Assignees

@hanshasselberg hanshasselberg

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@pierresouchay @hanshasselberg