github.com/hhrutter/nomad@v0.6.0-rc2.0.20170723054333-80c4b03f0705/command/keyring.go (about) 1 package command 2 3 import ( 4 "fmt" 5 "strings" 6 7 "github.com/hashicorp/nomad/api" 8 "github.com/mitchellh/cli" 9 ) 10 11 // KeyringCommand is a Command implementation that handles querying, installing, 12 // and removing gossip encryption keys from a keyring. 13 type KeyringCommand struct { 14 Meta 15 } 16 17 func (c *KeyringCommand) Run(args []string) int { 18 var installKey, useKey, removeKey, token string 19 var listKeys bool 20 21 flags := c.Meta.FlagSet("keys", FlagSetClient) 22 flags.Usage = func() { c.Ui.Output(c.Help()) } 23 24 flags.StringVar(&installKey, "install", "", "install key") 25 flags.StringVar(&useKey, "use", "", "use key") 26 flags.StringVar(&removeKey, "remove", "", "remove key") 27 flags.BoolVar(&listKeys, "list", false, "list keys") 28 flags.StringVar(&token, "token", "", "acl token") 29 30 if err := flags.Parse(args); err != nil { 31 return 1 32 } 33 34 c.Ui = &cli.PrefixedUi{ 35 OutputPrefix: "", 36 InfoPrefix: "==> ", 37 ErrorPrefix: "", 38 Ui: c.Ui, 39 } 40 41 // Only accept a single argument 42 found := listKeys 43 for _, arg := range []string{installKey, useKey, removeKey} { 44 if found && len(arg) > 0 { 45 c.Ui.Error("Only a single action is allowed") 46 return 1 47 } 48 found = found || len(arg) > 0 49 } 50 51 // Fail fast if no actionable args were passed 52 if !found { 53 c.Ui.Error(c.Help()) 54 return 1 55 } 56 57 // All other operations will require a client connection 58 client, err := c.Meta.Client() 59 if err != nil { 60 c.Ui.Error(fmt.Sprintf("Error creating nomad cli client: %s", err)) 61 return 1 62 } 63 64 if listKeys { 65 c.Ui.Info("Gathering installed encryption keys...") 66 r, err := client.Agent().ListKeys() 67 if err != nil { 68 c.Ui.Error(fmt.Sprintf("error: %s", err)) 69 return 1 70 } 71 c.handleKeyResponse(r) 72 return 0 73 } 74 75 if installKey != "" { 76 c.Ui.Info("Installing new gossip encryption key...") 77 _, err := client.Agent().InstallKey(installKey) 78 if err != nil { 79 c.Ui.Error(fmt.Sprintf("error: %s", err)) 80 return 1 81 } 82 return 0 83 } 84 85 if useKey != "" { 86 c.Ui.Info("Changing primary gossip encryption key...") 87 _, err := client.Agent().UseKey(useKey) 88 if err != nil { 89 c.Ui.Error(fmt.Sprintf("error: %s", err)) 90 return 1 91 } 92 return 0 93 } 94 95 if removeKey != "" { 96 c.Ui.Info("Removing gossip encryption key...") 97 _, err := client.Agent().RemoveKey(removeKey) 98 if err != nil { 99 c.Ui.Error(fmt.Sprintf("error: %s", err)) 100 return 1 101 } 102 return 0 103 } 104 105 // Should never make it here 106 return 0 107 } 108 109 func (c *KeyringCommand) handleKeyResponse(resp *api.KeyringResponse) { 110 out := make([]string, len(resp.Keys)+1) 111 out[0] = "Key" 112 i := 1 113 for k := range resp.Keys { 114 out[i] = fmt.Sprintf("%s", k) 115 i = i + 1 116 } 117 c.Ui.Output(formatList(out)) 118 } 119 120 func (c *KeyringCommand) Help() string { 121 helpText := ` 122 Usage: nomad keyring [options] 123 124 Manages encryption keys used for gossip messages between Nomad servers. Gossip 125 encryption is optional. When enabled, this command may be used to examine 126 active encryption keys in the cluster, add new keys, and remove old ones. When 127 combined, this functionality provides the ability to perform key rotation 128 cluster-wide, without disrupting the cluster. 129 130 All operations performed by this command can only be run against server nodes. 131 132 All variations of the keyring command return 0 if all nodes reply and there 133 are no errors. If any node fails to reply or reports failure, the exit code 134 will be 1. 135 136 General Options: 137 138 ` + generalOptionsUsage() + ` 139 140 Keyring Options: 141 142 -install=<key> Install a new encryption key. This will broadcast 143 the new key to all members in the cluster. 144 -list List all keys currently in use within the cluster. 145 -remove=<key> Remove the given key from the cluster. This 146 operation may only be performed on keys which are 147 not currently the primary key. 148 -use=<key> Change the primary encryption key, which is used to 149 encrypt messages. The key must already be installed 150 before this operation can succeed. 151 ` 152 return strings.TrimSpace(helpText) 153 } 154 155 func (c *KeyringCommand) Synopsis() string { 156 return "Manages gossip layer encryption keys" 157 }