Add new node in a cluster with gossip encryption enabled


PJ

Apr 6, 2016, 2:05:13 PM
to Consul
I have a 3 node consul cluster with gossip encryption enabled. I was wondering what are the best practices to add new nodes in the gossip encrypted consul cluster?

I can think of the following steps:

1. Install the new key in the keyring of the existing consul cluster
consul keyring -install=<new_key>

2. Start using it for encryption
consul keyring -use=<new_key>

3. Configure the same key to be used by the new nodes
consul agent -encrypt=<new_key>

4. Join the new consul nodes to the cluster
consul join <Ip1> <Ip2> ... <Ipn>

Is this the right way to go forward, or would you recommend an easier way?

Ryan Uber

Apr 6, 2016, 8:40:15 PM
to consu...@googlegroups.com
Hey PJ,

A key rotation is not actually required to join a new node into the cluster. You probably know this, but you can just specify the current primary key and new agents should be able to connect up and start talking without problems.

Typically what we see is that the "current" key is tracked somewhere and configured on new boxes as they join. It is not important after the node has joined, since it will be stored in the keyring file for later use, so if you want to rotate the key immediately after joining up some new nodes for good measure, that would also be reasonable.

It is also important to use "consul keyring -remove" to revoke old keys once you are done with them! Otherwise, members with the old key can still send messages successfully to other members in the cluster. The best practice here is just to make sure your "consul keyring -install" finishes successfully before calling "-remove", so that you can be sure the key was distributed successfully.

Hope that helps!

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/consul/issues
IRC: #consul on Freenode
---
You received this message because you are subscribed to the Google Groups "Consul" group.
To unsubscribe from this group and stop receiving emails from it, send an email to consul-tool...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/consul-tool/e2117296-5bc6-4fd7-9e51-377f529568df%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
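The rotation sequence discussed in both posts (install the new key, confirm it reached every member, switch to it, then remove the old key so stragglers cannot keep talking) can be scripted so that the "remove" step never runs before distribution is verified. The script below is an added example and is not code from the thread or from the Consul project. It assumes the `consul keyring -list` output format of the era (a `WAN:` and a `<dc> (LAN):` section, each line ending in `[installed/total]`); the keyring output and the key strings embedded in it are constructed samples, and the `CONSUL` variable is a hypothetical override so the rotation can be pointed at a wrapper for dry runs.

```shell
#!/bin/sh
# Safe gossip key rotation helper (added example, not from the thread).
# Usage: . ./rotate.sh; rotate_gossip_key '<new_key>' '<old_key>'

# Constructed sample of `consul keyring -list` output (assumed format):
# one key fully distributed (3/3 on LAN, 2/2 on WAN), one only partially installed.
SAMPLE_KEYRING_OUTPUT='==> Gathering installed encryption keys...
==> Done!

WAN:
  pWzWKIxzXKsUZ4zRmVWn7Q== [2/2]

dc1 (LAN):
  pWzWKIxzXKsUZ4zRmVWn7Q== [3/3]
  cg8StVXbQJ0gPvMd9o7yrg== [1/3]'

# keyring_fully_distributed OUTPUT KEY
# Returns 0 only if KEY appears in OUTPUT and every ring line that lists it
# reports N/N members (i.e. the install reached every agent in every ring).
# Returns 1 if the key is missing from the output or any ring is short.
keyring_fully_distributed() {
  _out=$1
  _key=$2
  printf '%s\n' "$_out" | awk -v key="$_key" '
    index($0, key) && match($0, /\[[0-9]+\/[0-9]+\]/) {
      split(substr($0, RSTART + 1, RLENGTH - 2), parts, "/")
      seen = 1
      if (parts[1] != parts[2]) incomplete = 1
    }
    END { exit (seen && !incomplete) ? 0 : 1 }'
}

# rotate_gossip_key NEW_KEY OLD_KEY
# Install -> verify distribution -> use -> remove, refusing to remove the old
# key (and thus refusing to cut off any member) unless the new key is on all
# members. CONSUL is a hypothetical override for the binary path (dry runs).
rotate_gossip_key() {
  _new=$1
  _old=$2
  _consul=${CONSUL:-consul}

  "$_consul" keyring -install="$_new" || return 1

  # Poll the keyring until every member reports the new key, with a bounded
  # number of attempts so a partitioned member does not hang the rotation.
  _attempts=0
  until keyring_fully_distributed "$("$_consul" keyring -list)" "$_new"; do
    _attempts=$((_attempts + 1))
    if [ "$_attempts" -ge 10 ]; then
      echo "new key is not installed on every member; leaving old key in place" >&2
      return 1
    fi
    sleep 2
  done

  "$_consul" keyring -use="$_new" || return 1
  "$_consul" keyring -remove="$_old"
}
```

New nodes are still started with `consul agent -encrypt=<new_key>` and joined as in the original question; the script only guards the order of the keyring operations so that `-remove` can never run while some member has not yet received the replacement key.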
