Closed patoarvizu closed 6 years ago
Mmhh... now that I'm thinking about it, I might want to switch to use ca_path instead of ca_file. I'll add that change, but I'd still welcome feedback for the change in general.
Hi! Just checking... any other issues I should work on here?
I forgot to mention I tested running the example using both images created by Packer (Ubuntu and Amazon Linux), both with and without encryption and it worked fine.
This should address #41.
Modified run-consul to add 5 optional flags: --enable-gossip-encryption, --gossip-encryption-key, --enable-rpc-encryption, --ca-file-path, --cert-file-path and --key-file-path. As their names imply, they're used to enable gossip and/or RPC encryption, as per the Consul encryption documentation.

I also added a separate example with sample certificates (and a note that they're insecure and shouldn't be used in production). One thing I debated about adding or not was hard-coding a sample gossip encryption key in the example. I decided against it, but I can add it if you think that would be useful or would make it easier to run the example.
For what it's worth, I was able to upgrade an existing Vault/Cluster setup with no encryption on the Consul agents to using both gossip and RPC encryption with no downtime using the changes I'm proposing and the process outlined in the Consul encryption document linked above.
Let me know if there's anything you feel I should change or add.
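As an added illustration, not the project's run-consul script or the author's code, here is a small POSIX shell function showing how the six flags described above could map onto the Consul agent's encryption config keys (encrypt, verify_incoming, verify_outgoing, verify_server_hostname, ca_file, cert_file, key_file), with the checks a deployer would want before the agent starts; the gossip key value and certificate file paths are constructed placeholders.

```shell
#!/bin/sh
# Hypothetical helper, not the project's run-consul script: maps the six
# flag values from the PR onto Consul's agent encryption config keys.

# Usage: consul_encryption_config ENABLE_GOSSIP GOSSIP_KEY ENABLE_RPC CA_FILE CERT_FILE KEY_FILE
# Prints a JSON object on stdout; returns 1 (message on stderr) when a
# required value is missing, so the agent is never started half-configured.
consul_encryption_config() {
  enable_gossip="$1"; gossip_key="$2"; enable_rpc="$3"
  ca_file="$4"; cert_file="$5"; key_file="$6"
  fields=""

  if [ "$enable_gossip" = "true" ]; then
    # Gossip keys come from 'consul keygen': base64 of 16 or 32 bytes (24 or 44 chars).
    case "$gossip_key" in
      *[!A-Za-z0-9+/=]*|"") echo "ERROR: --enable-gossip-encryption needs a base64 --gossip-encryption-key" >&2; return 1 ;;
    esac
    if [ "${#gossip_key}" -ne 24 ] && [ "${#gossip_key}" -ne 44 ]; then
      echo "ERROR: gossip key must be a 16- or 32-byte key from 'consul keygen'" >&2; return 1
    fi
    fields="\"encrypt\": \"$gossip_key\""
  fi

  if [ "$enable_rpc" = "true" ]; then
    # TLS for RPC needs all three files; verify both directions so a peer
    # without a cert from the same CA is rejected rather than silently accepted.
    for f in "$ca_file" "$cert_file" "$key_file"; do
      if [ -z "$f" ] || [ ! -f "$f" ]; then
        echo "ERROR: --enable-rpc-encryption needs existing --ca-file-path, --cert-file-path and --key-file-path" >&2
        return 1
      fi
    done
    # Consul also accepts ca_path (a directory of CA certs) in place of ca_file.
    rpc="\"verify_incoming\": true, \"verify_outgoing\": true, \"verify_server_hostname\": true, \"ca_file\": \"$ca_file\", \"cert_file\": \"$cert_file\", \"key_file\": \"$key_file\""
    if [ -n "$fields" ]; then fields="$fields, $rpc"; else fields="$rpc"; fi
  fi

  printf '{%s}\n' "$fields"
}

# Stand-alone demo with constructed placeholder files (empty, not real certs).
demo_dir=$(mktemp -d)
touch "$demo_dir/ca.pem" "$demo_dir/consul.pem" "$demo_dir/consul-key.pem"
consul_encryption_config true "cg8StVXbQJ0gPvMd9o7yrg==" true \
  "$demo_dir/ca.pem" "$demo_dir/consul.pem" "$demo_dir/consul-key.pem"
consul_encryption_config true "" false "" "" "" || echo "rejected: gossip enabled without a key"
rm -r "$demo_dir"
```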