Added some docs

hashicorp · Oct 5, 2016 · 8514abe · 8514abe
1 parent e3dea06
commit 8514abe
Show file tree

Hide file tree

Showing 6 changed files with 103 additions and 8 deletions.
diff --git a/command/agent/keyring_test.go b/command/agent/keyring_test.go
@@ -48,7 +48,7 @@ func TestAgent_InitKeyring(t *testing.T) {
 	key2 := "4leC33rgtXKIVUr9Nr0snQ=="
 	expected := fmt.Sprintf(`["%s"]`, key1)
 
-	dir, err := ioutil.TempDir("", "consul")
+	dir, err := ioutil.TempDir("", "nomad")
 	if err != nil {
 		t.Fatalf("err: %s", err)
 	}

diff --git a/command/keygen.go b/command/keygen.go
@@ -35,7 +35,7 @@ func (c *KeygenCommand) Synopsis() string {
 
 func (c *KeygenCommand) Help() string {
 	helpText := `
-Usage: consul keygen
+Usage: nomad keygen
 
   Generates a new encryption key that can be used to configure the
   agent to encrypt traffic. The output of this command is already

diff --git a/command/keyring.go b/command/keyring.go
@@ -75,34 +75,31 @@ func (c *KeyringCommand) Run(args []string) int {
 
 	if installKey != "" {
 		c.Ui.Info("Installing new gossip encryption key...")
-		r, err := client.Agent().InstallKey(installKey)
+		_, err := client.Agent().InstallKey(installKey)
 		if err != nil {
 			c.Ui.Error(fmt.Sprintf("error: %s", err))
 			return 1
 		}
-		c.handleKeyResponse(r)
 		return 0
 	}
 
 	if useKey != "" {
 		c.Ui.Info("Changing primary gossip encryption key...")
-		r, err := client.Agent().UseKey(useKey)
+		_, err := client.Agent().UseKey(useKey)
 		if err != nil {
 			c.Ui.Error(fmt.Sprintf("error: %s", err))
 			return 1
 		}
-		c.handleKeyResponse(r)
 		return 0
 	}
 
 	if removeKey != "" {
 		c.Ui.Info("Removing gossip encryption key...")
-		r, err := client.Agent().RemoveKey(removeKey)
+		_, err := client.Agent().RemoveKey(removeKey)
 		if err != nil {
 			c.Ui.Error(fmt.Sprintf("error: %s", err))
 			return 1
 		}
-		c.handleKeyResponse(r)
 		return 0
 	}
 

diff --git a/website/source/docs/agent/config.html.md b/website/source/docs/agent/config.html.md
@@ -391,6 +391,16 @@ configured on client nodes.
     join any nodes when it starts up. Addresses can be given as an IP, a domain
     name, or an IP:Port pair. If the port isn't specified the default Serf port,
     4648, is used.  DNS names may also be used.
+  * <a id="encrypt">`encrypt`</a> Specifies the secret key to use for encryption
+    of Nomad server's gossip network traffic. This key must be 16-bytes that are
+    Base64-encoded. The easiest way to create an encryption key is to use nomad
+    keygen. All the servers within a cluster must share the same encryption key
+    to communicate. The provided key is automatically persisted to the data
+    directory and loaded automatically whenever the agent is restarted. This
+    means that to encrypt Nomad server's gossip protocol, this option only needs
+    to be provided once on each agent's initial startup sequence. If it is
+    provided after Nomad has been initialized with an encryption key, then the
+    provided key is ignored and a warning will be displayed.
 
 ## Client-specific Options
 

diff --git a/website/source/docs/commands/keygen.html.md.erb b/website/source/docs/commands/keygen.html.md.erb
@@ -0,0 +1,30 @@
+---
+layout: "docs"
+page_title: "Commands: keygen"
+sidebar_current: "docs-commands-keygen"
+description: >
+  The `keygen` command generates an encryption key that can be used for Nomad
+  server's gossip traffic encryption. The keygen command uses a
+  cryptographically strong pseudo-random number generator to generate the key.
+---
+
+
+# Command: `keygen`
+
+The `keygen` command generates an encryption key that can be used for Nomad
+server's gossip traffic encryption.  The keygen command uses a cryptographically
+strong pseudo-random number generator to generate the key.
+
+## Usage 
+
+```
+nomad keygen
+```
+
+## Example
+
+```
+nomad keygen
+YgZOXLMhC7TtZqeghMT8+w==
+```
+
diff --git a/website/source/docs/commands/keyring.html.md.erb b/website/source/docs/commands/keyring.html.md.erb
@@ -0,0 +1,58 @@
+---
+layout: "docs"
+page_title: "Commands: keyring"
+sidebar_current: "docs-commands-keyring"
+---
+
+# Command: `keyring`
+
+The `keyring` command is used to examine and modify the encryption keys used in
+Nomad server. It is capable of
+distributing new encryption keys to the cluster, retiring old encryption keys,
+and changing the keys used by the cluster to encrypt messages.
+
+Nomad allows multiple encryption keys to be in use simultaneously. This is
+intended to provide a transition state while the cluster converges. It is the
+responsibility of the operator to ensure that only the required encryption keys
+are installed on the cluster. You can review the installed keys using the
+`-list` argument, and remove unneeded keys with `-remove`.
+
+All operations performed by this command can only be run against server nodes
+and will effect the entire cluster.
+
+All variations of the `keyring` command return 0 if all nodes reply and there
+are no errors. If any node fails to reply or reports failure, the exit code
+will be 1.
+
+
+## Usage
+
+Usage: `nomad keyring [options]`
+
+Only one actionable argument may be specified per run, including `-list`,
+`-install`, `-remove`, and `-use`.
+
+The list of available flags are:
+
+* `-list` - List all keys currently in use within the cluster.
+
+* `-install` - Install a new encryption key. This will broadcast the new key to
+  all members in the cluster.
+
+* `-use` - Change the primary encryption key, which is used to encrypt messages.
+  The key must already be installed before this operation can succeed.
+
+* `-remove` - Remove the given key from the cluster. This operation may only be
+  performed on keys which are not currently the primary key.
+
+## Output
+
+The output of the `nomad keyring -list` command consolidates information from
+all the Nomad servers from all datacenters and regions to provide a simple and
+easy to understand view of the cluster. 
+
+```
+==> Gathering installed encryption keys...
+Key
+PGm64/neoebUBqYR/lZTbA==
+```