Serf encryption

[Gerrrr]

Following the discussion at #469, this is the first PR which enables serf encryption.
Most of the code is taken from Consul codebase.

User-visible changes:

• new server-specific CLI option for nomad agent - -encrypt
• new server-specific configuration option encrypt
• new CLI option nomad keygen which generates new encryption keys

Example configuration:

server.hcl

data_dir = "/var/lib/nomad"
server {
    encrypt = "pd3LCI6Um4o6KrxEva7ylw=="
    enabled = true
    bootstrap_expect = 3
    start_join = ["172.28.128.3", "172.28.128.4", "172.28.128.5"]
}

server01.hcl

bind_addr = "172.28.128.3"

server02.hcl

bind_addr = "172.28.128.4"

server03.hcl

bind_addr = "172.28.128.5"

[dadgar]

Should this go in setupKeyring?

[dadgar]

This branch does not build properly

[kevincox]

It built fine for me.

[kevincox]

So it seems to be working for me. I'm going to try running a job but status commands and the like are working.

Also IIUC this only encrypts serf traffic? Do you have plans for HTTP and RPC encryption in this PR or will that be coming at a different time?

[Gerrrr]

@kevincox yes, this PR only adds Serf traffic encryption. I am also working on the PR for RPC traffic encryption, probably will publish it this week.

[dadgar]

@kevincox The tests don't build, I should have clarified

[kevincox]

@dadgar Ah, I see. I guess I just built the binary.

@Gerrrr Awesome. I would be ready to start running it "in production" once RPC is also done. Even if the HTTP isn't protected. I'll open an issue for the HTTP as there should probably be a discussion on the best way to do that. (#1639)

[Gerrrr]

@dadgar Can you please take another look at the PR?

[dadgar]

nomad

[dadgar]

Added some more comments. Before this can be merged we will have to also document the new config fields and flags and new commands in the website/docs

[dadgar]

json:"-"?

[dadgar]

Hey Aleksandr,

Appreciate the work you have done so far. Within the next couple days we will have some bandwidth to take this PR over. I think it is pretty core feature and think it is best if we complete the rest of the work. Please just leave this PR open and we will branch from it.

Thanks,
Alex

[diptanu]

Closing in favor of #1791

@Gerrrr Thanks for your hard work on this. Please review the new PR I have opened, and let us know what you think. We implemented a few things differently than how Consul has implemented this feature especially our API around key management is http based instead of Consul's RPC based interface.

[github-actions]

I'm going to lock this pull request because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.