Add gossip encryption configuration to Consul
What does this MR do?
This MR adds attributes for configuring Serf gossip encryption on Consul agents. By default, encryption is not enabled. For enabling encryption, a shared encryption key is required. This MR adds a `keygen` sub-command to `gitlab-ctl consul` for generating the key. It also allows the user to control `encrypt_verify_outgoing` and `encrypt_verify_incoming` configuration on Consul agents to enable encryption in an existing datacenter. These attributes work on both client and server nodes:
# Must be 32-bytes, Base64 encoded, shared on all agents.
consul['encryption_key'] = nil
# Must be `true` or `false`. By default `nil` falls back to Consul default values (which is `true`).
# Must be set manually for rolling update on existing Consul datacenter.
consul['encryption_verify_incoming'] = nil
consul['encryption_verify_outgoing'] = nil
Related issues
Related to #6237
Checklist
See Definition of done.
For anything in this list which will not be completed, please provide a reason in the MR discussion
Required
- Merge Request Title, and Description are up to date, accurate, and descriptive
- MR targeting the appropriate branch
- MR has a green pipeline on GitLab.com
- Pipeline is green on dev.gitlab.org if the change is touching anything besides documentation or internal cookbooks
- `trigger-package` has a green pipeline running against latest commit

Expected (please provide an explanation if not completing)
- Test plan indicating conditions for success has been posted and passes
- Documentation created/updated
- Tests added
- Integration tests added to GitLab QA
- Equivalent MR/issue for the GitLab Chart opened
Edited by Hossein Pursultani
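The key format and the rolling-update attributes described above, as an added example that is not code from this MR or from Omnibus GitLab. The function names are hypothetical, the 32-byte size comes from the description, and the phase order follows Consul's documented procedure for enabling gossip encryption on an existing datacenter.

```ruby
require 'base64'
require 'securerandom'

KEY_BYTES = 32 # key size stated in the MR description

# Produce a key of the described shape: 32 random bytes, Base64 encoded.
def generate_gossip_key
  Base64.strict_encode64(SecureRandom.random_bytes(KEY_BYTES))
end

# Return nil when the key is acceptable, otherwise the reason it is not.
def gossip_key_error(key)
  return 'key is not a string' unless key.is_a?(String)
  return 'key has leading/trailing whitespace' unless key == key.strip

  raw = begin
    Base64.strict_decode64(key)
  rescue ArgumentError
    return 'key is not valid Base64'
  end
  return "key decodes to #{raw.bytesize} bytes, expected #{KEY_BYTES}" unless raw.bytesize == KEY_BYTES

  nil
end

# Phase 1 distributes the key without sending or requiring encryption,
# phase 2 starts encrypting outgoing gossip, phase 3 rejects plaintext.
# Every agent must finish a phase (reconfigure and restart) before the next.
ROLLOUT_PHASES = [
  { incoming: false, outgoing: false },
  { incoming: false, outgoing: true },
  { incoming: true,  outgoing: true }
].freeze

# Render the gitlab.rb lines for one phase, refusing a malformed key.
def gitlab_rb_for_phase(key, phase)
  err = gossip_key_error(key)
  raise ArgumentError, err if err
  raise ArgumentError, 'phase must be 1, 2 or 3' unless (1..ROLLOUT_PHASES.size).cover?(phase)

  flags = ROLLOUT_PHASES[phase - 1]
  ["consul['encryption_key'] = '#{key}'",
   "consul['encryption_verify_incoming'] = #{flags[:incoming]}",
   "consul['encryption_verify_outgoing'] = #{flags[:outgoing]}"].join("\n")
end

if __FILE__ == $PROGRAM_NAME
  key = generate_gossip_key # constructed sample key, not for production use
  (1..3).each { |p| puts "# phase #{p}", gitlab_rb_for_phase(key, p), '' }
end
```

Setting `encryption_verify_incoming` to `true` before every agent holds the key makes the remaining plaintext agents unable to gossip with the upgraded ones, which is why the phases are applied in this order.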