
Commit 65da65c

committed
nsqd: share TLS key with serf
1 parent d4e4346 commit 65da65c


2 files changed

+49
-2
lines changed


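--- a/nsqd/gossip.go
+++ b/nsqd/gossip.go
@@ -2,6 +2,8 @@ package nsqd
 
 import (
 	"bytes"
+	"crypto/rand"
+	"encoding/base64"
 	"encoding/json"
 	"net"
 	"os"
@@ -62,7 +64,8 @@ func initSerf(opts *Options,
 	tcpAddr *net.TCPAddr,
 	httpAddr *net.TCPAddr,
 	httpsAddr *net.TCPAddr,
-	broadcastAddr *net.TCPAddr) (*serf.Serf, error) {
+	broadcastAddr *net.TCPAddr,
+	key []byte) (*serf.Serf, error) {
 
 	hostname, err := os.Hostname()
 	if err != nil {
@@ -93,6 +96,9 @@ func initSerf(opts *Options,
 	serfConfig.MemberlistConfig.GossipInterval = 100 * time.Millisecond
 	serfConfig.MemberlistConfig.GossipNodes = 5
 	serfConfig.MemberlistConfig.LogOutput = logWriter{opts.Logger, []byte("memberlist:")}
+	if len(key) != 0 {
+		serfConfig.MemberlistConfig.SecretKey = key
+	}
 	serfConfig.EventCh = serfEventChan
 	serfConfig.EventBuffer = 1024
 	serfConfig.ReconnectTimeout = time.Hour
@@ -286,6 +292,13 @@ func (n *NSQD) gossipLoop() {
 	var topicName string
 	var channelName string
 
+	if n.serf.EncryptionEnabled() {
+		err := n.rotateGossipKey()
+		n.logf("FATAL: could not rotate gossip key - %s", err)
+		n.Exit()
+		return
+	}
+
 	regossipTicker := time.NewTicker(n.getOpts().GossipRegossipInterval)
 
 	if len(n.getOpts().GossipSeedAddresses) > 0 {
@@ -363,3 +376,34 @@ exit:
 	regossipTicker.Stop()
 	n.logf("GOSSIP: exiting")
 }
+
+func (n *NSQD) initialGossipKey() []byte {
+	var key []byte
+	if n.tlsConfig != nil && len(n.tlsConfig.Certificates) > 0 {
+		key = n.tlsConfig.Certificates[0].Leaf.Signature
+	}
+	if n.gossipKey == nil {
+		n.gossipKey = key
+	}
+	return key
+}
+
+func (n *NSQD) rotateGossipKey() error {
+	if n.gossipKey == nil {
+		return nil
+	}
+
+	key := make([]byte, 32)
+	_, err := rand.Reader.Read(key)
+	strKey := base64.StdEncoding.EncodeToString(key)
+	_, err = n.serf.KeyManager().InstallKey(strKey)
+	if err != nil {
+		return err
+	}
+	_, err = n.serf.KeyManager().UseKey(strKey)
+	if err != nil {
+		return err
+	}
+	_, err = n.serf.KeyManager().RemoveKey(string(n.gossipKey))
+	return err
+}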
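Review bot: In the gossipLoop hunk the value returned by `n.rotateGossipKey()` is never tested — the FATAL log, `n.Exit()` and `return` run unconditionally, so every node that starts with encryption enabled shuts itself down; the guard should read `if err := n.rotateGossipKey(); err != nil {` with the log/Exit/return inside it (gossipLoop's body starts and ends outside the hunk). In rotateGossipKey the error from `rand.Reader.Read(key)` is overwritten by the next assignment without being checked, so a failed read would install an all-zero key; use `if _, err := io.ReadFull(rand.Reader, key); err != nil { return err }` (or check the `Read` error directly). The initial key in initialGossipKey is `Leaf.Signature`, which is public data presented to every TLS client rather than secret material, `Leaf` may be nil depending on how the certificate was loaded (which would panic here), and memberlist, as far as I recall, accepts only 16/24/32-byte keys, which a certificate signature generally is not — worth confirming before relying on it. Finally, `RemoveKey(string(n.gossipKey))` passes the raw bytes while the key manager works with base64-encoded keys, and `n.gossipKey` is never updated to the newly installed key, so a second rotation would try to remove a stale key.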

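--- a/nsqd/nsqd.go
+++ b/nsqd/nsqd.go
@@ -66,6 +66,7 @@ type NSQD struct {
 	serf *serf.Serf
 	serfEventChan chan serf.Event
 	gossipChan chan interface{}
+	gossipKey []byte
 	rdb *registrationdb.RegistrationDB
 
 	idChan chan MessageID
@@ -295,7 +296,9 @@ func (n *NSQD) Main() {
 		n.RealTCPAddr(),
 		n.RealHTTPAddr(),
 		httpsAddr,
-		broadcastAddr)
+		broadcastAddr,
+		n.initialGossipKey(),
+	)
 	if err != nil {
 		n.logf("FATAL: failed to initialize Serf - %s", err)
 		os.Exit(1)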