How to programmatically rotate encryption keys?

[rosenhouse]

Hello,

We'd like to write some Go code that rotates the encryption keys used by our Consul cluster. We don't see a way to do this via the HTTP API or the Go api package and we'd like to avoid shelling out to the consul CLI keyring command. We've considered reaching into the RPCClient in the command package used by the CLI, but are concerned about taking a dependency on something that isn't supported for public consumption.

What is the recommended way to programmatically rotate encryption keys?

Thanks!

cc @zaksoup

[highlyunavailable]

The RPC client is a public interface though:

https://consul.io/docs/agent/rpc.html

There's nothing explicitly "internal" about it other than the key ring commands aren't documented on that page.

[rosenhouse]

Great, thank you.

[zaksoup]

@highlyunavailable We're attempting to create fakes in order to unit test consumers of the agent.RPCClient. The problem we have now run into is that agent.RPCClient.InstallKey() returns a keyringResponse which is unexported. It seems like significant portions of the RPCClient (really, any of the various methods around keys) are actually unexported and therefor not necessarily suitable for 3rd party use.

[rosenhouse]

Appears to be addressed by #1867 (comment)