Communication between the different parts of your cluster is secured and authenticated via TLS. This guide will show you how to generate and distribute the following:
Before you begin to configure authentication for your cluster, you will need to have completed the following:
- flocker-cli installed on your local machine.
- flocker-node installed on each of your nodes.

Step 1. Create a directory for your certificates on all nodes.

First you need to create a /etc/flocker directory on each node. This includes the control service node and all the Flocker agent nodes in your cluster.

    mkdir /etc/flocker

This directory is where you will place your certificates.
Step 2. Generate your cluster certificates.

It is the cluster certificates which allow you (as the administrator of the cluster) to create new nodes on the cluster securely.

Using the machine on which you installed the flocker-cli package, run the following command to generate your cluster's root certificate authority, replacing <mycluster> with the name you will use to uniquely identify this cluster:

    flocker-ca initialize <mycluster>

You should now find cluster.key and cluster.crt in your working directory.
Note: This command creates cluster.key and cluster.crt. Please keep cluster.key secret, as anyone who can access it will be able to control your cluster. The file cluster.key should be kept only by the cluster administrator; it does not need to be copied anywhere.
Step 3. Generate your control service certificates.

Now that you have your cluster certificates you can generate authentication certificates for the control service and each of your Flocker agent nodes.

With the following command you will generate the control service certificates (you will create node certificates in a later step). Before running the command, you will need to note the following:

- Replace <hostname> with the hostname of your control service node; this hostname should match the hostname you will give to HTTP API clients.
- <hostname> should be a valid DNS name that HTTPS clients can resolve, as they will use it as part of TLS validation.
- Avoid using an IP address for <hostname>, as it can break some HTTPS clients.

Run the following command from the directory containing your authority certificate (as generated in Step 2):

    flocker-ca create-control-certificate <hostname>

You should now also find control-<hostname>.key and control-<hostname>.crt in your working directory.
Step 4. Copy certificates to the control service node.

You can now copy the following files to the /etc/flocker directory on the control service node via a secure communication medium, such as SSH, SCP or SFTP:

- control-<hostname>.crt
- control-<hostname>.key
- cluster.crt (as created by the flocker-ca initialize step)

For example:

    scp control-<hostname>.crt root@<hostname>:/etc/flocker/
    scp control-<hostname>.key root@<hostname>:/etc/flocker/
    scp cluster.crt root@<hostname>:/etc/flocker/

Warning: Only copy the file cluster.crt to the control service and node machines, not the cluster.key file, which must be kept only by the cluster administrator.
Step 5. Rename the files that are now on the control service node.

- control-<hostname>.crt to control-service.crt
- control-<hostname>.key to control-service.key
Step 6. Change the permissions on the control service node folder and key file.

You will need to change the permissions on the /etc/flocker directory and the control-service.key file:

    chmod 0700 /etc/flocker
    chmod 0600 /etc/flocker/control-service.key
Step 7. Generate node authentication certificates.

Note: You will need to run the following command as many times as you have nodes. For example, if you have two nodes in your cluster, you will need to run this command twice. This step should be repeated for all nodes in the cluster, including the machine running the control service.

Run the following command in the same directory containing the certificate authority files you generated in Step 2:

    flocker-ca create-node-certificate

This will create a .crt file and a .key file, which will look like:

    8eab4b8d-c0a2-4ce2-80aa-0709277a9a7a.crt
    8eab4b8d-c0a2-4ce2-80aa-0709277a9a7a.key

The actual file names you generate in this step will vary from these: a UUID is generated for each node to uniquely identify it on the cluster, and the files produced are named with that UUID.
Step 8. Copy certificates onto the Flocker agent node.

You can now copy the following files to the /etc/flocker directory on the Flocker agent node via a secure communication medium, such as SSH, SCP or SFTP:

- 8eab4b8d-c0a2-4ce2-80aa-0709277a9a7a.crt
- 8eab4b8d-c0a2-4ce2-80aa-0709277a9a7a.key
- cluster.crt (as created by the flocker-ca initialize step)

For example:

    scp <yourUUID>.crt root@<hostname>:/etc/flocker/
    scp <yourUUID>.key root@<hostname>:/etc/flocker/
    scp cluster.crt root@<hostname>:/etc/flocker/
Step 9. Rename the files on the Flocker agent node.

- 8eab4b8d-c0a2-4ce2-80aa-0709277a9a7a.crt to node.crt
- 8eab4b8d-c0a2-4ce2-80aa-0709277a9a7a.key to node.key
Step 10. Change the permissions on the folder and key file.

You will need to change the permissions on the /etc/flocker directory and the node.key file:

    chmod 0700 /etc/flocker
    chmod 0600 /etc/flocker/node.key
Step 11. Repeat the node authentication steps for each node.

If you haven't done this already, you'll need to repeat steps 7, 8, 9 and 10 for each node (including the control service node if it is acting as a Flocker agent node).
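Once the files are in place on a node, it is worth confirming that the layout matches what the steps above require before starting the service. The following script is an added example, not part of the Flocker documentation: it checks the permissions set in steps 6 and 10, checks that cluster.key was not copied along with cluster.crt, and uses the openssl CLI to confirm the renamed certificate chains to cluster.crt and matches its private key. It assumes GNU coreutils (stat -c) and openssl are present on the node; the role names node and control-service are the ones the guide tells you to rename the files to.

```shell
#!/bin/sh
# Post-distribution check for a Flocker certificate directory (added example).
# Usage: check_flocker_certs /etc/flocker node
#        check_flocker_certs /etc/flocker control-service

# Return 0 if DIR is mode 0700 and KEY is mode 0600, 1 otherwise.
check_perms() {
    dir=$1; key=$2
    [ -d "$dir" ] || { echo "missing directory: $dir"; return 1; }
    [ -f "$key" ] || { echo "missing key file: $key"; return 1; }
    dmode=$(stat -c '%a' "$dir"); kmode=$(stat -c '%a' "$key")
    [ "$dmode" = "700" ] || { echo "$dir is mode $dmode, expected 700"; return 1; }
    [ "$kmode" = "600" ] || { echo "$key is mode $kmode, expected 600"; return 1; }
    return 0
}

# Return 0 if the CA private key is absent from DIR. Only cluster.crt is
# copied to nodes; cluster.key stays with the cluster administrator.
check_no_ca_key() {
    [ ! -e "$1/cluster.key" ] || { echo "$1/cluster.key must not be on a node"; return 1; }
}

# Return 0 if CRT verifies against the cluster CA and its public key
# matches the public key derived from KEY (assumes the openssl CLI).
check_chain() {
    ca=$1; crt=$2; key=$3
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
        || { echo "$crt does not verify against $ca"; return 1; }
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ "$crt_pub" = "$key_pub" ] || { echo "$key does not match $crt"; return 1; }
}

# Run all checks for ROLE (node or control-service) in DIR.
check_flocker_certs() {
    dir=$1; role=$2
    check_perms "$dir" "$dir/$role.key" \
      && check_no_ca_key "$dir" \
      && check_chain "$dir/cluster.crt" "$dir/$role.crt" "$dir/$role.key" \
      && echo "$dir: $role certificates look correct"
}
```

Run it as root on each node after step 6 or step 10; a non-zero exit with a message names the first file that does not match the guide.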