Configuring Cluster Authentication

Communication between the different parts of your cluster is secured and authenticated via TLS. This guide will show you how to generate and distribute the following:

  • A cluster certificate to authorize you as the cluster administrator to create new node certificates.
  • A control service certificate and key file, to be copied to the machine running your control service. The control service certificate and key file are used to identify the control service node to any Flocker agent nodes in the cluster.
  • A node certificate and key file for each of your Flocker agent nodes, which identifies the node to the control service.

Prerequisites

Before you begin to configure authentication for your cluster, you will need to have completed the following:

  • Installed the flocker-cli on your local machine.
  • Installed flocker-node on each of your nodes.
  • Chosen on which of your nodes you want to host the Flocker control service.

Generating and Distributing Certificates

  1. Create a directory for your certificates on all nodes.

    First you need to create a /etc/flocker directory on each node. This includes the control service node, and on all the Flocker agent nodes in your cluster.

    mkdir /etc/flocker
    

    This directory is where you will place your certificates.

  2. Generate your cluster certificates.

    The cluster certificate is what allows you (as the administrator of the cluster) to securely add new nodes to the cluster.

    Using the machine on which you installed the flocker-cli package, run the following command to generate your cluster’s root certificate authority, replacing <mycluster> with the name you will use to uniquely identify this cluster:

    flocker-ca initialize <mycluster>
    

    You should now find cluster.key and cluster.crt in your working directory.

    Note

    This command creates cluster.key and cluster.crt. Please keep cluster.key secret, as anyone who can access it will be able to control your cluster.

    The file cluster.key should be kept only by the cluster administrator; it does not need to be copied anywhere.

  3. Generate your control service certificates.

    Now that you have your cluster certificates you can generate authentication certificates for the control service and each of your Flocker agent nodes.

    With the following command you will generate the control service certificates (you will create node certificates in a later step). Before running the command though, you will need to note the following:

    • You should replace <hostname> with the hostname of your control service node; this hostname should match the hostname you will give to HTTP API clients.
    • The <hostname> should be a valid DNS name that HTTPS clients can resolve, as they will use it as part of TLS validation.
    • Using an IP address as the <hostname> is not recommended, as it can break some HTTPS clients.

    Run the following command from the directory containing your authority certificate (as generated in Step 2):

    flocker-ca create-control-certificate <hostname>
    

    You should now also find control-<hostname>.key and control-<hostname>.crt in your working directory.

  4. Copy certificates to the control service node.

    You can now copy the following files to the /etc/flocker directory on the control service node via a secure communication medium, such as SSH, SCP or SFTP:

    • control-<hostname>.crt
    • control-<hostname>.key
    • cluster.crt (as created by the flocker-ca initialize step)

    For example:

    scp control-<hostname>.crt root@<hostname>:/etc/flocker/
    scp control-<hostname>.key root@<hostname>:/etc/flocker/
    scp cluster.crt root@<hostname>:/etc/flocker/
    

    Warning

    Only copy the file cluster.crt to the control service and node machines, not the cluster.key file, which must be kept only by the cluster administrator.

  5. Rename the files that are now on the control service node.

    • Rename control-<hostname>.crt to control-service.crt
    • Rename control-<hostname>.key to control-service.key

  6. Change the permissions on the control service node folder and key file.

    You will need to change the permissions on the /etc/flocker directory, and the control-service.key file:

    chmod 0700 /etc/flocker
    chmod 0600 /etc/flocker/control-service.key

  7. Generate node authentication certificates.

    Note

    You will need to run the following command as many times as you have nodes.

    For example, if you have two nodes in your cluster, you will need to run this command twice. This step should be repeated for every node in the cluster, including the machine running the control service.

    Run the following command in the same directory containing the certificate authority files you generated in Step 2:

    flocker-ca create-node-certificate
    

    This will create a .crt file and a .key file, which will look like:

    • 8eab4b8d-c0a2-4ce2-80aa-0709277a9a7a.crt
    • 8eab4b8d-c0a2-4ce2-80aa-0709277a9a7a.key

    The actual file names you generate in this step will vary from these, as a UUID for a node is generated to uniquely identify it on the cluster and the files produced are named with that UUID.

  8. Copy certificates onto the Flocker agent node.

    You can now copy the following files to the /etc/flocker directory on the Flocker agent node via a secure communication medium, such as SSH, SCP or SFTP:

    • Your version of 8eab4b8d-c0a2-4ce2-80aa-0709277a9a7a.crt
    • Your version of 8eab4b8d-c0a2-4ce2-80aa-0709277a9a7a.key
    • cluster.crt (as created by the flocker-ca initialize step)

    For example:

    scp <yourUUID>.crt root@<hostname>:/etc/flocker/
    scp <yourUUID>.key root@<hostname>:/etc/flocker/
    scp cluster.crt root@<hostname>:/etc/flocker/

  9. Rename the files on the Flocker agent node.

    • Rename 8eab4b8d-c0a2-4ce2-80aa-0709277a9a7a.crt to node.crt
    • Rename 8eab4b8d-c0a2-4ce2-80aa-0709277a9a7a.key to node.key

  10. Change the permissions on the folder and key file.

    You will need to change the permissions on the /etc/flocker directory, and the node.key file:

    chmod 0700 /etc/flocker
    chmod 0600 /etc/flocker/node.key

  11. Repeat the node authentication steps for each node.

    If you haven’t done this already, you’ll need to repeat steps 7, 8, 9 and 10 for each node (including the control service node if it is acting as a Flocker agent node).
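The following script is an added example and is not part of Flocker or this guide. It checks that a machine's /etc/flocker directory ends up in the state steps 4 to 6 (control service node) or 8 to 10 (agent node) describe: cluster.crt present, the certificate and key renamed to control-service.* or node.*, the directory at mode 0700, the key at mode 0600, and no stray cluster.key. It also includes the hostname sanity check from step 3 (a DNS name, not an IP literal) and an optional openssl chain check. The function names (check_flocker_dir, is_ip_literal, file_mode, verify_chain) are our own; the file names and modes come from the guide.

```shell
#!/bin/sh
# Added example, not Flocker project code. Verifies the /etc/flocker layout
# this guide produces on a control service node or a Flocker agent node.

# Return 0 if $1 looks like an IPv4 or IPv6 literal, 1 otherwise.
# Step 3 asks for a resolvable DNS name as the control service <hostname>.
is_ip_literal() {
    case "$1" in
        *:*) return 0 ;;   # IPv6 literals contain colons
    esac
    # IPv4: exactly four dot-separated groups of digits
    echo "$1" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$'
}

# Print the permission bits of a file as octal digits (GNU stat, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_flocker_dir DIR ROLE
# ROLE is "control" for the control service node or "node" for an agent node.
# Prints one line per problem; returns 0 if DIR matches the guide, 1 otherwise.
check_flocker_dir() {
    dir=$1
    role=$2
    problems=0
    case "$role" in
        control) base=control-service ;;
        node)    base=node ;;
        *) echo "unknown role '$role' (expected control or node)"; return 1 ;;
    esac

    if [ ! -d "$dir" ]; then
        echo "missing directory $dir"
        return 1
    fi

    # cluster.crt must be present; cluster.key must never leave the admin machine.
    if [ ! -f "$dir/cluster.crt" ]; then
        echo "missing $dir/cluster.crt"; problems=$((problems + 1))
    fi
    if [ -e "$dir/cluster.key" ]; then
        echo "$dir/cluster.key found: it must stay with the cluster administrator"
        problems=$((problems + 1))
    fi

    # Certificate and key renamed as in step 5 (control) or step 9 (node).
    for f in "$base.crt" "$base.key"; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing $dir/$f (was it renamed?)"; problems=$((problems + 1))
        fi
    done

    # Permissions from step 6 / step 10: directory 0700, key 0600.
    m=$(file_mode "$dir")
    if [ "$m" != "700" ]; then
        echo "$dir has mode $m, expected 700"; problems=$((problems + 1))
    fi
    if [ -f "$dir/$base.key" ]; then
        m=$(file_mode "$dir/$base.key")
        if [ "$m" != "600" ]; then
            echo "$dir/$base.key has mode $m, expected 600"; problems=$((problems + 1))
        fi
    fi

    [ "$problems" -eq 0 ]
}

# verify_chain DIR BASE
# Optional deeper check with openssl: the certificate must chain to cluster.crt
# and its public key must match the private key file.
verify_chain() {
    dir=$1
    base=$2
    openssl verify -CAfile "$dir/cluster.crt" "$dir/$base.crt" || return 1
    crt_pub=$(openssl x509 -in "$dir/$base.crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$dir/$base.key" -pubout)
    [ "$crt_pub" = "$key_pub" ]
}

# Stand-alone usage:  sh check_flocker_certs.sh /etc/flocker node
if [ $# -eq 2 ]; then
    check_flocker_dir "$1" "$2"
fi
```

Run it on each node after step 6 or step 10. A non-zero exit with a "cluster.key found" line is the one to act on immediately: the signing key on any node other than the administrator's machine means anyone with access to that node can mint certificates for the whole cluster. verify_chain is kept separate because it needs openssl and real certificate files; call it as `verify_chain /etc/flocker node` once the layout check passes.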