Communication between the different parts of your cluster is secured and authenticated via TLS. This guide will show you how to generate and distribute the following:
Before you begin to configure authentication for your cluster, you will need to have completed the following:
- Installed flocker-cli on your local machine.
- Installed flocker-node on each of your nodes.
Step 1. Create a directory for your certificates on all nodes.
First you need to create a /etc/flocker directory on each node. This includes the control service node and all the Flocker agent nodes in your cluster.
mkdir /etc/flocker
This directory is where you will place your certificates.
Step 2. Generate your cluster certificates.
It is the cluster certificates that allow you (as the administrator of the cluster) to add new nodes to the cluster securely.
Using the machine on which you installed the flocker-cli package, run the following command to generate your cluster’s root certificate authority, replacing <mycluster> with the name you will use to uniquely identify this cluster:
flocker-ca initialize <mycluster>
You should now find cluster.key and cluster.crt in your working directory.
Note
This command creates cluster.key and cluster.crt.
Please keep cluster.key secret, as anyone who can access it will be able to control your cluster.
The file cluster.key should be kept only by the cluster administrator; it does not need to be copied anywhere.
Step 3. Generate your control service certificates.
Now that you have your cluster certificates you can generate authentication certificates for the control service and each of your Flocker agent nodes.
With the following command you will generate the control service certificates (you will create node certificates in a later step). Before running the command though, you will need to note the following:
- Replace <hostname> with the hostname of your control service node; this hostname should match the hostname you will give to HTTP API clients.
- <hostname> should be a valid DNS name that HTTPS clients can resolve, as they will use it as part of TLS validation.
- Using an IP address is not recommended for <hostname>, as it can break some HTTPS clients.
Run the following command from the directory containing your authority certificate (as generated in Step 2):
flocker-ca create-control-certificate <hostname>
You should now also find control-<hostname>.key and control-<hostname>.crt in your working directory.
Step 4. Copy certificates to the control service node.
You can now copy the following files to the /etc/flocker directory on the control service node via a secure communication medium, such as SSH, SCP or SFTP:
- control-<hostname>.crt
- control-<hostname>.key
- cluster.crt (as created by the flocker-ca initialize step)
For example:
scp control-<hostname>.crt root@<hostname>:/etc/flocker/
scp control-<hostname>.key root@<hostname>:/etc/flocker/
scp cluster.crt root@<hostname>:/etc/flocker/
Warning
Only copy the file cluster.crt to the control service and node machines, not the cluster.key file, which must be kept only by the cluster administrator.
Step 5. Rename the files that are now on the control service node.
- control-<hostname>.crt to control-service.crt
- control-<hostname>.key to control-service.key
Step 6. Change the permissions on the control service node folder and key file.
You will need to change the permissions on the /etc/flocker directory, and the control-service.key file:
chmod 0700 /etc/flocker
chmod 0600 /etc/flocker/control-service.key
Step 7. Generate node authentication certificates.
Note
You will need to run the following command as many times as you have nodes.
For example, if you have two nodes in your cluster, you will need to run this command twice. This step should be repeated for every node in the cluster, including the machine running the control service.
Run the following command in the same directory containing the certificate authority files you generated in Step 2:
flocker-ca create-node-certificate
This will create a .crt file and a .key file, which will look like:
- 8eab4b8d-c0a2-4ce2-80aa-0709277a9a7a.crt
- 8eab4b8d-c0a2-4ce2-80aa-0709277a9a7a.key
The actual file names you generate in this step will vary from these, as a UUID is generated to uniquely identify the node on the cluster, and the files produced are named with that UUID.
Step 8. Copy certificates onto the Flocker agent node.
You can now copy the following files to the /etc/flocker directory on the Flocker agent node via a secure communication medium, such as SSH, SCP or SFTP:
- 8eab4b8d-c0a2-4ce2-80aa-0709277a9a7a.crt
- 8eab4b8d-c0a2-4ce2-80aa-0709277a9a7a.key
- cluster.crt (as created by the flocker-ca initialize step)
For example:
scp <yourUUID>.crt root@<hostname>:/etc/flocker/
scp <yourUUID>.key root@<hostname>:/etc/flocker/
scp cluster.crt root@<hostname>:/etc/flocker/
Step 9. Rename the files on the Flocker agent node.
- 8eab4b8d-c0a2-4ce2-80aa-0709277a9a7a.crt to node.crt
- 8eab4b8d-c0a2-4ce2-80aa-0709277a9a7a.key to node.key
Step 10. Change the permissions on the folder and key file.
You will need to change the permissions on the /etc/flocker directory, and the node.key file:
chmod 0700 /etc/flocker
chmod 0600 /etc/flocker/node.key
Step 11. Repeat the node authentication steps for each node.
If you haven’t done this already, you’ll need to repeat steps 7, 8, 9 and 10 for each node (including the control service node if it is acting as a Flocker agent node).
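An added pre-flight check for a node's /etc/flocker directory (example code written for this page, not Flocker's own tooling): it verifies the file set and names produced by the rename steps, that each file holds the PEM type its name implies, the 0700 directory and 0600 key modes, and that cluster.key was never copied over. The build_fixture helper writes constructed placeholder PEM files for testing, not real keys.

```python
# Added pre-flight audit of a /etc/flocker directory laid out per this guide (not Flocker's own code).
import os, stat, tempfile
# Expected files per role after the rename steps; .crt must hold a certificate, .key a private key.
EXPECTED = {"control": ["control-service.crt", "control-service.key", "cluster.crt"],
            "node": ["node.crt", "node.key", "cluster.crt"]}

def file_mode(path):
    """Permission bits of a file or directory as an int (e.g. 0o600)."""
    return stat.S_IMODE(os.stat(path).st_mode)

def pem_type(path):
    """Label of the first PEM block ('CERTIFICATE', 'RSA PRIVATE KEY', ...) or None."""
    with open(path) as fh:
        for line in (l.strip() for l in fh):
            if line.startswith("-----BEGIN ") and line.endswith("-----"):
                return line[len("-----BEGIN "):-len("-----")]
    return None

def audit_flocker_dir(directory, role):
    """Return a list of findings; an empty list means the directory matches this guide."""
    findings = []
    if file_mode(directory) != 0o700:
        findings.append("directory mode is %04o, expected 0700" % file_mode(directory))
    # The cluster private key is only ever needed on the administrator's machine.
    if os.path.exists(os.path.join(directory, "cluster.key")):
        findings.append("cluster.key present: it must stay with the cluster administrator")
    for name in EXPECTED[role]:
        path = os.path.join(directory, name)
        want = "CERTIFICATE" if name.endswith(".crt") else "PRIVATE KEY"
        if not os.path.exists(path):
            findings.append("missing %s" % name)
        elif not (pem_type(path) or "").endswith(want):
            findings.append("%s is not a %s PEM; recheck the rename step" % (name, want))
        elif name.endswith(".key") and file_mode(path) != 0o600:
            findings.append("%s mode is %04o, expected 0600" % (name, file_mode(path)))
    return findings

def build_fixture(role, key_mode=0o600, extra_files=()):
    """Write a constructed look-alike directory with placeholder PEM bodies (not real keys)."""
    directory = tempfile.mkdtemp()  # mkdtemp creates the directory with mode 0700
    for name in EXPECTED[role]:
        label = "CERTIFICATE" if name.endswith(".crt") else "RSA PRIVATE KEY"
        with open(os.path.join(directory, name), "w") as fh:
            fh.write("-----BEGIN %s-----\nPLACEHOLDER\n-----END %s-----\n" % (label, label))
        if name.endswith(".key"):
            os.chmod(os.path.join(directory, name), key_mode)
    for name in extra_files:
        open(os.path.join(directory, name), "w").close()
    return directory
```

Run audit_flocker_dir("/etc/flocker", "control") on the control service node and audit_flocker_dir("/etc/flocker", "node") on each agent node after Step 10; an empty list means the layout matches this guide.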