Andrew Rynhard 8c73c38b8a chore: enforce one sentence per line in Markdown files
This is widely considered best practice, we should enforce it.

Signed-off-by: Andrew Rynhard <andrew@andrewrynhard.com>
2019-08-17 10:15:27 -07:00

101 lines
3.2 KiB
Markdown

---
title: "osd"
date: 2018-11-03T17:14:49-07:00
draft: false
weight: 10
menu:
  docs:
    identifier: "osd-configuration"
    parent: 'configuration'
    weight: 10
---
The `osd` service enforces a high level of security by using mutual TLS for authentication and authorization.
In this section we will configure mutual TLS by generating the certificates for the servers (`osd`) and clients (`osctl`).
### Cluster Owners
We recommend that the configuration of `osd` be performed by a cluster owner.
A cluster owner should be a person of authority within an organization, perhaps a director, manager, or senior member of a team.
They are responsible for storing the root CA, and distributing the PKI for authorized cluster administrators.
### Cluster Administrators
The authorization to use `osctl` should be granted to a person responsible for cluster administration.
As a cluster administrator, the user gains access to the out-of-band management tools offered by Talos.
## Configuring `osd`
To configure `osd`, we will need:
- static IP addresses for each node that will participate as a master
- and a root CA
The following steps should be performed by a cluster owner.
### Generating the Root CA
The root CA can be generated by running:
```bash
osctl gen ca --hours <hours> --organization <organization>
```
The cluster owner should store the generated private key (`<organization>.key`) in a safe place that only other cluster owners can access.
The public certificate (`<organization>.crt`) should be made available to cluster administrators because, as we will see shortly, it is required to configure `osctl`.
{{% note %}}The `--rsa` flag should _not_ be specified for the generation of the `osd` CA.{{% /note %}}
### Generating the Identity Certificates
Talos provides automation for generating each node's certificate.
## Configuring `osctl`
To configure `osctl`, we will need:
- the root CA we generated above
- and a certificate signed by the root CA specific to the user
Setting up `osctl` is a joint process between a cluster owner and a user requesting to become a cluster administrator.
### Generating the User Certificate
The user requesting cluster administration access runs the following:
```bash
osctl gen key --name <user>
osctl gen csr --ip 127.0.0.1 --key <user>.key
```
Now, the cluster owner must generate a certificate from the above CSR.
The user requesting access submits the CSR to the cluster owner, and the cluster owner runs the following:
```bash
osctl gen crt --hours <hours> --ca <organization> --csr <user>.csr --name <user>
```
The generated certificate is then sent to the requesting user using a secure channel.
### The Configuration File
With all the above steps done, the new cluster administrator can now create the configuration file for `osctl`.
```bash
cat <organization>.crt | base64
cat <user>.crt | base64
cat <user>.key | base64
```
Now, create `~/.talos/config` with the following contents:
```yaml
context: <context>
contexts:
  <context>:
    target: <node-ip>
    ca: <base 64 encoded root public certificate>
    crt: <base 64 encoded user public certificate>
    key: <base 64 encoded user private key>
```
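The following is an added example, not part of the Talos documentation or the `osctl` tool, showing how the base64 values above are produced and how the resulting config can be sanity-checked before it is used. The PEM strings are constructed placeholders with only the PEM framing (not real keys or certificates), the config layout is the one shown above, and writing the file with mode `0600` is this example's own recommendation, since the file carries the administrator's private key.

```python
import base64
import os
import re
import tempfile

# Constructed placeholder PEM blocks: NOT real keys or certificates, only the
# framing that the files written by `osctl gen` would have.
CA_PEM = "-----BEGIN CERTIFICATE-----\nEXAMPLE-ROOT-CA-BODY\n-----END CERTIFICATE-----\n"
USER_CRT_PEM = "-----BEGIN CERTIFICATE-----\nEXAMPLE-USER-CERT-BODY\n-----END CERTIFICATE-----\n"
USER_KEY_PEM = "-----BEGIN EC PRIVATE KEY-----\nEXAMPLE-USER-KEY-BODY\n-----END EC PRIVATE KEY-----\n"

# One PEM block: BEGIN/END labels must match.
PEM_RE = re.compile(r"^-----BEGIN ([A-Z ]+)-----\n.+?\n-----END \1-----\n?$", re.S)

# Which PEM label each config field is expected to carry.
EXPECTED_LABEL = {"ca": "CERTIFICATE", "crt": "CERTIFICATE", "key": "PRIVATE KEY"}


def b64_single_line(pem: str) -> str:
    """Encode PEM text as a single base64 line (no 76-column wrapping), which is
    what a plain YAML scalar value needs."""
    return base64.b64encode(pem.encode()).decode()


def build_config(context: str, target: str, ca_pem: str, crt_pem: str, key_pem: str) -> str:
    """Render the ~/.talos/config layout shown above, refusing obviously wrong inputs."""
    for field, pem in (("ca", ca_pem), ("crt", crt_pem), ("key", key_pem)):
        m = PEM_RE.match(pem)
        if not m or not m.group(1).endswith(EXPECTED_LABEL[field]):
            raise ValueError(f"{field}: expected a PEM {EXPECTED_LABEL[field]} block")
    return (
        f"context: {context}\n"
        f"contexts:\n"
        f"  {context}:\n"
        f"    target: {target}\n"
        f"    ca: {b64_single_line(ca_pem)}\n"
        f"    crt: {b64_single_line(crt_pem)}\n"
        f"    key: {b64_single_line(key_pem)}\n"
    )


def parse_config(text: str) -> dict:
    """Parse the minimal two-level layout back into a dict, decoding the
    base64 fields. Indentation: 0 = top level, 2 = context name, 4 = fields."""
    result = {"context": None, "contexts": {}}
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = stripped.partition(":")
        value = value.strip()
        if indent == 0 and key == "context":
            result["context"] = value
        elif indent == 2:
            current = key
            result["contexts"][current] = {}
        elif indent == 4 and current is not None:
            if key in EXPECTED_LABEL:
                value = base64.b64decode(value, validate=True).decode()
            result["contexts"][current][key] = value
    return result


def validate_config(cfg: dict) -> list:
    """Return a list of problems (empty means the config looks consistent)."""
    problems = []
    if cfg["context"] not in cfg["contexts"]:
        problems.append("selected context is not defined")
    for name, ctx in cfg["contexts"].items():
        for field, label in EXPECTED_LABEL.items():
            pem = ctx.get(field, "")
            m = PEM_RE.match(pem)
            if not m or not m.group(1).endswith(label):
                problems.append(f"{name}.{field}: not a PEM {label} block")
        if "target" not in ctx:
            problems.append(f"{name}: missing target")
        if ctx.get("ca") and ctx.get("ca") == ctx.get("crt"):
            problems.append(f"{name}: crt is the CA certificate, not a user certificate")
    return problems


def write_config(text: str, path: str = None) -> str:
    """Write the config with owner-only permissions (0600) because it holds a private key."""
    if path is None:
        path = os.path.join(tempfile.mkdtemp(), "config")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(text)
    return path


def file_mode(path: str) -> int:
    """Permission bits of a file, for checking the 0600 guarantee above."""
    return os.stat(path).st_mode & 0o777


if __name__ == "__main__":
    cfg_text = build_config("demo", "10.0.0.1", CA_PEM, USER_CRT_PEM, USER_KEY_PEM)
    print(cfg_text)
    print("problems:", validate_config(parse_config(cfg_text)))
```

`base64.b64encode` never inserts line breaks, which is the property the config needs; a wrapped base64 string pasted across several lines would not be a single YAML scalar. The `validate_config` check catches the two mistakes most likely when three near-identical base64 blobs are copied by hand: swapping `crt` and `key`, and pasting the root CA certificate where the user certificate belongs.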