mirror of
https://github.com/siderolabs/talos.git
synced 2025-08-10 08:37:03 +02:00
389 lines
15 KiB
HTML
389 lines
15 KiB
HTML
<!DOCTYPE html>
|
|
|
|
<head>
|
|
|
|
|
|
<meta charset="utf-8">
|
|
<title>Autonomy</title>
|
|
<meta name="description" content="">
|
|
<meta name="author" content="andrew.rynhard@autonomy.io">
|
|
|
|
|
|
<meta name="viewport" content="width=device-width, initial-scale=1">
|
|
|
|
|
|
<link href="https://fonts.googleapis.com/css?family=Raleway|Fira+Mono|Roboto:300" rel="stylesheet">
|
|
|
|
|
|
<link rel="icon" type="image/png" href="https://talos.autonomy.io/img/favicon.png">
|
|
|
|
|
|
<script src="https://code.jquery.com/jquery-3.3.1.min.js"></script>
|
|
<script src="https://cdnjs.cloudflare.com/ajax/libs/fuse.js/3.2.0/fuse.min.js"></script>
|
|
<script src="https://cdnjs.cloudflare.com/ajax/libs/mark.js/8.11.1/jquery.mark.min.js"></script>
|
|
<script src="https://talos.autonomy.io/js/search.js"></script>
|
|
|
|
|
|
<link rel="stylesheet" href="https://talos.autonomy.io//css/milligram.min.css">
|
|
<link rel="stylesheet" href="https://talos.autonomy.io/css/main.css">
|
|
</head>
|
|
<nav class="navbar">
|
|
<div class="container">
|
|
<div class="row">
|
|
<div class="column column-50">
|
|
<ul class="navbar-list navbar-left">
|
|
<li class="navbar-item">
|
|
<a class="navbar-link logo" href="/">
|
|
<img src="https://talos.autonomy.io//img/logo.svg" class="logo">
|
|
</a>
|
|
</li>
|
|
</ul>
|
|
</div>
|
|
<div class="column column-50">
|
|
<ul class="navbar-list navbar-right">
|
|
<li class="navbar-item">
|
|
|
|
<a class="navbar-link navbar-logo" rel="noopener noreferrer" href="https://github.com/autonomy/talos" target="_blank">
|
|
<span class="octicon octicon-mark-github"></span>
|
|
</a>
|
|
|
|
</li>
|
|
<li class="navbar-item">
|
|
|
|
<a class="navbar-link navbar-logo" rel="noopener noreferrer" href="https://hub.docker.com/u/autonomy" target="_blank">
|
|
<span class="fab fa-docker"></span>
|
|
</a>
|
|
|
|
</li>
|
|
</ul>
|
|
</div>
|
|
</div>
|
|
</div>
|
|
</nav>
|
|
<script id="search-result-template" type="text/x-js-template">
|
|
<li class="sidebar-item">
|
|
<div id="summary-${key}">
|
|
<a class="sidebar-link" href="${link}">${title}</a>
|
|
<p class="search-result-item">${preview}</p>
|
|
</div>
|
|
</li>
|
|
</script>
|
|
|
|
<nav class="sidebar">
|
|
|
|
<div class="row">
|
|
<div class="column">
|
|
<span>
|
|
<a class="logo" href="https://talos.autonomy.io/">
|
|
<img src="https://talos.autonomy.io//img/logo.svg" class="logo">
|
|
</a>
|
|
</span>
|
|
</div>
|
|
</div>
|
|
<hr>
|
|
|
|
<div class="row">
|
|
<div class="column">
|
|
|
|
<div class="button-group button-group-center">
|
|
<a class="button" href="https://github.com/autonomy/talos/fork">
|
|
<span class="octicon octicon-repo-forked"></span>
|
|
Fork
|
|
</a>
|
|
<a class="button" href="https://github.com/autonomy/talos/stargazers">
|
|
<span class="octicon octicon-star"></span>
|
|
Star
|
|
</a>
|
|
</div>
|
|
|
|
</div>
|
|
</div>
|
|
<hr>
|
|
|
|
<div class="row search-area">
|
|
<form class="search-form" action="" onSubmit="return">
|
|
<input class="search-box" id="search-query" name="s" type="text" placeholder="search" />
|
|
</form>
|
|
<ul class="sidebar-list search-results" id="search-results">
|
|
</ul>
|
|
</div>
|
|
<div class="row">
|
|
<div class="column">
|
|
<ul class="sidebar-list parent">
|
|
|
|
|
|
|
|
|
|
<li class="sidebar-item">
|
|
<a class="sidebar-link sidebar-link-parent"
|
|
href="https://talos.autonomy.io/components/" >
|
|
Components
|
|
</a>
|
|
<ul class="sidebar-list">
|
|
|
|
<li class="sidebar-item">
|
|
<a class="sidebar-link"
|
|
href="https://talos.autonomy.io/components/kernel/" >
|
|
kernel
|
|
</a>
|
|
</li>
|
|
|
|
<li class="sidebar-item">
|
|
<a class="sidebar-link"
|
|
href="https://talos.autonomy.io/components/init/" >
|
|
init
|
|
</a>
|
|
</li>
|
|
|
|
<li class="sidebar-item">
|
|
<a class="sidebar-link"
|
|
href="https://talos.autonomy.io/components/kubeadm/" >
|
|
kubeadm
|
|
</a>
|
|
</li>
|
|
|
|
<li class="sidebar-item">
|
|
<a class="sidebar-link"
|
|
href="https://talos.autonomy.io/components/trustd/" >
|
|
trustd
|
|
</a>
|
|
</li>
|
|
|
|
<li class="sidebar-item">
|
|
<a class="sidebar-link"
|
|
href="https://talos.autonomy.io/components/proxyd/" >
|
|
proxyd
|
|
</a>
|
|
</li>
|
|
|
|
<li class="sidebar-item">
|
|
<a class="sidebar-link"
|
|
href="https://talos.autonomy.io/components/osd/" >
|
|
osd
|
|
</a>
|
|
</li>
|
|
|
|
<li class="sidebar-item">
|
|
<a class="sidebar-link"
|
|
href="https://talos.autonomy.io/components/osctl/" >
|
|
osctl
|
|
</a>
|
|
</li>
|
|
|
|
<li class="sidebar-item">
|
|
<a class="sidebar-link"
|
|
href="https://talos.autonomy.io/components/blockd/" >
|
|
blockd
|
|
</a>
|
|
</li>
|
|
|
|
</ul>
|
|
</li>
|
|
|
|
|
|
|
|
<li class="sidebar-item">
|
|
<a class="sidebar-link sidebar-link-parent active"
|
|
href="https://talos.autonomy.io/configuration/" >
|
|
Configuration
|
|
</a>
|
|
<ul class="sidebar-list active">
|
|
|
|
<li class="sidebar-item">
|
|
<a class="sidebar-link active"
|
|
href="https://talos.autonomy.io/configuration/osd/" >
|
|
osd
|
|
</a>
|
|
</li>
|
|
|
|
<li class="sidebar-item">
|
|
<a class="sidebar-link"
|
|
href="https://talos.autonomy.io/configuration/masters/" >
|
|
Masters
|
|
</a>
|
|
</li>
|
|
|
|
<li class="sidebar-item">
|
|
<a class="sidebar-link"
|
|
href="https://talos.autonomy.io/configuration/workers/" >
|
|
Workers
|
|
</a>
|
|
</li>
|
|
|
|
</ul>
|
|
</li>
|
|
|
|
|
|
|
|
<li class="sidebar-item">
|
|
<a class="sidebar-link sidebar-link-parent"
|
|
href="https://talos.autonomy.io/examples/" >
|
|
Examples
|
|
</a>
|
|
<ul class="sidebar-list">
|
|
|
|
<li class="sidebar-item">
|
|
<a class="sidebar-link"
|
|
href="https://talos.autonomy.io/examples/aws/" >
|
|
AWS
|
|
</a>
|
|
</li>
|
|
|
|
<li class="sidebar-item">
|
|
<a class="sidebar-link"
|
|
href="https://talos.autonomy.io/examples/kvm/" >
|
|
KVM
|
|
</a>
|
|
</li>
|
|
|
|
<li class="sidebar-item">
|
|
<a class="sidebar-link"
|
|
href="https://talos.autonomy.io/examples/xen/" >
|
|
Xen
|
|
</a>
|
|
</li>
|
|
|
|
</ul>
|
|
</li>
|
|
|
|
|
|
</ul>
|
|
</div>
|
|
</div>
|
|
</nav>
|
|
<body>
|
|
<div class="container">
|
|
<div class="content">
|
|
<div class="row ">
|
|
<div class="column column-10">
|
|
|
|
</div>
|
|
<div class="column document">
|
|
<section class="document">
|
|
<h1 class="title">osd</h1>
|
|
<p>
|
|
|
|
<p>The <code>osd</code> service enforces a high level of security by utilizing mutual TLS for authentication and authorization.
|
|
In this section we will configure mutual TLS by generating the certificates for the servers (<code>osd</code>) and clients (<code>osctl</code>).</p>
|
|
|
|
<h3 id="cluster-owners">Cluster Owners</h3>
|
|
|
|
<p>We recommend that the configuration of <code>osd</code> be performed by a cluster owner.
|
|
A cluster owner should be a person of authority within an organization.
|
|
Perhaps a director, manager, or senior member of a team.
|
|
They are responsible for storing the root CA, and distributing the PKI for authorized cluster administrators.</p>
|
|
|
|
<h3 id="cluster-administrators">Cluster Administrators</h3>
|
|
|
|
<p>The authorization to use <code>osctl</code> should be granted to a person fit for cluster administration.
|
|
As a cluster administrator, the user gains access to the out-of-band management tools offered by Talos.</p>
|
|
|
|
<h2 id="configuring-osd">Configuring <code>osd</code></h2>
|
|
|
|
<p>To configure <code>osd</code>, we will need:</p>
|
|
|
|
<ul>
|
|
<li>static IP addresses for each node that will participate as a master</li>
|
|
<li>a root CA</li>
|
|
<li>and identity certificates for each node participating as a master signed by the root CA</li>
|
|
</ul>
|
|
|
|
<p>The following steps should be performed by a cluster owner.</p>
|
|
|
|
<h3 id="generating-the-root-ca">Generating the Root CA</h3>
|
|
|
|
<p>The root CA can be generated by running:</p>
|
|
|
|
<pre><code class="language-bash">osctl gen ca --hours <hours> --organization <organization>
|
|
</code></pre>
|
|
|
|
<p>The cluster owner should store the generated private key (<code><organization>.key</code>) in a safe place, that only other cluster owners have access to.
|
|
The public certificate (<code><organization>.crt</code>) should be made available to cluster administrators because, as we will see shortly, it is required to configure <code>osctl</code>.</p>
|
|
|
|
<blockquote class="note " >
|
|
<p>Note: The <code>--rsa</code> flag should <em>not</em> be specified for the generation of the <code>osd</code> CA.</p>
|
|
</blockquote>
|
|
|
|
|
|
<h3 id="generating-the-identity-certificates">Generating the Identity Certificates</h3>
|
|
|
|
<p>Now that we have our root CA, we must create certificates that identify the node.
|
|
As the cluster owner, run:</p>
|
|
|
|
<pre><code class="language-bash">osctl gen key --name <node-name>
|
|
osctl gen csr --ip <node-ip> --key <node-name>.key
|
|
osctl gen crt --hours <hours> --ca <organization> --csr <node-name>.csr --name <node-name>
|
|
</code></pre>
|
|
|
|
<p>Repeat this process for each node that will participate as a master.</p>
|
|
|
|
<h2 id="configuring-osctl">Configuring <code>osctl</code></h2>
|
|
|
|
<p>To configure <code>osctl</code>, we will need:</p>
|
|
|
|
<ul>
|
|
<li>the root CA we generated above</li>
|
|
<li>and a certificate signed by the root CA specific to the user</li>
|
|
</ul>
|
|
|
|
<p>The process for setting up <code>osctl</code> is done in part between a cluster owner and a user requesting to become a cluster administrator.</p>
|
|
|
|
<h3 id="generating-the-user-certificate">Generating the User Certificate</h3>
|
|
|
|
<p>The user requesting cluster administration access runs the following:</p>
|
|
|
|
<pre><code class="language-bash">osctl gen key --name <user>
|
|
osctl gen csr --ip 127.0.0.1 --key <user>.key
|
|
</code></pre>
|
|
|
|
<p>Now, the cluster owner must generate a certificate from the above CSR.
|
|
To do this, the user requesting access submits the CSR generated above to the cluster owner, and the cluster owner runs the following:</p>
|
|
|
|
<pre><code class="language-bash">osctl gen crt --hours <hours> --ca <organization> --csr <user>.csr --name <user>
|
|
</code></pre>
|
|
|
|
<p>The generated certificate is then sent to the requesting user using a secure channel.</p>
|
|
|
|
<h3 id="the-configuration-file">The Configuration File</h3>
|
|
|
|
<p>With all the above steps done, the new cluster administrator can now create the configuration file for <code>osctl</code>.</p>
|
|
|
|
<pre><code class="language-bash">cat <organization>.crt | base64
|
|
cat <user>.crt | base64
|
|
cat <user>.key | base64
|
|
</code></pre>
|
|
|
|
<p>Now, create <code>~/.talos/config</code> with the following contents:</p>
|
|
|
|
<pre><code class="language-yaml">context: <context>
|
|
contexts:
|
|
<context>:
|
|
target: <node-ip>
|
|
ca: <base 64 encoded root public certificate>
|
|
crt: <base 64 encoded user public certificate>
|
|
key: <base 64 encoded user private key>
|
|
</code></pre>
|
|
</p>
|
|
</section>
|
|
</div>
|
|
<div class="column column-10">
|
|
|
|
<a class="navigation navigation-next" href="https://talos.autonomy.io/configuration/masters/">
|
|
<i class="fa fa-chevron-right"></i>
|
|
</a>
|
|
|
|
</div>
|
|
</div>
|
|
</div>
|
|
</div>
|
|
</body>
|
|
|
|
<div class="footer">
|
|
<aside class="copyright">
|
|
|
|
© 2019 Released under Mozilla Public License 2.0
|
|
|
|
</aside>
|
|
</div>
|
|
|