TLS Security in the LINSTOR SDS & Piraeus Kubernetes Operator

TLS Security

LINSTOR® has featured TLS and SSL security for some time. It secures communication between the LINSTOR nodes and between the client and the API. However, implementing it was not trivial. If you want to see the nitty-gritty details, take a look at a snapshot of the LINSTOR User’s Guide on the Wayback Machine from before March 2022.

The gist of it, though, was that you had to generate a whole PKI with ‘keytool’, then import those keys with ‘keytool’ and stuff them into a Kubernetes secret. You had to do this for both the controller and the satellites. Then you had to repeat the process for the SSL that protects client-to-API communication. The result was a procedure of 14 lengthy commands that you had to run before issuing your ‘helm install’.

The procedure described above is no longer the only way to secure your LINSTOR deployment in Kubernetes. Here’s a link to our recent patch to our operator (many thanks to Andrei Kvapil!).

All you need to do now is tell helm to use TLS and SSL security. Helm will then automatically generate and import all the required keys and certificates. Note that you can use either ‘helm’ or ‘cert-manager’ as the method; the latter requires cert-manager to be installed in the cluster. Allow me to demonstrate.

# helm install -f override.yaml --set linstorHttpsMethod=helm --set linstorSslMethod=helm linstor-op linstor/linstor

That’s all there is to it now. Just set those two options to helm, and helm will generate the keys, import them, and use them. When you run ‘linstor node list’, you’ll see (SSL) in the Addresses column for each node, indicating that the nodes are now communicating with SSL encryption.

 / $ linstor node list
╭───────────────────────────────────────────────────────────────────────────╮ 
┊ Node                    ┊ NodeType   ┊ Addresses                 ┊ State  ┊
╞═══════════════════════════════════════════════════════════════════════════╡
┊ kube-0                  ┊ SATELLITE  ┊ 192.168.222.40:3367 (SSL) ┊ Online ┊
┊ kube-1                  ┊ SATELLITE  ┊ 192.168.222.41:3367 (SSL) ┊ Online ┊
┊ kube-2                  ┊ SATELLITE  ┊ 192.168.222.42:3367 (SSL) ┊ Online ┊
┊ linstor-op-cs-controller┊ CONTROLLER ┊ 172.16.126.67:3367 (SSL)  ┊ Online ┊
┊ -547467669c-gwlk7       ┊            ┊                           ┊        ┊
╰───────────────────────────────────────────────────────────────────────────╯
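
To run this check automatically after an install, the following added example (not LINBIT's code) parses the table output shown above and lists every node whose address is not marked (SSL), including nodes whose long names wrap onto a second row. The kube-3 row with its (PLAIN) marker is constructed for illustration, and the function names are hypothetical.

```python
"""Check `linstor node list` table output for nodes not marked (SSL)."""
import sys

# Table from this page, plus one CONSTRUCTED row (kube-3) to show a failure.
# The "(PLAIN)" marker and port on that row are assumptions for illustration.
SAMPLE = """\
╭───────────────────────────────────────────────────────────────────────────╮
┊ Node                    ┊ NodeType   ┊ Addresses                 ┊ State  ┊
╞═══════════════════════════════════════════════════════════════════════════╡
┊ kube-0                  ┊ SATELLITE  ┊ 192.168.222.40:3367 (SSL) ┊ Online ┊
┊ kube-1                  ┊ SATELLITE  ┊ 192.168.222.41:3367 (SSL) ┊ Online ┊
┊ kube-2                  ┊ SATELLITE  ┊ 192.168.222.42:3367 (SSL) ┊ Online ┊
┊ kube-3                  ┊ SATELLITE  ┊ 192.168.222.43:3366 (PLAIN) ┊ Online ┊
┊ linstor-op-cs-controller┊ CONTROLLER ┊ 172.16.126.67:3367 (SSL)  ┊ Online ┊
┊ -547467669c-gwlk7       ┊            ┊                           ┊        ┊
╰───────────────────────────────────────────────────────────────────────────╯
"""

def parse_nodes(table):
    """Return (name, node_type, address, state) tuples from the table text."""
    nodes = []
    for line in table.splitlines():
        line = line.strip()
        if not line.startswith("┊"):
            continue  # border rows and anything that is not a table row
        cells = [c.strip() for c in line.strip("┊").split("┊")]
        if len(cells) != 4 or cells[0] == "Node":
            continue  # header row or unexpected layout
        name, node_type, address, state = cells
        if nodes and not node_type and not address:
            # Continuation row: a long node name wrapped onto the next line.
            prev = nodes[-1]
            nodes[-1] = (prev[0] + name,) + prev[1:]
            continue
        nodes.append((name, node_type, address, state))
    return nodes

def nodes_without_ssl(table):
    """Names of nodes whose address cell does not end with the (SSL) marker."""
    return [n[0] for n in parse_nodes(table) if not n[2].endswith("(SSL)")]

if __name__ == "__main__":
    # Reads piped output from stdin; falls back to the embedded sample.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    bad = nodes_without_ssl(text)
    for name in bad:
        print(f"node not using SSL: {name}")
    sys.exit(1 if bad else 0)
```
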

Securing communication between LINSTOR components, especially client communication with the API, can be an invaluable security measure. The LINSTOR Controller is a sensitive resource. In an insecure environment, a malicious party could make calls to the API that destroy data by deleting or removing volumes managed by LINSTOR.

Devin Vance

First introduced to Linux back in 1996, and using Linux almost exclusively by 2005, Devin has years of Linux administration and systems engineering under his belt. He has been deploying and improving clusters with LINBIT since 2011. When not at the keyboard, you can usually find Devin wrenching on an American motorcycle or down at one of the local bowling alleys.
