LINSTOR has featured TLS and SSL security for some time. This security is for communication between the LINSTOR nodes and the client to the API. However, implementing this was not trivial. If you want to see the nitty-gritty details, peep a snapshot of the LINSTOR User’s Guide on the Wayback Machine before March 2022.
The gist of it, though, was that you had to generate a whole PKI with ‘keytool’. Then import those keys with ‘keytool’ and stuff those keys into a Kubernetes secret. You had to do this for both the controller and satellites. Then you had to repeat this process for the SSL for the client to API communication. This resulted in a procedure of 14 lengthy commands you had to run before issuing your ‘helm install.’
The procedure described above is no longer the only way to secure your LINSTOR deployment in Kubernetes. Here’s a link to our recent patch to our operator (many thanks to Andrei Kvapil!).
All that is needed is to simply tell helm to use TLS security and SSL security. Then, helm will automatically generate and import all the required keys and certs. Please note you can use either ‘helm’ or ‘cert-manager’. The latter requires cert-manager to be installed in the cluster. Allow me to demonstrate.
# helm install -f override.yaml --set linstorHttpsMethod=helm --set linstorSslMethod=helm linstor-op linstor/linstor
That’s all there is to it, now. Just set those two options to helm, and helm will generate the keys, import them, and utilize them. When you make a LINSTOR node list, you’ll see the (SSL) next to the node names to indicate the nodes are now communicating with SSL encryption.
$ linstor node list ╭──────────────────────────────────────────────────────────────────────────────╮ ┊ Node ┊ NodeType ┊ Addresses ┊ State ┊ ╞══════════════════════════════════════════════════════════════════════════════╡ ┊ kube-0 ┊ SATELLITE ┊ 192.168.222.40:3367 (SSL) ┊ Online ┊ ┊ kube-1 ┊ SATELLITE ┊ 192.168.222.41:3367 (SSL) ┊ Online ┊ ┊ kube-2 ┊ SATELLITE ┊ 192.168.222.42:3367 (SSL) ┊ Online ┊ ┊ linstor-op-cs-controller ┊ CONTROLLER ┊ 172.16.126.67:3367 (SSL) ┊ Online ┊ ┊ -547467669c-gwlk7 ┊ ┊ ┊ ┊ ╰──────────────────────────────────────────────────────────────────────────────╯
Securing communication between LINSTOR components, especially the client communication to the API, can be an invaluable security measure. The LINSTOR Controller is a sensitive resource. A malicious party could make calls to the API in an insecure environment that could destroy data by deleting or removing volumes managed by LINSTOR.