TLS Security in the LINSTOR SDS & Piraeus Kubernetes Operator

TLS Security

LINSTOR has featured TLS and SSL security for some time. This security is for communication between the LINSTOR nodes and the client to the API. However, implementing this was not trivial. If you want to see the nitty-gritty details, peep a snapshot of the LINSTOR User’s Guide on the Wayback Machine before March 2022.

The gist of it, though, was that you had to generate a whole PKI with ‘keytool’. Then import those keys with ‘keytool’ and stuff those keys into a Kubernetes secret. You had to do this for both the controller and satellites. Then you had to repeat this process for the SSL for the client to API communication. This resulted in a procedure of 14 lengthy commands you had to run before issuing your ‘helm install.’

The procedure described above is no longer the only way to secure your LINSTOR deployment in Kubernetes. Here’s a link to our recent patch to our operator (many thanks to Andrei Kvapil!).

All that is needed is to simply tell helm to use TLS security and SSL security. Then, helm will automatically generate and import all the required keys and certs. Please note you can use either ‘helm’ or ‘cert-manager’. The latter requires cert-manager to be installed in the cluster. Allow me to demonstrate.

# helm install -f override.yaml --set linstorHttpsMethod=helm --set linstorSslMethod=helm linstor-op linstor/linstor

That’s all there is to it, now. Just set those two options to helm, and helm will generate the keys, import them, and utilize them. When you make a LINSTOR node list, you’ll see the (SSL) next to the node names to indicate the nodes are now communicating with SSL encryption.

 

$ linstor node list
╭──────────────────────────────────────────────────────────────────────────────╮
┊ Node                       ┊ NodeType   ┊ Addresses                 ┊ State  ┊
╞══════════════════════════════════════════════════════════════════════════════╡
┊ kube-0                     ┊ SATELLITE  ┊ 192.168.222.40:3367 (SSL) ┊ Online ┊
┊ kube-1                     ┊ SATELLITE  ┊ 192.168.222.41:3367 (SSL) ┊ Online ┊
┊ kube-2                     ┊ SATELLITE  ┊ 192.168.222.42:3367 (SSL) ┊ Online ┊
┊ linstor-op-cs-controller   ┊ CONTROLLER ┊ 172.16.126.67:3367 (SSL)  ┊ Online ┊
┊ -547467669c-gwlk7          ┊            ┊                           ┊        ┊
╰──────────────────────────────────────────────────────────────────────────────╯

Securing communication between LINSTOR components, especially the client communication to the API, can be an invaluable security measure. The LINSTOR Controller is a sensitive resource. A malicious party could make calls to the API in an insecure environment that could destroy data by deleting or removing volumes managed by LINSTOR.

Share on facebook
Share on twitter
Share on linkedin
Share on reddit
Share on whatsapp
Share on vk
Share on email

Share this post

Devin

Devin

First introduced to Linux back in 1996, and using Linux almost exclusively by 2005, Devin has years of Linux administration and systems engineering under his belt. He has been deploying and improving clusters with LINBIT since 2011. When not at the keyboard, you can usually find Devin wrenching on an American motorcycle or down at one of the local bowling alleys.

Talk to us

LINBIT is committed to protecting and respecting your privacy, and we’ll only use your personal information to administer your account and to provide the products and services you requested from us. From time to time, we would like to contact you about our products and services, as well as other content that may be of interest to you. If you consent to us contacting you for this purpose, please tick above to say how you would like us to contact you.

You can unsubscribe from these communications at any time. For more information on how to unsubscribe, our privacy practices, and how we are committed to protecting and respecting your privacy, please review our Privacy Policy.

By clicking submit below, you consent to allow LINBIT to store and process the personal information submitted above to provide you the content requested.

Talk to us

LINBIT is committed to protecting and respecting your privacy, and we’ll only use your personal information to administer your account and to provide the products and services you requested from us. From time to time, we would like to contact you about our products and services, as well as other content that may be of interest to you. If you consent to us contacting you for this purpose, please tick above to say how you would like us to contact you.

You can unsubscribe from these communications at any time. For more information on how to unsubscribe, our privacy practices, and how we are committed to protecting and respecting your privacy, please review our Privacy Policy.

By clicking submit below, you consent to allow LINBIT to store and process the personal information submitted above to provide you the content requested.