diff options
Diffstat (limited to 'docs/usecases/contiv/SECURITY.md')
| -rw-r--r-- | docs/usecases/contiv/SECURITY.md | 104 |
1 files changed, 0 insertions, 104 deletions
diff --git a/docs/usecases/contiv/SECURITY.md b/docs/usecases/contiv/SECURITY.md deleted file mode 100644 index 40c5250e311..00000000000 --- a/docs/usecases/contiv/SECURITY.md +++ /dev/null @@ -1,104 +0,0 @@ -# Security - -There are two types of security that are utilized in Contiv, and are discussed in this section: [HTTP](#http-security) and [ETCD](#etcd-security). - -## HTTP Security - -By default, the access to endpoints (liveness, readiness probe, prometheus stats, ...) served by Contiv-vswitch and -Contiv-ksr is open to anybody. Contiv-vswitch exposes endpoints using port `9999` and contiv-ksr uses `9191`. - -To secure access to the endpoints, the SSL/TLS server certificate and basic auth (username password) can be configured. - -In Contiv-VPP, this can be done using the Helm charts in [k8s/contiv-vpp folder](https://github.com/contiv/vpp/tree/master/k8s/contiv-vpp). - -To generate server certificate the approach described in [ETCD security](#etcd-security) can be leveraged. - -## ETCD Security - -By default, the access to Contiv-VPP ETCD is open to anybody. ETCD gets deployed -on the master node, on port `12379`, and is exposed using the NodePort service -on port `32379`, on each node. - -To secure access to ETCD, we recommend using the SSL/TLS certificates to authenticate -both the client and server side, and encrypt the communication. In Contiv-VPP, this can be done using the Helm charts in [k8s/contiv-vpp folder](https://github.com/contiv/vpp/tree/master/k8s/contiv-vpp). - -The prerequisite for that is the generation of SSL certificates. - - -### Generate Self-Signed Certificates -In order to secure ETCD, we need to create our own certificate authority, -and then generate the private keys and certificates for both the ETCD server and ETCD clients. - -This guide uses CloudFlare's [cfssl](https://github.com/cloudflare/cfssl) tools to do this job. -It follows the steps described in this [CoreOS guide](https://github.com/coreos/docs/blob/master/os/generate-self-signed-certificates.md). - -Perform the following steps to generate private keys and certificates: - -##### 1. Install cfssl -``` -mkdir ~/bin -curl -s -L -o ~/bin/cfssl https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -curl -s -L -o ~/bin/cfssljson https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -chmod +x ~/bin/{cfssl,cfssljson} -export PATH=$PATH:~/bin -``` - -##### 2. Initialize a Certificate Authority -``` -echo '{"CN":"CA","key":{"algo":"rsa","size":2048}}' | cfssl gencert -initca - | cfssljson -bare ca - -echo '{"signing":{"default":{"expiry":"43800h","usages":["signing","key encipherment","server auth","client auth"]}}}' > ca-config.json -``` - -##### 3. Generate Server Key + Certificate -Replace the IP address `10.0.2.15` below with the IP address of your master node: -``` -export ADDRESS=127.0.0.1,10.0.2.15 -export NAME=server -echo '{"CN":"'$NAME'","hosts":[""],"key":{"algo":"rsa","size":2048}}' | cfssl gencert -config=ca-config.json -ca=ca.pem -ca-key=ca-key.pem -hostname="$ADDRESS" - | cfssljson -bare $NAME -``` - -##### 4. Generate Client Key + Certificate -``` -export ADDRESS= -export NAME=client -echo '{"CN":"'$NAME'","hosts":[""],"key":{"algo":"rsa","size":2048}}' | cfssl gencert -config=ca-config.json -ca=ca.pem -ca-key=ca-key.pem -hostname="$ADDRESS" - | cfssljson -bare $NAME -``` - -The above commands produce the following files that will be needed in order to secure ETCD: - - `ca.pem`: certificate of the certificate authority - - `server.pem`: certificate of the ETCD server - - `server-key.pem`: private key of the ETCD server - - `client.pem`: certificate for the ETCD clients - - `client-key.pem`: private key for the ETCD clients - - -### Distribute Certificates and Generate Contiv-VPP Deployment Yaml -There are two options for distributing the certificates to all nodes in a k8s cluster. -You can either distribute the certificates -[manually](#distribute-certificates-manually), or embed the certificates into the deployment yaml file and -distribute them as [k8s secrets](https://kubernetes.io/docs/concepts/configuration/secret/). - -##### Distribute Certificates Manually -In this case, you need to copy the `ca.pem`, `client.pem` and `client-key.pem` files -into a specific folder (`/var/contiv/etcd-secrets` by default) on each worker node. -On the master node, you also need to add the `server.pem` and `server-key.pem` into that location. - -Then you can generate the Contiv-VPP deployment YAML as follows: -``` -cd k8s -helm template --name my-release contiv-vpp --set etcd.secureTransport=True > contiv-vpp.yaml -``` -Then you can go ahead and deploy Contiv-VPP using this yaml file. - -##### Embed the certificates into deployment the yaml and use k8s secret to distribute them {: #Embed-certificates } -In this case, you need to copy all 5 generated files into the folder with helm definitions -(`k8s/contiv-vpp`) and generate the Contiv-VPP deployment YAML as follows: -``` -cd k8s -helm template --name my-release contiv-vpp --set etcd.secureTransport=True --set etcd.secrets.mountFromHost=False > contiv-vpp.yaml -``` -Then just deploy Contiv-VPP using this yaml file. - -Please note that the path of the mount folder with certificates, as well as the certificate -file names can be customized using the config parameters of the Contiv-VPP chart, -as described in [this README](https://github.com/contiv/vpp/blob/master/k8s/contiv-vpp/README.md).
\ No newline at end of file |