From 1ecc26bccc91dde21367f9cacd0ed597c4b159c9 Mon Sep 17 00:00:00 2001 From: Ivaylo Novakov Date: Fri, 8 Jan 2021 11:43:32 +0100 Subject: [PATCH] Secure CockroachDB. --- README.md | 36 ++++++++++++++++++++++++++ docker-compose.yml | 6 +++-- setup-scripts/setup-docker-services.sh | 2 ++ 3 files changed, 42 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index f4adde6f..a4f85a95 100644 --- a/README.md +++ b/README.md @@ -111,6 +111,42 @@ While you can directly put the output of this programme into the file mentioned above, you can also remove the public key from the set and change the `kid` of the private key to not include the prefix `private:`. + +### CockroachDB Setup + +Kratos uses CockroachDB to store its data. For that data to be shared across all +nodes that comprise your portal cluster setup, we need to set up a CockroachDB +cluster, complete with secure communication. + +#### Generate the certificates for secure communication + +For a detailed walk-through, please check [this guide](https://www.cockroachlabs.com/docs/v20.2/secure-a-cluster.html) out. + +Steps: +1. Start a local cockroach docker instance: + `docker run -d -v ":/cockroach/cockroach-secure" --name=crdb cockroachdb/cockroach start --insecure` +1. Get a shall into that instance: `docker exec -it crdb /bin/bash` +1. Go to the directory we which we mapped to a local dir: `cd /cockroach/cockroach-secure` +1. Create the subdirectories in which to create certificates and keys: `mkdir certs my-safe-directory` +1. Create the CA (Certificate Authority) certificate and key pair: `cockroach cert create-ca --certs-dir=certs --ca-key=my-safe-directory/ca.key` +1. Create a client certificate and key pair for the root user: `cockroach cert create-client root --certs-dir=certs --ca-key=my-safe-directory/ca.key` +1. Create the certificate and key pair for your nodes: `cockroach cert create-node mynode.siasky.net --certs-dir=certs --ca-key=my-safe-directory/ca.key` + 1. If you want to create certificates for more nodes, just delete the `node.*` + files (after you've finished the next step!) and re-run the above + command with the new node name. +1. Put the contents of the `certs` folder in `.certs/` under your portal's root + dir and store the content of `my-safe-directory` somewhere safe. + +#### Configure your CockroachDB node + +There is some configuration that needs to be added to your `.env`file, namely: +1. CR_NODE - the name of your node +1. CR_IP - the public IP of your node +1. CR_CLUSTER_NODES - a list of IPs and ports which make up your cluster, e.g. + `95.216.13.185:26257,147.135.37.21:26257,144.76.136.122:26257`. This will be + the list of nodes that will make up your cluster, so make sure those are + accurate. + ## Contributing ### Testing Your Code diff --git a/docker-compose.yml b/docker-compose.yml index ee10ec1c..2c0c6a5b 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -280,12 +280,14 @@ services: ipv4_address: 10.10.10.83 cockroachd: - image: cockroachdb/cockroach:v20.1.0 + image: cockroachdb/cockroach:v20.1.10 container_name: cockroachd - command: start --insecure + command: start --advertise-addr=$CR_IP --join=$CR_CLUSTER_NODES --certs-dir=/certs --listen-addr=0.0.0.0:26257 --http-addr=0.0.0.0:8080 volumes: - kratos-sqlite:/cockroach/cockroach-data + - ./.cr_certs:/certs expose: + - 8080 - 26257 networks: shared: diff --git a/setup-scripts/setup-docker-services.sh b/setup-scripts/setup-docker-services.sh index c95ddc7a..18065686 100755 --- a/setup-scripts/setup-docker-services.sh +++ b/setup-scripts/setup-docker-services.sh @@ -37,6 +37,8 @@ docker-compose --version # sanity check # * COOKIE_DOMAIN - (optional) if using `accounts` this is the domain to which your cookies will be issued # * COOKIE_HASH_KEY - (optional) if using `accounts` hashing secret, at least 32 bytes # * COOKIE_ENC_KEY - (optional) if using `accounts` encryption key, at least 32 bytes +# * CR_IP - (optional) if using `accounts` the public IP/domain of your server, e.g. `helsinki.siasky.net` +# * CR_CLUSTER_NODES - (optional) if using `accounts` the list of servers (with ports) which make up your CockroachDB cluster, e.g. `helsinki.siasky.net:26257,germany.siasky.net:26257,us-east.siasky.net:26257` if ! [ -f /home/user/skynet-webportal/.env ]; then HSD_API_KEY=$(openssl rand -base64 32) # generate safe random key for handshake printf "DOMAIN_NAME=example.com\nEMAIL_ADDRESS=email@example.com\nSIA_WALLET_PASSWORD=\nHSD_API_KEY=${HSD_API_KEY}\nCLOUDFLARE_AUTH_TOKEN=\nAWS_ACCESS_KEY_ID=\nAWS_SECRET_ACCESS_KEY=\nPORTAL_NAME=\nDISCORD_BOT_TOKEN=\n" > /home/user/skynet-webportal/.env