Secure CockroachDB.

This commit is contained in:
Ivaylo Novakov 2021-01-08 11:43:32 +01:00
parent ed95ef6585
commit 1ecc26bccc
No known key found for this signature in database
GPG Key ID: 06B9354AB08BE9C6
3 changed files with 42 additions and 2 deletions

View File

@ -111,6 +111,42 @@ While you can directly put the output of this programme into the file mentioned
above, you can also remove the public key from the set and change the `kid` of above, you can also remove the public key from the set and change the `kid` of
the private key to not include the prefix `private:`. the private key to not include the prefix `private:`.
### CockroachDB Setup
Kratos uses CockroachDB to store its data. For that data to be shared across all
nodes that comprise your portal cluster setup, we need to set up a CockroachDB
cluster, complete with secure communication.
#### Generate the certificates for secure communication
For a detailed walk-through, please check [this guide](https://www.cockroachlabs.com/docs/v20.2/secure-a-cluster.html) out.
Steps:
1. Start a local cockroach docker instance:
`docker run -d -v "<local dir>:/cockroach/cockroach-secure" --name=crdb cockroachdb/cockroach start --insecure`
1. Get a shall into that instance: `docker exec -it crdb /bin/bash`
1. Go to the directory we which we mapped to a local dir: `cd /cockroach/cockroach-secure`
1. Create the subdirectories in which to create certificates and keys: `mkdir certs my-safe-directory`
1. Create the CA (Certificate Authority) certificate and key pair: `cockroach cert create-ca --certs-dir=certs --ca-key=my-safe-directory/ca.key`
1. Create a client certificate and key pair for the root user: `cockroach cert create-client root --certs-dir=certs --ca-key=my-safe-directory/ca.key`
1. Create the certificate and key pair for your nodes: `cockroach cert create-node mynode.siasky.net --certs-dir=certs --ca-key=my-safe-directory/ca.key`
1. If you want to create certificates for more nodes, just delete the `node.*`
files (after you've finished the next step!) and re-run the above
command with the new node name.
1. Put the contents of the `certs` folder in `.certs/` under your portal's root
dir and store the content of `my-safe-directory` somewhere safe.
#### Configure your CockroachDB node
There is some configuration that needs to be added to your `.env`file, namely:
1. CR_NODE - the name of your node
1. CR_IP - the public IP of your node
1. CR_CLUSTER_NODES - a list of IPs and ports which make up your cluster, e.g.
`95.216.13.185:26257,147.135.37.21:26257,144.76.136.122:26257`. This will be
the list of nodes that will make up your cluster, so make sure those are
accurate.
## Contributing ## Contributing
### Testing Your Code ### Testing Your Code

View File

@ -280,12 +280,14 @@ services:
ipv4_address: 10.10.10.83 ipv4_address: 10.10.10.83
cockroachd: cockroachd:
image: cockroachdb/cockroach:v20.1.0 image: cockroachdb/cockroach:v20.1.10
container_name: cockroachd container_name: cockroachd
command: start --insecure command: start --advertise-addr=$CR_IP --join=$CR_CLUSTER_NODES --certs-dir=/certs --listen-addr=0.0.0.0:26257 --http-addr=0.0.0.0:8080
volumes: volumes:
- kratos-sqlite:/cockroach/cockroach-data - kratos-sqlite:/cockroach/cockroach-data
- ./.cr_certs:/certs
expose: expose:
- 8080
- 26257 - 26257
networks: networks:
shared: shared:

View File

@ -37,6 +37,8 @@ docker-compose --version # sanity check
# * COOKIE_DOMAIN - (optional) if using `accounts` this is the domain to which your cookies will be issued # * COOKIE_DOMAIN - (optional) if using `accounts` this is the domain to which your cookies will be issued
# * COOKIE_HASH_KEY - (optional) if using `accounts` hashing secret, at least 32 bytes # * COOKIE_HASH_KEY - (optional) if using `accounts` hashing secret, at least 32 bytes
# * COOKIE_ENC_KEY - (optional) if using `accounts` encryption key, at least 32 bytes # * COOKIE_ENC_KEY - (optional) if using `accounts` encryption key, at least 32 bytes
# * CR_IP - (optional) if using `accounts` the public IP/domain of your server, e.g. `helsinki.siasky.net`
# * CR_CLUSTER_NODES - (optional) if using `accounts` the list of servers (with ports) which make up your CockroachDB cluster, e.g. `helsinki.siasky.net:26257,germany.siasky.net:26257,us-east.siasky.net:26257`
if ! [ -f /home/user/skynet-webportal/.env ]; then if ! [ -f /home/user/skynet-webportal/.env ]; then
HSD_API_KEY=$(openssl rand -base64 32) # generate safe random key for handshake HSD_API_KEY=$(openssl rand -base64 32) # generate safe random key for handshake
printf "DOMAIN_NAME=example.com\nEMAIL_ADDRESS=email@example.com\nSIA_WALLET_PASSWORD=\nHSD_API_KEY=${HSD_API_KEY}\nCLOUDFLARE_AUTH_TOKEN=\nAWS_ACCESS_KEY_ID=\nAWS_SECRET_ACCESS_KEY=\nPORTAL_NAME=\nDISCORD_BOT_TOKEN=\n" > /home/user/skynet-webportal/.env printf "DOMAIN_NAME=example.com\nEMAIL_ADDRESS=email@example.com\nSIA_WALLET_PASSWORD=\nHSD_API_KEY=${HSD_API_KEY}\nCLOUDFLARE_AUTH_TOKEN=\nAWS_ACCESS_KEY_ID=\nAWS_SECRET_ACCESS_KEY=\nPORTAL_NAME=\nDISCORD_BOT_TOKEN=\n" > /home/user/skynet-webportal/.env