Encrypting communication with Etcd
StorageOS supports secure communication with an external etcd cluster using mutual TLS (mTLS). With mTLS both StorageOS and etcd authenticate each other ensuring that communication only happens between mutually authenticated end points, and that all communication is encrypted.
StorageOS uses the certificates and keys from a Secret to cypher and authenticate Etcd traffic.
How to create the certificates Secret
The client auth certificates need the following file names, in the Secret.
- etcd-client-ca.crt - containing the etcd Certificate Authority certificate
- etcd-client.crt - containing the etcd Client certificate
- etcd-client.key - containing the etcd Client key
kubectl create secret -n storageos-etcd generic \
etcd-client-tls \
--from-file="etcd-client-ca.crt" \
--from-file="etcd-client.crt" \
--from-file="etcd-client.key"
How to use the mTLS certificates Secret with StorageOS
Below is an example StorageOSCluster resource that can be used to setup StorageOS with etcd using mTLS.
apiVersion: storageos.com/v1
kind: StorageOSCluster
metadata:
name: storageos-cluster
namespace: "storageos-operator"
spec:
# StorageOS Pods are in kube-system by default
secretRefName: "storageos-api"
secretRefNamespace: "default"
images:
nodeContainer: "storageos/node:v2.4.4"
namespace: "storageos"
# External mTLS secured etcd cluster specific properties
tlsEtcdSecretRefName: "etcd-client-tls" # Secret containing etcd client certificates
tlsEtcdSecretRefNamespace: "etcd" # Namespace of the client certificates secret
kvBackend:
address: "https://storageos-etcd-cluster-client.storagos-etcd.svc:2379" # Etcd client service address.
backend: "etcd" # Backend type
tlsEtcdSecretRefName
and tlsEtcdSecretRefNamespace
are used to pass a
reference to the Secret.
The StorageOS operator uses the etcd secret that contains the client certificates, to build a secret in the StorageOS installation namespace. This secret contains the certificate filenames and certificate file contents. The StorageOS daemonset that is created by the operator mounts the secret as a volume so that the certificate files are available inside the pod. Environment variables containing the file paths are passed to the StorageOS process in order to use the files from the mounted path.
A worked example of setting up StorageOS with external etcd using mTLS is available here. For ease of use the example uses the CoreOS etcd operator and the CoreOS guide The example uses the CoreOS etcd operator and follows the CoreOS guide for Cluster TLS.