Deploy SSL Enabled CockroachDB Cluster on Docker
Happy devSecOps
Background
In my previous post I discussed deploying a multi-region CockroachDB cluster with Kubernetes. In this post I discuss deploying an SSL-enabled CockroachDB cluster on Docker. All the deployment files related to this post are available on GitLab. Please clone the repo and follow along with the post.
Cluster Setup
I'm deploying a three-node CockroachDB cluster on Docker. In this example all three nodes run on the same machine, but you can just as easily deploy them on different machines. Following is the cluster configuration. I have set up Docker with Minikube on my local macOS machine (my previous post covers setting up Docker with Minikube in detail). The IP address 192.168.64.52 is the Minikube IP of my local Docker environment, which plays the same role as the local machine IP on Linux. Every CockroachDB node is given the same IP address since I'm deploying the cluster on a single machine. When deploying the cluster on different machines (e.g. AWS cloud instances) you would use the IP addresses of those machines.
Generate Certificates
To set up an SSL-enabled cluster, I first have to generate the SSL certificates. Three types of certificate are needed: 1) the certificate of the Certificate Authority (CA), 2) certificates for the CockroachDB nodes, and 3) certificates for the clients. Certificates are generated with the cockroach cert command provided by CockroachDB. The cockroach cert commands can be run from a running CockroachDB Docker instance (inside the container). For the initial setup you can start a single CockroachDB instance in insecure mode, connect to it and generate the certificates with the cockroach cert command. Following is the way to generate the different certificates.
Copy Certificates to Nodes
To start a CockroachDB node with SSL enabled, we need to specify the certificate location in the cockroach start command. For that, the certificates (CA certificate, node certificate and client certificate) need to be copied onto each and every node in the cluster. In this scenario I have copied the certificates into the Docker containers. To get the certificates inside the containers, I have used Docker volumes: I created a volume directory for each CockroachDB instance on the host machine and copied the certificates into those directories. Following are the certificate directory volumes I have created on the host machine. These volumes are mapped to the /certs directory inside the CockroachDB Docker containers.
Cluster Deployment
Following is the docker-compose.yml deployment of the cluster. When starting the nodes, I'm passing the certificate directory path (--certs-dir=/certs) that resides in the container. It is mapped to the /private/var/services/librum/cockroach* directories on the host. The first node is the seed node of the cluster. When starting the second and third nodes, I'm specifying the seed node with --join=${COCKROACH1_HOST}:26257. Two Docker volumes are mapped into each container: the data directory and the certificate directory.
Following is the .env file, which defines the environment variables related to the CockroachDB instances. It mainly defines the seed node IP, the host IP addresses of the CockroachDB instances and the volume paths.
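As an added example (not the post's own docker-compose.yml, which lives in the linked repo), here is a three-node secure compose file in the shape described above. It goes slightly beyond the text in that every node lists the full join set, as current CockroachDB releases require, rather than only the seed; the COCKROACHn_DATA and COCKROACHn_CERTS variables and the per-node ports are assumptions for the .env file, since all three nodes share one host IP.

```yaml
version: "3.7"
# Shared settings for every node (YAML anchor, merged with <<: *node below).
x-node: &node
  image: cockroachdb/cockroach:latest   # pin a release tag in a real deployment
  restart: unless-stopped

services:
  cockroach1:
    <<: *node
    container_name: cockroach1
    # --advertise-addr must match a SAN baked into node.crt (cockroach cert create-node),
    # otherwise peers and clients reject the TLS handshake.
    command: >-
      start --certs-dir=/certs --store=/cockroach/cockroach-data
      --listen-addr=0.0.0.0:26257 --http-addr=0.0.0.0:8080
      --advertise-addr=${COCKROACH1_HOST}:26257
      --join=${COCKROACH1_HOST}:26257,${COCKROACH2_HOST}:26258,${COCKROACH3_HOST}:26259
    ports: ["26257:26257", "8080:8080"]
    volumes:
      - ${COCKROACH1_DATA}:/cockroach/cockroach-data
      # Mounted read-only; holds ca.crt, node.crt and node.key (mode 0600) only.
      # ca.key stays on the host that signs certificates and is never copied to a node.
      - ${COCKROACH1_CERTS}:/certs:ro

  cockroach2:
    <<: *node
    container_name: cockroach2
    command: >-
      start --certs-dir=/certs --store=/cockroach/cockroach-data
      --listen-addr=0.0.0.0:26258 --http-addr=0.0.0.0:8081
      --advertise-addr=${COCKROACH2_HOST}:26258
      --join=${COCKROACH1_HOST}:26257,${COCKROACH2_HOST}:26258,${COCKROACH3_HOST}:26259
    ports: ["26258:26258", "8081:8081"]
    volumes:
      - ${COCKROACH2_DATA}:/cockroach/cockroach-data
      - ${COCKROACH2_CERTS}:/certs:ro

  cockroach3:
    <<: *node
    container_name: cockroach3
    command: >-
      start --certs-dir=/certs --store=/cockroach/cockroach-data
      --listen-addr=0.0.0.0:26259 --http-addr=0.0.0.0:8082
      --advertise-addr=${COCKROACH3_HOST}:26259
      --join=${COCKROACH1_HOST}:26257,${COCKROACH2_HOST}:26258,${COCKROACH3_HOST}:26259
    ports: ["26259:26259", "8082:8082"]
    volumes:
      - ${COCKROACH3_DATA}:/cockroach/cockroach-data
      - ${COCKROACH3_CERTS}:/certs:ro
```

After docker-compose up -d, the cluster still needs a one-time cockroach init --certs-dir=/certs --host=${COCKROACH1_HOST}:26257 from inside any node container; until then the nodes wait for initialisation and refuse SQL connections.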
Start Cluster
Following is the way to start the cluster. First start the seed node, then the second and third nodes. Once the cluster is started, I have to connect to one cluster node, init the cluster and create a user. With the created user I can connect to the CockroachDB web frontend and view the cluster status.
References
- https://www.techrepublic.com/article/deploy-cockroachdb-cluster-secure-mode/
- https://www.howtoforge.com/how-to-deploy-secure-cockroachdb-cluster-on-ubuntu-server/
- https://upcloud.com/community/tutorials/install-cockroachdb-secure-database-cluster/
- https://www.cockroachlabs.com/docs/stable/cockroach-cert.html
- https://www.digitalocean.com/community/tutorials/how-to-deploy-cockroachdb-on-a-three-node-cluster-on-ubuntu-16-04
- https://medium.com/rahasak/multi-region-cockroachdb-cluster-on-kubernetes-32c95263d802
- https://kb.objectrocket.com/cockroachdb/install-and-run-the-cockroachdb-client-part-2-1384