Deploy SSL Enabled CockroachDB Cluster on Docker

Happy devSecOps

(λx.x)eranga
Effectz.AI
3 min read · May 24, 2022


Background

In my previous post I discussed deploying a multi-region CockroachDB cluster on Kubernetes. In this post I'm going to discuss deploying an SSL-enabled CockroachDB cluster on Docker. All the deployment files related to this post are available on GitLab. Please clone the repo and follow along with the post.

Cluster Setup

I'm deploying a three-node CockroachDB cluster on Docker. In this example all three nodes run on the same machine, but you can just as easily deploy them on different machines. The cluster configuration is shown below. I run Docker with Minikube on my local macOS machine (my previous post covers setting up Docker with Minikube in detail). The 192.168.64.52 IP address is the Minikube IP of my local Docker environment, which plays the role of the local machine IP on Linux. Each CockroachDB node is given the same IP address since I'm deploying the cluster on a single machine. When deploying the cluster on different machines (e.g. AWS cloud instances) you would use the IP addresses of those machines.

Generate Certificates

To set up an SSL-enabled cluster, I first have to generate the SSL certificates. Three types of certificate are needed: 1) the certificate of the Certificate Authority (CA), 2) certificates for the CockroachDB nodes, 3) certificates for the clients. They can be generated with the cockroach cert command provided by CockroachDB. The cockroach cert command can be run from inside a running CockroachDB Docker container. For the initial setup you can start a single CockroachDB instance in insecure mode, connect to it and generate the certificates via cockroach cert. Following is the way to generate the different certificates.
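As an added example (not the post's own gist), the three-tier layout that cockroach cert produces, built with openssl instead so it can be inspected offline: a CA, a node certificate whose CN is "node" and whose SANs cover the advertised addresses, and a client certificate whose CN is the SQL user. The output directory, the SAN list and the root user name are assumptions.

```shell
#!/bin/sh
# Constructed example: mirrors the CA / node / client certificate layout of
# `cockroach cert` using openssl. For a real cluster use cockroach cert itself.
set -eu

gen_certs() {
  dir="$1"        # output directory (assumed), e.g. certs/
  node_sans="$2"  # comma-separated SANs, e.g. "IP:192.168.64.52,DNS:localhost"
  mkdir -p "$dir"
  # 1) CA: self-signed. ca.key is what cockroach cert calls --ca-key; it is
  #    only needed for signing and should never be copied onto a node.
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Cockroach CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  # 2) node cert: CN must be "node"; every address the node listens on or
  #    advertises must appear in the SANs or peers/clients reject the handshake.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=node" \
    -keyout "$dir/node.key" -out "$dir/node.csr" 2>/dev/null
  printf 'subjectAltName=%s\n' "$node_sans" > "$dir/node.ext"
  openssl x509 -req -in "$dir/node.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 365 -extfile "$dir/node.ext" -out "$dir/node.crt" 2>/dev/null
  # 3) client cert: CN must equal the SQL user name (root here) because
  #    CockroachDB authenticates the user from the certificate subject.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=root" \
    -keyout "$dir/client.root.key" -out "$dir/client.root.csr" 2>/dev/null
  openssl x509 -req -in "$dir/client.root.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 365 -out "$dir/client.root.crt" 2>/dev/null
  chmod 600 "$dir"/*.key   # cockroach refuses keys that are world-readable
}

# Returns 0 when node.crt chains to ca.crt AND lists the given IP as a SAN.
verify_node_cert() {
  dir="$1"; want_ip="$2"
  openssl verify -CAfile "$dir/ca.crt" "$dir/node.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$dir/node.crt" -noout -text | grep -q "IP Address:$want_ip"
}

# Prints the CN of client.<user>.crt, the value CockroachDB matches to the SQL user.
client_cn() {
  openssl x509 -in "$1/client.$2.crt" -noout -subject | sed 's/.*CN *= *//'
}
```

Run gen_certs once on the machine that holds the CA key, then copy only ca.crt, node.* and client.* into each node's certificate volume.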

Copy Certificates to Nodes

To start a CockroachDB node with SSL enabled, the certificate location has to be specified in the cockroach start command. For that, the certificates (CA certificate, node certificate and client certificate) need to be copied onto each node in the cluster. In this scenario I copied the certificates into the Docker containers using Docker volumes: I created a volume directory for each CockroachDB instance on the host machine and copied the certificates into those directories. Following are the certificate directory volumes I created on the host machine. These volumes are mapped to the /certs directory inside the CockroachDB containers.

Cluster Deployment

Following is the docker-compose.yml deployment of the cluster. When starting the nodes, I pass the certificate directory path inside the container (--certs-dir=/certs), which is mapped to the /private/var/services/librum/cockroach* directories on the host. The first node is the seed node of the cluster. When starting the second and third nodes, I point them at the seed node with --join=${COCKROACH1_HOST}:26257. Two Docker volumes are mapped into each container: the data directory and the certificate directory.

Following is the .env file, which defines the environment variables for the CockroachDB instances. It mainly defines the seed node IP, the host IP addresses of the CockroachDB instances and the volume paths.

Start Cluster

Following is the way to start the cluster. First start the seed node, then the second and third nodes. Once the cluster is running, I connect to one of the nodes, initialize the cluster and create a user. With the created user I can log in to the CockroachDB web UI and view the cluster status.

