Crypto all the things #1234

Closed
fsouza opened this issue Jul 11, 2015 · 2 comments

Comments

@fsouza (Contributor) commented Jul 11, 2015

I've been thinking about how we would add TLS and encryption in every layer. Currently, there are two kinds of services: internal services, consumed by tsuru components, and external services, consumed by external clients (tsuru API and the router).

External services require a valid certificate, issued by a CA of trust to all external clients. Internal services could use a CA trusted only by tsuru components.

tsuru API already supports TLS. #1206 is open to address TLS in the router (if the router supports SNI, or something like that). I'd like to propose extending TLS support to other components.

Gandalf does not support TLS yet (see tsuru/gandalf#192). The information that flows through Gandalf is not very sensitive (public SSH keys, user emails and repository names), but it would be nice to have

Application containers can terminate TLS today, as long as they provide their own certificate and private key, which isn't nice (imagine an open source application that is also deployed on tsuru).

Docker and Docker Registry also support TLS, but we don't use it today.
#1223 should address some kind of certificate management in tsuru, because Docker Machine will spawn TLS-enabled Docker hosts. Docker and Docker Registry are both internal services, consumed only by tsuru components.

What I propose here, for internal services, is:

  • create a CA for tsuru, and ensure that all components trust this authority
  • automatically generate private keys and certificates for application (i.e. each application will have a private key and a certificate stored inside the containers, so application could terminate TLS without having to )
  • automatically generate private keys and certificates for Docker nodes created via the IaaS interface (including Docker Machine)
  • use a certificate generated by tsuru CA for Docker Registry, Gandalf and other TLS-capable internal services (e.g.: vulcand admin API)

Any thoughts on this?
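
An added example, not code from tsuru or from this issue, of the internal-CA part of the proposal: a self-signed tsuru root, short-lived leaf certificates issued to internal services (Docker nodes, the registry, app containers), and the client-side check that trusts only that root rather than the system CA bundle. It assumes Go's standard crypto/x509 with Ed25519 keys (swap in ECDSA P-256 if a peer's TLS stack lacks Ed25519); the function names and the "tsuru internal CA" subject are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue makes a fresh Ed25519 key for tmpl and has parentKey sign it; a nil parent means self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl.SerialNumber, _ = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)) // unique, unpredictable serial
	if parent == nil { // the tsuru root CA signs itself
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}
// NewTsuruCA (hypothetical name) builds the root that every tsuru component is configured to trust.
func NewTsuruCA() (*x509.Certificate, ed25519.PrivateKey, error) {
	return issue(&x509.Certificate{
		Subject: pkix.Name{CommonName: "tsuru internal CA"}, IsCA: true, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(10, 0, 0),
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, MaxPathLenZero: true, // no intermediates
	}, nil, nil)
}
// IssueInternalCert signs a 3-month leaf for one Docker node, registry or app container (ClientAuth: it can also call peers).
func IssueInternalCert(ca *x509.Certificate, caKey ed25519.PrivateKey, dnsName string) (*x509.Certificate, ed25519.PrivateKey, error) {
	return issue(&x509.Certificate{
		DNSNames: []string{dnsName}, KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(0, 3, 0),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}, ca, caKey)
}
// VerifyInternal is the client side: trust only the tsuru CA (not the system roots) and pin the host name.
func VerifyInternal(leaf, ca *x509.Certificate, dnsName string) ([][]*x509.Certificate, error) {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: dnsName})
}
```

A component would load the returned CA certificate into `tls.Config.RootCAs` (and, for Docker-style mutual TLS, `ClientCAs`) and present its own leaf via `tls.Config.Certificates`.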

@saliceti commented Sep 5, 2015

https://github.com/tsuru/dockerized-setup uses docker-machine to create the tsuru admin docker node.
Then we should be able to add new docker nodes via docker-machine.
But it doesn't work because the nodes are created with TLS verification and tsuru doesn't support it.

@github-actions commented: This issue is 2568 days old, marking as stale! cc: @fsouza
