From d94042bd6532a1fa43f34ae636ae162c59419a3d Mon Sep 17 00:00:00 2001
From: Thomas Kooi
Date: Sat, 28 Apr 2018 18:51:26 +0200
Subject: [PATCH] Add tls example
---
 README.md | 2 +-
 examples/remote-api-tls/README.md | 57 +++++++++++++++++++++++++++++++
 examples/remote-api-tls/main.tf | 55 +++++++++++++++++++++++++++++
 3 files changed, 113 insertions(+), 1 deletion(-)
 create mode 100644 examples/remote-api-tls/README.md
 create mode 100644 examples/remote-api-tls/main.tf
diff --git a/README.md b/README.md
index c410225..479e3e5 100644
--- a/README.md
+++ b/README.md
@@ -37,7 +37,7 @@ You can expose the Docker API to interact with the cluster remotely. This is don
 ```hcl
 module "swarm_mode_cluster" {
- source = "github.com/thojkooi/terraform-digitalocean-swarm-managers?ref=v0.3.0"
+ source = "github.com/thojkooi/terraform-digitalocean-swarm-managers?ref=v0.2.0"
 domain = "do.example.com" total_instances = 3
diff --git a/examples/remote-api-tls/README.md b/examples/remote-api-tls/README.md
new file mode 100644
index 0000000..0ae1e16
--- /dev/null
+++ b/examples/remote-api-tls/README.md
@@ -0,0 +1,57 @@ +# Remote API TLS + +Create managers and expose the Docker Remote API over TLS. + +For this, you need to create certificates and keys. + +### Creating CA and server certificates + +This is an example using cfssl, following the [CoreOS self signed certificates](https://coreos.com/os/docs/latest/generate-self-signed-certificates.html) docs. + +More references can be found: + +- https://coreos.com/os/docs/latest/generate-self-signed-certificates.html +- https://docs.docker.com/engine/security/https/#create-a-ca-server-and-client-keys-with-openssl + + +```bash +echo '{"CN":"CA","key":{"algo":"rsa","size":4096}}' | cfssl gencert -initca - | cfssljson -bare ca - +echo '{"signing":{"default":{"expiry":"43800h","usages":["signing","key encipherment","server auth","client auth"]}}}' > ca-config.json +export ADDRESS=example.com +export NAME=server +echo '{"CN":"'$NAME'","hosts":[""],"key":{"algo":"rsa","size":4096}}' | cfssl gencert -config=ca-config.json -ca=ca.pem -ca-key=ca-key.pem -hostname="$ADDRESS" - | cfssljson -bare $NAME +``` + +Upgrade the `ADDRESS` variable to match the host name / address used to access the Docker API. + +### Create the client certificates + +```bash +export ADDRESS= +export NAME=client +echo '{"CN":"'$NAME'","hosts":[""],"key":{"algo":"rsa","size":4096}}' | cfssl gencert -config=ca-config.json -ca=ca.pem -ca-key=ca-key.pem -hostname="$ADDRESS" - | cfssljson -bare $NAME +``` + +### Create the managers + +``` +$ terraform apply + +data.template_file.provision_manager: Refreshing state... +data.template_file.provision_first_manager: Refreshing state... + +An execution plan has been generated and is shown below. +Resource actions are indicated with the following symbols: + + create + <= read (data resources) +.... +Plan: 18 to add, 0 to change, 0 to destroy. + +Do you want to perform these actions? + Terraform will perform the actions described above. + Only 'yes' will be accepted to approve. 
+ + Enter a value:
+```
+
+You can use the client certificates to access the docker api.
diff --git a/examples/remote-api-tls/main.tf b/examples/remote-api-tls/main.tf
new file mode 100644
index 0000000..ad04e1f
--- /dev/null
+++ b/examples/remote-api-tls/main.tf
@@ -0,0 +1,55 @@
+variable "do_token" {}
+
+variable "ssh_keys" {
+ type = "list"
+}
+
+provider "digitalocean" {
+ token = "${var.do_token}"
+}
+
+resource "digitalocean_tag" "manager" {
+ name = "swarm-mode-manager"
+}
+
+module "managers" {
+ source = "github.com/thojkooi/terraform-digitalocean-swarm-managers?ref=support-remote-api"
+
+ domain = "do.example.com"
+ total_instances = 3
+ ssh_keys = ["${var.ssh_keys}"]
+
+ remote_api_ca = "${path.module}/ca.pem"
+ remote_api_certificate = "${path.module}/server.pem"
+ remote_api_key = "${path.module}/server-key.pem"
+
+ size = "s-2vcpu-4gb"
+
+ tags = ["${digitalocean_tag.manager.id}"]
+
+ providers = {}
+}
+
+module "basic-fw-rules" {
+ source = "thojkooi/firewall-rules/digitalocean"
+ version = "1.0.0"
+
+ prefix = "do-example-com"
+ tags = ["${digitalocean_tag.manager.id}"]
+}
+
+module "api-access-firewall" {
+ source = "github.com/thojkooi/terraform-digitalocean-firewall-docker-api?ref=v0.1.2"
+ prefix = "do-example-com"
+ tags = ["${digitalocean_tag.manager.id}"]
+ api_access_from_adresses = ["0.0.0.0/0", "::/0"]
+}
+
+module "swarm-mode-firewall" {
+ source = "thojkooi/docker-swarm-firewall/digitalocean"
+ version = "1.0.0"
+
+ prefix = "do-example-com"
+ cluster_droplet_ids = []
+ cluster_tags = ["${digitalocean_tag.manager.id}"]
+}
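Review bot: `api_access_from_adresses = ["0.0.0.0/0", "::/0"]` in the `api-access-firewall` module of main.tf opens the Docker Remote API port to every IPv4 and IPv6 source, so the daemon's client-certificate check against `ca.pem` becomes the only control between the internet and root-equivalent access to the manager droplets. Even for an example, the value should be an obviously-placeholder operator address rather than a wildcard, e.g. `api_access_from_adresses = ["<your-public-ip>/32"] # CONSTRUCTED placeholder: restrict to hosts that need API access`, with a comment that the wildcard was not the intended deployment. Separately, `source = "github.com/thojkooi/terraform-digitalocean-swarm-managers?ref=support-remote-api"` pins the managers module to a branch name, which is mutable and can change underneath anyone copying this example, whereas the sibling modules pin `version = "1.0.0"` or `?ref=v0.1.2`; presumably the branch had not been tagged when this was written, so it should be moved to a tag or commit SHA once it lands. The top-level README hunk in this same commit also moves its `?ref=` from v0.3.0 back to v0.2.0, which reads like an unintended regression rather than part of the TLS example and is worth confirming.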