github.com/muhammadn/cortex@v1.9.1-0.20220510110439-46bb7000d03d/docs/guides/tls.md

---
title: "Securing communication between Cortex components with TLS"
linkTitle: "Securing communication between Cortex components with TLS"
weight: 10
slug: tls
---

Cortex is a distributed system with significant traffic between its services.
To allow for secure communication, Cortex supports TLS between all its
components. This guide describes the process of setting up TLS.
    11  
### Generation of certs to configure TLS

The first step to securing inter-service communication in Cortex with TLS is
generating certificates. A Certificate Authority (CA) is used for this purpose.
The CA must be private to the organization: the servers accept any client
certificate it has signed, so whoever can get a certificate signed by this CA
can talk to every component in the cluster.
    18  
We will use the following script to generate a private CA and the CA-signed
client and server certificates for the cluster:

```
# keys (state the size explicitly; older OpenSSL releases default to short RSA keys)
openssl genrsa -out root.key 4096
openssl genrsa -out client.key 2048
openssl genrsa -out server.key 2048

# root cert / certificate authority
openssl req -x509 -new -nodes -key root.key -subj "/C=US/ST=KY/O=Org/CN=root" -sha256 -days 3650 -out root.crt

# csrs - certificate signing requests
openssl req -new -sha256 -key client.key -subj "/C=US/ST=KY/O=Org/CN=client" -out client.csr
openssl req -new -sha256 -key server.key -subj "/C=US/ST=KY/O=Org/CN=localhost" -out server.csr

# subject alternative names for the server cert: Cortex is written in Go, and Go
# checks the host name against the SANs only, never against the CN
printf "subjectAltName=DNS:localhost,IP:127.0.0.1\n" > server.ext

# certificates
openssl x509 -req -in client.csr -CA root.crt -CAkey root.key -CAcreateserial -out client.crt -days 730 -sha256
openssl x509 -req -in server.csr -CA root.crt -CAkey root.key -CAcreateserial -out server.crt -days 730 -sha256 -extfile server.ext
```

The root certificate above is valid for 10 years and the client and server
certificates for 2 years; adjust the `-days` options to match your rotation
schedule. Certificates should be replaced at least once every 2 years, and
`root.key` should be kept off the cluster hosts: it is only needed when signing
new certificates, and anyone holding it can issue certificates the cluster
trusts.

The above script generates keys `client.key`, `server.key` and certs
`client.crt`, `server.crt` for the client and server. The CA cert is
generated as `root.crt`. The server certificate is issued for `localhost`;
replace that SAN with the DNS names or IP addresses the components are actually
reached at (Kubernetes service names, for example), since a client dialling a
name such as `ingester.cortex.svc` rejects a certificate that only names
`localhost`. One client certificate shared by every component works, but
issuing one per component, each with its own CN, keeps a compromised component
from borrowing the identity of the rest and lets you rotate them independently.
    46  
### Load certs into the HTTP/GRPC server/client

Every HTTP/GRPC link between Cortex components supports TLS configuration
through the following config parameters:
    51  
#### Server flags

```
    # Path to the TLS Cert for the HTTP Server
    -server.http-tls-cert-path=/path/to/server.crt

    # Path to the TLS Key for the HTTP Server
    -server.http-tls-key-path=/path/to/server.key

    # Type of Client Auth for the HTTP Server
    -server.http-tls-client-auth=RequireAndVerifyClientCert

    # Path to the Client CA Cert for the HTTP Server
    -server.http-tls-ca-path=/path/to/root.crt

    # Path to the TLS Cert for the GRPC Server
    -server.grpc-tls-cert-path=/path/to/server.crt

    # Path to the TLS Key for the GRPC Server
    -server.grpc-tls-key-path=/path/to/server.key

    # Type of Client Auth for the GRPC Server
    -server.grpc-tls-client-auth=RequireAndVerifyClientCert

    # Path to the Client CA Cert for the GRPC Server
    -server.grpc-tls-ca-path=/path/to/root.crt
```

The client-auth values follow Go's `tls.ClientAuthType` names.
`RequireAndVerifyClientCert` is the setting that actually authenticates
callers: the server refuses any connection that does not present a certificate
chaining to the CA in `*-tls-ca-path`. The weaker settings either do not ask
for a certificate or accept a connection without one, so with them the server
certificate only buys encryption, and anything that can reach the port can send
requests.
    79  
#### Client flags

Client flags are component specific: each client has its own flag prefix, and
the TLS flags hang off that prefix.

For an HTTP client in the Alertmanager:
```
    # Path to the TLS Cert for the HTTP Client
    -alertmanager.configs.tls-cert-path=/path/to/client.crt

    # Path to the TLS Key for the HTTP Client
    -alertmanager.configs.tls-key-path=/path/to/client.key

    # Path to the TLS CA for the HTTP Client
    -alertmanager.configs.tls-ca-path=/path/to/root.crt
```

For a GRPC client in the Querier:
```
    # Path to the TLS Cert for the GRPC Client
    -querier.frontend-client.tls-cert-path=/path/to/client.crt

    # Path to the TLS Key for the GRPC Client
    -querier.frontend-client.tls-key-path=/path/to/client.key

    # Path to the TLS CA for the GRPC Client
    -querier.frontend-client.tls-ca-path=/path/to/root.crt
```

Similarly, for the GRPC Ingester Client:
```
    # Path to the TLS Cert for the GRPC Client
    -ingester.client.tls-cert-path=/path/to/client.crt

    # Path to the TLS Key for the GRPC Client
    -ingester.client.tls-key-path=/path/to/client.key

    # Path to the TLS CA for the GRPC Client
    -ingester.client.tls-ca-path=/path/to/root.crt
```

TLS can be configured in a similar fashion for other HTTP/GRPC clients in Cortex.
Every client that takes `tls-cert-path`, `tls-key-path` and `tls-ca-path` takes
two further flags under the same prefix. `tls-server-name` overrides the name
the server certificate is checked against, for when a component is dialled by
an address (a load balancer's, say) that is not among the certificate's SANs.
`tls-insecure-skip-verify=true` disables server certificate verification
altogether, so anything on the network can impersonate the server; leave it
unset outside of throwaway test setups. Note also that if `tls-ca-path` is
omitted the client falls back to the host's system CA bundle, which trusts far
more than your private CA. Recent Cortex releases additionally gate gRPC client
TLS behind `-<prefix>.tls-enabled=true` (for example
`-querier.frontend-client.tls-enabled=true`); where that flag exists, the paths
above are ignored until it is set, so check `cortex -help` for the flags of
your release.
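To see what those settings enforce end to end, the following Go program is an added example written for this guide; it is not part of Cortex. It rebuilds the certificate setup from the first section in memory (a private CA, a server certificate issued for `localhost` with and without a SAN, a client certificate from that CA and one from an unrelated CA) and runs TLS handshakes over loopback TCP with the server configured the way the flags above configure Cortex: `RequireAndVerifyClientCert` with the CA as the client CA, and the client trusting only that CA with `localhost` as the expected server name. The case labels, the CA names `root` and `other-root`, and the use of Ed25519 keys in place of the script's RSA keys are choices made for this example.

```go
// Added example, not Cortex code: in-memory CA, server and client certs plus loopback TLS handshakes.
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issue creates a certificate for cn with the given DNS SANs, signed by parent (a
// self-signed CA when parent is nil), valid for 2 years as the guide recommends.
func issue(cn string, sans []string, parent *tls.Certificate) *tls.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // rand.Reader does not fail
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // unique enough here; real CAs use random serials
		Subject:               pkix.Name{Organization: []string{"Org"}, CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(730 * 24 * time.Hour),
		IsCA:                  parent == nil,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		DNSNames:              sans, // Go matches host names against SANs only, never against the CN
	}
	if parent == nil { // self-signed root: sign with its own key
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent = &tls.Certificate{Leaf: tmpl, PrivateKey: priv}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.Leaf, pub, parent.PrivateKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // cannot fail on DER we just produced
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}
}

// handshake serves one TLS connection on loopback and dials it. The server sends "ok"
// after its handshake so the client also observes a server-side rejection: a TLS 1.3
// client finishes its handshake before the server has checked the client certificate.
func handshake(serverCfg, clientCfg *tls.Config) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	srvErr := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err == nil {
			defer conn.Close()
			s := tls.Server(conn, serverCfg)
			if err = s.Handshake(); err == nil {
				_, err = s.Write([]byte("ok"))
			}
		}
		srvErr <- err
	}()
	c, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if err == nil {
		defer c.Close()
		_, err = c.Read(make([]byte, 2))
	}
	ln.Close() // unblocks Accept if the dial never reached the listener
	if sErr := <-srvErr; err == nil {
		err = sErr
	}
	return err
}

// Results runs each case and reports its outcome; a nil error means the connection was established.
func Results() map[string]error {
	ca := issue("root", nil, nil)
	server := issue("localhost", []string{"localhost"}, ca)
	serverNoSAN := issue("localhost", nil, ca) // CN only: what openssl x509 -req emits without an extension file
	client := issue("client", nil, ca)
	foreign := issue("client", nil, issue("other-root", nil, nil)) // same name, signed by an unrelated CA
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	srv := func(auth tls.ClientAuthType, cert *tls.Certificate) *tls.Config { // -server.*-tls-client-auth and -server.*-tls-ca-path
		return &tls.Config{Certificates: []tls.Certificate{*cert}, ClientAuth: auth, ClientCAs: pool, MinVersion: tls.VersionTLS12}
	}
	cli := func(certs ...tls.Certificate) *tls.Config { // tls-cert-path/tls-key-path, tls-ca-path and tls-server-name
		return &tls.Config{Certificates: certs, RootCAs: pool, ServerName: "localhost", MinVersion: tls.VersionTLS12}
	}
	return map[string]error{
		"mtls-valid":                handshake(srv(tls.RequireAndVerifyClientCert, server), cli(*client)),
		"server-cert-without-san":   handshake(srv(tls.RequireAndVerifyClientCert, serverNoSAN), cli(*client)),
		"client-without-cert":       handshake(srv(tls.RequireAndVerifyClientCert, server), cli()),
		"client-cert-from-other-ca": handshake(srv(tls.RequireAndVerifyClientCert, server), cli(*foreign)),
		"no-client-auth-required":   handshake(srv(tls.NoClientCert, server), cli()),
	}
}

func main() { fmt.Println(Results()) }
```

`go run` prints the result map; only `mtls-valid` and `no-client-auth-required` come back `<nil>`. The second of those is the point of the client-auth flag: with `NoClientCert` the server serves a client that presented nothing at all. `server-cert-without-san` is what the openssl script produces if the `-extfile` step is skipped, and `client-without-cert` is what every Cortex client looks like to a server until its `tls-cert-path` and `tls-key-path` are set.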