- Deploy a secure three-node CockroachDB cluster in Google Cloud Platform.
- Create two certificate authorities (CAs), one each for clients and for cluster nodes
- Define PKI roles for CockroachDB nodes and clients
- Issue private key/public certificate pairs for use by our CockroachDB cluster nodes
- Issue a private key/public certificate pair for use by the CockroachDB client
- Access the cluster using the client credentials
Before you begin
- Review .
- Vault:
- You must have access to a Vault cluster. This can be a cluster provisioned online through HashiCorp Cloud Platform (HCP), a Vault cluster deployed by your organization, or a quickstart Vault cluster you deploy yourself in “dev” mode.
- You need permissions on the Vault cluster to enable secrets engines and create policies, either via the root access token for this cluster or through a custom policy.
- Google Cloud Platform (GCP):
- Create a new GCP account and project.
- Install and configure the Google Cloud CLI (gcloud) and enable Google CA Service.
Introduction
PKI can be implemented in many ways; key pairs can be generated and certificates signed using many different commands or tools, including OpenSSL, the CockroachDB CLI, or other utilities or services. Similarly, there are multiple ways to safely distribute those credentials to servers and clients.PKI strategy
The key elements of the strategy here are:- To leverage the strength of Vault’s secrets engines to manage the certificates.
- To enforce short validity durations for all issued certificates, rather than employing the more heavy-weight option of .
Short-lived credentials
If credentials are obtained by malicious actors, they can be used to impersonate (spoof) a client or server. Any PKI implementation must prevent this type of impersonation:- By using a revocation mechanism, so that existing certificates can be invalidated. Two standard solutions are Certificate Revocation Lists (CRLS) and the Online Certificate Status Protocol (OCSP).
- By issuing only certificates with short validity durations, so that any compromised certificate quickly becomes unusable.
Task personas
The work described here can be divided up into three chunks, each of which might be performed by a different team or individual, and each of which might require access to different resources in both GCP and Vault. Each of the three personas in the following table correspond to a GCP service account and a Vault policy.| persona | tasks | Vault permissions | GCP Permissions |
|---|---|---|---|
ca-admin |
|
|
|
node-operator |
|
| |
client-operator |
|
|
Resources
Our cluster will contain three classes of compute instance:- The CA administrative jumpbox, where sensitive credentials will be handled and secure operations related to certificate authority performed.
- Database nodes. These examples use a three-node cluster.
- A client, which could represent, in a more realistic scenario, either an operations jumpbox for database administrators, or an application server.
Admin operations
Provision and configure your GCP resources
-
Create the CA admin jumpbox.
Specify the ca-admin service account, and grant the
cloud-platformscope, so that files can be sent with SCP from here to the nodes to be provisioned. -
Configure cluster firewall rules.
Our rules will allow nodes to send requests to each other, and to receive requests from clients (as specified with tags).
-
Create node instances
Create three compute instances to use as CockroachDB nodes. Follow the guidelines described in , and additionally, specify the
node-operatorservice account as the managing service account. Here we add the network tag ‘roach-node’, which will allow our firewall rule to apply to the nodes instances. -
Create the client instance.
Here we add the network tag ‘roach-client’, which will allow our the client to reach the nodes, according to our firewall rule.
- Create or designate a load balancer endpoint. You can do this either by creating a TCP load balancer with a static IP address, or, as a short-cut in development, by simply designating one of the nodes as your load balancer:
-
Option 1: Create a TCP load balancer. Visit the load balancer page in the GCP console, and create a TCP load balancer, selecting your node instances as targets for a new back-end service, and reserving a static IP address for your front-end service. This IP address will serve as the load balancer IP,
lb_ip, in the configuration manifest in the following step. -
Option 2: Use one of the nodes as a load balancer. Any node in a CockroachDB cluster handle SQL requests, which includes load-balancing work across nodes in the cluster. As a development mode short, cut, simply use the
INTERNAL_IPfor one of your nodes aslb_ipin the configuration manifest in the following step.
-
Compile an environment manifest
Collect the network names and IP addresses of the resources, which you should be able to glean from the output of
gcloud compute instances list:For ease of use, save the required information in a file, for example calledcockroach-cluster.env. Then initialize your shell by pasting in the contents or runningsource cockroach-cluster.env.
Provision the certificate authorities (CAs) with Vault
The operations in this section are performed by theca-admin persona, and therefore require admin Vault access and SSH access to the CA admin jumpbox.
Step 1: Access and prepare the CA admin jumpbox
-
Connect to the CA admin jumpbox using SSH.
-
Initialize your shell inside the jumpbox with your cluster information by running the contents of your
cockroach-cluster.envfile. -
Create a secrets directory on the jumpbox.
We need somewhere to put key and certificate files while we work. By working on the secure CA jumpbox, which can be carefully gated behind IAM policies controlling SSH access, we minimize the risk of leaking a sensitive credential. Remember that credentials can be leaked other ways, such as by printing out a private key or plain-text password to your terminal in a public place where a camera is pointed at your laptop’s screen.
Public certificates are less sensitive if they leak, but private keys for nodes and clients are critical secrets and must be managed with extreme care.
- Install Vault on the jumpbox, following the instructions for Ubuntu/Debian Linux.
-
Obtain the required parameters to target and authenticate to Vault.
-
Option 1: If using HashiCorp Cloud Platform (HCP):
- Go to the HCP console, choose Vault from the Services menu and then select your cluster.
-
Find the Public Cluster URL for your Vault cluster. This will be set as the
VAULT_ADDRenvironment variable, in the following step. -
Generate an admin token by clicking Generate token. This will be set as the
VAULT_TOKENenvironment variable, in the following step.
- Option 2: If using a Vault deployment internal to your organization, contact your Vault administrator for a token and the appropriate endpoint.
-
Option 3: If using a development Vault server (suitable only for tutorial/testing purposes), start the Vault development server and obtain credentials locally on your CA admin jumpbox by running
vault server --dev.
-
Option 1: If using HashiCorp Cloud Platform (HCP):
-
Initialize your shell for Vault on the jumpbox
-
Authenticate with the admin token:
Step 2. Create the certificate authority
-
Create one PKI secrets engine to serve as your cluster CA, and another to serve as your client CA.
-
Set a maximum validity duration for certificates signed by your CAs. In this example this maximum duration is 48 hours, appropriate for a scenario where the certificates are provisioned each day, with another 24 hours grace period.
-
Generate a root credential pair for each CA. Certificates created with this CA/secrets engine will be signed with the private key generated here.
The CA private key cannot be exported from Vault. This safeguards it from being leaked and used to issue fraudulent certificates.
The CA public certificate is downloaded in the resulting JSON payload.
In a following step, we’ll add both CA public certificate to each node’s trust store (
certdirectory) so it can be used by the nodes to authenticate the client. The client will also need the cluster CA public certificate in order to authenticate the cluster. -
Parse the CA’s public certificate from the corresponding JSON payload.
-
Copy the public certificate for the cluster CA to the directory intended to populate the trust store for each node, and for the client. This is necessary because the nodes, as well as external clients, act as clients and must authenticate the server.
-
Copy the public certificate for the client CA to the directory intended to populate the trust store for each node, so that each node can authenticate the client. The client does not need the client CA public certificate in its trust store.
-
(Optional) Use
opensslto examine each certificate, confirming that it has been generated and copied correctly.
Create PKI roles and issue certificates for the nodes
In Vault, a PKI role is a template for a certificate.-
Create a node role. The role will be used to generate certificates for the all cluster nodes.
Note that certificate attributes must be provided with Vault’s specific parameter syntax, which is documented here:
-
Issue a certificate pair for each node.
Each certificate is tailored to the node:
- The extended key usages attribute
ext_key_usagemust include both server and client auth usages; this is because nodes must frequently initiate requests to other nodes in order to maintain cluster synchrony and load-balance work. - The Subject Alternative Name (SAN) - IP addresses field contains:
- the IP address of the node on the internal network of your GCP project (so the node can serve at that address locally, to other nodes).
- the IP address of your cluster on the external, public internet (so the node can serve at that address publicly, to application servers).
- The extended key usages attribute
-
Parse the key and certificate pair from each return payload.
- Set key file permissions.
Provision each node’s credentials and
-
Clear any existing certs from each node:
-
Use SCP to propagate the CA crt and corresponding key pair to each node
Create a role and issue credentials for the client
Create a PKI role for the root Issue a root client certificate
Generate a private key/public certificate pair for the root SQL user.-
Generate the client role:
-
Use the client role to create credentials (a private key and public certificate) for a root client.
CockroachDB takes the name of the SQL user to be authenticated from the
common_namefield. -
Parse the client key and certificate pair from the payload.
- Set key file permissions.
Provision the Client’s credentials and trust store
-
Clear any existing credentials and certs:
-
Use SCP to propagate the CA crt and corresponding key pair to each node
Clean up the CA admin jumpbox
Be sure to delete the credential pairs for the nodes and client. You do not need to delete the public certificates for the CAs, as this is not sensitive data.Cluster operations
Install CockroachDB on each node and client
Download the CockroachDB executable frombinaries.cockroachdb.com.
Start or reset the cluster
Generate and provision a start script for each node
Note that each start script is node specific, configuring each node to advertise its own IP address to the cluster, and attempt tojoin a specified list of peers at specific IP addresses.
Start the nodes
To start the cluster, execute the pre-provisioned start script.Reset the nodes
To start using the new credentials on a running cluster, send aSIGHUP signal to each node.

