
I would like to set up Docker Swarm over a public network, and I would like to minimize the amount of reconfiguration that has to happen when workers' IP addresses change. The recommended setup requires generating a TLS certificate for each server, but if I generate certificates for IP addresses, I'll have an ever-growing certificate "database".

flannel looked promising, especially as it is used by Kubernetes and CoreOS, and it's already packaged in Fedora. Unfortunately, its transport encryption support is not ready yet.

I also looked at Weave, but I was really sketched out by its recommended setup which involved curl-ing a binary off their site, and by their "security".

Is there some old-school solution that I should be looking at instead? An SDN competitor that I missed?

asked by pwnall
  • What's wrong with "an ever-growing certificate database"? It's how I'd do it. – womble Sep 08 '15 at 19:39
  • It feels dirty and unnecessary. I feel like I should be able to get away with one server certificate and a multitude of client certificates. The workers should be cattle, not pets. – pwnall Sep 08 '15 at 20:01
  • You can automate certificate issuance, you know... – womble Sep 08 '15 at 20:09
  • If there's no better way, I would end up with an Ansible role that issues certificates. I don't like having to re-run a playbook whenever a machine gets a different IP, and I really don't like having a CA "database" file that will fill up with trash over time. – pwnall Sep 08 '15 at 21:55
  • How often, and under what circumstances, are your IP addresses changing? I'd expect they'd only change on container restart, which means you can hook into that and issue a new certificate if a new IP is involved. You don't really end up with a "database" of certificates; you don't even need to keep any information on what's been issued in the CA at all if you don't want to (although a "properly run" CA *should*; it's a trivial amount of data to keep, anyway). – womble Sep 08 '15 at 22:28
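The approach womble sketches in the comments (reissue a worker's certificate only when its IP changes, with no CA index file to maintain) can be shown in a few shell functions around `openssl`. This is an added example, not code from the question, from Docker, or from any of the projects mentioned; the CA, the worker name `worker-01`, the `203.0.113.0/24` and `198.51.100.0/24` addresses, and the helper names are all constructed for illustration. It signs with `openssl x509 -req` instead of `openssl ca`, so the only state the CA keeps is a one-line serial counter that is overwritten on each issuance; the stable worker name goes in the CN and the current IP only in the SAN, so an address change produces a fresh leaf certificate and never touches the CA.

```shell
#!/bin/sh
# Added example (not from the question or Docker): per-worker TLS certificates
# that are reissued only when the worker's IP changes. All names/addresses are
# constructed placeholders.
set -e

CA_DIR="${CA_DIR:-./swarm-demo-ca}"   # assumption: CA key/cert live here

# Create a throwaway demo CA. In practice the CA key stays on the manager only.
make_demo_ca() {
  mkdir -p "$CA_DIR"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$CA_DIR/ca-key.pem" -out "$CA_DIR/ca.pem" \
    -subj "/CN=swarm-demo-ca" >/dev/null 2>&1
}

# issue_worker_cert NAME IP OUTDIR
# CN = stable worker name; the IP lives only in the SAN. `-CAcreateserial`
# keeps a single serial file ($CA_DIR/ca.srl) that is overwritten, not an
# ever-growing index.txt as `openssl ca` would maintain.
issue_worker_cert() {
  name="$1"; ip="$2"; out="$3"
  mkdir -p "$out"
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$out/key.pem" -out "$out/csr.pem" \
    -subj "/CN=$name" >/dev/null 2>&1
  # Extensions for the leaf: SAN with the current IP, usable as server and client.
  printf 'subjectAltName=IP:%s,DNS:%s\nextendedKeyUsage=serverAuth,clientAuth\n' \
    "$ip" "$name" > "$out/san.cnf"
  openssl x509 -req -in "$out/csr.pem" \
    -CA "$CA_DIR/ca.pem" -CAkey "$CA_DIR/ca-key.pem" -CAcreateserial \
    -days 90 -extfile "$out/san.cnf" -out "$out/cert.pem" >/dev/null 2>&1
  rm -f "$out/csr.pem" "$out/san.cnf"
}

# cert_has_ip CERT IP -> exit 0 if the certificate's SAN lists IP
cert_has_ip() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q "IP Address:$2"
}

# verify_chain CERT -> exit 0 if CERT chains to the demo CA
verify_chain() {
  openssl verify -CAfile "$CA_DIR/ca.pem" "$1" >/dev/null 2>&1
}

# refresh_if_ip_changed NAME IP OUTDIR
# The hook to run on (re)start: prints "unchanged" if the existing cert already
# covers the current IP, otherwise reissues and prints "reissued".
refresh_if_ip_changed() {
  name="$1"; ip="$2"; out="$3"
  if [ -f "$out/cert.pem" ] && cert_has_ip "$out/cert.pem" "$ip"; then
    echo unchanged
    return 0
  fi
  issue_worker_cert "$name" "$ip" "$out"
  echo reissued
}

# Stand-alone demo: `sh this.sh demo`
if [ "${1:-}" = "demo" ]; then
  make_demo_ca
  refresh_if_ip_changed worker-01 203.0.113.7 ./worker-01   # reissued
  refresh_if_ip_changed worker-01 203.0.113.7 ./worker-01   # unchanged
  refresh_if_ip_changed worker-01 198.51.100.9 ./worker-01  # reissued
  verify_chain ./worker-01/cert.pem && echo "chain ok"
fi
```

`refresh_if_ip_changed` is the piece to wire into whatever restarts the worker (a systemd `ExecStartPre`, or the Ansible role from the comments): it is idempotent, so running it on every boot costs nothing when the address is unchanged. The manager still needs to trust only `ca.pem`, and revocation of a stale IP's certificate is handled by the short `-days 90` lifetime rather than by a CRL.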

0 Answers