Commit

update document for sabakan TLS
Signed-off-by: YZ775 <yuzuki-mimura@cybozu.co.jp>
YZ775 committed Jan 23, 2024
1 parent 4671aa2 commit 5cb0f97
Showing 2 changed files with 27 additions and 2 deletions.
14 changes: 12 additions & 2 deletions README.md
Expand Up @@ -60,7 +60,7 @@ Features
To help implementing full disk encryption on client machines, sabakan accepts and stores
encrypted disk encryption keys. The key can be downloaded in the next boot to decrypt
disks.

`sabakan-cryptsetup` is a tool for clients to encrypt disks; the tool generates a disk
encryption key, encrypts it, and sends the encrypted key to sabakan. In the next boot,
it downloads the encrypted key from sabakan, decrypts it, then uses it to decrypt disks.
Expand Down Expand Up @@ -107,13 +107,23 @@ Run sabakan with docker
# create directory to store OS images
$ sudo mkdir -p /var/lib/sabakan

# create server certificate
$ sudo mkdir -p /etc/sabakan
$ make setup-cfssl
$ cd e2e/certs && ./gencerts.sh
$ cd ../..
$ sudo cp e2e/output/certs/server.crt /etc/sabakan/server.crt
$ sudo cp e2e/output/certs/server.key.insecure /etc/sabakan/server.key

# -advertise-url is the canonical URL of this sabakan.
$ docker run -d --read-only --cap-drop ALL --cap-add NET_BIND_SERVICE \
--network host --name sabakan \
--mount type=bind,source=/var/lib/sabakan,target=/var/lib/sabakan \
--mount type=bind,source=/etc/sabakan,target=/etc/sabakan \
ghcr.io/cybozu-go/sabakan:3.1 \
-etcd-endpoints http://foo.bar:2379,http://zot.bar:2379 \
-advertise-url http://12.34.56.78:10080
-advertise-url http://12.34.56.78:10080 \
-advertise-url-https http://12.34.56.78:10443
```

License
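
Review bot: The added `-advertise-url-https http://12.34.56.78:10443` at the end of the `docker run` example uses the `http://` scheme for the HTTPS advertise URL, while docs/getting_started.md in this same commit sets `advertise-url-https: https://localhost:10443`; this should read `https://12.34.56.78:10443`. Separately, the certificate steps copy `e2e/output/certs/server.key.insecure` to `/etc/sabakan/server.key` without comment. The README should say that this is the e2e test key, fine for trying sabakan out, and that a real deployment needs its own certificate and a key file readable only by the sabakan process. The steps also assume the reader is already inside a checkout of the repository, which is not stated here.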
15 changes: 15 additions & 0 deletions docs/getting_started.md
Expand Up @@ -35,11 +35,26 @@ $ docker run -d --rm --name etcd --network=host --uts=host gcr.io/etcd-developme
$ sudo mkdir -p /var/lib/sabakan
```

### <a name="certs" />Prepare server certificate

Create self-signed server certificate by using script and put it to `/etc/sabakan`:
```console
$ sudo mkdir -p /etc/sabakan
$ git clone github.com/cybozu-go/sabakan
$ make setup-cfssl
$ cd e2e/certs && ./gencerts.sh
$ cd ../..
$ sudo cp e2e/output/certs/server.crt /etc/sabakan/server.crt
$ sudo cp e2e/output/certs/server.key.insecure /etc/sabakan/server.key
```

### <a name="configure" />Prepare sabakan.yml

Save the following contents as `/usr/local/etc/sabakan.yml`:

```yaml
advertise-url: http://localhost:10080
advertise-url-https: https://localhost:10443
etcd:
endpoints:
- http://localhost:2379
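
Review bot: In the new "Prepare server certificate" steps, `git clone github.com/cybozu-go/sabakan` has no URL scheme, so git treats the argument as a local path and the clone fails; it is also not followed by `cd sabakan`, so `make setup-cfssl` runs outside the checkout. Suggest `git clone https://github.com/cybozu-go/sabakan` followed by `cd sabakan`. The console code fence needs a blank line after the sentence above it to match the other sections, and that sentence should note that `server.key.insecure` is a test key not meant for production. The sabakan.yml example adds `advertise-url-https` but does not show how sabakan locates `/etc/sabakan/server.crt` and `/etc/sabakan/server.key`; if those paths are defaults, say so.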