Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use public cloud for digital ocean and secure with TLS #654

Merged
merged 1 commit into from
Feb 29, 2016
Merged

Use public cloud for digital ocean and secure with TLS #654

merged 1 commit into from
Feb 29, 2016

Conversation

sheerun
Copy link
Contributor

@sheerun sheerun commented Feb 28, 2016

"Private network" on digital ocean is really a shared private network.

It means all other hosts in datacenter, even of other users, can access deployed nodes on digitalocean. It means deploying on public ips is not less secure than deploying on private ones.

In this setup we additionaly secure etcd with wildcard tls certs.

As an additional bonus, we can not deploy servers across datacenters.

Also, we generate initial ssh key for digital ocean dynamically, for better security, and export it to "id_rsa" file for easy ssh access.

@sheerun
Copy link
Contributor Author

sheerun commented Feb 28, 2016

This closes #651

@wallies wallies mentioned this pull request Feb 28, 2016
Open
tayzlor
tayzlor reviewed Feb 29, 2016
View reviewed changes
terraform/digitalocean/main.tf

subject {
common_name = "*"
organization = "skybase"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

v minor: wonder if we should make this ${var.organization} and default it to "apollo" or similar. all the other changes look sweet!

@sheerun
Use public cloud for digital ocean and secure with TLS
c8f8cfa 
"Private network" on digital ocean is really a shared private network.

It means all other hosts in datacenter, even of other users, can access
deployed nodes on digitalocean. It means deploying on public ips is
not less secure than deploying on private ones.

In this setup we additionaly secure etcd with wildcard tls certs.

As an additional bonus, we can not deploy servers across datacenters.

Also, we generate initial ssh key for digital ocean dynamically, for
better security, and export it to "id_rsa" file for easy ssh access.
@sheerun
Copy link
Contributor Author

sheerun commented Feb 29, 2016

Made the fix you suggested :)

@tayzlor
Copy link
Member

tayzlor commented Feb 29, 2016

Thanks!

tayzlor added a commit that referenced this pull request Feb 29, 2016
@tayzlor
Merge pull request #654 from sheerun/digitalocean1
d9dd1b5 
Use public cloud for digital ocean and secure with TLS
@tayzlor tayzlor merged commit d9dd1b5 into Capgemini:devel Feb 29, 2016
@tayzlor tayzlor mentioned this pull request Feb 29, 2016
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@sheerun @tayzlor