Cluster Client
A client can communicate with a cluster via the secure socket, authenticated with a trusted x509 client certificate.
Any opensvc installation can operate as a client to a remote cluster. The opensvc daemon does not need to run on a pure client installation.
This chapter describes how to configure the OpenSVC agent to access remote clusters.
Prerequisites
The PKI and user configuration steps described in Cluster Users must be done, so the root and usr1 users exist and have a certificate_chain and private key.
In the examples, the cluster is named clu1. Replace as appropriate.
Install the client certificate full PEM
On a cluster node, or from an already configured client with root privileges:
(om system/usr/root decode --key private_key;
om system/usr/root decode --key certificate)
On the client, paste the previous command output in a ~/.opensvc/clu1-root.full.pem file.
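Because the full PEM holds the private key, the file should be readable by its owner only and should contain both blocks intact. The shell functions below are an added example, not part of OpenSVC or of the original page; the names install_full_pem, count and check_full_pem are hypothetical helpers.

```shell
#!/bin/sh
# Added example: install and sanity-check the client "full PEM" (key + cert).
# The function names are hypothetical; they are not om subcommands.

# install_full_pem DEST: write PEM text read from stdin to DEST,
# creating the file (and ~/.opensvc if needed) for the owner only.
install_full_pem() {
    dest=$1
    (
        umask 077                          # new files 0600, new dirs 0700
        mkdir -p "$(dirname "$dest")" || exit 1
        rm -f "$dest"                      # do not inherit a looser old mode
        cat > "$dest"
    )
}

# count REGEX FILE: print how many lines of FILE match REGEX.
count() {
    grep -c -e "$1" "$2" || true           # grep exits 1 when the count is 0
}

# check_full_pem FILE: return 0 only if FILE is private to its owner and
# holds exactly one complete private key and at least one complete certificate.
check_full_pem() {
    f=$1
    [ -f "$f" ] || { echo "$f: not found" >&2; return 1; }
    # Characters 5-10 of the ls mode string are the group and other bits.
    mode=$(ls -ld "$f" | cut -c5-10)
    [ "$mode" = "------" ] || { echo "$f: accessible to group/other" >&2; return 1; }
    kb=$(count '^-----BEGIN .*PRIVATE KEY-----$' "$f")
    ke=$(count '^-----END .*PRIVATE KEY-----$' "$f")
    cb=$(count '^-----BEGIN CERTIFICATE-----$' "$f")
    ce=$(count '^-----END CERTIFICATE-----$' "$f")
    [ "$kb" -eq 1 ] && [ "$ke" -eq 1 ] || { echo "$f: expected one private key" >&2; return 1; }
    [ "$cb" -ge 1 ] || { echo "$f: no certificate" >&2; return 1; }
    [ "$cb" -eq "$ce" ] || { echo "$f: truncated certificate" >&2; return 1; }
}
```

Run install_full_pem ~/.opensvc/clu1-root.full.pem, paste the command output and end the input with Ctrl-D, then run check_full_pem on the same path.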
Install the cluster certificate authority certificate chain PEM
On a cluster node, or from an already configured client with root privileges:
om system/sec/ca-clu1 decode --key certificate_chain
On the client, paste the previous command output in a ~/.opensvc/clu1-ca.pem file.
Declare the client user
om ctx user create --name root@clu1 --client-certificate ~/.opensvc/clu1-root.full.pem
Declare the cluster
om ctx cluster create --name clu1 --server=tls://vip.clu1.mycorp:1215 --certificate-authority ~/.opensvc/clu1-ca.pem
Declare the context
om ctx create --name root@clu1 --user root@clu1 --cluster clu1
Switch to this new context
om ctx set root@clu1