How to deploy a CockroachDB cluster in secure mode

If you’ve found the CockroachDB insecure mode too restrictive, Jack Wallen is here to help you deploy the same cluster, only in secure mode, so you can authenticate users and better manage your databases.


Recently, I walked you through the process of deploying a CockroachDB cluster to fill your distributed SQL needs. You might have quickly realized, however, that you cannot set passwords for users in that setup: in insecure mode, connections are neither encrypted nor authenticated, and any client that can reach port 26257 can connect as any user, including root. Although that might be OK for testing purposes, you certainly don’t want to deploy an unauthenticated database server to production.

I want to now show you how to deploy CockroachDB in secure mode. In secure mode, nodes and clients identify themselves with TLS certificates issued by a Certificate Authority you control, all traffic between them is encrypted, and you can assign passwords to users (which should be considered an absolute must in production environments).

And, so, without further ado, let’s unleash the power of a secure CockroachDB cluster.


What you’ll need

As with the original how-to, you’ll need instances of Ubuntu Server (the commands below assume three, one controlling node and two more) and a user with sudo privileges on each. That’s it, let’s get down to business.

How to install CockroachDB

In case you didn’t bother reading through the original piece, let’s recap the installation process for CockroachDB. You’ll need to do this on all of your cluster servers. Ready?

Download the binary file and move it with:

curl https://binaries.cockroachdb.com/cockroach-v21.2.8.linux-amd64.tgz | tar -xz && sudo cp -i cockroach-v21.2.8.linux-amd64/cockroach /usr/local/bin/

Create a new directory:

sudo mkdir -p /usr/local/lib/cockroach

Copy two files:

sudo cp -i cockroach-v21.2.8.linux-amd64/lib/libgeos.so /usr/local/lib/cockroach/
sudo cp -i cockroach-v21.2.8.linux-amd64/lib/libgeos_c.so /usr/local/lib/cockroach/

Configure the firewall (26257 is the SQL and inter-node port, 8080 is the DB Console):

sudo ufw allow 8080/tcp
sudo ufw allow 26257/tcp
sudo ufw reload

Boom! Installed. Time to securely deploy the cluster.

How to generate certificates

The first thing we must do is generate security certificates. Do this on one trusted machine (the controlling node is fine) and keep the Certificate Authority’s private key there: it is only needed when signing new certificates, and it must never be copied to the cluster nodes, because whoever holds it can mint a certificate for any node or user. Let’s create one directory for the certificates and a separate one for the CA key with:

mkdir certs cockroachdb_certs

Next, we’ll create the Certificate Authority certificate (certs/ca.crt) and private key (cockroachdb_certs/ca.key) with:

cockroach cert create-ca --certs-dir=certs --ca-key=cockroachdb_certs/ca.key

Now, we’ll create a certificate and key pair for each node. The addresses you list must include every IP address or hostname the node will be reached at (clients and other nodes verify the address they connect to against the certificate). For the controlling node:

cockroach cert create-node SERVER1 $(hostname) --certs-dir=certs --ca-key=cockroachdb_certs/ca.key

Where SERVER1 is the IP address of the controlling server. This writes certs/node.crt and certs/node.key. Repeat the command for each of the other nodes with that node’s IP address and hostname, but note that every run writes files named node.crt and node.key: copy the pair you just generated, together with certs/ca.crt (and never ca.key), to a certs directory on the node it belongs to, then delete the local node.crt and node.key before generating the next pair. When you’re done, every node must have a certs directory containing ca.crt, its own node.crt and its own node.key, with the key readable only by the user that runs cockroach.

Finally, create a client certificate for the root user, which the cockroach init and cockroach sql commands below use to authenticate:

cockroach cert create-client root --certs-dir=certs --ca-key=cockroachdb_certs/ca.key

We can now start the cluster (on the controlling node) with the command:

cockroach start --certs-dir=certs --store=server1 --listen-addr=SERVER1:26257 --http-addr=SERVER1:8080 --join=SERVER1:26257,SERVER2:26257,SERVER3:26257 --background

Where SERVER1 is the IP address of the controlling node, SERVER2 is the IP address of the second node and SERVER3 is the IP address of the third node. Because each node runs on its own server, every node listens on port 26257 (the port the firewall rule opened), and the --join list, which is how the nodes find each other, names all three nodes and must be identical on every node. Binding --http-addr to the node’s address makes the DB Console reachable from your workstation; if you’d rather not expose it at all, bind it to localhost:8080 instead and reach it through an SSH tunnel.

Next, start the server on the second node with:

cockroach start --certs-dir=certs --store=server2 --listen-addr=SERVER2:26257 --http-addr=SERVER2:8080 --join=SERVER1:26257,SERVER2:26257,SERVER3:26257 --background

And on the third node with:

cockroach start --certs-dir=certs --store=server3 --listen-addr=SERVER3:26257 --http-addr=SERVER3:8080 --join=SERVER1:26257,SERVER2:26257,SERVER3:26257 --background

Where, again, SERVER1, SERVER2 and SERVER3 are the IP addresses of the controlling, second and third nodes.

Back at the controlling node, initialize the cluster with:

cockroach init --certs-dir=certs --host=SERVER1:26257

Where SERVER1 is the IP address of the main server. This is a one-time step, and it authenticates with the root client certificate in the certs directory, so run it where that certificate lives.
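Two mistakes that bite people deploying a secure cluster are handing each node a different --join list and accidentally shipping the CA private key along with the node certificates. The following POSIX shell script is an added example (it is not code from the article or from CockroachDB) that checks both: preflight_certs inspects a node’s certs directory before you start it, and join_list and start_cmd print the start command for each node from one shared node list so the --join list cannot drift. The node addresses 10.0.0.11 to 10.0.0.13 and the store names are constructed for the example, and the permission check uses the GNU/busybox stat -c found on Ubuntu.

```shell
#!/bin/sh
# Added example, not from the article or CockroachDB: a preflight check for a
# node's certs directory, plus a generator for per-node `cockroach start`
# commands that share one --join list. Node addresses below are constructed.

# preflight_certs DIR
#   Returns 0 if DIR looks like a correctly distributed node certs directory:
#   ca.crt, node.crt and node.key present; node.key readable only by its
#   owner; and ca.key ABSENT, since the CA private key must stay on the
#   signing machine and never be copied to a node.
preflight_certs() {
    dir=$1
    rc=0
    for f in ca.crt node.crt node.key; do
        if [ ! -f "$dir/$f" ]; then
            echo "preflight: missing $dir/$f" >&2
            rc=1
        fi
    done
    if [ -e "$dir/ca.key" ]; then
        echo "preflight: CA private key found in $dir; nodes must not hold ca.key" >&2
        rc=1
    fi
    if [ -f "$dir/node.key" ]; then
        # stat -c %a prints the octal mode (GNU coreutils / busybox, as on Ubuntu)
        mode=$(stat -c %a "$dir/node.key")
        if [ "$mode" != "600" ]; then
            echo "preflight: $dir/node.key has mode $mode, expected 600" >&2
            rc=1
        fi
    fi
    return $rc
}

# join_list ADDR...  ->  "ADDR1:26257,ADDR2:26257,..."
#   Builds the one --join value that every node must be started with.
join_list() {
    out=""
    for a in "$@"; do
        out="${out:+$out,}$a:26257"
    done
    printf '%s\n' "$out"
}

# start_cmd NODE_ADDR STORE_NAME JOIN_LIST
#   Prints the start command for one node: it listens on its own address,
#   serves the DB Console on its own address, and joins the shared list.
start_cmd() {
    printf 'cockroach start --certs-dir=certs --store=%s --listen-addr=%s:26257 --http-addr=%s:8080 --join=%s --background\n' \
        "$2" "$1" "$1" "$3"
}

# Demo with constructed addresses: print the command to run on each node.
NODES="10.0.0.11 10.0.0.12 10.0.0.13"
JOIN=$(join_list $NODES)
i=1
for n in $NODES; do
    echo "# on $n:"
    start_cmd "$n" "server$i" "$JOIN"
    i=$((i + 1))
done
```

Run preflight_certs certs on each node right before cockroach start; a non-zero exit with a message on stderr tells you which of the three conditions failed, so the node never comes up with a leaked CA key or a world-readable node key.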

How to create a user with a password

Back on the controlling node, open the CockroachDB SQL shell (it authenticates as root with the client certificate in the certs directory) with:

cockroach sql --certs-dir=certs --host=SERVER1:26257

Where SERVER1 is the IP address of the controlling node.

Create a new user/password with:

CREATE USER username WITH PASSWORD 'password';

Where username is a unique user and password is a strong, unique password. CockroachDB stores only a hash of the password; clients that connect with this user present the password over the TLS connection instead of a client certificate.

Membership of the admin role gives a user full control over every database in the cluster, so grant it only to the account that will actually administer the cluster and use the DB Console in full. If this is that account, grant it with:

GRANT admin TO username;

Where username is the name of the user you just created. For an application account, skip this step and grant only the privileges it needs on the databases and tables it uses.

Exit the console with:

\q

You can now log into the CockroachDB DB Console at https://SERVER1:8080 with the user and password you just created (where SERVER1 is the address you bound --http-addr to on the controlling node; with --http-addr=localhost:8080 the console is only reachable from the node itself or through an SSH tunnel). In secure mode the console is served over HTTPS with the node certificate, so your browser will warn about an unknown issuer until you import certs/ca.crt into its trust store.

Congratulations, you’ve just deployed a CockroachDB cluster in secure mode. You can now manage your databases to your heart’s content.
