Before you can configure your Clevis clients to use encryption keys advertised by your Tang servers, you must identify the URLs of the servers.
You can identify the URLs of Tang servers deployed with the NBDE Tang Server Operator from the OperatorHub by using the OpenShift Container Platform web console. After you identify the URLs, you use the clevis luks bind
command on your clients containing LUKS-encrypted volumes that you want to unlock automatically by using keys advertised by the Tang servers. See the Configuring manual enrollment of LUKS-encrypted volumes section in the RHEL 9 Security hardening document for detailed steps describing the configuration of clients with Clevis.
You must have cluster-admin
privileges on an OpenShift Container Platform cluster.
You deployed a Tang server by using the NBDE Tang Server Operator on your OpenShift cluster.
In the OpenShift Container Platform web console, navigate to Operators → Installed Operators → Tang Server.
On the NBDE Tang Server Operator details page, select Tang Server.
The list of Tang servers deployed and available for your cluster appears. Click the name of the Tang server you want to bind with a Clevis client.
The web console displays an overview of the selected Tang server. You can find the URL of your Tang server in the Tang Server External Url
section of the screen:
In this example, the URL of the Tang server is http://34.28.173.205:7500
.
You can check that the Tang server is advertising by using curl
, wget
, or similar tools, for example:
$ curl 2> /dev/null http://34.28.173.205:7500/adv | jq
{
"payload": "eyJrZXlzIj…eSJdfV19",
"protected": "eyJhbGciOiJFUzUxMiIsImN0eSI6Imp3ay1zZXQranNvbiJ9",
"signature": "AUB0qSFx0FJLeTU…aV_GYWlDx50vCXKNyMMCRx"
}
You can identify the URLs of Tang servers deployed with the NBDE Tang Server Operator from the OperatorHub by using the CLI. After you identify the URLs, you use the clevis luks bind
command on your clients containing LUKS-encrypted volumes that you want to unlock automatically by using keys advertised by the Tang servers. See the Configuring manual enrollment of LUKS-encrypted volumes section in the RHEL 9 Security hardening document for detailed steps describing the configuration of clients with Clevis.
You must have cluster-admin
privileges on an OpenShift Container Platform cluster.
You have installed the OpenShift CLI (oc
).
You deployed a Tang server by using the NBDE Tang Server Operator on your OpenShift cluster.
List details about your Tang server, for example:
$ oc -n nbde describe tangserver
…
Spec:
…
Status:
Ready: 1
Running: 1
Service External URL: http://34.28.173.205:7500/adv
Tang Server Error: No
Events:
…
Use the value of the Service External URL:
item without the /adv
part. In this example, the URL of the Tang server is http://34.28.173.205:7500
.
You can check that the Tang server is advertising by using curl
, wget
, or similar tools, for example:
$ curl 2> /dev/null http://34.28.173.205:7500/adv | jq
{
"payload": "eyJrZXlzIj…eSJdfV19",
"protected": "eyJhbGciOiJFUzUxMiIsImN0eSI6Imp3ay1zZXQranNvbiJ9",
"signature": "AUB0qSFx0FJLeTU…aV_GYWlDx50vCXKNyMMCRx"
}
Configuring manual enrollment of LUKS-encrypted volumes section in the RHEL 9 Security hardening document.