Identifying URL of a Tang server deployed with the NBDE Tang Server Operator
Before you can configure your Clevis clients to use encryption keys advertised by your Tang servers, you must identify the URLs of the servers.
Identifying URL of the NBDE Tang Server Operator using the web console
You can identify the URLs of Tang servers deployed with the NBDE Tang Server Operator from the software catalog by using the OpenShift Container Platform web console. After you identify the URLs, you use the clevis luks bind command on your clients containing LUKS-encrypted volumes that you want to unlock automatically by using keys advertised by the Tang servers. See the Configuring manual enrollment of LUKS-encrypted volumes section in the RHEL 9 Security hardening document for detailed steps describing the configuration of clients with Clevis.
-
You must have
cluster-adminprivileges on an OpenShift Container Platform cluster. -
You deployed a Tang server by using the NBDE Tang Server Operator on your OpenShift cluster.
-
In the OpenShift Container Platform web console, navigate to Ecosystem → Installed Operators → Tang Server.
-
On the NBDE Tang Server Operator details page, select Tang Server.
-
The list of Tang servers deployed and available for your cluster appears. Click the name of the Tang server you want to bind with a Clevis client.
-
The web console displays an overview of the selected Tang server. You can find the URL of your Tang server in the
Tang Server External Urlsection of the screen:
In this example, the URL of the Tang server is
http://34.28.173.205:7500.
-
You can check that the Tang server is advertising by using
curl,wget, or similar tools, for example:$ curl 2> /dev/null http://34.28.173.205:7500/adv | jqExample output{ "payload": "eyJrZXlzIj…eSJdfV19", "protected": "eyJhbGciOiJFUzUxMiIsImN0eSI6Imp3ay1zZXQranNvbiJ9", "signature": "AUB0qSFx0FJLeTU…aV_GYWlDx50vCXKNyMMCRx" }
Identifying URL of the NBDE Tang Server Operator using CLI
You can identify the URLs of Tang servers deployed with the NBDE Tang Server Operator from the software catalog by using the CLI. After you identify the URLs, you use the clevis luks bind command on your clients containing LUKS-encrypted volumes that you want to unlock automatically by using keys advertised by the Tang servers. See the Configuring manual enrollment of LUKS-encrypted volumes section in the RHEL 9 Security hardening document for detailed steps describing the configuration of clients with Clevis.
-
You must have
cluster-adminprivileges on an OpenShift Container Platform cluster. -
You have installed the OpenShift CLI (
oc). -
You deployed a Tang server by using the NBDE Tang Server Operator on your OpenShift cluster.
-
List details about your Tang server, for example:
$ oc -n nbde describe tangserverExample output… Spec: … Status: Ready: 1 Running: 1 Service External URL: http://34.28.173.205:7500/adv Tang Server Error: No Events: … -
Use the value of the
Service External URL:item without the/advpart. In this example, the URL of the Tang server ishttp://34.28.173.205:7500.
-
You can check that the Tang server is advertising by using
curl,wget, or similar tools, for example:$ curl 2> /dev/null http://34.28.173.205:7500/adv | jqExample output{ "payload": "eyJrZXlzIj…eSJdfV19", "protected": "eyJhbGciOiJFUzUxMiIsImN0eSI6Imp3ay1zZXQranNvbiJ9", "signature": "AUB0qSFx0FJLeTU…aV_GYWlDx50vCXKNyMMCRx" }
Additional resources
-
Configuring manual enrollment of LUKS-encrypted volumes section in the RHEL 9 Security hardening document.