As more and more services move to "secure by default" behavior, it becomes important to simplify PKI/TLS infrastructure provisioning in lab environments.
Containerlab eases the process of certificate provisioning by providing the following features:
- Automated certificate provisioning for lab nodes.
- Simplified CLI for CA and end-node keys generation.
- Ability to use custom/external CA.
Automated certificate provisioning
Automated certificate provisioning is a two-stage process. First, containerlab creates a Certificate Authority (CA) and generates a certificate and key for it, storing these artifacts in the lab directory under the .tls directory. Then, containerlab generates a certificate and key for each node of a lab and signs it with the CA. The signed certificate and key are then installed on the node.
Currently, automated installation of a node certificate is implemented only for Nokia SR Linux.
When generating the CA certificate and key, containerlab can take in the following optional parameters:
- .settings.certificate-authority.key-size - the size of the key in bytes, default is 2048
- .settings.certificate-authority.validity-duration - the duration of the certificate. For example: 1000h. Max unit is hour. Default is
The decision to generate node certificates is driven by either of the following two parameters:
- node kind
- issue boolean parameter under
For SR Linux nodes the issue parameter is set to true and can't be changed. For other node kinds the issue parameter is set to false by default and can be overridden by the user.
Simplified CLI for CA and end-node keys generation
Apart from the automated pipeline for certificate provisioning, containerlab exposes the following commands that create a CA and a node's cert/key:
- tools cert ca create - creates a Certificate Authority
- tools cert sign - creates a certificate/key for a host and signs the certificate with the CA
With these two commands users can easily create CA and node certificates and secure the transport channel of various protocols. This lab demonstrates how, with containerlab's help, one can easily create certificates and configure Nokia SR OS to use them for secured gNMI communication.
Users who require more control over the certificate generation process can use an existing external CA. Containerlab needs to be provided with the CA certificate and key via the .settings.certificate-authority.cert and .settings.certificate-authority.key configuration parameters.
When using an external CA, containerlab will not generate a CA certificate and key. Instead, it will use the provided CA certificate and key to sign the node certificates.
The paths can be provided in absolute or relative form. If the path is relative, it is relative to the directory where the clab file is located.
In addition to setting external CA files via the settings section, users can also set the following environment variables:
- CLAB_CA_CERT_FILE - path to the CA certificate
- CLAB_CA_KEY_FILE - path to the CA key
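As an added example (not containerlab's own code) of how the certificate-authority settings and the CA environment variables above interact, the Go function below checks a certificate-authority block the way a reviewer would before deploying: it parses validity-duration with Go duration syntax (which is why the largest accepted unit is the hour), requires cert and key to be given together, and resolves relative paths against the directory holding the clab file. The CASettings struct, the key-size default handling and the rule that CLAB_CA_CERT_FILE/CLAB_CA_KEY_FILE only fill in paths the settings leave empty are assumptions made for this example.

```go
package main

import (
	"fmt"
	"path/filepath"
	"time"
)

// CASettings holds the .settings.certificate-authority parameters named in the
// text (key-size, validity-duration, cert, key); the struct shape is assumed.
type CASettings struct {
	KeySize                     int
	ValidityDuration, Cert, Key string
}

// ResolveCA validates the CA block: validity-duration uses Go duration syntax,
// so "h" is the largest unit and "30d" is rejected; cert and key must be given
// together; relative paths resolve against the directory holding the clab file.
// Empty cert/key in the result means containerlab generates its own CA.
// Assumed: CLAB_CA_CERT_FILE / CLAB_CA_KEY_FILE fill in only omitted paths.
func ResolveCA(s CASettings, clabFile string, getenv func(string) string) (cert, key string, keySize int, validity time.Duration, err error) {
	keySize = s.KeySize
	if keySize == 0 {
		keySize = 2048 // documented default
	}
	if s.ValidityDuration != "" {
		validity, err = time.ParseDuration(s.ValidityDuration)
		if err != nil || validity <= 0 {
			return "", "", 0, 0, fmt.Errorf("validity-duration %q: want a positive duration, max unit h", s.ValidityDuration)
		}
	}
	cert, key = s.Cert, s.Key
	if cert == "" {
		cert = getenv("CLAB_CA_CERT_FILE")
	}
	if key == "" {
		key = getenv("CLAB_CA_KEY_FILE")
	}
	if (cert == "") != (key == "") {
		return "", "", 0, 0, fmt.Errorf("external CA needs both cert and key")
	}
	abs := func(p string) string { // relative paths are relative to the clab file
		if p == "" || filepath.IsAbs(p) {
			return p
		}
		return filepath.Join(filepath.Dir(clabFile), p)
	}
	return abs(cert), abs(key), keySize, validity, nil
}
```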