Generating the Keys
Concourse's various components use RSA keys to verify tokens and worker registration requests.
A minimal deployment will require the following keys:
- Session Signing Key
  Used by the web node for signing and verifying user session tokens.
- TSA Host Key
  Used by the web node for the SSH worker registration gateway server ("TSA"). The public key is given to each worker node to verify the remote host when connecting via SSH.
- Worker Key
  Each worker node verifies its registration with the web node via an SSH key. The public key must be listed in the web node's authorized worker keys file in order for the worker to register.
To generate these keys, run:
    concourse generate-key -t rsa -f ./session_signing_key
    concourse generate-key -t ssh -f ./tsa_host_key
    concourse generate-key -t ssh -f ./worker_key
Or, using ssh-keygen:
    ssh-keygen -t rsa -b 4096 -m PEM -f ./session_signing_key
    ssh-keygen -t rsa -b 4096 -m PEM -f ./tsa_host_key
    ssh-keygen -t rsa -b 4096 -m PEM -f ./worker_key
At this point you should have the following files:
You can remove the session_signing_key.pub file if you have one; it is not needed by any process in Concourse.
Multiple Worker Keys
Currently you have one worker_key. You can use this one key-pair with multiple worker nodes. Another good strategy is to give each worker, or each group of workers, a key that is unique to that worker or group.
In the second case you will end up with multiple private and public worker keys. The web node needs to know about all of the public worker keys. To pass them to the web node, create a file that contains all of the worker public keys. A common name for this file is authorized_worker_keys. The file should look like this, with one public key per line:
    $ cat authorized_worker_keys
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCgKtVnbGRJ7Y63QKoO+loS...
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDU6lA4gSRYIc4MXzphJ2l5...
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDgNU7KBz/QQusPO52pNcea...
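Before handing an authorized_worker_keys file to the web node, it can be audited for malformed lines, short RSA moduli and keys listed more than once. The following is an added example, not part of Concourse or of the original page; it assumes OpenSSH-style "type base64 [comment]" lines, and the function names, the 2048-bit floor and the sample keys are all made up for illustration.

```python
import base64, hashlib
MIN_RSA_BITS = 2048  # assumed policy floor, not a Concourse requirement

def _field(blob, off):  # read one length-prefixed field (RFC 4251 "string")
    end = off + 4 + int.from_bytes(blob[off:off + 4], "big")
    if off + 4 > len(blob) or end > len(blob):
        raise ValueError("truncated blob")
    return blob[off + 4:end], end

def audit(text):
    """Return (entries, problems) for authorized_worker_keys contents."""
    entries, problems, seen = [], [], {}
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        try:
            if len(fields) < 2:
                raise ValueError("expected '<type> <base64> [comment]'")
            blob = base64.b64decode(fields[1], validate=True)
            algo, off = _field(blob, 0)
            if algo != fields[0].encode():
                raise ValueError("key type does not match blob")
            bits = None
            if algo == b"ssh-rsa":  # blob layout: type, exponent e, modulus n
                _e, off = _field(blob, off)
                n, off = _field(blob, off)
                bits = int.from_bytes(n, "big").bit_length()
        except ValueError as exc:  # binascii.Error subclasses ValueError
            problems.append((lineno, f"malformed: {exc}"))
            continue
        # Same fingerprint form that `ssh-keygen -l` prints for SHA256
        fp = "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
        if seen.setdefault(fp, lineno) != lineno:  # first line to list a key wins
            problems.append((lineno, f"duplicate of line {seen[fp]}"))
        if bits is not None and bits < MIN_RSA_BITS:
            problems.append((lineno, f"RSA modulus is only {bits} bits"))
        entries.append((lineno, fields[0], bits, fp))
    return entries, problems

def constructed_line(bits, name):
    """Constructed sample: well-formed ssh-rsa line with a made-up modulus (not a usable key)."""
    n = (1 << (bits - 1)) | int.from_bytes(hashlib.sha256(name.encode()).digest(), "big") | 1
    pack = lambda b: len(b).to_bytes(4, "big") + b
    blob = pack(b"ssh-rsa") + pack(b"\x01\x00\x01") + pack(b"\x00" + n.to_bytes(bits // 8, "big"))
    return f"ssh-rsa {base64.b64encode(blob).decode()} {name}"

SAMPLE = "\n".join([  # constructed input: good key, short key, repeated key, junk
    constructed_line(4096, "worker-a"), constructed_line(1024, "worker-b"),
    constructed_line(4096, "worker-a"), "ssh-rsa not-base64!! worker-c"])
if __name__ == "__main__": print(*audit(SAMPLE)[1], sep="\n")
```

The fingerprints in the returned entries can be compared with the output of ssh-keygen -l -f on each worker's public key file to confirm which worker each line belongs to.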
You should now have all the keys needed to deploy web and worker nodes.