Cluster Manager
NMX Manager is a component of the NMX solution designed for collecting and processing data center telemetry, monitoring, and providing insights and predictions on system operability and health. The role of NMX Manager is to aggregate streamed telemetry from the NMX Telemetry subsystem, filter, sort, run local predictions, and stream the collected data into the NMX Oasis data lake for further analysis. Additionally, NMX Manager can control network behavior and configuration settings by sending control messages to the NMX Controller.
Presented below is the NVOS configuration for utilizing Cluster Manager in a non-secure environment.
admin@nvos:~$ nv set cluster state enabled
admin@nvos:~$ nv config apply
admin@nvos:~$ nv action update cluster apps nmx-controller manager encryption disabled
admin@nvos:~$ nv action update cluster apps nmx-controller manager enabled
NMX Controller and NMX Telemetry offer security support.
They use GRPC for client communication, which works over TLS or MTLS configured via NVOS CLI. Below is a simple flow for using MTLS with Cluster Manager, along with a list of cluster commands attached to this manual.
The same CA could be used on both sides, or each side could choose a different CA.
Flow Description
In NVOS, the Cluster applications NMX-C/NMX-T function as GRPC servers, while the Cluster Manager device operates as the GRPC client.
The configuration from the NVOS CLI stores the Client CA certificate and the Server certificate on the NVOS side and binds the certificates to the apps for supporting the TLS/MTLS on top of GRPC.
Configuration for Enabling mTLS with Cluster Manager
To configure mutual TLS (mTLS) with Cluster Manager, ensure that the necessary certificates and configurations are set up across both the control plane and data plane components. Below is an example of how to configure mTLS in your Cluster Manager environment:
admin@nvos:~$ nv set cluster state enabled
admin@nvos:~$ nv config apply
admin@nvos:~$ nv action import system security certificate cert-name passphrase 12345678 uri-bundle scp://your_username:your_password@1.2.3.4/path-to-cert/cert.p12 //Saving the server certificate for TLS/MTLS
admin@nvos:~$ nv action import system security ca-certificate cacert-name uri scp://your_username:your_password@1.2.3.4/path-to-cacert/ca.crt //Saving the Client CA certificate for MTLS
admin@nvos:~$ nv action update cluster apps nmx-controller manager enabled
admin@nvos:~$ nv action update cluster apps nmx-controller manager certificate cert-name //binding the imported certificate to NMX
admin@nvos:~$ nv action update cluster apps nmx-controller manager ca-certificate cacert-name //binding the imported CA certificate to NMX
admin@nvos:~$ nv action update cluster apps nmx-controller manager encryption mtls
Configuration for Enabling TLS with Cluster Manager
To enable TLS with Cluster Manager, you must configure the appropriate certificates and security settings for encrypted communication between services in the cluster. Below is an example configuration for setting up TLS in your Cluster Manager environment:
admin@nvos:~$ nv set cluster state enabled
admin@nvos:~$ nv config apply
admin@nvos:~$ nv action import system security certificate cert-name passphrase 12345678 uri-bundle scp://your_username:your_password@1.2.3.4/path-to-cert/cert.p12
admin@nvos:~$ nv action update cluster apps nmx-controller manager enabled
admin@nvos:~$ nv action update cluster apps nmx-controller manager certificate cert-name
admin@nvos:~$ nv action update cluster apps nmx-controller manager encryption tls
Action commands of Cluster Manager require a 5-second delay for execution between them. During this period, GPRC traffic will be paused. The command nv action update cluster apps log-level is an exception to this rule.