cloud: add secure kubernetes config (and other tweaks) #16486
This is very cool, thanks for working on it! A blog post on how you threw this together would probably do pretty well.

Reviewed 5 of 6 files at r1.

cloud/kubernetes/cockroachdb-statefulset-secure.yaml, line 109 at r1 (raw file):
Is this idempotent? i.e. what happens if you run

cloud/kubernetes/cockroachdb-statefulset-secure.yaml, line 123 at r1 (raw file):
This is... less than ideal. It's possible for people to specify custom DNS domains other than

cloud/kubernetes/cockroachdb-statefulset.yaml, line 83 at r1 (raw file):
Whether we want to move this and the init container annotation is debatable. It's probably fine, but moving them restricts us to only working on the most recent version of Kubernetes (1.6), whereas we could otherwise run on 1.4: #15695 Our config in the Kubernetes repo is up-to-date because they like all their examples to be on the latest hotness, but I don't know if the same tradeoffs apply here. What do you think?

cloud/kubernetes/minikube.sh, line 5 at r1 (raw file):
This file actually isn't needed anymore either, since minikube has been able to create PVs on demand for a while now.

cloud/kubernetes/README.md, line 67 at r1 (raw file):
Ditto on this bit no longer being needed

cloud/kubernetes/README.md, line 104 at r1 (raw file):
It might be worth mentioning that this'll happen one at a time, since if it seemed weird to you it may seem weird to others

cloud/kubernetes/README.md, line 106 at r1 (raw file):
If auto-approval is an option, it might be worth linking to the docs section about it as an option for anyone that's just kicking the tires.

cloud/kubernetes/README.md, line 189 at r1 (raw file):
s/you/you'll/

Comments from Reviewable
Review status: 5 of 6 files reviewed at latest revision, 8 unresolved discussions, all commit checks successful.

cloud/kubernetes/cockroachdb-statefulset-secure.yaml, line 109 at r1 (raw file): Previously, a-robinson (Alex Robinson) wrote…
I'll test this. From what you said earlier, I take it the disk will be reused. The init container still runs and just skips it, right? If that's the case, then as long as I don't fail overwriting the files, it should be fine.

cloud/kubernetes/cockroachdb-statefulset-secure.yaml, line 123 at r1 (raw file): Previously, a-robinson (Alex Robinson) wrote…
oh. good point. Switched over to

cloud/kubernetes/cockroachdb-statefulset.yaml, line 83 at r1 (raw file): Previously, a-robinson (Alex Robinson) wrote…
We already require 1.5 for statefulsets, right? Is it that inconvenient to require 1.6? I'm happy leaving it, but I do like the clarity of the yaml format.

cloud/kubernetes/minikube.sh, line 5 at r1 (raw file): Previously, a-robinson (Alex Robinson) wrote…
ok. Deleted.

cloud/kubernetes/README.md, line 67 at r1 (raw file): Previously, a-robinson (Alex Robinson) wrote…
Done.

cloud/kubernetes/README.md, line 104 at r1 (raw file): Previously, a-robinson (Alex Robinson) wrote…
Done.

cloud/kubernetes/README.md, line 106 at r1 (raw file): Previously, a-robinson (Alex Robinson) wrote…
It's not, the docs just say you can either do it manually or have a process that uses the API to do this.

cloud/kubernetes/README.md, line 189 at r1 (raw file): Previously, a-robinson (Alex Robinson) wrote…
Done.
Added the config files for the load generator example, one for secure and another for insecure. Small section in the README for how to run those.

Review status: 2 of 8 files reviewed at latest revision, 8 unresolved discussions, some commit checks pending.
Reviewed 4 of 6 files at r2.

cloud/kubernetes/cockroachdb-statefulset-secure.yaml, line 123 at r1 (raw file): Previously, mberhault (marc) wrote…
Heh, I'm not used to seeing this as

cloud/kubernetes/cockroachdb-statefulset-secure.yaml, line 20 at r2 (raw file):
This only works in certain environments (e.g. it won't work in minikube AFAIK), so I don't know how valuable it is to include. It may be better to just link to https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services---service-types from the README

cloud/kubernetes/cockroachdb-statefulset.yaml, line 83 at r1 (raw file): Previously, mberhault (marc) wrote…
You're right, we have been limited to 1.5 due to the rename. I guess I'm fine with this, anyone who needs an older version can grab it from the git history. Might be worth a disclaimer in the README/docs about which versions the configs work with, though.

cloud/kubernetes/example_app.yaml, line 4 at r2 (raw file):
Looks like you forgot to remove the

cloud/kubernetes/example_app_secure.yaml, line 20 at r2 (raw file):
This will require an administrator to approve a cert every time a new pod starts, right? So every time a node goes down and a pod has to move elsewhere, or every time the admin does a rolling upgrade on the deployment? If so, I'm not sure whether this is the best model in practice, since it requires an admin to be around to handle any sort of event that causes the pods to be recreated. The alternative would be to pre-create certs and store them as Secrets which then get mounted by client pods. Let's chat about this today/tomorrow.
Review status: 6 of 8 files reviewed at latest revision, 11 unresolved discussions, all commit checks successful.

cloud/kubernetes/cockroachdb-statefulset-secure.yaml, line 20 at r2 (raw file): Previously, a-robinson (Alex Robinson) wrote…
ok, removed. I think we can leave people to figure that out by themselves for now.

cloud/kubernetes/cockroachdb-statefulset.yaml, line 83 at r1 (raw file): Previously, a-robinson (Alex Robinson) wrote…
Added version information to README.

cloud/kubernetes/example_app.yaml, line 4 at r2 (raw file): Previously, a-robinson (Alex Robinson) wrote…
Done.

cloud/kubernetes/example_app_secure.yaml, line 20 at r2 (raw file): Previously, a-robinson (Alex Robinson) wrote…
Ok. I'm adding a bold warning to the readme. Going through secrets is probably the right way to go.
I'll note that eventually it should be easier to get certs from Kube for containers and service identities - when that happens the expectation would be that someone else creates the cert for you in a secret that your pods prereference. But we're still a ways away from that. |
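The Secrets-based alternative raised in the review above (pre-created node certs mounted into each pod instead of an init container requesting them from the Kubernetes CA), written here as an added example rather than this PR's own config; the Secret name, mount path, service names and join list are assumptions.

```yaml
# Added example, not this PR's config: node certs are created out of band,
#   cockroach cert create-ca --certs-dir=certs --ca-key=ca.key
#   cockroach cert create-node --certs-dir=certs --ca-key=ca.key \
#     localhost cockroachdb-public '*.cockroachdb'
#   kubectl create secret generic cockroachdb-node-certs --from-file=certs
# and mounted from that Secret, so a rescheduled pod needs no CSR approval.
# Secret name, mount path, service names and join list are assumptions.
apiVersion: apps/v1beta1
kind: StatefulSet
metadata:
  name: cockroachdb
spec:
  serviceName: cockroachdb
  replicas: 3
  template:
    metadata:
      labels:
        app: cockroachdb
    spec:
      containers:
      - name: cockroachdb
        image: cockroachdb/cockroach
        ports:
        - containerPort: 26257
          name: grpc
        - containerPort: 8080
          name: http
        volumeMounts:
        - name: datadir
          mountPath: /cockroach/cockroach-data
        - name: certs
          mountPath: /cockroach-certs
          readOnly: true
        command:
        - /bin/bash
        - "-ecx"
        # --certs-dir replaces --insecure; only the names baked into node.crt
        # above will verify, which is why out-of-cluster clients still fail.
        - exec /cockroach/cockroach start --logtostderr --certs-dir=/cockroach-certs
          --host=$(hostname -f)
          --join=cockroachdb-0.cockroachdb,cockroachdb-1.cockroachdb,cockroachdb-2.cockroachdb
      volumes:
      - name: certs
        secret:
          secretName: cockroachdb-node-certs
          defaultMode: 256   # 0400: cockroach rejects key files readable by others
      - name: datadir
        emptyDir: {}
```

Rotation then means replacing the Secret and restarting the pods, and anyone granted `get` on Secrets in the namespace can read the node key; that is the trade against requiring a CSR approval for every recreated pod.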
Reviewed 1 of 6 files at r2, 2 of 4 files at r3, 2 of 2 files at r4.

cloud/kubernetes/cockroachdb-statefulset-secure.yaml, line 109 at r1 (raw file): Previously, mberhault (marc) wrote…
Ever get around to testing this?

cloud/kubernetes/README.md, line 33 at r4 (raw file):
Might want to remove or rework this warning now. Sorry for missing that earlier.

cloud/kubernetes/README.md, line 167 at r4 (raw file):
Tiny nit, but this doesn't read well as written. Should be either "there is no secure ..." or "there is not a secure ..."
* add cockroachdb-statefulset-secure.yaml which requests node certificates from the kubernetes CA.
* yamlify cockroachdb-statefulset.yaml (from the kubernetes/kubernetes repo)
* add Azure to README
* drop the cloud scripts, they're just `kubectl create` and `kubectl delete`

The only differences between the secure and non-secure configs are:

* init-certs init container that requests certs and copies the CA
* cert volume added to the cockroachdb container
* `--certs-dir` being used instead of `--insecure`

This only brings up the cluster. Anything outside the cluster will probably not be able to talk to it since the external addresses are not passed to the cert. One step at a time though.
Review status: 7 of 8 files reviewed at latest revision, 4 unresolved discussions.

cloud/kubernetes/cockroachdb-statefulset-secure.yaml, line 109 at r1 (raw file): Previously, a-robinson (Alex Robinson) wrote…
Not yet. Given the manual process involved in renewing certs, I think I'll keep my more intensive testing for after the secrets-based implementation. As is, this is mostly a proof of concept (and me learning how k8s works).

cloud/kubernetes/README.md, line 33 at r4 (raw file): Previously, a-robinson (Alex Robinson) wrote…
Done. I've also removed some other parts that referred to the now-removed

cloud/kubernetes/README.md, line 167 at r4 (raw file): Previously, a-robinson (Alex Robinson) wrote…
Done.
I hope you haven't been waiting on me, but if you were, this still LGTM.

Reviewed 1 of 1 files at r5.
fixes #16385