Add secure DaemonSet instructions #4037
Conversation
|
This change is |
|
v2.1/kubernetes-performance.md, line 437 at r1 (raw file):
@a-robinson, can you help me tweak this for a secure deployment? I'm not sure how to do it. For statefulsets, we have a distinct init file to use. Also, if you see other ways the instructions need to be change for secure vs. insecure, please add those comments. |
There was a problem hiding this comment.
Reviewed 1 of 1 files at r1.
Reviewable status:complete! 0 of 0 LGTMs obtained
v2.1/kubernetes-performance.md, line 417 at r1 (raw file):
10.128.0.4,10.128.0.5,10.128.0.3
Is this meant to be the list that's already in the file (because it's not...)? Or an example? It's not clear to me.
v2.1/kubernetes-performance.md, line 437 at r1 (raw file):
Previously, jseldess (Jesse Seldess) wrote…
@a-robinson, can you help me tweak this for a secure deployment? I'm not sure how to do it. For statefulsets, we have a distinct init file to use.
Also, if you see other ways the instructions need to be change for secure vs. insecure, please add those comments.
First off, this should mention the need to approve certificate signing requests in the secure version.
For initialization, see the comment at the top of the YAML file:
# You will then have to approve certificate signing requests and initialize the
# cluster as described in the parent directory's README.md file. In order for
# the initialization step to work, note that you will need to change the
# address used by the cluster-init-secure.yaml file on the
# "--host=cockroachdb-0.cockroach" line from "cockroachdb-0.cockroach" to the
# address of one of your nodes.
In other words, you have to take the cloud/kubernetes/cluster-init-secure.yaml file, replace the line --host=cockroachdb-0.cockroach with --host=<one-of-your-addresses>, and then create the init job: kubectl create -f cluster-init-secure.yaml
We should run through this again using the docs to verify nothing else is missing. Are you up for it, or should I?
There was a problem hiding this comment.
Reviewable status:
v2.1/kubernetes-performance.md, line 417 at r1 (raw file):
Previously, a-robinson (Alex Robinson) wrote…
10.128.0.4,10.128.0.5,10.128.0.3Is this meant to be the list that's already in the file (because it's not...)? Or an example? It's not clear to me.
I'm not sure. I didn't change this content, and you wrote the original doc ;). I'll check against the "list in the provided file."
v2.1/kubernetes-performance.md, line 437 at r1 (raw file):
Previously, a-robinson (Alex Robinson) wrote…
First off, this should mention the need to approve certificate signing requests in the secure version.
For initialization, see the comment at the top of the YAML file:
# You will then have to approve certificate signing requests and initialize the # cluster as described in the parent directory's README.md file. In order for # the initialization step to work, note that you will need to change the # address used by the cluster-init-secure.yaml file on the # "--host=cockroachdb-0.cockroach" line from "cockroachdb-0.cockroach" to the # address of one of your nodes.In other words, you have to take the
cloud/kubernetes/cluster-init-secure.yamlfile, replace the line--host=cockroachdb-0.cockroachwith--host=<one-of-your-addresses>, and then create the init job:kubectl create -f cluster-init-secure.yamlWe should run through this again using the docs to verify nothing else is missing. Are you up for it, or should I?
I should've run through the doc on my own first. Sorry about that. I'll take a shot at it.
There was a problem hiding this comment.
@a-robinson, I tried to test this out but wasn't able to figure out the steps for mounting a local ssd and the taints setting. But I did update the instructions to be more explicit, based on my understanding of the process. It'd be great if you could either run through the process on your own and leave notes here or run through the process with me.
Reviewable status:
There was a problem hiding this comment.
Let's chat about the local SSDs and taints/tolerations after our other meeting this afternoon.
Reviewed 1 of 1 files at r2.
Reviewable status:
v2.1/kubernetes-performance.md, line 430 at r2 (raw file):
3. Modify the file wherever there is a `TODO` comment, for example: - Unless you want CockroachDB running on every machine in your Kubernetes cluster, pick out which nodes you want to run CockroachDB on using either [node labels](#node-labels) or [node taints](#node-taints) and then configure them and the `DaemonSet` configuration file appropriately as described in the relevant [Dedicated Nodes](#dedicated-nodes) section.
I'd add something like: "If you do want CockroachDB running on every machine, just remove the nodeSelector and tolerations sections.
jseldess
force-pushed
the
secure-DaemonSet
branch
from
e26a1be
to
8598f68
Compare
There was a problem hiding this comment.
Thanks, Alex. I have to head out early today, so we'll have to sync about SSDs and taints another day soon.
Reviewable status:
v2.1/kubernetes-performance.md, line 430 at r2 (raw file):
Previously, a-robinson (Alex Robinson) wrote…
I'd add something like: "If you do want CockroachDB running on every machine, just remove the
nodeSelectorandtolerationssections.
Done.
jseldess
changed the title
There was a problem hiding this comment.
No worries, this is mergeable as is if you'd like.
Reviewable status:
Also restructure the content into steps. Fixes #3318.
jseldess
force-pushed
the
secure-DaemonSet
branch
from
8598f68
to
71e511a
Compare
Also restructure the content into steps.
Fixes #3318.