Bug 1507617 - Adding SSL and Authentication to etcd #522
Conversation
openshift-ci-robot
added
the
size/L
shawn-hurley
force-pushed
the
etcd-secure
branch
2 times, most recently
from
2bfd959
to
40d2e95
Compare
| value: /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt | ||
| - description: Value of the etcd server ca file | ||
| displayname: etcd trusted ca | ||
| name: ETCD_TRUESTED_CA |
There was a problem hiding this comment.
Should ETCD_TRUESTED_CA be ETCD_TRUSTED_CA?
| displayname: etcd trusted ca file path | ||
| name: BROKER_ETCD_TRUSTED_CA | ||
| value: /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt | ||
| - description: Value of the etcd server ca file |
scripts/run_latest_build.sh
Outdated
| -p ETCD_TRUSTED_CA_FILE=/var/run/etcd-auth-secret/ca.crt \ | ||
| -p BROKER_CLIENT_CERT_PATH=/var/run/asb-etcd-auth/client.crt \ | ||
| -p BROKER_CLIENT_KEY_PATH=/var/run/asb-etcd-auth/client.key \ | ||
| -p ETCD_TRUESTED_CA="$ETCD_CA_CERT" \ |
| name: etcd-auth-secret | ||
| namespace: ansible-service-broker | ||
| data: | ||
| ca.crt: ${ETCD_TRUESTED_CA} |
There was a problem hiding this comment.
I was holding it wrong, testing correctly this time.
Before I realized how wrong I was holding it
After making the changes to scripts/run_latest_build.sh that allows me to use a local template, the broker does not come up.
➜ ansible-service-broker git:(shurley-etcd-secure) ✗ oc get pods
NAME READY STATUS RESTARTS AGE
asb-1-deploy 1/1 Running 0 1m
asb-1-jf96c 0/1 CrashLoopBackOff 3 1m
asb-etcd-1-dg697 1/1 Running 0 1m
➜ ansible-service-broker git:(shurley-etcd-secure) ✗ oc get pods
NAME READY STATUS RESTARTS AGE
asb-1-deploy 1/1 Running 0 1m
asb-1-jf96c 0/1 CrashLoopBackOff 4 1m
asb-etcd-1-dg697 1/1 Running 0 1m
➜ ansible-service-broker git:(shurley-etcd-secure) ✗ oc logs asb-1-jf96c
Using config file mounted to /etc/ansible-service-broker/config.yaml
============================================================
== Starting Ansible Service Broker... ==
============================================================
[2017-10-31T13:45:36.053Z] [NOTICE] Initializing clients...
[2017-10-31T13:45:36.053Z] [DEBUG] Trying to connect to etcd
[2017-10-31T13:45:36.053Z] [INFO] == ETCD CX ==
[2017-10-31T13:45:36.053Z] [INFO] EtcdHost: asb-etcd.ansible-service-broker.svc
[2017-10-31T13:45:36.053Z] [INFO] EtcdPort: 2379
[2017-10-31T13:45:36.053Z] [INFO] Endpoints: [http://asb-etcd.ansible-service-broker.svc:2379]
[2017-10-31T13:45:36.056Z] [ERROR] client: etcd cluster is unavailable or misconfigured; error #0: malformed HTTP response "\x15\x03\x01\x00\x02\x02"
I suspect I'm holding it wrong.
scripts/run_latest_build.sh
Outdated
| @@ -74,23 +74,32 @@ oc new-project ansible-service-broker | |||
| # | |||
| TEMPLATE_URL="https://raw.githubusercontent.com/openshift/ansible-service-broker/master/templates/deploy-ansible-service-broker.template.yaml" | |||
There was a problem hiding this comment.
You don't have to make this change..but I would appreciate it, make this value override-able TEMPLATE_URL=${TEMPLATE_URL:-"..."}.
There was a problem hiding this comment.
@djzager You will need to use the broker image from the PR when running run_latest
There was a problem hiding this comment.
Yeah. That is what I was holding wrong 😎. Still playing with it.
|
Please note that we should ignore the gate error here as this PR will require the fusor/catasb#173 to be merged to go to green. |
| @@ -101,7 +120,7 @@ objects: | |||
| selector: | |||
| app: ansible-service-broker | |||
| strategy: | |||
| type: Recreate | |||
| type: Rolling | |||
There was a problem hiding this comment.
I think we want to leave this as recreate. See #511
There was a problem hiding this comment.
Rolling will be better now that we don't have to worry about the PV that etcd is using.
There was a problem hiding this comment.
Just some additional notes:
- I tested redeploying the broker and etcd 👍
- I tested scaling up the broker 👍
- I tested scaling up etcd 👎, this is because the replicated pod thinks it's a master...and it is not. I do not think this is something this PR should be concerned with. Dealing with etcd replicas is a pain and the whole reason I think CoreOS came out with the idea of operators. Just wanted to point it out.
There was a problem hiding this comment.
this is because the replicated pod thinks it's a master...and it is not. I do not think this is something this PR should be concerned with. Dealing with etcd replicas is a pain and the whole reason I think CoreOS came out with the idea of operators. Just wanted to point it out.
Agree, I could see adding a trello card to make this work better.
| @@ -215,8 +292,11 @@ objects: | |||
| white_list: | |||
| - ".*-apb$" | |||
| dao: | |||
| etcd_host: 0.0.0.0 | |||
| etcd_host: asb-etcd.${NAMESPACE}.svc | |||
There was a problem hiding this comment.
Why do you need .${NAMESPACE}.svc?
There was a problem hiding this comment.
Using ${NAMESPACE} will allow helios broker to pass the aws-service-broker namespace and use the same config. I did not go back and fix every instance but don't see why we can't start now. I can remove it if you feel strongly. also you need ${namespace}.svc for the internal DNS. The signed cert (generated from the openshift annotation) are valid for certain DNS names, I think the valid ones IIRC are
- .{namespace}.svc
- .{namespace}.cluster.local
- .{namespace}.local
If you are just looking the service, you could drop the {namespace.svc} because the DNS will assume you are looking in that namespace but we need SSL to work.
At least that is my understanding of what is going on.
There was a problem hiding this comment.
* etcd is now run in its own pod
shawn-hurley
force-pushed
the
etcd-secure
branch
from
44a42e7
to
77198b5
Compare
shawn-hurley
added
the
do-not-merge
|
Travis is having issues with this PR. |
* adding ability to use etcd athenticated * etcd is now run in its own pod * fixing run latest build to use etcd authentication * removing parameters that are not needed * fixing local dev scripts to work with new deployment * typos * allow for the overriding of the deployment-template in run_latest_build.sh * fixing build issue. * fixing deploy script hopefully * fixing gate * trying to remove new line from certs * triming all withspace. * actaully setting the correct value * remove debug statements.
Describe what this PR does and why we need it:
adds SSL and auth to etcd
Changes proposed in this pull request
Does this PR depend on another PR (Use this to track when PRs should be merged)
fusor/catasb#173
Also, this will need to be released to latest the changes to run_latest_build.sh
Which issue this PR fixes (This will close that issue when PR gets merged)
fixes <issue_number>
BZ#1507617
fixes #514