Add manifests for deploying core etcd and etcd proxy #1
Conversation
xmudrii
changed the title
artifacts/experimental/etcd.yaml
Outdated
| apiVersion: v1 | ||
| kind: Pod | ||
| metadata: | ||
| name: etcd-pod |
There was a problem hiding this comment.
rename this. It's the core-etcd, right?
artifacts/experimental/etcd.yaml
Outdated
| args: ["--listen-client-urls=http://0.0.0.0:2379", "--advertise-client-urls=http://0.0.0.0:2379"] | ||
| ports: | ||
| - name: etcd | ||
| containerPort: 2379 |
There was a problem hiding this comment.
please make a service that exposes this.
There was a problem hiding this comment.
The service is added in #2
| - name: etcdproxy | ||
| image: quay.io/coreos/etcd:v3.2.18 | ||
| command: ["/usr/local/bin/etcd", "grpc-proxy", "start"] | ||
| args: ["--endpoints=http://172.17.0.3:2379", "--namespace=/exp", "--listen-addr=0.0.0.0:23790"] |
There was a problem hiding this comment.
ip address is not known ahead of time, so this won't work generically.
There was a problem hiding this comment.
reference the service, not the pod.
There was a problem hiding this comment.
xmudrii
changed the title
| - name: etcdproxy | ||
| image: quay.io/coreos/etcd:v3.2.18 | ||
| command: ["/usr/local/bin/etcd", "grpc-proxy", "start"] | ||
| args: ["--endpoints=http://etcd-svc-1.etcd.svc.cluster.local:2379", "--namespace=/exp", "--listen-addr=0.0.0.0:2379"] |
There was a problem hiding this comment.
nit: .cluster.local is configurable, so you probably want to end at .svc
artifacts/experimental/etcd.yaml
Outdated
| image: quay.io/coreos/etcd:v3.2.18 | ||
| env: | ||
| - name: ETCD_CERT_FILE | ||
| value: "/etc/server-certs/server.pem" |
There was a problem hiding this comment.
this wasn't here before, right? Adding this means you have to add trust certs to have the proxy trust the core etcd, right?
There was a problem hiding this comment.
No, it wasn't. It was in #2 and I added it here when updating.
Not sure I'm following, but in this case I have to add server certs here, and client certs to etcd proxy. Client certs were not added before, but I updated the PR to include those as well.
Nothing else is needed, I think.
|
Looks good enough to me if you want to start here. I'm not certain it runs though. |
|
@deads2k Updated the PR to include client certs for etcd proxy. I have tested the manifests on my two clusters (one ran using |
| args: ["--endpoints=https://etcd-svc-1.etcd.svc:2379", "--namespace=/example", "--listen-addr=0.0.0.0:2379", "--cacert=/etc/certs/ca.pem", "--cert=/etc/certs/client.pem", "--key=/etc/certs/client-key.pem"] | ||
| volumeMounts: | ||
| - name: client-certs | ||
| mountPath: "/etc/certs" |
There was a problem hiding this comment.
nit, you'll want these to be specific in teh final version
xmudrii
added
the
ready-for-review
No description provided.