Add manifests for deploying core etcd and etcd proxy #1
Conversation
artifacts/experimental/etcd.yaml
Outdated
apiVersion: v1
kind: Pod
metadata:
  name: etcd-pod
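Review bot: beyond the name, `kind: Pod` here means the core etcd runs as a bare, uncontrolled Pod: nothing restarts or reschedules it if the node goes away, and it gets no stable network identity or persistent volume for its data directory. Since the proxy and everything behind it depend on this store, suggest a StatefulSet (or at least a Deployment) and an explicit `namespace:` so the service name the proxy references later resolves predictably.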
rename this. It's the core-etcd, right?
Done
artifacts/experimental/etcd.yaml
Outdated
args: ["--listen-client-urls=http://0.0.0.0:2379", "--advertise-client-urls=http://0.0.0.0:2379"]
ports:
- name: etcd
  containerPort: 2379
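Review bot: `--advertise-client-urls=http://0.0.0.0:2379` advertises the wildcard bind address, which is not routable, so any client that discovers endpoints from the member list gets a URL it cannot dial; advertise the service DNS name (or the pod IP via the downward API) instead. Both URLs are also plain `http`, so client traffic to the core etcd is unencrypted and unauthenticated, and whatever namespace restriction a proxy applies in front of it can be bypassed by anything that can reach port 2379 directly; if TLS is out of scope for this experimental manifest, a comment saying so would help the next reader.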
please make a service that exposes this.
The service is added in #2
- name: etcdproxy
  image: quay.io/coreos/etcd:v3.2.18
  command: ["/usr/local/bin/etcd", "grpc-proxy", "start"]
  args: ["--endpoints=http://172.17.0.3:2379", "--namespace=/exp", "--listen-addr=0.0.0.0:23790"]
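Review bot: besides the hard-coded IP, note that the `/exp` namespace prefix is enforced only by this proxy, not by the core etcd, so it is a convenience for clients rather than an isolation boundary: any workload that can reach the core endpoint directly sees the whole keyspace. The proxy-to-core leg is plain `http` with no `--cacert`/`--cert`/`--key`, and `--listen-addr=0.0.0.0:23790` exposes the proxy with no listener TLS flags either, so if namespacing is meant to separate tenants, the core etcd needs client-certificate auth (with only the proxy holding a cert) or a NetworkPolicy restricting who may reach it.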
ip address is not known ahead of time, so this won't work generically.
reference the service, not the pod.
- name: etcdproxy
  image: quay.io/coreos/etcd:v3.2.18
  command: ["/usr/local/bin/etcd", "grpc-proxy", "start"]
  args: ["--endpoints=http://etcd-svc-1.etcd.svc.cluster.local:2379", "--namespace=/exp", "--listen-addr=0.0.0.0:2379"]
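Review bot: switching to the service name fixes addressing but the endpoint is still `http://`, so the proxy-to-core leg remains plaintext and the core etcd cannot tell the proxy apart from any other client. Once the service exists, suggest `https://etcd-svc-1.etcd.svc:2379` together with `--cacert`, `--cert` and `--key` on the proxy, and a matching client-cert requirement on the core. Also worth a comment in the manifest: the proxy now listens on `2379`, the same port as the core, so a client pointed at the wrong host will succeed silently against the wrong keyspace rather than fail.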
nit: .cluster.local is configurable, so you probably want to end at .svc
Changed
artifacts/experimental/etcd.yaml
Outdated
image: quay.io/coreos/etcd:v3.2.18
env:
- name: ETCD_CERT_FILE
  value: "/etc/server-certs/server.pem"
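Review bot: this hunk sets only `ETCD_CERT_FILE`, which on its own does not enable TLS. To serve TLS the client URLs must be `https://` and `ETCD_KEY_FILE` must point at the matching private key (neither is visible in this hunk); and for the core etcd to actually verify the proxy's client certificate, which is the reason for issuing client certs to the proxy at all, it also needs `ETCD_TRUSTED_CA_FILE` and `ETCD_CLIENT_CERT_AUTH=true`. Without `ETCD_CLIENT_CERT_AUTH`, any client that trusts the server CA can connect and the `--namespace` separation in the proxy is bypassable, so this is the setting that answers the "add trust certs" question above.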
this wasn't here before, right? Adding this means you have to add trust certs to have the proxy trust the core etcd, right?
No, it wasn't. It was in #2 and I added it here when updating.
Not sure I'm following, but in this case I have to add server certs here, and client certs to etcd proxy. Client certs were not added before, but I updated the PR to include those as well.
Nothing else is needed, I think.
Looks good enough to me if you want to start here. I'm not certain it runs though.
@deads2k Updated the PR to include client certs for etcd proxy. I have tested the manifests on my two clusters (one ran using
args: ["--endpoints=https://etcd-svc-1.etcd.svc:2379", "--namespace=/example", "--listen-addr=0.0.0.0:2379", "--cacert=/etc/certs/ca.pem", "--cert=/etc/certs/client.pem", "--key=/etc/certs/client-key.pem"]
volumeMounts:
- name: client-certs
  mountPath: "/etc/certs"
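Review bot: the mount at `/etc/certs` carries a private key (`client-key.pem`), so mark it `readOnly: true` and back it with a Secret so the key is not writable from inside the container. This hunk also secures only the proxy-to-core leg: `--listen-addr=0.0.0.0:2379` still has no listener certificate flags, so application clients talk to the proxy in plaintext and the proxy cannot identify them. If that is deliberate for the experimental stage, say so in a manifest comment; otherwise the proxy needs its own serving cert and key for the listener, and the mounted file names should be pinned to the concrete cert set rather than generic `client.pem`/`ca.pem`, as the nit below suggests.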
nit, you'll want these to be specific in the final version
good place to start
No description provided.