diff --git a/.gitignore b/.gitignore
index 46059f8..91c834a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -164,3 +164,6 @@ cython_debug/ .DS_Store features.conf + +# Kubernetes default generated dir +/kubernetes/generated
diff --git a/kubernetes/full-create-and-install.sh b/kubernetes/full-create-and-install.sh
index 5f57a56..44c2212 100755
--- a/kubernetes/full-create-and-install.sh
+++ b/kubernetes/full-create-and-install.sh
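Review bot: The new `/kubernetes/generated` pattern does not cover what this same commit tracks under that path — `kubernetes/generated/certs/asd.aerospike.com.key`, `keypass`, `storepass` and the `.jks` keystores are added further down in this diff, and an ignore pattern has no effect on files already in the index. They should be dropped from the index in this commit (`git rm -r --cached kubernetes/generated`) so the ignore actually applies to future runs. Because the private key and the plaintext password files have already been exposed in history, the generated material should be treated as compromised and regenerated rather than reused in any deployment.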
@@ -1,15 +1,47 @@ #!/bin/bash # This script sets up a GKE cluster with configurations for Aerospike and AVS node pools. -# It handles the creation of the GKE cluster, the use of AKO (Aerospike Kubernetes Operator) to deploy an Aerospike cluster, deploys the AVS cluster, -# and the deployment of necessary operators, configurations, node pools, etc. -# Additionally, it sets up monitoring using Prometheus and deploys a specific Helm chart for AVS. +# It handles the creation of the GKE cluster, the use of AKO (Aerospike Kubernetes Operator) to deploy an Aerospike cluster, +# deploys the AVS cluster, and the deployment of necessary operators, configurations, node pools, and monitoring. -# Function to print environment variables for verification set -eo pipefail if [ -n "$DEBUG" ]; then set -x; fi trap 'echo "Error: $? at line $LINENO" >&2' ERR +WORKSPACE="$(pwd)" +PROJECT_ID="$(gcloud config get-value project)" +# Prepend the current username to the cluster name +USERNAME=$(whoami) + +# Default values +DEFAULT_CLUSTER_NAME_SUFFIX="avs" +RUN_INSECURE=0 # Default value for insecure mode (false meaning secure with auth + tls) + + +# Function to display the script usage +usage() { + echo "Usage: $0 [options]" + echo "Options:" + echo " --chart-location, -l If specified expects a local directory for AVS Helm chart (default: official repo)" + echo " --cluster-name, -c Override the default cluster name (default: ${USERNAME}-${PROJECT_ID}-${DEFAULT_CLUSTER_NAME_SUFFIX})" + echo " --run-insecure, -r Run setup cluster without auth or tls. No argument required." 
+ echo " --help, -h Show this help message" + exit 1 +} + +# Parse command line arguments +while [[ "$#" -gt 0 ]]; do + case $1 in + --chart-location|-l) CHART_LOCATION="$2"; shift ;; + --cluster-name|-c) CLUSTER_NAME_OVERRIDE="$2"; shift ;; + --run-insecure|-r) RUN_INSECURE=1 ; shift ;; # Set RUN_INSECURE to true if the flag is present + --help|-h) usage ;; # Display the help/usage if --help or -h is passed + *) echo "Unknown parameter passed: $1"; usage ;; # Unknown parameter triggers usage + esac + shift +done + +# Function to print environment variables for verification print_env() { echo "Environment Variables:" echo "export PROJECT_ID=$PROJECT_ID" 
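Review bot: The `--run-insecure|-r) RUN_INSECURE=1 ; shift ;;` case shifts twice — once inside the case and once after `esac` — so the argument following `-r` is silently dropped (`-r -c name` ends in usage with `name` reported as unknown), and `-r` as the last argument makes the trailing `shift` fail, which under `set -eo pipefail` and the ERR trap aborts the script; since the flag takes no value it should read `--run-insecure|-r) RUN_INSECURE=1 ;;`. `PROJECT_ID="$(gcloud config get-value project)"` is never checked, and an unset gcloud project yields an empty value that only surfaces later as a cluster name like `user--avs`; a guard such as `[ -n "$PROJECT_ID" ] || { echo "No gcloud project configured" >&2; exit 1; }` right after the assignment would fail early. The `usage` text is also shown for `--help` with `exit 1`, which makes a successful help request look like a failure to callers. The `print_env` function opened at the end of this hunk continues in the next one.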
@@ -18,166 +50,431 @@ print_env() { echo "export NODE_POOL_NAME_AVS=$NODE_POOL_NAME_AVS" echo "export ZONE=$ZONE" echo "export FEATURES_CONF=$FEATURES_CONF" - echo "export AEROSPIKE_CR=$AEROSPIKE_CR" + echo "export CHART_LOCATION=$CHART_LOCATION" + echo "export RUN_INSECURE=$RUN_INSECURE" } -# Set environment variables for the GKE cluster setup -export PROJECT_ID="$(gcloud config get-value project)" -export CLUSTER_NAME="${PROJECT_ID}-cluster" -export NODE_POOL_NAME_AEROSPIKE="aerospike-pool" -export NODE_POOL_NAME_AVS="avs-pool" -export ZONE="us-central1-c" -export FEATURES_CONF="./features.conf" -export AEROSPIKE_CR="./manifests/ssd_storage_cluster_cr.yaml" - -# Print environment variables to ensure they are set correctly -print_env - -echo "$(date '+%Y-%m-%d %H:%M:%S') - Starting GKE cluster creation..." -if ! gcloud container clusters create "$CLUSTER_NAME" \ - --project "$PROJECT_ID" \ - --zone "$ZONE" \ - --num-nodes 1 \ - --disk-type "pd-standard" \ - --disk-size "100"; then - echo "Failed to create GKE cluster" - exit 1 -else - echo "GKE cluster created successfully." -fi - -echo "Creating Aerospike node pool..." -if ! gcloud container node-pools create "$NODE_POOL_NAME_AEROSPIKE" \ - --cluster "$CLUSTER_NAME" \ - --project "$PROJECT_ID" \ - --zone "$ZONE" \ - --num-nodes 3 \ - --local-ssd-count 2 \ - --disk-type "pd-standard" \ - --disk-size "100" \ - --machine-type "n2d-standard-2"; then - echo "Failed to create Aerospike node pool" - exit 1 -else - echo "Aerospike node pool added successfully." -fi - -echo "Labeling Aerospike nodes..." -kubectl get nodes -l cloud.google.com/gke-nodepool="$NODE_POOL_NAME_AEROSPIKE" -o name | \ - xargs -I {} kubectl label {} aerospike.com/node-pool=default-rack --overwrite - -echo "Deploying Aerospike Kubernetes Operator (AKO)..." 
-curl -sL https://github.com/operator-framework/operator-lifecycle-manager/releases/download/v0.25.0/install.sh | bash -s v0.25.0 -kubectl create -f https://operatorhub.io/install/aerospike-kubernetes-operator.yaml - -echo "Waiting for AKO to be ready..." -while true; do - if kubectl --namespace operators get deployment/aerospike-operator-controller-manager &> /dev/null; then - echo "AKO is ready." - kubectl --namespace operators wait \ - --for=condition=available --timeout=180s deployment/aerospike-operator-controller-manager - break - else - echo "AKO setup is still in progress..." - sleep 10 - fi -done - -echo "Granting permissions to the target namespace..." -kubectl create namespace aerospike -kubectl --namespace aerospike create serviceaccount aerospike-operator-controller-manager -kubectl create clusterrolebinding aerospike-cluster \ - --clusterrole=aerospike-cluster --serviceaccount=aerospike:aerospike-operator-controller-manager - -echo "Setting secrets for Aerospike cluster..." -kubectl --namespace aerospike create secret generic aerospike-secret --from-file=features.conf="$FEATURES_CONF" -kubectl --namespace aerospike create secret generic auth-secret --from-literal=password='admin123' - -echo "Adding storage class..." -kubectl apply -f https://raw.githubusercontent.com/aerospike/aerospike-kubernetes-operator/master/config/samples/storage/gce_ssd_storage_class.yaml - -echo "Deploying Aerospike cluster..." -kubectl apply -f "$AEROSPIKE_CR" - -############################################## -# AVS namespace -############################################## - -echo "Adding AVS node pool..." -if ! gcloud container node-pools create "$NODE_POOL_NAME_AVS" \ - --cluster "$CLUSTER_NAME" \ - --project "$PROJECT_ID" \ - --zone "$ZONE" \ - --num-nodes 3 \ - --disk-type "pd-standard" \ - --disk-size "100" \ - --machine-type "e2-highmem-4"; then - echo "Failed to create AVS node pool" - exit 1 -else - echo "AVS node pool added successfully." 
-fi - -echo "Labeling AVS nodes..." -kubectl get nodes -l cloud.google.com/gke-nodepool="$NODE_POOL_NAME_AVS" -o name | \ - xargs -I {} kubectl label {} aerospike.com/node-pool=avs --overwrite +# Function to set environment variables +set_env_variables() { + + # Use provided cluster name or fallback to the default + if [ -n "$CLUSTER_NAME_OVERRIDE" ]; then + export CLUSTER_NAME="${USERNAME}-${CLUSTER_NAME_OVERRIDE}" + else + export CLUSTER_NAME="${USERNAME}-${PROJECT_ID}-${DEFAULT_CLUSTER_NAME_SUFFIX}" + fi + + export NODE_POOL_NAME_AEROSPIKE="aerospike-pool" + export NODE_POOL_NAME_AVS="avs-pool" + export ZONE="us-central1-c" + export FEATURES_CONF="$WORKSPACE/features.conf" + export BUILD_DIR="$WORKSPACE/generated" + export REVERSE_DNS_AVS +} -echo "Setup complete. Cluster and node pools are configured." +reset_build() { + if [ -d "$BUILD_DIR" ]; then + temp_dir=$(mktemp -d /tmp/avs-deploy-previous.XXXXXX) + mv -f "$BUILD_DIR" "$temp_dir" + fi + mkdir -p "$BUILD_DIR/input" "$BUILD_DIR/output" "$BUILD_DIR/secrets" "$BUILD_DIR/certs" "$BUILD_DIR/manifests" + cp "$FEATURES_CONF" "$BUILD_DIR/secrets/features.conf" + if [[ "${RUN_INSECURE}" == 1 ]]; then + cp $WORKSPACE/manifests/avs-gke-values.yaml $BUILD_DIR/manifests/avs-gke-values.yaml + cp $WORKSPACE/manifests/aerospike-cr.yaml $BUILD_DIR/manifests/aerospike-cr.yaml + else + cp $WORKSPACE/manifests/avs-gke-values-auth.yaml $BUILD_DIR/manifests/avs-gke-values.yaml + cp $WORKSPACE/manifests/aerospike-cr-auth.yaml $BUILD_DIR/manifests/aerospike-cr.yaml + fi +} -kubectl create namespace avs +generate_certs() { + echo "Generating certificates..." 
+ # cp -r $WORKSPACE/certs $BUILD_DIR/certs + echo "Generate Root" + openssl genrsa \ + -out "$BUILD_DIR/output/ca.aerospike.com.key" 2048 + + openssl req \ + -x509 \ + -new \ + -nodes \ + -config "$WORKSPACE/ssl/openssl_ca.conf" \ + -extensions v3_ca \ + -key "$BUILD_DIR/output/ca.aerospike.com.key" \ + -sha256 \ + -days 3650 \ + -out "$BUILD_DIR/output/ca.aerospike.com.pem" \ + -subj "/C=UK/ST=London/L=London/O=abs/OU=Support/CN=ca.aerospike.com" + + echo "Generate Requests & Private Key" + SVC_NAME="aerospike-cluster.aerospike.svc.cluster.local" COMMON_NAME="asd.aerospike.com" openssl req \ + -new \ + -nodes \ + -config "$WORKSPACE/ssl/openssl.conf" \ + -extensions v3_req \ + -out "$BUILD_DIR/input/asd.aerospike.com.req" \ + -keyout "$BUILD_DIR/output/asd.aerospike.com.key" \ + -subj "/C=UK/ST=London/L=London/O=abs/OU=Server/CN=asd.aerospike.com" + + echo "1" + SVC_NAME="avs-gke-aerospike-vector-search.aerospike.svc.cluster.local" COMMON_NAME="avs.aerospike.com" openssl req \ + -new \ + -nodes \ + -config "$WORKSPACE/ssl/openssl.conf" \ + -extensions v3_req \ + -out "$BUILD_DIR/input/avs.aerospike.com.req" \ + -keyout "$BUILD_DIR/output/avs.aerospike.com.key" \ + -subj "/C=UK/ST=London/L=London/O=abs/OU=Client/CN=avs.aerospike.com" \ + + echo "2" + SVC_NAME="avs-gke-aerospike-vector-search.aerospike.svc.cluster.local" COMMON_NAME="svc.aerospike.com" openssl req \ + -new \ + -nodes \ + -config "$WORKSPACE/ssl/openssl_svc.conf" \ + -extensions v3_req \ + -out "$BUILD_DIR/input/svc.aerospike.com.req" \ + -keyout "$BUILD_DIR/output/svc.aerospike.com.key" \ + -subj "/C=UK/ST=London/L=London/O=abs/OU=Client/CN=svc.aerospike.com" \ + + echo "Generate Certificates" + SVC_NAME="aerospike-cluster.aerospike.svc.cluster.local" COMMON_NAME="asd.aerospike.com" openssl x509 \ + -req \ + -extfile "$WORKSPACE/ssl/openssl.conf" \ + -in "$BUILD_DIR/input/asd.aerospike.com.req" \ + -CA "$BUILD_DIR/output/ca.aerospike.com.pem" \ + -CAkey "$BUILD_DIR/output/ca.aerospike.com.key" \ + 
-extensions v3_req \ + -days 3649 \ + -outform PEM \ + -out "$BUILD_DIR/output/asd.aerospike.com.pem" \ + -set_serial 110 \ + + SVC_NAME="avs-gke-aerospike-vector-search.aerospike.svc.cluster.local" COMMON_NAME="avs.aerospike.com" openssl x509 \ + -req \ + -extfile "$WORKSPACE/ssl/openssl.conf" \ + -in "$BUILD_DIR/input/avs.aerospike.com.req" \ + -CA "$BUILD_DIR/output/ca.aerospike.com.pem" \ + -CAkey "$BUILD_DIR/output/ca.aerospike.com.key" \ + -extensions v3_req \ + -days 3649 \ + -outform PEM \ + -out "$BUILD_DIR/output/avs.aerospike.com.pem" \ + -set_serial 210 \ + + SVC_NAME="avs-gke-aerospike-vector-search.aerospike.svc.cluster.local" COMMON_NAME="svc.aerospike.com" openssl x509 \ + -req \ + -extfile "$WORKSPACE/ssl/openssl_svc.conf" \ + -in "$BUILD_DIR/input/svc.aerospike.com.req" \ + -CA "$BUILD_DIR/output/ca.aerospike.com.pem" \ + -CAkey "$BUILD_DIR/output/ca.aerospike.com.key" \ + -extensions v3_req \ + -days 3649 \ + -outform PEM \ + -out "$BUILD_DIR/output/svc.aerospike.com.pem" \ + -set_serial 310 \ + + echo "Verify Certificate signed by root" + openssl verify \ + -verbose \ + -CAfile "$BUILD_DIR/output/ca.aerospike.com.pem" \ + "$BUILD_DIR/output/asd.aerospike.com.pem" + + openssl verify \ + -verbose\ + -CAfile "$BUILD_DIR/output/ca.aerospike.com.pem" \ + "$BUILD_DIR/output/asd.aerospike.com.pem" + + openssl verify \ + -verbose\ + -CAfile "$BUILD_DIR/output/ca.aerospike.com.pem" \ + "$BUILD_DIR/output/svc.aerospike.com.pem" + + PASSWORD="citrusstore" + echo -n "$PASSWORD" | tee "$BUILD_DIR/output/storepass" \ + "$BUILD_DIR/output/keypass" > \ + "$BUILD_DIR/secrets/client-password.txt" + + ADMIN_PASSWORD="admin123" + echo -n "$ADMIN_PASSWORD" > "$BUILD_DIR/secrets/aerospike-password.txt" + + keytool \ + -import \ + -file "$BUILD_DIR/output/ca.aerospike.com.pem" \ + --storepass "$PASSWORD" \ + -keystore "$BUILD_DIR/output/ca.aerospike.com.truststore.jks" \ + -alias "ca.aerospike.com" \ + -noprompt + + openssl pkcs12 \ + -export \ + -out 
"$BUILD_DIR/output/avs.aerospike.com.p12" \ + -in "$BUILD_DIR/output/avs.aerospike.com.pem" \ + -inkey "$BUILD_DIR/output/avs.aerospike.com.key" \ + -password file:"$BUILD_DIR/output/storepass" + + keytool \ + -importkeystore \ + -srckeystore "$BUILD_DIR/output/avs.aerospike.com.p12" \ + -destkeystore "$BUILD_DIR/output/avs.aerospike.com.keystore.jks" \ + -srcstoretype pkcs12 \ + -srcstorepass "$(cat $BUILD_DIR/output/storepass)" \ + -deststorepass "$(cat $BUILD_DIR/output/storepass)" \ + -noprompt + + openssl pkcs12 \ + -export \ + -out "$BUILD_DIR/output/svc.aerospike.com.p12" \ + -in "$BUILD_DIR/output/svc.aerospike.com.pem" \ + -inkey "$BUILD_DIR/output/svc.aerospike.com.key" \ + -password file:"$BUILD_DIR/output/storepass" + + keytool \ + -importkeystore \ + -srckeystore "$BUILD_DIR/output/svc.aerospike.com.p12" \ + -destkeystore "$BUILD_DIR/output/svc.aerospike.com.keystore.jks" \ + -srcstoretype pkcs12 \ + -srcstorepass "$(cat $BUILD_DIR/output/storepass)" \ + -deststorepass "$(cat $BUILD_DIR/output/storepass)" \ + -noprompt + + mv "$BUILD_DIR/output/svc.aerospike.com.keystore.jks" \ + "$BUILD_DIR/certs/svc.aerospike.com.keystore.jks" + + mv "$BUILD_DIR/output/avs.aerospike.com.keystore.jks" \ + "$BUILD_DIR/certs/avs.aerospike.com.keystore.jks" + + mv "$BUILD_DIR/output/ca.aerospike.com.truststore.jks" \ + "$BUILD_DIR/certs/ca.aerospike.com.truststore.jks" + + mv "$BUILD_DIR/output/asd.aerospike.com.pem" \ + "$BUILD_DIR/certs/asd.aerospike.com.pem" + + mv "$BUILD_DIR/output/avs.aerospike.com.pem" \ + "$BUILD_DIR/certs/avs.aerospike.com.pem" + + mv "$BUILD_DIR/output/svc.aerospike.com.pem" \ + "$BUILD_DIR/certs/svc.aerospike.com.pem" + + mv "$BUILD_DIR/output/asd.aerospike.com.key" \ + "$BUILD_DIR/certs/asd.aerospike.com.key" + + mv "$BUILD_DIR/output/ca.aerospike.com.pem" \ + "$BUILD_DIR/certs/ca.aerospike.com.pem" + + mv "$BUILD_DIR/output/keypass" \ + "$BUILD_DIR/certs/keypass" + + mv "$BUILD_DIR/output/storepass" \ + "$BUILD_DIR/certs/storepass" + + echo 
"Generate Auth Keys" + openssl genpkey \ + -algorithm RSA \ + -out "$BUILD_DIR/secrets/private_key.pem" \ + -pkeyopt rsa_keygen_bits:2048 \ + -pass "pass:$PASSWORD" + + openssl rsa \ + -pubout \ + -in "$BUILD_DIR/secrets/private_key.pem" \ + -out "$BUILD_DIR/secrets/public_key.pem" \ + -passin "pass:$PASSWORD" +} -echo "Setting secrets for AVS cluster..." -kubectl --namespace avs create secret generic aerospike-secret --from-file=features.conf="$FEATURES_CONF" -kubectl --namespace avs create secret generic auth-secret --from-literal=password='admin123' +# Function to create GKE cluster +create_gke_cluster() { + echo "$(date '+%Y-%m-%d %H:%M:%S') - Starting GKE cluster creation..." + if ! gcloud container clusters create "$CLUSTER_NAME" \ + --project "$PROJECT_ID" \ + --zone "$ZONE" \ + --num-nodes 1 \ + --disk-type "pd-standard" \ + --disk-size "100"; then + echo "Failed to create GKE cluster" + exit 1 + else + echo "GKE cluster created successfully." + fi + + echo "Creating Aerospike node pool..." + if ! gcloud container node-pools create "$NODE_POOL_NAME_AEROSPIKE" \ + --cluster "$CLUSTER_NAME" \ + --project "$PROJECT_ID" \ + --zone "$ZONE" \ + --num-nodes 3 \ + --local-ssd-count 2 \ + --disk-type "pd-standard" \ + --disk-size "100" \ + --machine-type "n2d-standard-32"; then + echo "Failed to create Aerospike node pool" + exit 1 + else + echo "Aerospike node pool added successfully." + fi + + echo "Labeling Aerospike nodes..." + kubectl get nodes -l cloud.google.com/gke-nodepool="$NODE_POOL_NAME_AEROSPIKE" -o name | \ + xargs -I {} kubectl label {} aerospike.com/node-pool=default-rack --overwrite + + echo "Adding AVS node pool..." + if ! 
gcloud container node-pools create "$NODE_POOL_NAME_AVS" \ + --cluster "$CLUSTER_NAME" \ + --project "$PROJECT_ID" \ + --zone "$ZONE" \ + --num-nodes 3 \ + --disk-type "pd-standard" \ + --disk-size "100" \ + --machine-type "n2d-standard-32"; then + echo "Failed to create AVS node pool" + exit 1 + else + echo "AVS node pool added successfully." + fi + + echo "Labeling AVS nodes..." + kubectl get nodes -l cloud.google.com/gke-nodepool="$NODE_POOL_NAME_AVS" -o name | \ + xargs -I {} kubectl label {} aerospike.com/node-pool=avs --overwrite + + echo "Setting up namespaces..." + kubectl create namespace aerospike + kubectl create namespace avs +} -################################################### -# Optional add Istio -################################################### -echo "Deploying Istio" -helm repo add istio https://istio-release.storage.googleapis.com/charts -helm repo update +# Function to create Aerospike node pool and deploy AKO +setup_aerospike() { + + echo "Deploying Aerospike Kubernetes Operator (AKO)..." + curl -sL https://github.com/operator-framework/operator-lifecycle-manager/releases/download/v0.25.0/install.sh | bash -s v0.25.0 + kubectl create -f https://operatorhub.io/install/aerospike-kubernetes-operator.yaml + + echo "Waiting for AKO to be ready..." + while true; do + if kubectl --namespace operators get deployment/aerospike-operator-controller-manager &> /dev/null; then + echo "AKO is ready." + kubectl --namespace operators wait \ + --for=condition=available --timeout=180s deployment/aerospike-operator-controller-manager + break + else + echo "AKO setup is still in progress..." + sleep 10 + fi + done + + echo "Granting permissions to the target namespace..." 
+ kubectl --namespace aerospike create serviceaccount aerospike-operator-controller-manager + kubectl create clusterrolebinding aerospike-cluster \ + --clusterrole=aerospike-cluster --serviceaccount=aerospike:aerospike-operator-controller-manager + + echo "Setting secrets for Aerospike cluster..." + kubectl --namespace aerospike create secret generic aerospike-secret --from-file="$BUILD_DIR/secrets" + kubectl --namespace aerospike create secret generic auth-secret --from-literal=password='admin123' + kubectl --namespace aerospike create secret generic aerospike-tls \ + --from-file="$BUILD_DIR/certs" + + echo "Adding storage class..." + kubectl apply -f https://raw.githubusercontent.com/aerospike/aerospike-kubernetes-operator/master/config/samples/storage/gce_ssd_storage_class.yaml + + echo "Deploying Aerospike cluster..." + kubectl apply -f $BUILD_DIR/manifests/aerospike-cr.yaml +} -helm install istio-base istio/base --namespace istio-system --set defaultRevision=default --create-namespace --wait -helm install istiod istio/istiod --namespace istio-system --create-namespace --wait -helm install istio-ingress istio/gateway \ - --values ./manifests/istio/istio-ingressgateway-values.yaml \ - --namespace istio-ingress \ - --create-namespace \ - --wait +# Function to setup AVS node pool and namespace +setup_avs() { -kubectl apply -f manifests/istio/gateway.yaml -kubectl apply -f manifests/istio/avs-virtual-service.yaml -################################################### -# End Istio -################################################### + echo "Setting secrets for AVS cluster..." 
+ kubectl --namespace avs create secret generic auth-secret --from-literal=password='admin123' + kubectl --namespace avs create secret generic aerospike-tls \ + --from-file="$BUILD_DIR/certs" + kubectl --namespace avs create secret generic aerospike-secret \ + --from-file="$BUILD_DIR/secrets" +} +# Function to optionally deploy Istio +deploy_istio() { + echo "Deploying Istio" + helm repo add istio https://istio-release.storage.googleapis.com/charts + helm repo update + + helm install istio-base istio/base --namespace istio-system --set defaultRevision=default --create-namespace --wait + helm install istiod istio/istiod --namespace istio-system --create-namespace --wait + helm install istio-ingress istio/gateway \ + --values ./manifests/istio/istio-ingressgateway-values.yaml \ + --namespace istio-ingress \ + --create-namespace \ + --wait + + kubectl apply -f manifests/istio/gateway.yaml + kubectl apply -f manifests/istio/avs-virtual-service.yaml + } + +get_reverse_dns() { + INGRESS_IP=$(kubectl get svc istio-ingress -n istio-ingress -o jsonpath='{.status.loadBalancer.ingress[0].ip}') + REVERSE_DNS_AVS=$(dig +short -x $INGRESS_IP) + echo "Reverse DNS: $REVERSE_DNS_AVS" +} +# Function to deploy AVS Helm chart +deploy_avs_helm_chart() { + echo "Deploying AVS Helm chart..." 
+ helm repo add aerospike-helm https://artifact.aerospike.io/artifactory/api/helm/aerospike-helm + helm repo update + if [ -z "$CHART_LOCATION" ]; then + helm install avs-gke --values $BUILD_DIR/manifests/avs-gke-values.yaml --namespace avs aerospike-helm/aerospike-vector-search --version 0.4.1 --wait + else + helm install avs-gke --values $BUILD_DIR/manifests/avs-gke-values.yaml --namespace avs "$CHART_LOCATION" --wait + fi +} -helm repo add aerospike-helm https://artifact.aerospike.io/artifactory/api/helm/aerospike-helm -helm repo update -helm install avs-gke --values "manifests/avs-gke-values.yaml" --namespace avs aerospike-helm/aerospike-vector-search --version 0.4.0 --wait +# Function to setup monitoring +setup_monitoring() { + echo "Adding monitoring setup..." + helm repo add prometheus-community https://prometheus-community.github.io/helm-charts + helm repo update + helm install monitoring-stack prometheus-community/kube-prometheus-stack --namespace monitoring --create-namespace + + echo "Applying additional monitoring manifests..." + kubectl apply -f manifests/monitoring/aerospike-exporter-service.yaml + kubectl apply -f manifests/monitoring/aerospike-servicemonitor.yaml + kubectl apply -f manifests/monitoring/avs-servicemonitor.yaml +} -############################################## -# Monitoring namespace -############################################## -echo "Adding monitoring setup..." -helm repo add prometheus-community https://prometheus-community.github.io/helm-charts -helm repo update -helm install monitoring-stack prometheus-community/kube-prometheus-stack --namespace monitoring --create-namespace +print_final_instructions() { + + echo Your new deployment is available at $REVERSE_DNS_AVS. + echo Check your deployment using our command line tool asvec available at https://github.com/aerospike/asvec. -echo "Applying additional monitoring manifests..." 
-kubectl apply -f manifests/monitoring/aerospike-exporter-service.yaml -kubectl apply -f manifests/monitoring/aerospike-servicemonitor.yaml -kubectl apply -f manifests/monitoring/avs-servicemonitor.yaml + + if [[ "${RUN_INSECURE}" != 1 ]]; then + echo "connect with asvec using cert " + cat $BUILD_DIR/certs/ca.aerospike.com.pem + echo Use the asvec tool to change your password with + echo asvec -h $REVERSE_DNS_AVS:5000 --tls-cafile path/to/tls/file -U admin -P admin user new-password --name admin --new-password your-new-password + fi + echo "Setup Complete!" + +} -echo "Setup complete." -echo "To include your Grafana dashboards, use 'import-dashboards.sh '" -echo "To view Grafana dashboards from your machine use 'kubectl port-forward -n monitoring svc/monitoring-stack-grafana 3000:80'" -echo "To expose Grafana ports publicly, use 'kubectl apply -f helpers/EXPOSE-GRAFANA.yaml'" -echo "To find the exposed port, use 'kubectl get svc -n monitoring'" +#This script runs in this order. +main() { + set_env_variables + print_env + reset_build + create_gke_cluster + deploy_istio + get_reverse_dns + if [[ "${RUN_INSECURE}" != 1 ]]; then + generate_certs + fi + setup_aerospike + setup_avs + deploy_avs_helm_chart + setup_monitoring + print_final_instructions +} -echo "To run the quote search sample app on your new cluster, for istio use:" -echo "helm install semantic-search-app aerospike/quote-semantic-search --namespace avs --values manifests/quote-search/semantic-search-values.yaml --wait" +# Run the main function +main diff --git a/kubernetes/generated/certs/asd.aerospike.com.key b/kubernetes/generated/certs/asd.aerospike.com.key new file mode 100644 index 0000000..14e2714 --- /dev/null +++ b/kubernetes/generated/certs/asd.aerospike.com.key 
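Review bot: The TLS keys and password files are written under `BUILD_DIR="$WORKSPACE/generated"` with `WORKSPACE="$(pwd)"`, so where the private keys, `keypass`/`storepass` and `aerospike-password.txt` land depends on the caller's working directory rather than on the script's location — run from the repository root they go to `./generated`, outside the `/kubernetes/generated` ignore pattern, and `$WORKSPACE/ssl/openssl*.conf`, `$WORKSPACE/features.conf` and the relative `manifests/...` paths are not found either; anchoring with `WORKSPACE="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"` fixes both. The credentials are fixed literals (`PASSWORD="citrusstore"` in generate_certs, `admin123` both as `ADMIN_PASSWORD` and in the `--from-literal=password='admin123'` lines of setup_aerospike and setup_avs) and `set -x` under `DEBUG` echoes them; generate them at run time (e.g. `PASSWORD="$(openssl rand -base64 24)"`) or take them from a flag or environment variable, and derive the two `--from-literal` values from `$ADMIN_PASSWORD` so the secret and the file cannot drift. In generate_certs the second `openssl verify` checks `asd.aerospike.com.pem` a second time and `avs.aerospike.com.pem` is never verified; that argument should be `"$BUILD_DIR/output/avs.aerospike.com.pem"`. Both the `aerospike` and `avs` namespaces receive the whole `certs` directory as `aerospike-tls`, including the asd server key and every keystore, so each workload holds the other's private key — a per-namespace subset would keep this to least privilege. The `curl … | bash -s v0.25.0` OLM install in setup_aerospike executes remote code without any integrity check (carried over from the old script), and `print_env` at the top of this hunk is opened in the previous one.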
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC1pq0MUEVndCl0 +LUnviVlWYYDw2wVC5f3GT0RT6cv44WdL7V1CPwdha6WTocmjzN88t7nVaQZA0Fx4 +i7YzaswiH8Sjqa1kf6gdxicw3g2aZA34ZpBX8L7lsRFJWm3wFM5llLLyPF+mM9uX +1kYeSJ+bE/TQleQydIuYdmOk+RnlwYRTjZvHN4K6taiUwCRjQJgE/2uVpyNprTGR +XXpyXLuNuW5qKK5x6sMlLB4Gd99mlzSXFxf3SRwHBGmQFMmlIYE8zUJ/C2C+5bLq +zWBVbDaskDi3zUpCng84hJPvsrORcegRsq5hO3H9tWR+pXzhTpt2RtyxkFIT1ZG3 +VCVnc8lLAgMBAAECggEAEmDDGEBUzUMw4HqmhNASFE24FGYsUZjgRHyHjq/UPaFc +aI+ixE2JKx+PeHDBbEuReFykNgWypsMN3/pOnEQdVAR/ygkkLEtIEH8YPvbwTGL8 +ENobl3IZdjakZ5X5EnWgbiGNuzlFehS8DlAU9wJk93Uc6y+HD13AM9Qif7HeH2L5 +nlFgdOfE8LwW5aHOJjogVikVfTcXsCrFLhZWDQ/dh7sZerRIVHvxTZwcHPkavbGf +pLKQ4rfD9+sCoB5u4Y3YwGmB20NxWvhGmJX32J3sY5KDc2Yq/uDHE6sIzrI5ne9S +JxjMBaf0dNTGExIyJ6gDaGcwHNkXqprIZexA1ASGIQKBgQDey3/NKU25iRULjxce +har0X36ccQPSwC0Z+cZp+RVnW5wY8lOabQHjP3SThx0dUU+oimew6M/LGUAAnoIU +P9Y524GJuo+JTyY7YBfJA35sSPQ61Dn79/731ewAGqAKbVgU42wbg9xKNItuS7FH +WLZXah0kE4TBNjfUlkFNeX8AIQKBgQDQuWCw5V7gAws/Yrh0sVjE295L0iBbBMtF +SrzC2nY8XrkJpY4c2bbnInP3QdJrfWoW6lV/StV9L/u3X69bVvEdK4C433XQWuTM +vStfMqoC7szZ45cTBjHn0gTDGcb0bFxiXfrHWymFxPw2kSaMECVmc6bkdP7S/v76 +AiQ/JDVL6wKBgQDds0TupB5K9SUzBmWsIrk2SdyU0kVKr59xzMJra8invFp93I3j +CnwpZVidAYOwS9xny6pZOaKk6PBubUzl14xWsJ6brkDtEwzpYrrodYiVOpeF/u/g +Uyyt9HrOs6/0EFDpIFHQo4tPcDAbRkkXxShVnit3XdDp7wjpi8dZz//X4QKBgC0d +xO63xbg6MDY1SpW+t+dldzmAZAoIkT+bFg4wVppaBzk0lfFahhST9+kcSzV82G+3 +m192d4sl0g0jG65srpWVj69mbfrpisdOpI9hTipwH8uBTGiKUENBvFHHwp+WxKlm +kwyAggsuNy48Vc60tsDcgtijCWnmQIsd52PWmcadAoGANrCVomqP31t7rgZ8ht0M +JBmn2pvnZ23SxSwWd2vKPLr/OEoupUdnYZCGBjZ1HVUztKfoo/cERY/LwO5eP3sm +LdgxKXehWCOBz3aP+voM7WPzIk6xRTy9CbkxHSMO7wTlURJXT0Zh1A1RKSsf5nqw +W6Ef3nY+1uqpYzo1HyRyKSk= +-----END PRIVATE KEY----- diff --git a/kubernetes/generated/certs/asd.aerospike.com.pem b/kubernetes/generated/certs/asd.aerospike.com.pem new file mode 100644 index 0000000..bddc318 --- /dev/null +++ b/kubernetes/generated/certs/asd.aerospike.com.pem 
@@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEKTCCAxGgAwIBAgIBbjANBgkqhkiG9w0BAQsFADBqMQswCQYDVQQGEwJVSzEP +MA0GA1UECAwGTG9uZG9uMQ8wDQYDVQQHDAZMb25kb24xDDAKBgNVBAoMA2FiczEQ +MA4GA1UECwwHU3VwcG9ydDEZMBcGA1UEAwwQY2EuYWVyb3NwaWtlLmNvbTAeFw0y +NDA5MTgwMDQzMDdaFw0zNDA5MTUwMDQzMDdaMGoxCzAJBgNVBAYTAlVLMQ8wDQYD +VQQIDAZMb25kb24xDzANBgNVBAcMBkxvbmRvbjEMMAoGA1UECgwDYWJzMQ8wDQYD +VQQLDAZTZXJ2ZXIxGjAYBgNVBAMMEWFzZC5hZXJvc3Bpa2UuY29tMIIBIjANBgkq +hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtaatDFBFZ3QpdC1J74lZVmGA8NsFQuX9 +xk9EU+nL+OFnS+1dQj8HYWulk6HJo8zfPLe51WkGQNBceIu2M2rMIh/Eo6mtZH+o +HcYnMN4NmmQN+GaQV/C+5bERSVpt8BTOZZSy8jxfpjPbl9ZGHkifmxP00JXkMnSL +mHZjpPkZ5cGEU42bxzeCurWolMAkY0CYBP9rlacjaa0xkV16cly7jbluaiiucerD +JSweBnffZpc0lxcX90kcBwRpkBTJpSGBPM1CfwtgvuWy6s1gVWw2rJA4t81KQp4P +OIST77KzkXHoEbKuYTtx/bVkfqV84U6bdkbcsZBSE9WRt1QlZ3PJSwIDAQABo4HZ +MIHWMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMHwGA1UdEQR1MHOCLWFlcm9zcGlr +ZS1jbHVzdGVyLmFlcm9zcGlrZS5zdmMuY2x1c3Rlci5sb2NhbIIvKi5hZXJvc3Bp +a2UtY2x1c3Rlci5hZXJvc3Bpa2Uuc3ZjLmNsdXN0ZXIubG9jYWyCEWFzZC5hZXJv +c3Bpa2UuY29tMB0GA1UdDgQWBBRCHqjPzRko7Zy4J21vispqvt9wqDAfBgNVHSME +GDAWgBROhSl6FFjbZYoBQ4OnPK56jZmcgDANBgkqhkiG9w0BAQsFAAOCAQEAldXW +T6g9yWde4XRi0Iah15DYbL7Q5LMuVVryHwVaU0yruRfU+U9sKuPpoAdmIC6BIKfu +kxHeF5Fk9AWzCdNLqNZs38JpjgWsUvUaXuwCG0WJs1kkkM+U987xraW9HBWGnOFS +qVlFUHIzzEKn1W1SFDo2EeOiaCQHmRbc2OZIuHxYFcc42dGlG+XYs2zfAxQye+3a +F115ARImfuhFnBcYy5KKJWuwJ2YTlzfU+4DUpJIwEa1io6a1dOTiqxltvSTMMmJJ +dmezfX1k79DMFcf1TNjojpZ3yydBz3oB7Vux1UYMDHcFILSQJhiKgO6g8412I+aI +OreizELRdJ+36ZgRbg== +-----END CERTIFICATE----- diff --git a/kubernetes/generated/certs/avs.aerospike.com.keystore.jks b/kubernetes/generated/certs/avs.aerospike.com.keystore.jks new file mode 100644 index 0000000..9d829d2 Binary files /dev/null and b/kubernetes/generated/certs/avs.aerospike.com.keystore.jks differ diff --git a/kubernetes/generated/certs/avs.aerospike.com.pem b/kubernetes/generated/certs/avs.aerospike.com.pem new file mode 100644 index 0000000..6437c44 --- /dev/null 
+++ b/kubernetes/generated/certs/avs.aerospike.com.pem @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIESTCCAzGgAwIBAgICANIwDQYJKoZIhvcNAQELBQAwajELMAkGA1UEBhMCVUsx +DzANBgNVBAgMBkxvbmRvbjEPMA0GA1UEBwwGTG9uZG9uMQwwCgYDVQQKDANhYnMx +EDAOBgNVBAsMB1N1cHBvcnQxGTAXBgNVBAMMEGNhLmFlcm9zcGlrZS5jb20wHhcN +MjQwOTE4MDA0MzA3WhcNMzQwOTE1MDA0MzA3WjBqMQswCQYDVQQGEwJVSzEPMA0G +A1UECAwGTG9uZG9uMQ8wDQYDVQQHDAZMb25kb24xDDAKBgNVBAoMA2FiczEPMA0G +A1UECwwGQ2xpZW50MRowGAYDVQQDDBFhdnMuYWVyb3NwaWtlLmNvbTCCASIwDQYJ +KoZIhvcNAQEBBQADggEPADCCAQoCggEBAKJNiJjnovnONJHgsINIgo0mTev+1O4L +DzfN/Lp+6iSg2FSFB11YiuHjH9eVrdb9UU5dNsJl19EvZa1lXllUKpGQCO2l16sx +bPXChxXpx/IaleT5Ta0hgK+GsJ22K4uL24OVpQClPFY+8z/u2Xr/HPyuyqSkKQlk +u9YTMWg4Ku+OCH8nVpTz+MCqBFP5p/H37UJo/UPRdqsWCp6KIvZVcHltG9fEl8CJ +SIehKbBBLxCq3C21ZIvxGCpwOilihgjPZq5RtV9rf1x0NSbSKRq7BF1w66n5Go/U +9YyI7BKky9DkpI0s9Ze3b5fNuN33roCYsdE3+LXfzDMdart0OIPDpAUCAwEAAaOB ++DCB9TAJBgNVHRMEAjAAMAsGA1UdDwQEAwIF4DCBmgYDVR0RBIGSMIGPgjthdnMt +Z2tlLWFlcm9zcGlrZS12ZWN0b3Itc2VhcmNoLmFlcm9zcGlrZS5zdmMuY2x1c3Rl +ci5sb2NhbII9Ki5hdnMtZ2tlLWFlcm9zcGlrZS12ZWN0b3Itc2VhcmNoLmFlcm9z +cGlrZS5zdmMuY2x1c3Rlci5sb2NhbIIRYXZzLmFlcm9zcGlrZS5jb20wHQYDVR0O +BBYEFHscx7sF4k465sczUReSTirmSDNuMB8GA1UdIwQYMBaAFE6FKXoUWNtligFD +g6c8rnqNmZyAMA0GCSqGSIb3DQEBCwUAA4IBAQCNXgDmAwpzpKSPzpaaCmARbtwT +Z1XzqdZdKcz7iEpArgE7pdqFdIhIFN8oU5yENi/Y0jOjJQ70X5M5TFHU4ceku4te +4Wf2N3ISeT0PvJ+XMz9YLRQGPNcdH+/BgDWOyF7yhlw8FuhLgsMXu9FaFnV3F9dQ +Re/l8d6GTHd4yBfhwWIFKk4RMSoW18wfLOch/GEJrSMRHD9PgGhtUJiQPL649pbZ +8olXGSqOgbrtksYOKVz6v6CWTKmgyQpQLTbvTObV+oCa/lkOMBmAE9fFz242dyU9 +AIlAsJqZwwGkhVNzbW+gYU/0UoJxUbd9PAhH/bYNZbczMKcm67rQZzGJ7E1I +-----END CERTIFICATE----- diff --git a/kubernetes/generated/certs/ca.aerospike.com.pem b/kubernetes/generated/certs/ca.aerospike.com.pem new file mode 100644 index 0000000..36f1be6 --- /dev/null +++ b/kubernetes/generated/certs/ca.aerospike.com.pem 
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDtTCCAp2gAwIBAgIUBDMRDQZUrlA3GkPuPHCKWAuKl60wDQYJKoZIhvcNAQEL +BQAwajELMAkGA1UEBhMCVUsxDzANBgNVBAgMBkxvbmRvbjEPMA0GA1UEBwwGTG9u +ZG9uMQwwCgYDVQQKDANhYnMxEDAOBgNVBAsMB1N1cHBvcnQxGTAXBgNVBAMMEGNh +LmFlcm9zcGlrZS5jb20wHhcNMjQwOTE4MDA0MzA3WhcNMzQwOTE2MDA0MzA3WjBq +MQswCQYDVQQGEwJVSzEPMA0GA1UECAwGTG9uZG9uMQ8wDQYDVQQHDAZMb25kb24x +DDAKBgNVBAoMA2FiczEQMA4GA1UECwwHU3VwcG9ydDEZMBcGA1UEAwwQY2EuYWVy +b3NwaWtlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALC3bbgx +8LehIS/j58cHS6hdG1l+cxG1t7uZv00h4RzLpbQwnsRZtezwo+GNoPEYBD4EZeyZ +FI7vf2Mye7Rvyf/hkgvifIYM1mF81BqZnqyKK8HiOgBL30mI4HrCaYjpl125kHwt +gcfpsL9n2WWOVlikGz7M0gDVW2U7Se0lfqhjqzhXrtiiL1SAHss950lUbliuaB55 +SQ2ZBL98uS3nabq9TR+6pwSr7h6ZLNAoq3BgkCydOnlvvc3JPK6UOYtYUMCAWXPK +HFiVNFnOqy0LyDmjICfdU2HmZt5+xUWF++2qygyfQTzwdISbpyB9wLeL3DYyaMPn +Napb5QVimMXXZWcCAwEAAaNTMFEwHQYDVR0OBBYEFE6FKXoUWNtligFDg6c8rnqN +mZyAMB8GA1UdIwQYMBaAFE6FKXoUWNtligFDg6c8rnqNmZyAMA8GA1UdEwEB/wQF +MAMBAf8wDQYJKoZIhvcNAQELBQADggEBABlD5Lv31jtJbTSjsEpQogp0yv8t2KgC +E+d10afRncNliyCTQouxyX7Ny4JttIVaSRi/nSo9l0yS0yWZfKh45ZGLf7veytLk +fiFYsHV1V4JP7goU2e1a46OkZar3znkiMbKcewmReI9bupFqeTXDOSpDOtXh0xc1 +bBovFJ9tYXy1Vxp9rIsyebHXwlmYhLfyPPWBbUwEtqhlFzges2sMYX9UFjhtjEfc +w5fi9aL5QugzSmi3Tj+4nUCHT1S0Ss0vAZlI2NrSmbzPffCofb3M/BxaufS7XHkf +emQqZdiWRFhIoO6mMd7DYq3iiTJZVIvz98pRNVV7bv1QQYJFNxc535k= +-----END CERTIFICATE----- diff --git a/kubernetes/generated/certs/ca.aerospike.com.truststore.jks b/kubernetes/generated/certs/ca.aerospike.com.truststore.jks new file mode 100644 index 0000000..dae2468 Binary files /dev/null and b/kubernetes/generated/certs/ca.aerospike.com.truststore.jks differ diff --git a/kubernetes/generated/certs/keypass b/kubernetes/generated/certs/keypass new file mode 100644 index 0000000..0f673cc --- /dev/null +++ b/kubernetes/generated/certs/keypass @@ -0,0 +1 @@ +citrusstore \ No newline at end of file 
diff --git a/kubernetes/generated/certs/storepass b/kubernetes/generated/certs/storepass new file mode 100644 index 0000000..0f673cc --- /dev/null +++ b/kubernetes/generated/certs/storepass @@ -0,0 +1 @@ +citrusstore \ No newline at end of file diff --git a/kubernetes/generated/certs/svc.aerospike.com.keystore.jks b/kubernetes/generated/certs/svc.aerospike.com.keystore.jks new file mode 100644 index 0000000..d171866 Binary files /dev/null and b/kubernetes/generated/certs/svc.aerospike.com.keystore.jks differ diff --git a/kubernetes/generated/certs/svc.aerospike.com.pem b/kubernetes/generated/certs/svc.aerospike.com.pem new file mode 100644 index 0000000..303fe25 --- /dev/null +++ b/kubernetes/generated/certs/svc.aerospike.com.pem 
@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----
+MIIEXzCCA0egAwIBAgICATYwDQYJKoZIhvcNAQELBQAwajELMAkGA1UEBhMCVUsx
+DzANBgNVBAgMBkxvbmRvbjEPMA0GA1UEBwwGTG9uZG9uMQwwCgYDVQQKDANhYnMx
+EDAOBgNVBAsMB1N1cHBvcnQxGTAXBgNVBAMMEGNhLmFlcm9zcGlrZS5jb20wHhcN
+MjQwOTE4MDA0MzA3WhcNMzQwOTE1MDA0MzA3WjBqMQswCQYDVQQGEwJVSzEPMA0G
+A1UECAwGTG9uZG9uMQ8wDQYDVQQHDAZMb25kb24xDDAKBgNVBAoMA2FiczEPMA0G
+A1UECwwGQ2xpZW50MRowGAYDVQQDDBFzdmMuYWVyb3NwaWtlLmNvbTCCASIwDQYJ
+KoZIhvcNAQEBBQADggEPADCCAQoCggEBAKdeau3XC4PJ19BZ1kuh8C7TpGh6KSNw
+lkGq8pBtarvlVcOqAehFAfTzaEXoolJAIG1o8G0/e+XBFCmrZ+cwva0Y/DYEm2vh
+CQiST/FtbBfQvYTfpKUP4DGD7F28lieNQ40cwvd3xCwdy8hhh0T3mFPxgBS/4nm9
+yrRRjRs7gXt8Dk+JG+u8/IbeYS6rM7Gp6/kvnUccmlsFsOwEYXOp8BDp8gYHQs3F
+yZr5ZauwJcZ2SBxmcno/MtVe1Xm3M3yCedJhH2ET77ogHaBLqAvkS8vvkCFWnm3X
+xrqVXimri6ujx5wPvIfCkvldVQUaZGrRsQwnkEtlVH3/4lZBMib8ZKsCAwEAAaOC
+AQ0wggEJMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMIGuBgNVHREEgaYwgaOCO2F2
+cy1na2UtYWVyb3NwaWtlLXZlY3Rvci1zZWFyY2guYWVyb3NwaWtlLnN2Yy5jbHVz
+dGVyLmxvY2Fsgj0qLmF2cy1na2UtYWVyb3NwaWtlLXZlY3Rvci1zZWFyY2guYWVy
+b3NwaWtlLnN2Yy5jbHVzdGVyLmxvY2FsgiUyMC45LjE3Mi4zNC5iYy5nb29nbGV1
+c2VyY29udGVudC5jb20uMB0GA1UdDgQWBBSSlCDY/PsNx1xwwzNLMY+LgNt7TDAf
+BgNVHSMEGDAWgBROhSl6FFjbZYoBQ4OnPK56jZmcgDANBgkqhkiG9w0BAQsFAAOC
+AQEAg4oNRw3rA4viEzbUvy5Ku9BzkGv4jZCxmZW0KXJ6CQhk5wTdCHFjcOMG7UoU
+00AL6vtY/taHoXSjedF/hr6l8trV8TVjM5bcUhRznGUlv2mbB8nbSSS6tdnY4bHV
+kUxYTeHp7hVRwtL9K5IJzCWrrPvJuTWtmRdjumN+NCkYRsOj8dMx3Ls5JNoMJGOO
+K6dijqBKuP6fmBHc+tN6UmggQ/WwHUjZVOzb+q0Z3FiBvLMqT6bmMyoittzEov/j
+nWvOZXXFCU04wLZfLxcB6RNCoxLWlk8jSHgwhypsO6d+XQuN8Z6XJSXQFp4qnDQc
+E87SpxOBwNrOzVH9ee4/3Zl+GA==
+-----END CERTIFICATE-----
diff --git a/kubernetes/generated/input/asd.aerospike.com.req b/kubernetes/generated/input/asd.aerospike.com.req
new file mode 100644
index 0000000..9fccd1b
--- /dev/null
+++ b/kubernetes/generated/input/asd.aerospike.com.req
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICrzCCAZcCAQAwajELMAkGA1UEBhMCVUsxDzANBgNVBAgMBkxvbmRvbjEPMA0G
+A1UEBwwGTG9uZG9uMQwwCgYDVQQKDANhYnMxDzANBgNVBAsMBlNlcnZlcjEaMBgG
+A1UEAwwRYXNkLmFlcm9zcGlrZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQC1pq0MUEVndCl0LUnviVlWYYDw2wVC5f3GT0RT6cv44WdL7V1CPwdh
+a6WTocmjzN88t7nVaQZA0Fx4i7YzaswiH8Sjqa1kf6gdxicw3g2aZA34ZpBX8L7l
+sRFJWm3wFM5llLLyPF+mM9uX1kYeSJ+bE/TQleQydIuYdmOk+RnlwYRTjZvHN4K6
+taiUwCRjQJgE/2uVpyNprTGRXXpyXLuNuW5qKK5x6sMlLB4Gd99mlzSXFxf3SRwH
+BGmQFMmlIYE8zUJ/C2C+5bLqzWBVbDaskDi3zUpCng84hJPvsrORcegRsq5hO3H9
+tWR+pXzhTpt2RtyxkFIT1ZG3VCVnc8lLAgMBAAGgADANBgkqhkiG9w0BAQsFAAOC
+AQEAdUNq5PSAkhetvkx2TWX7O+5P0aKIgJmPE1w1W0n+5ACJrXZtxuSW0QiyJR/L
+97tD2Yhde4HNfI7jcUUXKpFVFIEaQgtUV7+9iEUO8gj5Aa51kAGHfuLUEZqre16x
+3YXvsHJe+3ZfA/hShhVVGFzqp4hif462PFLdYU+RZFSEhTsAtqvPB7rFrAHhk/j5
+iJSnXj4WOWi/N1aa66IGQywuuub1wS02hfbOX///xetiFedxXAPWlpc6H1XGI4cS
+unR+CTfc8Joyp8ziGWi5gsn9X1Eq1fZndu94qsZUH3elINNBsS97oloMZ57y6/CJ
+D3ah46bi+BImgDS6tJLIEwWVqQ==
+-----END CERTIFICATE REQUEST-----
diff --git a/kubernetes/generated/input/avs.aerospike.com.req b/kubernetes/generated/input/avs.aerospike.com.req
new file mode 100644
index 0000000..993f68b
--- /dev/null
+++ b/kubernetes/generated/input/avs.aerospike.com.req
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICrzCCAZcCAQAwajELMAkGA1UEBhMCVUsxDzANBgNVBAgMBkxvbmRvbjEPMA0G
+A1UEBwwGTG9uZG9uMQwwCgYDVQQKDANhYnMxDzANBgNVBAsMBkNsaWVudDEaMBgG
+A1UEAwwRYXZzLmFlcm9zcGlrZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQCiTYiY56L5zjSR4LCDSIKNJk3r/tTuCw83zfy6fuokoNhUhQddWIrh
+4x/Xla3W/VFOXTbCZdfRL2WtZV5ZVCqRkAjtpderMWz1wocV6cfyGpXk+U2tIYCv
+hrCdtiuLi9uDlaUApTxWPvM/7tl6/xz8rsqkpCkJZLvWEzFoOCrvjgh/J1aU8/jA
+qgRT+afx9+1CaP1D0XarFgqeiiL2VXB5bRvXxJfAiUiHoSmwQS8QqtwttWSL8Rgq
+cDopYoYIz2auUbVfa39cdDUm0ikauwRdcOup+RqP1PWMiOwSpMvQ5KSNLPWXt2+X
+zbjd966AmLHRN/i138wzHWq7dDiDw6QFAgMBAAGgADANBgkqhkiG9w0BAQsFAAOC
+AQEAa5eW1DZPHC/aWeRwV6OUfOG9cn+A19qxZuGILcZSNrYyfGnUxwd7bQhGEmqQ
+qKA26eSiqRj1unXJYt0D79rGErsW4/+asuMQBO6PjZZjB/8vxiSmhwjrm68HtciV
+eo6rfna1ZIC34wlAJU27FaCFK7xjFp6eSeuXs44dweOvjvM9lGrmYHi0BW9ZqtxT
+zVvxSQFqqprgOy5YvdbVEyLwHw67GxwZz8Ecs1QuAf9yf3FoqZM/Rbp9bdU21si6
+0ocbgkfPdCS04CJnieiOZpBvLLxlIxoHlaKUNaPhovx3LAait7JY/D0+5Jq84wZ1
+5tgW3rCd8E1GBtfpz3wFNNe6ZA==
+-----END CERTIFICATE REQUEST-----
diff --git a/kubernetes/generated/input/svc.aerospike.com.req b/kubernetes/generated/input/svc.aerospike.com.req
new file mode 100644
index 0000000..cf0741b
--- /dev/null
+++ b/kubernetes/generated/input/svc.aerospike.com.req
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICrzCCAZcCAQAwajELMAkGA1UEBhMCVUsxDzANBgNVBAgMBkxvbmRvbjEPMA0G
+A1UEBwwGTG9uZG9uMQwwCgYDVQQKDANhYnMxDzANBgNVBAsMBkNsaWVudDEaMBgG
+A1UEAwwRc3ZjLmFlcm9zcGlrZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQCnXmrt1wuDydfQWdZLofAu06RoeikjcJZBqvKQbWq75VXDqgHoRQH0
+82hF6KJSQCBtaPBtP3vlwRQpq2fnML2tGPw2BJtr4QkIkk/xbWwX0L2E36SlD+Ax
+g+xdvJYnjUONHML3d8QsHcvIYYdE95hT8YAUv+J5vcq0UY0bO4F7fA5PiRvrvPyG
+3mEuqzOxqev5L51HHJpbBbDsBGFzqfAQ6fIGB0LNxcma+WWrsCXGdkgcZnJ6PzLV
+XtV5tzN8gnnSYR9hE++6IB2gS6gL5EvL75AhVp5t18a6lV4pq4uro8ecD7yHwpL5
+XVUFGmRq0bEMJ5BLZVR9/+JWQTIm/GSrAgMBAAGgADANBgkqhkiG9w0BAQsFAAOC
+AQEARf6wYpRcsGS6Yi6oA3h4JXZFWx09AYGLEsI6l5xGq/zADeIYJgF7tXRBtJ6J
+mSvJ6LUt8gMmYR4ZHlrjAsiZ0tjviEVXFu1sFmOkbe69WWAe4snu2tg32DNtvUcA
+eOCbMFwl6hx9CWR/HvnTMhWFBxJgJzhoFx+leyKOY50tFE1ggiT4EQFFsvyJ95nb
+2IQMM0De1a2HGrEf2UXDmVfPv2/g0hUE5UUyYcZRLXWt06QngTClM1EcHJXuojYV
+GFUiAdM6uIIF8M4PIRAqK4u1v3GeJHZeqnCDmsdnz3KMxEhLy05xNBzMNvb1fIDY
+3YVK5uI85wfFk6tC0DbuE1L7IA==
+-----END CERTIFICATE REQUEST-----
diff --git a/kubernetes/generated/manifests/aerospike-cr.yaml b/kubernetes/generated/manifests/aerospike-cr.yaml
new file mode 100644
index 0000000..003ccff
--- /dev/null
+++ b/kubernetes/generated/manifests/aerospike-cr.yaml
@@ -0,0 +1,140 @@ +apiVersion: asdb.aerospike.com/v1 +kind: AerospikeCluster +metadata: + name: aerocluster + namespace: aerospike + +spec: + size: 3 + image: aerospike/aerospike-server-enterprise:7.0.0.0 + storage: + filesystemVolumePolicy: + initMethod: deleteFiles + cascadeDelete: true + blockVolumePolicy: + cascadeDelete: true + volumes: + - name: workdir + aerospike: + path: /opt/aerospike + source: + persistentVolume: + storageClass: ssd + volumeMode: Filesystem + size: 1Gi + - name: avs-meta + aerospike: + path: /avs/dev/xvdf + source: + persistentVolume: + storageClass: ssd + volumeMode: Block + size: 20Gi + + - name: ns + aerospike: + path: /test/dev/xvdf + source: + persistentVolume: + storageClass: ssd + volumeMode: Block + size: 20Gi + - name: aerospike-config-secret + source: + secret: + secretName: aerospike-secret + aerospike: + path: /etc/aerospike/secret + - name: aerospike-tls-config + source: + secret: + secretName: aerospike-tls + aerospike: + path: /etc/aerospike/ssl + + + podSpec: + sidecars: + - name: aerospike-prometheus-exporter + image: aerospike/aerospike-prometheus-exporter:v1.9.0 + ports: + - containerPort: 9145 + name: exporter + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: aerospike.com/node-pool + operator: In + values: + - "default-rack" + multiPodPerHost: false + + aerospikeAccessControl: + users: + - name: admin + secretName: auth-secret + roles: + - sys-admin + - user-admin + - name: tester + secretName: auth-secret + roles: + - truncate + - sindex-admin + - user-admin + - data-admin + - read-write + - read + - write + - read-write-udf + - sys-admin + - udf-admin + operatorClientCert: + secretCertSource: + secretName: aerospike-tls + caCertsFilename: ca.aerospike.com.pem + clientCertFilename: asd.aerospike.com.pem + clientKeyFilename: asd.aerospike.com.key + + aerospikeConfig: + service: + feature-key-file: /etc/aerospike/secret/features.conf + 
security: {} + network: + service: + # port: 3000 + tls-name: asd.aerospike.com + tls-authenticate-client: "false" + tls-port: 4333 + fabric: + # port: 3001 + tls-name: asd.aerospike.com + tls-port: 3012 + heartbeat: + # port: 3002 + tls-name: asd.aerospike.com + tls-port: 3011 + tls: + - name: asd.aerospike.com + cert-file: /etc/aerospike/ssl/asd.aerospike.com.pem + key-file: /etc/aerospike/ssl/asd.aerospike.com.key + ca-file: /etc/aerospike/ssl/ca.aerospike.com.pem + namespaces: + - name: test + replication-factor: 2 + storage-engine: + type: device + devices: + - /test/dev/xvdf + + - name: avs-meta + nsup-period: 600 + nsup-threads: 2 + evict-tenths-pct: 5 + replication-factor: 2 + storage-engine: + type: device + devices: + - /avs/dev/xvdf \ No newline at end of file diff --git a/kubernetes/generated/manifests/avs-gke-values.yaml b/kubernetes/generated/manifests/avs-gke-values.yaml new file mode 100644 index 0000000..15f4eb7 --- /dev/null +++ b/kubernetes/generated/manifests/avs-gke-values.yaml 
@@ -0,0 +1,122 @@ +replicaCount: 3 +aerospikeVectorSearchConfig: + cluster: + cluster-name: "avs-db-1" + feature-key-file: "/etc/aerospike-vector-search/secrets/features.conf" + service: + metadata-namespace: "avs-meta" + ports: + 5000: + addresses: + "0.0.0.0" + tls-id: service-tls + manage: + ports: + 5040: { } + + heartbeat: + seeds: + - address: avs-gke-aerospike-vector-search-0.avs-gke-aerospike-vector-search.avs.svc.cluster.local + port: 5001 + interconnect: + client-tls-id: interconnect-tls + ports: + 5001: + addresses: + "0.0.0.0" + tls-id: interconnect-tls + storage: + client-policy: + tls-id: aerospike-tls + credentials: + username: tester + password-file: "/etc/aerospike-vector-search/secrets/aerospike-password.txt" + seeds: + - aerocluster-0-0.aerocluster.aerospike.svc.cluster.local: +# port: 3000 + port: 4333 + tls-name: "asd.aerospike.com" + security: + auth-token: + private-key: "/etc/aerospike-vector-search/secrets/private_key.pem" + private-key-password: "/etc/aerospike-vector-search/secrets/client-password.txt" + public-key: "/etc/aerospike-vector-search/secrets/public_key.pem" + tls: + service-tls: + trust-store: + store-file: /etc/ssl/certs/ca.aerospike.com.truststore.jks + store-password-file: /etc/ssl/certs/storepass + key-password-file: "/etc/ssl/certs/keypass" + key-store: + store-file: /etc/ssl/certs/svc.aerospike.com.keystore.jks + store-password-file: /etc/ssl/certs/storepass + key-password-file: /etc/ssl/certs/keypass +# override-tls-hostname: avs-gke-aerospike-vector-search-0.avs-gke-aerospike-vector-search.aerospike.svc.cluster.local + + interconnect-tls: + trust-store: + store-file: /etc/ssl/certs/ca.aerospike.com.truststore.jks + store-password-file: /etc/ssl/certs/storepass + key-password-file: "/etc/ssl/certs/keypass" + key-store: + store-file: /etc/ssl/certs/avs.aerospike.com.keystore.jks + store-password-file: /etc/ssl/certs/storepass + key-password-file: /etc/ssl/certs/keypass + override-tls-hostname: avs.aerospike.com + + 
aerospike-tls: + trust-store: + store-file: "/etc/ssl/certs/ca.aerospike.com.truststore.jks" + store-password-file: "/etc/ssl/certs/storepass" + key-password-file: "/etc/ssl/certs/keypass" + key-store: + store-file: "/etc/ssl/certs/avs.aerospike.com.keystore.jks" + store-password-file: "/etc/ssl/certs/storepass" + key-password-file: "/etc/ssl/certs/keypass" +# override-tls-hostname: "asd.aerospike.com" + logging: + # file: /var/log/aerospike-vector-search/aerospike-vector-search.log + enable-console-logging: false + format: simple + max-history: 30 + levels: + metrics-ticker: debug + root: info + ticker-interval: 10 + +securityContext: + allowPrivilegeEscalation: false + runAsUser: 0 +image: + repository: "aerospike/aerospike-vector-search" + pullPolicy: "IfNotPresent" + # Overrides the image tag whose default is the chart appVersion. + tag: "0.10.0" +extraSecretVolumeMounts: + - name: aerospike-tls + mountPath: "/etc/ssl/certs" + readOnly: true + +extraVolumes: + - name: aerospike-tls + secret: + secretName: aerospike-tls + optional: false +affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: aerospike.com/node-pool + operator: In + values: + - "avs" +# podAntiAffinity: +# requiredDuringSchedulingIgnoredDuringExecution: +# - topologyKey: "kubernetes.io/hostname" +# labelSelector: +# matchExpressions: +# - key: "app.kubernetes.io/name" +# operator: In +# values: +# - "aerospike-vector-search" diff --git a/kubernetes/generated/output/avs.aerospike.com.key b/kubernetes/generated/output/avs.aerospike.com.key new file mode 100644 index 0000000..e0f9e76 --- /dev/null +++ b/kubernetes/generated/output/avs.aerospike.com.key 
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCiTYiY56L5zjSR
+4LCDSIKNJk3r/tTuCw83zfy6fuokoNhUhQddWIrh4x/Xla3W/VFOXTbCZdfRL2Wt
+ZV5ZVCqRkAjtpderMWz1wocV6cfyGpXk+U2tIYCvhrCdtiuLi9uDlaUApTxWPvM/
+7tl6/xz8rsqkpCkJZLvWEzFoOCrvjgh/J1aU8/jAqgRT+afx9+1CaP1D0XarFgqe
+iiL2VXB5bRvXxJfAiUiHoSmwQS8QqtwttWSL8RgqcDopYoYIz2auUbVfa39cdDUm
+0ikauwRdcOup+RqP1PWMiOwSpMvQ5KSNLPWXt2+Xzbjd966AmLHRN/i138wzHWq7
+dDiDw6QFAgMBAAECggEAF6/CEjKoDdYCxRFqIVbJOslO0PTJZY42o9nLmvofuMXC
+nJ8ngn+EEVBg2sks7DXfElU3Qyqy0wQcTjB/kwDeD41aSDiOX50gfkNsDI4oUJSB
+sL+TjwNXMQayqumltEFugWcrBAuZYSrhvEBi+/jUZaoqx9lvZcAOS8FUUhX0ai5w
+GWrgwZAZsmHBOWJDOvy4EM6u9teuH5fklZGnY6rKAjNheGpF/lBy/w8x7QmnqBOi
+htQ/rwndgrAZT+NirqSPsyjjKeutvZ6we8vEyWEHYyFIaksfW7zFySmkN1hmPqK2
+xuRpbzu/Q64qUCJsesx/uk0qSl2yIScLR+omQyMQUQKBgQC5SqxEzMwrgx2QE05A
+B1H0MvdcbXpVaruKWllox5+KRauhIrkvq35WJCa/vlq5hnXXqlG0Td1ejFxe2bFj
+nA0TePIomLYmd3AYnoPX34U2kvNQMs7AOqAfii96zCq1fbD2Ow81zRlE73Ww6vcd
+01pWe7nKF4ygeVqbX1LmZ0P7OQKBgQDgPQ9K/riYzpfMxrnDO/oi09EUpsmNzjYD
+xFnrtCVYvvrwyg/8ZtOkBL/bkn3vIUcpdtQ1+5OVTvgBzPaW5RBrAreIho4r4VMD
+iKI9IFenwLQItRmiNzmxfTt+tkYeiocO6kYaYDuhBGf7yiNbgDYBU5GSRCACJjXx
+tvYTfEVTLQKBgBi1J2GJOZR3yGJk4KNTFo+MmEV/57cqI1XglFmPfOuwPKGhAraj
+lJYh/fTFik2A64fVk02KsIEiEFMpjijtLyUwlIHrUyav+Ief447OpHHRiJZiIAWs
+C5wJDim+vdczqnw7Bd0zuzHhCH2N52PXwg0UNIMJPtxLMlTTkjdc/8ipAoGAQ35d
+cgdFbMkSK9LM6xTMb1suHXcuR36AB5Y8MpPggdvKEFvhf+k7Xq0HSoHHYgi0MKjR
+qwX0IAbK40/cEQMVdAA3WeKWPGLv56pimt93Qsjf55cLBiZ1ORUmqTcX1+1+RWEC
+hMHecNKwsbrf9ZSbrL6InGvg7oSty/l0C91lyGkCgYEAtpoxz1uRaQmblBDlPtTN
+wCBan9RDadFgJ9XonU3nO4OqBf9bBeUtxG3wDIeJ5ehxAcAB+NAKwsB7MfWPtR3d
+gbc0kWogwW0ym9kJaP9SfJIgZNbqUqh1mu6A0vuw/xgjgVsyUPRxeET2n5hKGK1j
+3+Tm5llnHS6LSQN70edt3CY=
+-----END PRIVATE KEY-----
diff --git a/kubernetes/generated/output/avs.aerospike.com.p12 b/kubernetes/generated/output/avs.aerospike.com.p12
new file mode 100644
index 0000000..13f82e9
Binary files /dev/null and b/kubernetes/generated/output/avs.aerospike.com.p12 differ
diff --git a/kubernetes/generated/output/ca.aerospike.com.key b/kubernetes/generated/output/ca.aerospike.com.key
new file mode 100644
index 0000000..4a1ddde
--- /dev/null
+++ b/kubernetes/generated/output/ca.aerospike.com.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCwt224MfC3oSEv
+4+fHB0uoXRtZfnMRtbe7mb9NIeEcy6W0MJ7EWbXs8KPhjaDxGAQ+BGXsmRSO739j
+Mnu0b8n/4ZIL4nyGDNZhfNQamZ6siivB4joAS99JiOB6wmmI6ZdduZB8LYHH6bC/
+Z9lljlZYpBs+zNIA1VtlO0ntJX6oY6s4V67Yoi9UgB7LPedJVG5YrmgeeUkNmQS/
+fLkt52m6vU0fuqcEq+4emSzQKKtwYJAsnTp5b73NyTyulDmLWFDAgFlzyhxYlTRZ
+zqstC8g5oyAn3VNh5mbefsVFhfvtqsoMn0E88HSEm6cgfcC3i9w2MmjD5zWqW+UF
+YpjF12VnAgMBAAECggEANYoFSGJ9Ay1ioB9E2ARqVCKNSDJqy2lKNqCwmD5U9QPv
++qUmXOevGg+YHxxpL9IuatmrRaDlXR7LcfLYDsU1pnwhYs9mGbjm9Jc8rahwLecY
+tb+EAhX6ms1I8XhYP/5BeUhgsXaaFMbE4WCluUKD/4wMoxyr3UvGymdJkPskogA5
+79E3XFk8nkXe8tvoG3eRZpy6zjX+sjzlsBTV0EYWKKW6txdZ9m7OqUfyRvBOXbBy
+Vy+Ac0rie/utenTIz1FyuZJSQOKL1zJDIKH61kJA0Zhe+sWTGJIWEg0S9UkH1val
+ftr9pRlZwjww2SVo12rfyhyMpA5lnaUgE3k5s3scTQKBgQC2KtkIkDd5C0tKHmRz
+H9BekMfB+123Phc1qWv/0fPGD5Yzhf7C74fV6EuV6CVUz6nZKbQF0ZNPZ9ykNACu
+7oOMXYyYecY1g/221ewgUvm9PG9+xNUno1kybLq0amUPoQ/ktY7FyOPorOp/3eyl
+DrOjoYmuQr5CK8FiXN315/x4OwKBgQD4VwQVvkw1EHAd+EURIALn+9vTg+5wM5oT
+JkCcTzvhatSKXCLURZv8nqBruN/lyx2C+RAIGydc2IeDiDu1udtSn6BybCQ9wmeW
+ismvTdzbkEV8iU+dERxMNg5Kpr5uPjJ34jbDEtj7X6hLcLiS+0E++C1OOfn0EVgH
+yqy0s56gxQKBgA7U/kbMNzgLy12Fi/gzpuuMLjeFF+RLkeg0my6BEbAWpMwdJNkK
+V6z69OyHskJthg7Abn/qyGu2sShNc6DKmrtbAo+HmrPQw1+Xm1omZ18ZBJr1u8U2
+b5TDdZAq+X+ERZ8BiVZhPO085vryPspRoB66kFM36/XHSj+QACJ9ePjxAoGAXikY
+KmpiGMinyiVFgs3BbFZprlRaxv450ELzwpCkYr8P4Xo31oaiM3Gt38pUUpvmD7AB
+7SDmluSe1TeFdE0JJNXTjy8DussIXeM3v5llQXb9cc/aePJw6VChsJpyn/hDSINk
+QijWTtGhTSFrSoer4IVXIE8JQAqHd0TYoRdt8QUCgYBGCdlfNuRS7i6kldvf8iVs
+E1j9xP7Bk3F7u01VJIxIY1IJc4U0/1mJHQrE4hNaziXFkx1LWqrLYV8EiNn4vuRI
+AzvRbDRsuZu+sGV2aC5RTV/zDbcia8BE8Z33iHykWXduuxm2rJUe7884rp9ZrEjt
+IGEV072jP0I5Cfd2BibRkQ==
+-----END PRIVATE KEY-----
diff --git a/kubernetes/generated/output/svc.aerospike.com.key b/kubernetes/generated/output/svc.aerospike.com.key
new file mode 100644
index 0000000..0d27d78
--- /dev/null
+++ b/kubernetes/generated/output/svc.aerospike.com.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCnXmrt1wuDydfQ
+WdZLofAu06RoeikjcJZBqvKQbWq75VXDqgHoRQH082hF6KJSQCBtaPBtP3vlwRQp
+q2fnML2tGPw2BJtr4QkIkk/xbWwX0L2E36SlD+Axg+xdvJYnjUONHML3d8QsHcvI
+YYdE95hT8YAUv+J5vcq0UY0bO4F7fA5PiRvrvPyG3mEuqzOxqev5L51HHJpbBbDs
+BGFzqfAQ6fIGB0LNxcma+WWrsCXGdkgcZnJ6PzLVXtV5tzN8gnnSYR9hE++6IB2g
+S6gL5EvL75AhVp5t18a6lV4pq4uro8ecD7yHwpL5XVUFGmRq0bEMJ5BLZVR9/+JW
+QTIm/GSrAgMBAAECggEADRXwvk/F8rPhT8T2YEt0//REMnb6qG6xEMlQ1cH4SmCP
+6BBuvb5HfONbD7w0lMG2x1chFSmVgk0qSmfAY+8HpXUCoyaREEoz7puh7HplrScA
+6laiBNXM7ZIm9N090DHXSj0pcTfH+rsJp80YSmghXM7Q+M5X4rTYGGkX4z0vznuv
+/AJblRp9o8teVCVft+Xrkc8640dqb7zyiGgrwmD8zF/5AoOvSeovEdwY40RsQ9mK
+m2ozu0JWeI9uDRFTBI7RJH9//FztYuQzNT8jDkPV6DTIqoohR9orvCUIschRafP/
+cyPvHqnfwbPVnus53SZ96gGA6ppW3hWMk0/nSJ+YoQKBgQC4MARGX5hEEjslmzca
+rmQl2yF/JAq2V5GZD0NawNHt7QcPSMquIfyqEy0jJ6L+Yk5xlD0rHxac4CyhDbjJ
+xsaL1i1UUtSHMJCY8v2kDmPID+Gr1pHcjybtxmRFfWxGOaJt1HDcD4vSkODSfLs2
+zzG3zmybdyn32ot8KZzIcr2e5wKBgQDon7OeN7SrwFP9DJLhZIPAiQgWauYKBq6I
+tNmZQbHhGQ5h6l3dVZRQsJuPfMqhFSCFWPUpgaABh2MJOxAx3AMwXhf9n30SnRDp
+hp4jS7JEYcpNC0dDq1u8D4gvtsnNoBlDCmY1RgDfZ7UZeiP8Okh9HPwoyHpwZuGU
+seoHWsVnnQKBgQCeodxMr/B4UCtYzEG9XQ0r/XrwAZ6oROtFI/wioYcsn8RAybSm
+HOd7o2BwsqaS6SAeeknkZbYYDorheuv3/JbrwN7xjRU2CgG/eSgyr6IIoIUAdqDR
+kQk6KHAb2VXzdZgLd7hsD4ehJt466upi3jg30jWAADXJHhScL0q06P2faQKBgEqt
+ki0VtwN4H75ZvgFrkjxKAXWo5aaMVJWAcWaYx3D66ToX0gBPC+kHeTkMF8S0kpcc
+Yr/rZCF5hBqfgmhvN/rcChmajL1f/ODrHXM5RsZbGmW3XC5mIXHzDoY6yPghEFsM
+SJmLmpYdpe7C3jCHyWOY3X5+NYhGDt78aqPnyP2lAoGADt2+03Uq+Rx6gFO+dFGI
+jErFZnD58jgl/qXQnA6UK2XJ4upDRCH4mkpJtlrq1fCuDrbMjKDeJBb0n5SyDO3x
+VdQpN9IICBx94m7hh9WIyw0duLr0Ly22xKBRe1swNr6phi/UnFOY+f8y3Ci+SXRT
+9G6bMZefoobZd2L2I77V2Jk=
+-----END PRIVATE KEY-----
diff --git a/kubernetes/generated/output/svc.aerospike.com.p12 b/kubernetes/generated/output/svc.aerospike.com.p12
new file mode 100644
index 0000000..669f204
Binary files /dev/null and b/kubernetes/generated/output/svc.aerospike.com.p12 differ
diff --git a/kubernetes/generated/secrets/aerospike-password.txt b/kubernetes/generated/secrets/aerospike-password.txt
new file mode 100644
index 0000000..32e9c62
--- /dev/null
+++ b/kubernetes/generated/secrets/aerospike-password.txt
@@ -0,0 +1 @@
+admin123
\ No newline at end of file
diff --git a/kubernetes/generated/secrets/client-password.txt b/kubernetes/generated/secrets/client-password.txt
new file mode 100644
index 0000000..0f673cc
--- /dev/null
+++ b/kubernetes/generated/secrets/client-password.txt
@@ -0,0 +1 @@
+citrusstore
\ No newline at end of file
diff --git a/kubernetes/generated/secrets/private_key.pem b/kubernetes/generated/secrets/private_key.pem
new file mode 100644
index 0000000..ca33084
--- /dev/null
+++ b/kubernetes/generated/secrets/private_key.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCvcq2XnMbQYpGK
+bStfKsyE+z7+LYsy7NTAA7Mueb0bjzphHF9CUv70mUOmczuGe+z2Krs2N/x84C9H
+3Ya6DptCiNhnZIXUv9ydzo/y54CW1ZYV4RULeP5tebWP5/yNqG8k9LrWdemkKm4z
+JPb+cPuWdRf5xW/Ap9CDabJE+VIlMgz8GtYyxdNRbJ5INUvufhCBg5x/XY28+fOE
+T/f4hbEquijlMtcwlD4s4JZdnjbm0Z0wq/ekpIT6VULzRArrF83uSFvsbTx2mfBV
+muooi6YshzJt6YEvruhRNsT14RJ1xfxQP47KLtHnXbeRi7rrD+XtXTZ0UGizJsXD
+O94Ukl9HAgMBAAECggEACf6w9/mk89shqm6ksWO5SfwcLxO+IdUPG686RnQF+2tx
+6nVY0ejzgFC442MeKX+m1LFDgAe5eQ22c9QhaDkLzEMKfP1jiGaztUO+vJpGn5Ek
+XzO25LPsXqU33C5dm15UkpjkifImsMUACSbacU1Tb9NU3dRLFQEaZlofn0FK1jaH
+BmIDCeMwh40hkhDZk4jufH2LW+SF/kncm/n6xcY98AjhI9ZcVTMVfuWTyX+1nN3A
+ffxeWKXMzpkXO+Mq/lETSyfMZT+RjcNnLPQa6jNxzPWFD7ALYM5zPUZps9xqwFY7
+c+Np7IJwB0DqV//7+amcTbT0uSaaUpYXJxpMJVoghQKBgQDGM9YroKz8k1vNCwFZ
+roCraHoc/Ahzty2jfmWtat4VUY/L34/T8kP6MLnpyDwwAncE3wnUa/IbMQgNRe4g
+zc191jVpx5atvQBTiKjuFCsfKfMPNmow30YDOIzs2o6dCDA1jG/ByYTHXRyvQoka
+xcrpzv8OZi4Dk//hscqoTPIETQKBgQDinC0eUiz4JyuEMGLWWbyYqqPSUEqVj7u5
+3pXMRGw2yzlvue/vSS/0279dATT4SCFQ2rYIrzUSx7J/JkwDucr5ThC2wq9ZmJZc
+FPUCvnh1J5VnmXlpjrdD8fr/Ea4XtkTG/yHsnizd9R8nK5J71BzosSemP3sxX7cK
+HD7C0I5L4wKBgHfAqB1SBlLRAf1gMd+qtKlcBbPvf3fS7GtFGk/uKuK8leI7YF5R
+mUrYF+wthFgJlTnHPNwwoGZXeKL0Zo1Ba3Aldb5EzkCI2mKeRlsaqnc41FeTrBN9
+Q4L8rwEIiHROlzozcO6oQGZoVsV5sPcRHKmp3Kcpi5Gz4T3POz/2xZ9dAoGBAI6y
+lALU8nZtjAyYv5SFO6rTQYftgZn+wdMApEnWCGLUxF1jtAB1kNpbCn0Rhn6WRUx5
+/Ukos34Y/IDu580s0PD+xK2hmPQNjxl7JPJOaOI1Q/LSBU+ATE1f8pNuWbea0mKR
+RJaQ4GYAtlZfLMYHQxEQhYw9y2DDCis2sBrTY9fLAoGAOWEEUQ0UDNYwwX7C0teI
+bQaQkHnjpwtR5aBzq/+3a+U4MGLfpnDGsRn/Ldtbs3FrYCuPC6hmQ+BSabd+XS5w
+Pf3X7WEAV0Dzb7fRMZ9cGUtsRPQxTDtNGI/52DTDulDkAJtQbi+07RKAz1zC6blx
+O466VuJ1wv5+NsoJ/YqoGog=
+-----END PRIVATE KEY-----
diff --git a/kubernetes/generated/secrets/public_key.pem b/kubernetes/generated/secrets/public_key.pem
new file mode 100644
index 0000000..31b5029
--- /dev/null
+++ b/kubernetes/generated/secrets/public_key.pem
@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAr3Ktl5zG0GKRim0rXyrM
+hPs+/i2LMuzUwAOzLnm9G486YRxfQlL+9JlDpnM7hnvs9iq7Njf8fOAvR92Gug6b
+QojYZ2SF1L/cnc6P8ueAltWWFeEVC3j+bXm1j+f8jahvJPS61nXppCpuMyT2/nD7
+lnUX+cVvwKfQg2myRPlSJTIM/BrWMsXTUWyeSDVL7n4QgYOcf12NvPnzhE/3+IWx
+Kroo5TLXMJQ+LOCWXZ425tGdMKv3pKSE+lVC80QK6xfN7khb7G08dpnwVZrqKIum
+LIcybemBL67oUTbE9eESdcX8UD+Oyi7R5123kYu66w/l7V02dFBosybFwzveFJJf
+RwIDAQAB
+-----END PUBLIC KEY-----
diff --git a/kubernetes/manifests/aerospike-cr-auth.yaml b/kubernetes/manifests/aerospike-cr-auth.yaml
new file mode 100644
index 0000000..003ccff
--- /dev/null
+++ b/kubernetes/manifests/aerospike-cr-auth.yaml
@@ -0,0 +1,140 @@ +apiVersion: asdb.aerospike.com/v1 +kind: AerospikeCluster +metadata: + name: aerocluster + namespace: aerospike + +spec: + size: 3 + image: aerospike/aerospike-server-enterprise:7.0.0.0 + storage: + filesystemVolumePolicy: + initMethod: deleteFiles + cascadeDelete: true + blockVolumePolicy: + cascadeDelete: true + volumes: + - name: workdir + aerospike: + path: /opt/aerospike + source: + persistentVolume: + storageClass: ssd + volumeMode: Filesystem + size: 1Gi + - name: avs-meta + aerospike: + path: /avs/dev/xvdf + source: + persistentVolume: + storageClass: ssd + volumeMode: Block + size: 20Gi + + - name: ns + aerospike: + path: /test/dev/xvdf + source: + persistentVolume: + storageClass: ssd + volumeMode: Block + size: 20Gi + - name: aerospike-config-secret + source: + secret: + secretName: aerospike-secret + aerospike: + path: /etc/aerospike/secret + - name: aerospike-tls-config + source: + secret: + secretName: aerospike-tls + aerospike: + path: /etc/aerospike/ssl + + + podSpec: + sidecars: + - name: aerospike-prometheus-exporter + image: aerospike/aerospike-prometheus-exporter:v1.9.0 + ports: + - containerPort: 9145 + name: exporter + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: aerospike.com/node-pool + operator: In + values: + - "default-rack" + multiPodPerHost: false + + aerospikeAccessControl: + users: + - name: admin + secretName: auth-secret + roles: + - sys-admin + - user-admin + - name: tester + secretName: auth-secret + roles: + - truncate + - sindex-admin + - user-admin + - data-admin + - read-write + - read + - write + - read-write-udf + - sys-admin + - udf-admin + operatorClientCert: + secretCertSource: + secretName: aerospike-tls + caCertsFilename: ca.aerospike.com.pem + clientCertFilename: asd.aerospike.com.pem + clientKeyFilename: asd.aerospike.com.key + + aerospikeConfig: + service: + feature-key-file: /etc/aerospike/secret/features.conf + 
security: {} + network: + service: + # port: 3000 + tls-name: asd.aerospike.com + tls-authenticate-client: "false" + tls-port: 4333 + fabric: + # port: 3001 + tls-name: asd.aerospike.com + tls-port: 3012 + heartbeat: + # port: 3002 + tls-name: asd.aerospike.com + tls-port: 3011 + tls: + - name: asd.aerospike.com + cert-file: /etc/aerospike/ssl/asd.aerospike.com.pem + key-file: /etc/aerospike/ssl/asd.aerospike.com.key + ca-file: /etc/aerospike/ssl/ca.aerospike.com.pem + namespaces: + - name: test + replication-factor: 2 + storage-engine: + type: device + devices: + - /test/dev/xvdf + + - name: avs-meta + nsup-period: 600 + nsup-threads: 2 + evict-tenths-pct: 5 + replication-factor: 2 + storage-engine: + type: device + devices: + - /avs/dev/xvdf \ No newline at end of file diff --git a/kubernetes/manifests/ssd_storage_cluster_cr.yaml b/kubernetes/manifests/aerospike-cr.yaml similarity index 100% rename from kubernetes/manifests/ssd_storage_cluster_cr.yaml rename to kubernetes/manifests/aerospike-cr.yaml diff --git a/kubernetes/manifests/avs-gke-values-auth.yaml b/kubernetes/manifests/avs-gke-values-auth.yaml new file mode 100644 index 0000000..15f4eb7 --- /dev/null +++ b/kubernetes/manifests/avs-gke-values-auth.yaml 
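Review bot: The `tester` account, which the AVS values files in this commit use for the storage connection (`username: tester`), is granted `sys-admin`, `user-admin`, `udf-admin` and `data-admin` on top of `read-write`, so the password stored in `aerospike-password.txt` is effectively a cluster-admin credential held by the AVS pods. Reduce that list to the roles AVS needs on the `avs-meta` namespace (I would expect `read-write` plus possibly `truncate` and `sindex-admin`; confirm against the AVS documentation) and keep administrative roles on `admin` only. `tls-authenticate-client: "false"` on the service port also means the server does not ask clients for a certificate, so client identity rests entirely on that password; if mutual TLS was intended, `any` is the value that requires a client certificate. `kubernetes/generated/manifests/aerospike-cr.yaml` is the same blob (`003ccff`) and carries the same roles and setting.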
@@ -0,0 +1,122 @@ +replicaCount: 3 +aerospikeVectorSearchConfig: + cluster: + cluster-name: "avs-db-1" + feature-key-file: "/etc/aerospike-vector-search/secrets/features.conf" + service: + metadata-namespace: "avs-meta" + ports: + 5000: + addresses: + "0.0.0.0" + tls-id: service-tls + manage: + ports: + 5040: { } + + heartbeat: + seeds: + - address: avs-gke-aerospike-vector-search-0.avs-gke-aerospike-vector-search.avs.svc.cluster.local + port: 5001 + interconnect: + client-tls-id: interconnect-tls + ports: + 5001: + addresses: + "0.0.0.0" + tls-id: interconnect-tls + storage: + client-policy: + tls-id: aerospike-tls + credentials: + username: tester + password-file: "/etc/aerospike-vector-search/secrets/aerospike-password.txt" + seeds: + - aerocluster-0-0.aerocluster.aerospike.svc.cluster.local: +# port: 3000 + port: 4333 + tls-name: "asd.aerospike.com" + security: + auth-token: + private-key: "/etc/aerospike-vector-search/secrets/private_key.pem" + private-key-password: "/etc/aerospike-vector-search/secrets/client-password.txt" + public-key: "/etc/aerospike-vector-search/secrets/public_key.pem" + tls: + service-tls: + trust-store: + store-file: /etc/ssl/certs/ca.aerospike.com.truststore.jks + store-password-file: /etc/ssl/certs/storepass + key-password-file: "/etc/ssl/certs/keypass" + key-store: + store-file: /etc/ssl/certs/svc.aerospike.com.keystore.jks + store-password-file: /etc/ssl/certs/storepass + key-password-file: /etc/ssl/certs/keypass +# override-tls-hostname: avs-gke-aerospike-vector-search-0.avs-gke-aerospike-vector-search.aerospike.svc.cluster.local + + interconnect-tls: + trust-store: + store-file: /etc/ssl/certs/ca.aerospike.com.truststore.jks + store-password-file: /etc/ssl/certs/storepass + key-password-file: "/etc/ssl/certs/keypass" + key-store: + store-file: /etc/ssl/certs/avs.aerospike.com.keystore.jks + store-password-file: /etc/ssl/certs/storepass + key-password-file: /etc/ssl/certs/keypass + override-tls-hostname: avs.aerospike.com + + 
aerospike-tls: + trust-store: + store-file: "/etc/ssl/certs/ca.aerospike.com.truststore.jks" + store-password-file: "/etc/ssl/certs/storepass" + key-password-file: "/etc/ssl/certs/keypass" + key-store: + store-file: "/etc/ssl/certs/avs.aerospike.com.keystore.jks" + store-password-file: "/etc/ssl/certs/storepass" + key-password-file: "/etc/ssl/certs/keypass" +# override-tls-hostname: "asd.aerospike.com" + logging: + # file: /var/log/aerospike-vector-search/aerospike-vector-search.log + enable-console-logging: false + format: simple + max-history: 30 + levels: + metrics-ticker: debug + root: info + ticker-interval: 10 + +securityContext: + allowPrivilegeEscalation: false + runAsUser: 0 +image: + repository: "aerospike/aerospike-vector-search" + pullPolicy: "IfNotPresent" + # Overrides the image tag whose default is the chart appVersion. + tag: "0.10.0" +extraSecretVolumeMounts: + - name: aerospike-tls + mountPath: "/etc/ssl/certs" + readOnly: true + +extraVolumes: + - name: aerospike-tls + secret: + secretName: aerospike-tls + optional: false +affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: aerospike.com/node-pool + operator: In + values: + - "avs" +# podAntiAffinity: +# requiredDuringSchedulingIgnoredDuringExecution: +# - topologyKey: "kubernetes.io/hostname" +# labelSelector: +# matchExpressions: +# - key: "app.kubernetes.io/name" +# operator: In +# values: +# - "aerospike-vector-search" diff --git a/kubernetes/manifests/avs-gke-values.yaml b/kubernetes/manifests/avs-gke-values.yaml index 419f03e..414db92 100644 --- a/kubernetes/manifests/avs-gke-values.yaml +++ b/kubernetes/manifests/avs-gke-values.yaml 
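Review bot: `runAsUser: 0` under `securityContext` runs the AVS container as root, which makes the `allowPrivilegeEscalation: false` on the line before it largely cosmetic; unless the image genuinely requires root, set a non-root UID together with `runAsNonRoot: true`, and if root is required the reason belongs in a comment next to it. The `interconnect-tls` and `aerospike-tls` key-stores reference `/etc/ssl/certs/avs.aerospike.com.keystore.jks`, but the `kubernetes/generated/certs/` directory committed alongside only contains `svc.aerospike.com.keystore.jks` and the CA truststore, so if the `aerospike-tls` secret is populated from that directory these two TLS contexts cannot load their key material — confirm where the secret is assembled, which is outside this diff. The same `securityContext` block is also added to `kubernetes/manifests/avs-gke-values.yaml` in this commit, and `kubernetes/generated/manifests/avs-gke-values.yaml` is the same blob (`15f4eb7`).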
@@ -1,39 +1,32 @@ - replicaCount: 3 -image: - repository: "aerospike/aerospike-vector-search" - pullPolicy: "IfNotPresent" - # Overrides the image tag whose default is the chart appVersion. - tag: "0.9.0" - aerospikeVectorSearchConfig: cluster: cluster-name: "avs-db-1" - feature-key-file: "/etc/aerospike-vector-search/features.conf" + feature-key-file: "/etc/aerospike-vector-search/secrets/features.conf" service: metadata-namespace: "avs-meta" ports: 5000: addresses: "0.0.0.0" + # tls-id: service-tls manage: ports: 5040: { } + heartbeat: seeds: - address: avs-gke-aerospike-vector-search-0.avs-gke-aerospike-vector-search.avs.svc.cluster.local port: 5001 - - address: avs-gke-aerospike-vector-search-1.avs-gke-aerospike-vector-search.avs.svc.cluster.local - port: 5001 - - address: avs-gke-aerospike-vector-search-2.avs-gke-aerospike-vector-search.avs.svc.cluster.local - port: 5001 - interconnect: + # client-tls-id: interconnect-tls ports: 5001: addresses: - 0.0.0.0 + "0.0.0.0" + # tls-id: interconnect-tls storage: + client-policy: {} seeds: - aerocluster-0-0.aerocluster.aerospike.svc.cluster.local: port: 3000 
@@ -43,33 +36,29 @@ aerospikeVectorSearchConfig: format: simple max-history: 30 levels: - metrics-ticker: info + metrics-ticker: debug root: info - com.aerospike.vector.embedded.client: debug - client: debug ticker-interval: 10 -service: - enabled: true - annotations: - networking.gke.io/load-balancer-type: "External" - ports: - - name: "svc-port" - port: 5000 - targetPort: 5000 -# service: -# enabled: false -# type: LoadBalancer -# annotations: -# cloud.google.com/l4-rbs: "enabled" -# # networking.gke.io/load-balancer-type: "Internal" -# ports: -# - name: "svc-port" -# port: 5000 -# targetPort: 5000 +securityContext: + allowPrivilegeEscalation: false + runAsUser: 0 +image: + repository: "aerospike/aerospike-vector-search" + pullPolicy: "IfNotPresent" + # Overrides the image tag whose default is the chart appVersion. + tag: "0.10.0" +extraSecretVolumeMounts: + - name: aerospike-tls + mountPath: "/etc/ssl/certs" + readOnly: true -# schedule avs nodes - affinity: +extraVolumes: + - name: aerospike-tls + secret: + secretName: aerospike-tls + optional: false +affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: @@ -77,13 +66,4 @@ service: - key: aerospike.com/node-pool operator: In values: - - "aerospike-vector-search" - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - topologyKey: "kubernetes.io/hostname" - labelSelector: - matchExpressions: - - key: "app.kubernetes.io/name" - operator: In - values: - - "aerospike-vector-search" + - "avs" diff --git a/kubernetes/manifests/istio/avs-virtual-service.yaml b/kubernetes/manifests/istio/avs-virtual-service.yaml index 8a51b53..0473e55 100644 --- a/kubernetes/manifests/istio/avs-virtual-service.yaml +++ b/kubernetes/manifests/istio/avs-virtual-service.yaml 
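Review bot: The new `extraVolumes` entry mounts the `aerospike-tls` secret with `optional: false` into the non-TLS variant of this values file, where every TLS reference is commented out (`# tls-id: service-tls`, `# client-tls-id: interconnect-tls`) and `client-policy` is `{}`, so the insecure deployment now cannot start until a secret it never reads exists. Either drop `extraSecretVolumeMounts`/`extraVolumes` from this variant or mark the volume `optional: true`. The first hunk of this file also cuts the heartbeat seed list to pod `-0` only; if that is deliberate, a one-line comment saying the other pods discover through it would keep the next reader from adding them back.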
@@ -2,31 +2,19 @@ apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata: name: avs-vs - namespace: avs + namespace: aerospike spec: hosts: - "*" gateways: - avs-gw - http: + tls: - match: - - uri: - prefix: / - port: 80 + - port: 5000 + sniHosts: + - "*" route: - destination: - port: - number: 8080 - host: sematic-search-app-quote-semantic-search.avs.svc.cluster.local - - match: - - uri: - prefix: / - port: 5000 - route: - - destination: - port: - number: 5000 host: avs-gke-aerospike-vector-search.avs.svc.cluster.local - ---- - + port: + number: 5000 \ No newline at end of file diff --git a/kubernetes/manifests/istio/gateway.yaml b/kubernetes/manifests/istio/gateway.yaml index 3ce53f7..d95b89a 100644 --- a/kubernetes/manifests/istio/gateway.yaml +++ b/kubernetes/manifests/istio/gateway.yaml @@ -2,7 +2,7 @@ apiVersion: networking.istio.io/v1alpha3 kind: Gateway metadata: name: avs-gw - namespace: avs + namespace: aerospike spec: selector: istio: ingress @@ -15,8 +15,8 @@ spec: - "*" - port: number: 5000 - name: grpc - protocol: GRPC + name: grpc-svc + protocol: tls hosts: - "*" tls: diff --git a/kubernetes/secrets/aerospike-password.txt b/kubernetes/secrets/aerospike-password.txt new file mode 100644 index 0000000..32e9c62 --- /dev/null +++ b/kubernetes/secrets/aerospike-password.txt @@ -0,0 +1 @@ +admin123 \ No newline at end of file diff --git a/kubernetes/secrets/client-password.txt b/kubernetes/secrets/client-password.txt new file mode 100644 index 0000000..0f673cc --- /dev/null +++ b/kubernetes/secrets/client-password.txt @@ -0,0 +1 @@ +citrusstore \ No newline at end of file diff --git a/kubernetes/ssl/openssl.conf b/kubernetes/ssl/openssl.conf new file mode 100644 index 0000000..79edbfc --- /dev/null +++ b/kubernetes/ssl/openssl.conf 
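Review bot: The VirtualService moves to namespace `aerospike`, but its route destination still points at `avs-gke-aerospike-vector-search.avs.svc.cluster.local`, a service in the `avs` namespace, while the values files in this commit use both `...avs.svc.cluster.local` (heartbeat seeds) and `...aerospike.svc.cluster.local` (the commented `override-tls-hostname`), and the SAN in the committed `svc.aerospike.com.pem` appears, from its base64, to name the `aerospike` namespace as well. Pick one namespace and make the destination host, the seed addresses and the certificate SANs agree, otherwise SNI passthrough either forwards to a non-existent service or clients fail hostname verification; the Helm release namespace that settles this is outside the diff. The match `sniHosts: - "*"` together with the Gateway's `hosts: - "*"` on port 5000 forwards any SNI name to AVS; restricting both to the hostname clients are actually configured with keeps the gateway from relaying unrelated TLS traffic.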
@@ -0,0 +1,139 @@
+HOME = .
+oid_section = new_oids
+
+[ new_oids ]
+tsa_policy1 = 1.2.3.4.1
+tsa_policy2 = 1.2.3.4.5.6
+tsa_policy3 = 1.2.3.4.5.7
+
+[ ca ]
+default_ca = CA_default # The default ca section
+
+[ CA_default ]
+dir = rootca # Where everything is kept
+certs = $dir/certs # Where the issued certs are kept
+crl_dir = $dir/crl # Where the issued crl are kept
+database = $dir/index.txt # database index file
+ # several certs with same subject
+new_certs_dir = $dir/newcerts # default place for new certs
+
+certificate = $dir/cacert.pem # The CA certificate
+serial = $dir/serial # The current serial number
+crlnumber = $dir/crlnumber # the current crl number
+ # must be commented out to leave a V1 CRL
+crl = $dir/crl.pem # The current CRL
+private_key = $dir/private/cakey.pem# The private key
+x509_extensions = usr_cert # The extensions to add to the cert
+name_opt = ca_default # Subject Name options
+cert_opt = ca_default # Certificate field options
+default_days = 365 # how long to certify for
+default_crl_days= 30 # how long before next CRL
+default_md = default # use public key default MD
+preserve = no # keep passed DN ordering
+policy = policy_match
+
+[ policy_match ]
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ policy_anything ]
+countryName = (2 letter code, for example, US)
+stateOrProvinceName = State or Province Name (full name)
+localityName = Locality Name (such as, city)
+organizationName = Organization Name (such as, company)
+organizationalUnitName = Organizational Unit Name (such as, section or department)
+commonName = Common Name (such as, server FQDN or YOUR name)
+emailAddress = joedo@joedocompany.com
+
+[ req ]
+default_bits = 2048
+default_keyfile = privkey.pem
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+x509_extensions = v3_ca # The extensions to add to the self signed cert
+string_mask = utf8only
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code, for example, US)
+countryName_default = US
+countryName_min = 2
+countryName_max = 2
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = Some-State
+localityName = Locality Name (such as, city)
+0.organizationName = Organization Name (such as, company)
+0.organizationName_default = Your company name
+organizationalUnitName = Organizational Unit Name (such as, section)
+commonName = Common Name (such as, server FQDN or YOUR name)
+commonName_max = 64
+emailAddress = joedo@joedocompany.com
+emailAddress_max = 64
+
+[ req_attributes ]
+challengePassword = A challenge password
+challengePassword_min = 4
+challengePassword_max = 20
+unstructuredName = An optional company name
+
+[ usr_cert ]
+basicConstraints=CA:FALSE
+nsComment = "OpenSSL Generated Certificate"
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+
+[ v3_req ]
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+subjectAltName = @alt_names
+
+[ v3_ca ]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer
+basicConstraints = critical,CA:true
+
+[ crl_ext ]
+authorityKeyIdentifier=keyid:always
+
+[ proxy_cert_ext ]
+basicConstraints=CA:FALSE
+nsComment = "OpenSSL Generated Certificate"
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
+
+[ tsa ]
+default_tsa = tsa_config1 # the default TSA section
+
+[ tsa_config1 ]
+dir = ./demoCA # TSA root directory
+serial = $dir/tsaserial # The current serial number (mandatory)
+crypto_device = builtin # OpenSSL engine to use for signing
+signer_cert = $dir/tsacert.pem # The TSA signing certificate
+ # (optional)
+certs = $dir/cacert.pem # Certificate chain to include in reply
+ # (optional)
+signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
+signer_digest = 
sha256 # Signing digest to use. (Optional)
+default_policy = tsa_policy1 # Policy if request did not specify it
+ # (optional)
+other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
+digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
+accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
+clock_precision_digits = 0 # number of digits after dot. (optional)
+ordering = yes # Is ordering defined for timestamps?
+ # (optional, default: no)
+tsa_name = yes # Must the TSA name be included in the reply?
+ # (optional, default: no)
+ess_cert_id_chain = no # Must the ESS cert id chain be included?
+ # (optional, default: no)
+ess_cert_id_alg = sha1 # algorithm to compute certificate
+ # identifier (optional, default: sha1)
+[ alt_names ]
+DNS.1 = ${ENV::SVC_NAME}
+DNS.2 = *.${ENV::SVC_NAME}
+DNS.3 = ${ENV::COMMON_NAME}
diff --git a/kubernetes/ssl/openssl_ca.conf b/kubernetes/ssl/openssl_ca.conf
new file mode 100644
index 0000000..fbb1aeb
--- /dev/null
+++ b/kubernetes/ssl/openssl_ca.conf
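Review bot: `[ CA_default ]` sets `x509_extensions = usr_cert`, and `[ usr_cert ]` carries no `subjectAltName`, so certificates signed with `openssl ca` from this file only receive the `[ alt_names ]` entries if the signing command passes `-extensions v3_req` (presumably the setup script does; worth confirming), and `usr_cert` also lacks `keyUsage`/`extendedKeyUsage`, so issued leaf certificates are not limited to `serverAuth`; likewise `[ v3_ca ]` omits `keyUsage = critical, keyCertSign, cRLSign` for the self-signed CA. `[ policy_anything ]` was filled with prompt text (`countryName = (2 letter code, for example, US)`) instead of `match`/`optional`/`supplied` values, so it cannot work as a CA policy; either delete the section or restore the values. The same 139-line template is repeated as `openssl_ca.conf` and `openssl_svc.conf` in the later hunks, differing only in whether `[ alt_names ]` is present and in the `DNS.3` variable (`${ENV::COMMON_NAME}` vs `${ENV::REVERSE_DNS_AVS}`); one file with the SAN list supplied per invocation via `-extfile`, or a single env var, avoids drift between three copies, and the unused `[ tsa ]` and `[ proxy_cert_ext ]` leftovers (`policy:foo`, `digests = sha1`) can go. `DNS.2 = *.${ENV::SVC_NAME}` issues a wildcard SAN; if only the service FQDN and the reverse name are dialled, the wildcard entry can be dropped.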
@@ -0,0 +1,134 @@
+HOME = .
+oid_section = new_oids
+
+[ new_oids ]
+tsa_policy1 = 1.2.3.4.1
+tsa_policy2 = 1.2.3.4.5.6
+tsa_policy3 = 1.2.3.4.5.7
+
+[ ca ]
+default_ca = CA_default # The default ca section
+
+[ CA_default ]
+dir = rootca # Where everything is kept
+certs = $dir/certs # Where the issued certs are kept
+crl_dir = $dir/crl # Where the issued crl are kept
+database = $dir/index.txt # database index file
+ # several certs with same subject
+new_certs_dir = $dir/newcerts # default place for new certs
+
+certificate = $dir/cacert.pem # The CA certificate
+serial = $dir/serial # The current serial number
+crlnumber = $dir/crlnumber # the current crl number
+ # must be commented out to leave a V1 CRL
+crl = $dir/crl.pem # The current CRL
+private_key = $dir/private/cakey.pem# The private key
+x509_extensions = usr_cert # The extensions to add to the cert
+name_opt = ca_default # Subject Name options
+cert_opt = ca_default # Certificate field options
+default_days = 365 # how long to certify for
+default_crl_days= 30 # how long before next CRL
+default_md = default # use public key default MD
+preserve = no # keep passed DN ordering
+policy = policy_match
+
+[ policy_match ]
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ policy_anything ]
+countryName = (2 letter code, for example, US)
+stateOrProvinceName = State or Province Name (full name)
+localityName = Locality Name (such as, city)
+organizationName = Organization Name (such as, company)
+organizationalUnitName = Organizational Unit Name (such as, section or department)
+commonName = Common Name (such as, server FQDN or YOUR name)
+emailAddress = joedo@joedocompany.com
+
+[ req ]
+default_bits = 2048
+default_keyfile = privkey.pem
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+x509_extensions = v3_ca # The extensions to add to the self signed cert
+string_mask = utf8only
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code, for example, US)
+countryName_default = US
+countryName_min = 2
+countryName_max = 2
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = Some-State
+localityName = Locality Name (such as, city)
+0.organizationName = Organization Name (such as, company)
+0.organizationName_default = Your company name
+organizationalUnitName = Organizational Unit Name (such as, section)
+commonName = Common Name (such as, server FQDN or YOUR name)
+commonName_max = 64
+emailAddress = joedo@joedocompany.com
+emailAddress_max = 64
+
+[ req_attributes ]
+challengePassword = A challenge password
+challengePassword_min = 4
+challengePassword_max = 20
+unstructuredName = An optional company name
+
+[ usr_cert ]
+basicConstraints=CA:FALSE
+nsComment = "OpenSSL Generated Certificate"
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+
+[ v3_req ]
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer
+basicConstraints = critical,CA:true
+
+[ crl_ext ]
+authorityKeyIdentifier=keyid:always
+
+[ proxy_cert_ext ]
+basicConstraints=CA:FALSE
+nsComment = "OpenSSL Generated Certificate"
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
+
+[ tsa ]
+default_tsa = tsa_config1 # the default TSA section
+
+[ tsa_config1 ]
+dir = ./demoCA # TSA root directory
+serial = $dir/tsaserial # The current serial number (mandatory)
+crypto_device = builtin # OpenSSL engine to use for signing
+signer_cert = $dir/tsacert.pem # The TSA signing certificate
+ # (optional)
+certs = $dir/cacert.pem # Certificate chain to include in reply
+ # (optional)
+signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
+signer_digest = sha256 # Signing digest to 
use. (Optional)
+default_policy = tsa_policy1 # Policy if request did not specify it
+ # (optional)
+other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
+digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
+accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
+clock_precision_digits = 0 # number of digits after dot. (optional)
+ordering = yes # Is ordering defined for timestamps?
+ # (optional, default: no)
+tsa_name = yes # Must the TSA name be included in the reply?
+ # (optional, default: no)
+ess_cert_id_chain = no # Must the ESS cert id chain be included?
+ # (optional, default: no)
+ess_cert_id_alg = sha1 # algorithm to compute certificate
+ # identifier (optional, default: sha1)
diff --git a/kubernetes/ssl/openssl_svc.conf b/kubernetes/ssl/openssl_svc.conf
new file mode 100644
index 0000000..ee77403
--- /dev/null
+++ b/kubernetes/ssl/openssl_svc.conf
@@ -0,0 +1,140 @@
+HOME = .
+oid_section = new_oids
+
+[ new_oids ]
+tsa_policy1 = 1.2.3.4.1
+tsa_policy2 = 1.2.3.4.5.6
+tsa_policy3 = 1.2.3.4.5.7
+
+[ ca ]
+default_ca = CA_default # The default ca section
+
+[ CA_default ]
+dir = rootca # Where everything is kept
+certs = $dir/certs # Where the issued certs are kept
+crl_dir = $dir/crl # Where the issued crl are kept
+database = $dir/index.txt # database index file
+ # several certs with same subject
+new_certs_dir = $dir/newcerts # default place for new certs
+
+certificate = $dir/cacert.pem # The CA certificate
+serial = $dir/serial # The current serial number
+crlnumber = $dir/crlnumber # the current crl number
+ # must be commented out to leave a V1 CRL
+crl = $dir/crl.pem # The current CRL
+private_key = $dir/private/cakey.pem# The private key
+x509_extensions = usr_cert # The extensions to add to the cert
+name_opt = ca_default # Subject Name options
+cert_opt = ca_default # Certificate field options
+default_days = 365 # how long to certify for
+default_crl_days= 30 # how long before next CRL
+default_md = default # use public key default MD
+preserve = no # keep passed DN ordering
+policy = policy_match
+
+[ policy_match ]
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ policy_anything ]
+countryName = (2 letter code, for example, US)
+stateOrProvinceName = State or Province Name (full name)
+localityName = Locality Name (such as, city)
+organizationName = Organization Name (such as, company)
+organizationalUnitName = Organizational Unit Name (such as, section or department)
+commonName = Common Name (such as, server FQDN or YOUR name)
+emailAddress = joedo@joedocompany.com
+
+[ req ]
+default_bits = 2048
+default_keyfile = privkey.pem
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+x509_extensions = v3_ca # The extensions to add to the self signed cert
+string_mask = utf8only
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code, for example, US)
+countryName_default = US
+countryName_min = 2
+countryName_max = 2
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = Some-State
+localityName = Locality Name (such as, city)
+0.organizationName = Organization Name (such as, company)
+0.organizationName_default = Your company name
+organizationalUnitName = Organizational Unit Name (such as, section)
+commonName = Common Name (such as, server FQDN or YOUR name)
+commonName_max = 64
+emailAddress = joedo@joedocompany.com
+emailAddress_max = 64
+
+[ req_attributes ]
+challengePassword = A challenge password
+challengePassword_min = 4
+challengePassword_max = 20
+unstructuredName = An optional company name
+
+[ usr_cert ]
+basicConstraints=CA:FALSE
+nsComment = "OpenSSL Generated Certificate"
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+
+[ v3_req ]
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+subjectAltName = @alt_names
+
+[ v3_ca ]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer
+basicConstraints = critical,CA:true
+
+[ crl_ext ]
+authorityKeyIdentifier=keyid:always
+
+[ proxy_cert_ext ]
+basicConstraints=CA:FALSE
+nsComment = "OpenSSL Generated Certificate"
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
+
+[ tsa ]
+default_tsa = tsa_config1 # the default TSA section
+
+[ tsa_config1 ]
+dir = ./demoCA # TSA root directory
+serial = $dir/tsaserial # The current serial number (mandatory)
+crypto_device = builtin # OpenSSL engine to use for signing
+signer_cert = $dir/tsacert.pem # The TSA signing certificate
+ # (optional)
+certs = $dir/cacert.pem # Certificate chain to include in reply
+ # (optional)
+signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
+signer_digest = 
sha256 # Signing digest to use. (Optional)
+default_policy = tsa_policy1 # Policy if request did not specify it
+ # (optional)
+other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
+digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
+accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
+clock_precision_digits = 0 # number of digits after dot. (optional)
+ordering = yes # Is ordering defined for timestamps?
+ # (optional, default: no)
+tsa_name = yes # Must the TSA name be included in the reply?
+ # (optional, default: no)
+ess_cert_id_chain = no # Must the ESS cert id chain be included?
+ # (optional, default: no)
+ess_cert_id_alg = sha1 # algorithm to compute certificate
+ # identifier (optional, default: sha1)
+
+[ alt_names ]
+DNS.1 = ${ENV::SVC_NAME}
+DNS.2 = *.${ENV::SVC_NAME}
+DNS.3 = ${ENV::REVERSE_DNS_AVS}