Support user configs, user secrets and separate environments for cassandra and sidecar #218
Conversation
Signed-off-by: Alex Lourie <[email protected]>
Fixes instaclustr#213 Fixes instaclustr#208 * Fixed some comments from PR review * Added Env to CRD to allow specifying environment for containers (exists in java version) * Added userConfigMap handling (instaclustr#213) * Restored PrivelegedSupported handling (instaclustr#208) * Backup secret volume allows providing GOOGLE_APPLICATION_CREDENTIALS in a secret * Cloud providers creds can be set using Env field in CRD Signed-off-by: Alex Lourie <[email protected]>
Signed-off-by: Alex Lourie <[email protected]>
examples/go/example-datacenter.yaml
Outdated
| path: creds.json | ||
| env: | ||
| - name: GOOGLE_APPLICATION_CREDENTIALS | ||
| value: "/etc/google/creds.json" |
There was a problem hiding this comment.
Is this the "default"? If so, do we need to set it as an environment variable?
There was a problem hiding this comment.
There does not seem to be any default https://cloud.google.com/docs/authentication/getting-started
There was a problem hiding this comment.
i checked the source code, there is not any default location
There was a problem hiding this comment.
yep, no defaults for that one. This is just an example of where to place that file, I literally look it up in the env and if it's there - we use it. If not defined, we'll use /etc/gcp, but I might change that to something more generic.
There was a problem hiding this comment.
Looks like the default process is this: https://cloud.google.com/docs/authentication/production#finding_credentials_automatically
So yes, we need a way to define the environment variable, but that's probably also going to be the more uncommon approach, as on GKE the credentials will be automatically discovered.
C* clusters running on GKE would most likely backup to Google Cloud Storage. Same on Amazon EKS -- S3 is the most likely destination. But we don't want to prevent clusters running on other K8s environments from accessing cloud storage, so having the option is always nice. Could also be useful for GKE -> EKS migrations for example.
There was a problem hiding this comment.
Yea, it's a convenient option, and it's optional. Also, might be that even on GKE they might want to use some different account for backups, and that's when it would be handy.
Signed-off-by: Alex Lourie <[email protected]>
Signed-off-by: Alex Lourie <[email protected]>
| @@ -24,21 +23,9 @@ const ( | |||
| OperatorConfigVolumeMountPath = "/tmp/operator-config" | |||
| UserConfigVolumeMountPath = "/tmp/user-config" | |||
| UserSecretVolumeMountPath = "/tmp/user-secret-config" | |||
| BackupSecretVolumeMountPath = "/tmp/backup-secret" | |||
There was a problem hiding this comment.
What's the difference between BackupSecret and UserSecret?
There was a problem hiding this comment.
The difference is in fact that BackupSecret would hold the credentials for the backup functionality (i.e. GCP and maybe AWS/Azure should they choose to) and will be mounted in the sidecar container, while UserSecret is for C* encryption/auth credentials and to be mounted in the Cassandra container. Having backup stuff mounted in the cassandra container or cassandra credentials in the sidecar container, while not horrible, feels pretty hacky and dirty. That's why the split.
There was a problem hiding this comment.
Maybe change to sidecarSecret/cassandraSecret? So it relates to the pod name
I don't mind the C* and sidecar containers sharing secrets to be honest.
There was a problem hiding this comment.
Well, I can rename it, but I think it's better called a "backup" secret as it hints the usage for backups only.
Actually, the only other "secrets" usage would be for secure communications as far as I can tell, and we're going to resolve it differently anyway. So I'd just keep it as "backup" for now, and if ever we combine "user" and "backup" secrets, we can change the naming convention.
| @@ -24,21 +23,9 @@ const ( | |||
| OperatorConfigVolumeMountPath = "/tmp/operator-config" | |||
| UserConfigVolumeMountPath = "/tmp/user-config" | |||
| UserSecretVolumeMountPath = "/tmp/user-secret-config" | |||
There was a problem hiding this comment.
This probably should just be /tmp/user-secret for consistency.
docker/cassandra/entry-point
Outdated
| @@ -12,4 +12,12 @@ do | |||
| done | |||
| ) | |||
|
|
|||
| # Copy over cqlshrc to a default location if defined as ENV | |||
There was a problem hiding this comment.
I think we can make this nicer. It IMO shouldn't be a requirement that users have to define an environment variable and add a file to a config map to get cqlsh to function.
Instead I suggest that we write our own wrapper for cqlsh that detects if SSL is enabled, and fetches the CA cert (or just disables trust checking). This will also be necessary once we support authn/authz, since we need to implement shared-secret support.
As a side question, should cqlsh be installed the C* container at all? If people want to connect to the cluster, should they instead start a new pod/container that just contains cqlsh?
There was a problem hiding this comment.
@zegelin we currently use cqlsh now in cql-readiness-probe, and this is easily replaceable with either python script or, say, a statically compiled gocql simple program. So we don't have an inherent requirement to have it in the container at all.
Also, if people want to use cqlsh to connect to the cluster, they can either spin a new container with all the certificates and custom configs as they need to, or have it installed locally if they have the network access to the cluster. So, if you think that's a good path to follow, I can replace the readiness script with something else pretty quickly and stop the dependency on cqlsh.
There was a problem hiding this comment.
I did rush it a bit. Clearly, any "script" we use will have to know about SSL configuration to be able to connect to the node. So having a wrapper around cqlsh might be a useful and simpler solution.
There was a problem hiding this comment.
In order to get the PR closed, I think we should create a new issue/PR for the wrapper script and solve that one separately.
There was a problem hiding this comment.
yea, I'm going to remove this part and deal with that in #241
Signed-off-by: Alex Lourie <[email protected]>
|
Is this ready to be merged? |
|
@zegelin it can be merged, but the "secure" Cassandra needs more work. I'd prefer merging this, as it fixes a bunch of tickets/features/bugs, and continuing work on proper TLS support separately. If we do it, I'll rename the merge to "Support backups secrets, user secrets and user maps" to avoid misunderstanding. |
alourie
changed the title
| @@ -24,21 +23,9 @@ const ( | |||
| OperatorConfigVolumeMountPath = "/tmp/operator-config" | |||
| UserConfigVolumeMountPath = "/tmp/user-config" | |||
| UserSecretVolumeMountPath = "/tmp/user-secret-config" | |||
| BackupSecretVolumeMountPath = "/tmp/backup-secret" | |||
There was a problem hiding this comment.
Maybe change to sidecarSecret/cassandraSecret? So it relates to the pod name
I don't mind the C* and sidecar containers sharing secrets to be honest.
docker/cassandra/entry-point
Outdated
| @@ -12,4 +12,12 @@ do | |||
| done | |||
| ) | |||
|
|
|||
| # Copy over cqlshrc to a default location if defined as ENV | |||
There was a problem hiding this comment.
In order to get the PR closed, I think we should create a new issue/PR for the wrapper script and solve that one separately.
…assandra-operator into keystore_178
|
looks good to me |
Signed-off-by: Alex Lourie <[email protected]>
|
Now can be squashed and merged @benbromhead |
Fixes #213