diff --git a/docs/server/source/production-deployment-template/node-on-kubernetes.rst b/docs/server/source/production-deployment-template/node-on-kubernetes.rst index fb4219f1..4237fbe3 100644 --- a/docs/server/source/production-deployment-template/node-on-kubernetes.rst +++ b/docs/server/source/production-deployment-template/node-on-kubernetes.rst @@ -138,14 +138,17 @@ Step 4.1: Vanilla NGINX Step 4.2: OpenResty NGINX + 3scale ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - - * This configuration is located in the file ``nginx/nginx-3scale-svc.yaml``. * You have to enable HTTPS for this one and will need an HTTPS certificate - for your domain + for your domain. - * You should have already created the Kubernetes Secret in the previous - step. + * You should have already created the necessary Kubernetes Secrets in the previous + step (e.g. ``https-certs`` and ``threescale-credentials``). + + * This configuration is located in the file ``nginx-3scale/nginx-3scale-svc.yaml``. + + * Set the ``metadata.name`` and ``metadata.labels.name`` to the value + set in ``ngx-instance-name`` in the ConfigMap above. * Set the ``spec.selector.app`` to the value set in ``ngx-instance-name`` in the ConfigMap followed by ``-dep``. For example, if the value set in the 
@@ -167,20 +170,18 @@ Step 5: Assign DNS Name to the NGINX Public IP `_ or are using HTTPS certificates tied to a domain. - * The following command can help you find out if the nginx service started + * The following command can help you find out if the NGINX service started above has been assigned a public IP or external IP address: .. code:: bash $ kubectl --context k8s-bdb-test-cluster-0 get svc -w - * Once a public IP is assigned, you can log in to the Azure portal and map it to + * Once a public IP is assigned, you can map it to a DNS name. - - * We usually assign ``bdb-test-cluster-0``, ``bdb-test-cluster-1`` and + We usually assign ``bdb-test-cluster-0``, ``bdb-test-cluster-1`` and so on in our documentation. - - * Let us assume that we assigned the unique name of ``bdb-test-cluster-0`` here. + Let's assume that we assign the unique name of ``bdb-test-cluster-0`` here. **Set up DNS mapping in Azure.** @@ -195,7 +196,7 @@ have the Azure DNS prefix name along with a long random string, without the (for example, ``bdb-test-cluster-0``), click ``Save``, and wait for the changes to be applied. -To verify the DNS setting is operational, you can run ``nslookup `` from your local Linux shell. This will ensure that when you scale the replica set later, other MongoDB 
@@ -452,11 +453,11 @@ Step 11: Start a Kubernetes StatefulSet for MongoDB * Note how the MongoDB container uses the ``mongo-db-claim`` and the ``mongo-configdb-claim`` PersistentVolumeClaims for its ``/data/db`` and - ``/data/configdb`` diretories (mount path). + ``/data/configdb`` directories (mount paths). * Note also that we use the pod's ``securityContext.capabilities.add`` specification to add the ``FOWNER`` capability to the container. That is - because MongoDB container has the user ``mongodb``, with uid ``999`` and + because the MongoDB container has the user ``mongodb``, with uid ``999`` and group ``mongodb``, with gid ``999``. When this container runs on a host with a mounted disk, the writes fail when there is no user with uid ``999``. To avoid this, we use the Docker @@ -490,12 +491,23 @@ Step 11: Start a Kubernetes StatefulSet for MongoDB Step 12: Configure Users and Access Control for MongoDB ------------------------------------------------------- - * Create a user on MongoDB with authorization to create more users and assign + * In this step, you will create a user on MongoDB with authorization + to create more users and assign roles to them. Note: You need to do this only when setting up the first MongoDB node of the cluster. - Log in to the MongoDB instance and open a mongo shell using the certificates + * Find out the name of your MongoDB pod by reading the output + of the ``kubectl ... get pods`` command at the end of the last step. + It should be something like ``mdb-instance-0-ss-0``. + + * Log in to the MongoDB pod using: + + .. code:: bash + + $ kubectl --context k8s-bdb-test-cluster-0 exec -it bash + + * Open a mongo shell using the certificates already present at ``/etc/mongod/ssl/`` .. code:: bash 
@@ -549,6 +561,9 @@ Step 12: Configure Users and Access Control for MongoDB PRIMARY> use admin PRIMARY> db.auth("adminUser", "superstrongpassword") + ``db.auth()`` returns 0 when authentication is not successful, + and 1 when successful. + * We need to specify the user name *as seen in the certificate* issued to the BigchainDB instance in order to authenticate correctly. Use the following ``openssl`` command to extract the user name from the diff --git a/k8s/nginx-3scale/nginx-3scale-dep.yaml b/k8s/nginx-3scale/nginx-3scale-dep.yaml index 1dacf617..7951e14d 100644 --- a/k8s/nginx-3scale/nginx-3scale-dep.yaml +++ b/k8s/nginx-3scale/nginx-3scale-dep.yaml @@ -84,7 +84,7 @@ spec: timeoutSeconds: 10 restartPolicy: Always volumes: - - name: https + - name: https-certs secret: secretName: https-certs defaultMode: 0400
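Review bot: In the Step 4.2 hunk (@@ -138,14 +138,17 @@), the new bullet names the required Secrets only as examples ("e.g. ``https-certs`` and ``threescale-credentials``"). HTTPS is mandatory for this configuration, so the reader needs the exact list of Secrets that must already exist. Suggest dropping "e.g." and naming each Secret, with a pointer to the step that creates it. The added bullet also says "the ConfigMap above" while the next bullet says "the ConfigMap"; pick one wording so it is clear both refer to the same object.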
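Review bot: In the Step 5 hunk (@@ -167,20 +170,18 @@), "We usually assign ..." and "Let's assume that we assign ..." change from separate bullets to continuation text of the "Once a public IP is assigned" bullet. Check that their indentation lines up with that bullet's text, otherwise reStructuredText renders them as a separate block. The bullet also no longer mentions the Azure portal, while the text that follows is still "**Set up DNS mapping in Azure.**"; a short sentence saying the Azure steps are one example of the mapping would keep the two consistent.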
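Review bot: In the Step 12 hunk (@@ -490,12 +491,23 @@), the added command reads ``kubectl --context k8s-bdb-test-cluster-0 exec -it bash`` with no pod name between ``-it`` and ``bash``, so as shown it cannot be run. The preceding bullet tells the reader to find the pod name (something like ``mdb-instance-0-ss-0``); put that name, or a placeholder that survives rendering, into the command. The bullet ending "already present at ``/etc/mongod/ssl/``" would also read better with a trailing colon before the code block, matching "Log in to the MongoDB pod using:".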
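Review bot: In the second Step 12 hunk (@@ -549,6 +561,9 @@), the added sentence gives the return values of ``db.auth()`` but not what the reader should do with them. Suggest adding that a return of 0 means the remaining user-creation commands should not be run until the credentials are corrected. Also check that the sentence is indented to sit inside the same list item as the code block above it.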
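Review bot: In ``k8s/nginx-3scale/nginx-3scale-dep.yaml`` (@@ -84,7 +84,7 @@), the volume is renamed from ``https`` to ``https-certs``, but this is the only changed line in the file, and a volume name has to match the ``volumeMounts[].name`` that references it in the container spec. Please confirm the mount already uses ``https-certs`` (in which case say in the commit message that this fixes a mismatch) or rename it in the same change; otherwise the Deployment will be rejected for referencing a volume that does not exist.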