From 52e097ccbaabc5854fd0063f32e37ea474de71a5 Mon Sep 17 00:00:00 2001 From: Troy McConaghy Date: Wed, 28 Jun 2017 14:00:42 +0200 Subject: [PATCH 1/8] Fixed typo in az acs create command --- .../template-kubernetes-azure.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/server/source/production-deployment-template/template-kubernetes-azure.rst b/docs/server/source/production-deployment-template/template-kubernetes-azure.rst index 7027e2b3..d99596cc 100644 --- a/docs/server/source/production-deployment-template/template-kubernetes-azure.rst +++ b/docs/server/source/production-deployment-template/template-kubernetes-azure.rst @@ -102,7 +102,7 @@ Finally, you can deploy an ACS using something like: --agent-vm-size Standard_D2_v2 \ --dns-prefix \ --ssh-key-value ~/.ssh/.pub \ - --orchestrator-type kubernetes + --orchestrator-type kubernetes \ --debug --output json From c58bd49b91247d540200e27b20f0aac6d61cd7dd Mon Sep 17 00:00:00 2001 From: Troy McConaghy Date: Wed, 28 Jun 2017 14:01:48 +0200 Subject: [PATCH 2/8] clarifications in docs re config-map.yaml --- .../node-config-map-and-secrets.rst | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/docs/server/source/production-deployment-template/node-config-map-and-secrets.rst b/docs/server/source/production-deployment-template/node-config-map-and-secrets.rst index 1509091c..2b8da6e5 100644 --- a/docs/server/source/production-deployment-template/node-config-map-and-secrets.rst +++ b/docs/server/source/production-deployment-template/node-config-map-and-secrets.rst @@ -29,8 +29,8 @@ where all data values must be base64-encoded. This is true of all Kubernetes ConfigMaps and Secrets.) -vars -~~~~ +vars.mdb-instance-name and Similar +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Your BigchainDB cluster organization should have a standard way of naming instances, so the instances in your BigchainDB node 
@@ -59,11 +59,14 @@ of all *other* nodes in your BigchainDB cluster * If you're deploying the first node in the cluster, the value should be ``""`` (an empty string). * If you're deploying the second node in the cluster, - the value should be one public key inside double quotes. + the value should be the BigchainDB public key of the first/original + node in the cluster, inside double quotes. For example, ``"EPQk5i5yYpoUwGVM8VKZRjM8CYxB6j8Lu8i8SG7kGGce"`` * If there are two or more other nodes already in the cluster, - the value should be a colon-separated list of public keys + the value should be a colon-separated list + of the BigchainDB public keys + of those other nodes, inside double quotes. For example, ``"DPjpKbmbPYPKVAuf6VSkqGCf5jzrEh69Ldef6TrLwsEQ:EPQk5i5yYpoUwGVM8VKZRjM8CYxB6j8Lu8i8SG7kGGce"`` From 1d6a7624f41464d73c470dc48df745e511d72260 Mon Sep 17 00:00:00 2001 From: Troy McConaghy Date: Wed, 28 Jun 2017 14:44:08 +0200 Subject: [PATCH 3/8] Removed un-needed trailing comma in secret.yaml --- k8s/configuration/secret.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/k8s/configuration/secret.yaml b/k8s/configuration/secret.yaml index 795e4756..7c59595b 100644 --- a/k8s/configuration/secret.yaml +++ b/k8s/configuration/secret.yaml @@ -77,7 +77,7 @@ data: # Base64-encoded CA certificate (ca.crt) ca.pem: "" # Base64-encoded CRL file - crlfile: "", + crlfile: "" # Base64-encoded BigchainDB instance certificate bdb-instance.pem: "" # Base64-encoded private key From 0feaafef2b9945017fd37c823c1a3772292e4fab Mon Sep 17 00:00:00 2001 From: Troy McConaghy Date: Wed, 28 Jun 2017 16:40:52 +0200 Subject: [PATCH 4/8] entire HTTPS cert chain is needed in secret.yaml --- k8s/configuration/secret.yaml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/k8s/configuration/secret.yaml b/k8s/configuration/secret.yaml index 7c59595b..cccf4788 100644 --- a/k8s/configuration/secret.yaml +++ b/k8s/configuration/secret.yaml 
@@ -94,8 +94,9 @@ type: Opaque data: # Base64-encoded HTTPS private key cert.key: "" - # Base64-encoded HTTPS Signed Certificate or Certificate Chain - cert.pem: "" + # Base64-encoded HTTPS certificate chain + # including all intermediate certificates and the actual certificate + cert.pem: " Date: Wed, 28 Jun 2017 17:42:32 +0200 Subject: [PATCH 5/8] Explained how to get 3scale credentials --- .../node-config-map-and-secrets.rst | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/docs/server/source/production-deployment-template/node-config-map-and-secrets.rst b/docs/server/source/production-deployment-template/node-config-map-and-secrets.rst index 2b8da6e5..8ddbff2e 100644 --- a/docs/server/source/production-deployment-template/node-config-map-and-secrets.rst +++ b/docs/server/source/production-deployment-template/node-config-map-and-secrets.rst 
@@ -122,6 +122,31 @@ field (``bdb-certs.bdb-user``), i.e. emailAddress=dev@bigchaindb.com,CN=test-bdb-ssl,OU=BigchainDB-Instance,O=BigchainDB GmbH,L=Berlin,ST=Berlin,C=DE +threescale-credentials.* +~~~~~~~~~~~~~~~~~~~~~~~~ + +You can delete the ``threescale-credentials`` Secret if you're not using 3scale. + +If you *are* using 3scale, you can get the value for ``frontend-api-dns-name`` +using something like ``echo "your.nodesubdomain.net" | base64 -w 0`` + +To get the values for ``secret-token``, ``service-id``, +``version-header`` and ``provider-key``, login to your 3scale admin, +then click **APIs** and click on **Integration** for the relevant API. +Scroll to the bottom of the page and click the small link +in the lower right corner, labelled **Download the NGINX Config files**. +You'll get a ``.zip`` file. +Unzip it, then open the ``.conf`` file and the ``.lua`` file. +You should be able to find all the values in those files. +You have to be careful because it will have values for *all* your APIs, +and some values vary from API to API. +The ``version-header`` is the timestamp in a line that looks like: + +.. code:: + + proxy_set_header X-3scale-Version "2017-06-28T14:57:34Z"; + + Deploy Your config-map.yaml and secret.yaml ------------------------------------------- From 5687735b246a89b2081b5a3569bc22c2c61e8c64 Mon Sep 17 00:00:00 2001 From: Troy McConaghy Date: Thu, 29 Jun 2017 11:00:17 +0200 Subject: [PATCH 6/8] removed 2 instances of 'inside double quotes' --- .../node-config-map-and-secrets.rst | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/docs/server/source/production-deployment-template/node-config-map-and-secrets.rst b/docs/server/source/production-deployment-template/node-config-map-and-secrets.rst index 8ddbff2e..dad62fc6 100644 --- a/docs/server/source/production-deployment-template/node-config-map-and-secrets.rst +++ b/docs/server/source/production-deployment-template/node-config-map-and-secrets.rst 
@@ -60,14 +60,13 @@ of all *other* nodes in your BigchainDB cluster the value should be ``""`` (an empty string). * If you're deploying the second node in the cluster, the value should be the BigchainDB public key of the first/original - node in the cluster, inside double quotes. + node in the cluster. For example, ``"EPQk5i5yYpoUwGVM8VKZRjM8CYxB6j8Lu8i8SG7kGGce"`` * If there are two or more other nodes already in the cluster, the value should be a colon-separated list of the BigchainDB public keys - of those other nodes, - inside double quotes. + of those other nodes. For example, ``"DPjpKbmbPYPKVAuf6VSkqGCf5jzrEh69Ldef6TrLwsEQ:EPQk5i5yYpoUwGVM8VKZRjM8CYxB6j8Lu8i8SG7kGGce"`` From 7b80bb581936476a1b955dc82d9d0d37403499c4 Mon Sep 17 00:00:00 2001 From: Troy McConaghy Date: Thu, 29 Jun 2017 11:09:16 +0200 Subject: [PATCH 7/8] If not using 3scale, they can also leave vals blank --- .../node-config-map-and-secrets.rst | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/server/source/production-deployment-template/node-config-map-and-secrets.rst b/docs/server/source/production-deployment-template/node-config-map-and-secrets.rst index dad62fc6..7bcbb28d 100644 --- a/docs/server/source/production-deployment-template/node-config-map-and-secrets.rst +++ b/docs/server/source/production-deployment-template/node-config-map-and-secrets.rst @@ -124,7 +124,9 @@ field (``bdb-certs.bdb-user``), i.e. threescale-credentials.* ~~~~~~~~~~~~~~~~~~~~~~~~ -You can delete the ``threescale-credentials`` Secret if you're not using 3scale. +If you're not using 3scale, +you can delete the ``threescale-credentials`` Secret +or leave all the values blank (``""``). If you *are* using 3scale, you can get the value for ``frontend-api-dns-name`` using something like ``echo "your.nodesubdomain.net" | base64 -w 0`` From 54e0fc4f57492e66830e67600ceeb5dc5fa77706 Mon Sep 17 00:00:00 2001 
From: Troy McConaghy Date: Thu, 29 Jun 2017 11:28:51 +0200 Subject: [PATCH 8/8] Clarify the required SSL cert order in cert chain --- k8s/configuration/secret.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/k8s/configuration/secret.yaml b/k8s/configuration/secret.yaml index cccf4788..f9c4aeb5 100644 --- a/k8s/configuration/secret.yaml +++ b/k8s/configuration/secret.yaml @@ -95,7 +95,9 @@ data: # Base64-encoded HTTPS private key cert.key: "" # Base64-encoded HTTPS certificate chain - # including all intermediate certificates and the actual certificate + # starting with your primary SSL cert (e.g. your_domain.crt) + # followed by all intermediate certs. + # If cert if from DigiCert, download "Best format for nginx". cert.pem: "
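Review bot: In PATCH 5/8, the suggested command 'echo "your.nodesubdomain.net" | base64 -w 0' also encodes the trailing newline that echo appends, so the decoded frontend-api-dns-name value ends in a newline character. Suggest 'echo -n "your.nodesubdomain.net" | base64 -w 0' or printf '%s' in its place, and a full stop after the command. In the next paragraph, "login to your 3scale admin" should read "log in to your 3scale admin". Since the text says the downloaded .zip holds values for all of the reader's APIs, including secret-token and provider-key, a sentence telling the reader to delete the unzipped files once the values are copied would be worth adding.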
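Review bot: In PATCH 6/8, the two "For example" lines left as context still show the key list wrapped in double quotes, and the first bullet still gives "" for the empty case, while the two sentences that said "inside double quotes" are removed. The text and the examples now disagree on whether the quotes are required. Suggest one sentence near the top of the list saying whether the quotes are only the YAML string quoting used in config-map.yaml or part of the value, so a reader pasting a colon-separated key list knows which form to use.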
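Review bot: The last added comment line in PATCH 8/8 has a typo: "If cert if from DigiCert" should read "If cert is from DigiCert". The new comment gives the order as primary cert followed by all intermediate certs but does not say whether the root CA certificate belongs in cert.pem; stating that explicitly would remove the remaining ambiguity from the PATCH 4/8 wording. It would also help to repeat here that the whole concatenated chain is base64-encoded as a single value, matching the "Base64-encoded" wording on the cert.key line above.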