Common secret for CA in secret.yaml
- Create a common secret for the CA: since all members of the replica set and the clients need to share a common CA, the relevant configuration is moved into one common secret. - Modify the Dockerfiles of some components; once the changes are approved we will publish the new images. - No documentation changes required.
This commit is contained in:
parent
e7640feaec
commit
fbee5db40f
@ -99,9 +99,9 @@ spec:
|
|||||||
- name: BIGCHAINDB_DATABASE_SSL
|
- name: BIGCHAINDB_DATABASE_SSL
|
||||||
value: "true"
|
value: "true"
|
||||||
- name: BIGCHAINDB_DATABASE_CA_CERT
|
- name: BIGCHAINDB_DATABASE_CA_CERT
|
||||||
value: /etc/bigchaindb/ssl/ca.pem
|
value: /etc/bigchaindb/ca/ca.pem
|
||||||
- name: BIGCHAINDB_DATABASE_CRLFILE
|
- name: BIGCHAINDB_DATABASE_CRLFILE
|
||||||
value: /etc/bigchaindb/ssl/crlfile
|
value: /etc/bigchaindb/ca/crl.pem
|
||||||
- name: BIGCHAINDB_DATABASE_CERTFILE
|
- name: BIGCHAINDB_DATABASE_CERTFILE
|
||||||
value: /etc/bigchaindb/ssl/bdb-instance.pem
|
value: /etc/bigchaindb/ssl/bdb-instance.pem
|
||||||
- name: BIGCHAINDB_DATABASE_KEYFILE
|
- name: BIGCHAINDB_DATABASE_KEYFILE
|
||||||
@ -128,6 +128,9 @@ spec:
|
|||||||
- name: bdb-certs
|
- name: bdb-certs
|
||||||
mountPath: /etc/bigchaindb/ssl/
|
mountPath: /etc/bigchaindb/ssl/
|
||||||
readOnly: true
|
readOnly: true
|
||||||
|
- name: ca-auth
|
||||||
|
mountPath: /etc/bigchaindb/ca/
|
||||||
|
readOnly: true
|
||||||
resources:
|
resources:
|
||||||
limits:
|
limits:
|
||||||
cpu: 200m
|
cpu: 200m
|
||||||
@ -152,3 +155,7 @@ spec:
|
|||||||
secret:
|
secret:
|
||||||
secretName: bdb-certs
|
secretName: bdb-certs
|
||||||
defaultMode: 0400
|
defaultMode: 0400
|
||||||
|
- name: ca-auth
|
||||||
|
secret:
|
||||||
|
secretName: ca-auth
|
||||||
|
defaultMode: 0400
|
@ -40,10 +40,6 @@ type: Opaque
|
|||||||
data:
|
data:
|
||||||
# Base64-encoded, concatenated certificate and private key
|
# Base64-encoded, concatenated certificate and private key
|
||||||
mdb-instance.pem: "<b64 encoded, concatenated certificate and private key>"
|
mdb-instance.pem: "<b64 encoded, concatenated certificate and private key>"
|
||||||
# Base64-encoded CA certificate (ca.crt)
|
|
||||||
ca.pem: "<b64 encoded CA certificate>"
|
|
||||||
# Base64-encoded MongoDB CRL
|
|
||||||
mdb-crl.pem: "<b64 encoded CRL data>"
|
|
||||||
---
|
---
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
kind: Secret
|
kind: Secret
|
||||||
@ -54,8 +50,6 @@ type: Opaque
|
|||||||
data:
|
data:
|
||||||
# Base64-encoded, concatenated certificate and private key
|
# Base64-encoded, concatenated certificate and private key
|
||||||
mdb-mon-instance.pem: "<b64 encoded, concatenated certificate and private key>"
|
mdb-mon-instance.pem: "<b64 encoded, concatenated certificate and private key>"
|
||||||
# Base64-encoded CA certificate (ca.crt)
|
|
||||||
ca.pem: "<b64 encoded CA certificate>"
|
|
||||||
---
|
---
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
kind: Secret
|
kind: Secret
|
||||||
@ -66,8 +60,6 @@ type: Opaque
|
|||||||
data:
|
data:
|
||||||
# Base64-encoded, concatenated certificate and private key
|
# Base64-encoded, concatenated certificate and private key
|
||||||
mdb-bak-instance.pem: "<b64 encoded, concatenated certificate and private key>"
|
mdb-bak-instance.pem: "<b64 encoded, concatenated certificate and private key>"
|
||||||
# Base64-encoded CA certificate (ca.crt)
|
|
||||||
ca.pem: "<b64 encoded CA certificate>"
|
|
||||||
---
|
---
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
kind: Secret
|
kind: Secret
|
||||||
@ -76,10 +68,6 @@ metadata:
|
|||||||
namespace: default
|
namespace: default
|
||||||
type: Opaque
|
type: Opaque
|
||||||
data:
|
data:
|
||||||
# Base64-encoded CA certificate (ca.crt)
|
|
||||||
ca.pem: "<b64 encoded CA certificate>"
|
|
||||||
# Base64-encoded CRL file
|
|
||||||
crlfile: "<b64 encoded CRL>"
|
|
||||||
# Base64-encoded BigchainDB instance certificate
|
# Base64-encoded BigchainDB instance certificate
|
||||||
bdb-instance.pem: "<b64 encoded certificate>"
|
bdb-instance.pem: "<b64 encoded certificate>"
|
||||||
# Base64-encoded private key (<bdb-instance-name>.key)
|
# Base64-encoded private key (<bdb-instance-name>.key)
|
||||||
@ -111,3 +99,15 @@ data:
|
|||||||
service-id: "<b64 encoded 3scale service-id>"
|
service-id: "<b64 encoded 3scale service-id>"
|
||||||
version-header: "<b64 encoded 3scale version-header>"
|
version-header: "<b64 encoded 3scale version-header>"
|
||||||
service-token: "<b64 encoded 3scale service-token>"
|
service-token: "<b64 encoded 3scale service-token>"
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Secret
|
||||||
|
metadata:
|
||||||
|
name: ca-auth
|
||||||
|
namespace: default
|
||||||
|
type: Opaque
|
||||||
|
data:
|
||||||
|
# CA used to issue members/client certificates
|
||||||
|
# Base64-encoded CA certificate (ca.crt)
|
||||||
|
ca.pem: "<b64 encoded CA certificate>"
|
||||||
|
crl.pem: "<b64 encoded CRL>"
|
||||||
|
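Review bot: The new `ca-auth` stanza (`@ -111,3 +99,15 @@`) documents `ca.pem` but not `crl.pem`, whereas every other key in this file, including the removed `crlfile` and `mdb-crl.pem` entries, carried a `# Base64-encoded …` comment; add `# Base64-encoded CRL issued by this CA (crl.pem)` above `crl.pem`. Since this one secret now feeds the CA and CRL to every mongod member, both agents and BigchainDB, the comment should also say that a CRL carries a validity window and that a stale value typically fails TLS verification for all consumers at once, so the secret has to be refreshed before the CRL's next-update time. The commit message states that no documentation changes are required, but the keys removed from `mdb-certs`, `mdb-mon-certs`, `mdb-bak-certs` and `bdb-certs` here change what an operator must populate; if the project's docs enumerate secret keys, they need the same edit.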
@ -19,6 +19,6 @@ RUN apt update \
|
|||||||
&& apt clean
|
&& apt clean
|
||||||
COPY mongodb_backup_agent_entrypoint.bash /
|
COPY mongodb_backup_agent_entrypoint.bash /
|
||||||
RUN chown -R mongodb-mms-agent:mongodb-mms-agent /etc/mongodb-mms/
|
RUN chown -R mongodb-mms-agent:mongodb-mms-agent /etc/mongodb-mms/
|
||||||
VOLUME /etc/mongod/ssl
|
VOLUME /etc/mongod/ssl /etc/mongod/ca
|
||||||
#USER mongodb-mms-agent - BUG(Krish) Uncomment after tests are complete
|
#USER mongodb-mms-agent - BUG(Krish) Uncomment after tests are complete
|
||||||
ENTRYPOINT ["/mongodb_backup_agent_entrypoint.bash"]
|
ENTRYPOINT ["/mongodb_backup_agent_entrypoint.bash"]
|
||||||
|
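Review bot: The widened `VOLUME /etc/mongod/ssl /etc/mongod/ca` sits directly above `#USER mongodb-mms-agent`, which this commit leaves commented out, so the agent keeps running as root and that is the only reason the `defaultMode: 0400` secret mounts the deployment adds for `/etc/mongod/ca/` are readable at all. Once the USER line is restored, the root-owned 0400 files from the `ca-auth` and `mdb-bak-certs` volumes will most likely be unreadable by `mongodb-mms-agent` unless the pod also sets `securityContext.fsGroup` or a less restrictive `defaultMode`. Worth recording next to the BUG marker, e.g. `# NOTE: restoring USER needs fsGroup or a wider defaultMode in the deployment, otherwise the 0400 secret mounts become unreadable`. The monitoring-agent Dockerfile hunk further down (`@ -53,6 +53,6 @@`) has the identical situation.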
@ -32,7 +32,7 @@ spec:
|
|||||||
- name: MMS_GROUPID_KEYFILE_PATH
|
- name: MMS_GROUPID_KEYFILE_PATH
|
||||||
value: /etc/mongod/cloud/group-id
|
value: /etc/mongod/cloud/group-id
|
||||||
- name: CA_CRT_PATH
|
- name: CA_CRT_PATH
|
||||||
value: /etc/mongod/ssl/ca.pem
|
value: /etc/mongod/ca/ca.pem
|
||||||
- name: BACKUP_PEM_PATH
|
- name: BACKUP_PEM_PATH
|
||||||
value: /etc/mongod/ssl/mdb-bak-instance.pem
|
value: /etc/mongod/ssl/mdb-bak-instance.pem
|
||||||
resources:
|
resources:
|
||||||
@ -41,6 +41,9 @@ spec:
|
|||||||
memory: 768Mi
|
memory: 768Mi
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
- name: mdb-bak-certs
|
- name: mdb-bak-certs
|
||||||
|
mountPath: /etc/mongod/ca/
|
||||||
|
readOnly: true
|
||||||
|
- name: mdb-ca
|
||||||
mountPath: /etc/mongod/ssl/
|
mountPath: /etc/mongod/ssl/
|
||||||
readOnly: true
|
readOnly: true
|
||||||
- name: cloud-manager-credentials
|
- name: cloud-manager-credentials
|
||||||
@ -52,6 +55,10 @@ spec:
|
|||||||
secret:
|
secret:
|
||||||
secretName: mdb-bak-certs
|
secretName: mdb-bak-certs
|
||||||
defaultMode: 0400
|
defaultMode: 0400
|
||||||
|
- name: ca-auth
|
||||||
|
secret:
|
||||||
|
secretName: ca-auth
|
||||||
|
defaultMode: 0400
|
||||||
- name: cloud-manager-credentials
|
- name: cloud-manager-credentials
|
||||||
secret:
|
secret:
|
||||||
secretName: cloud-manager-credentials
|
secretName: cloud-manager-credentials
|
||||||
|
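Review bot: The volumeMounts hunk (`@ -41,6 +41,9 @@`) leaves the two mounts crossed and one of them unresolved: as the new side reads here, `mdb-bak-certs` is mounted at `/etc/mongod/ca/` and a mount named `mdb-ca` at `/etc/mongod/ssl/`, while the volumes hunk defines the CA volume as `ca-auth` and the env hunk expects `CA_CRT_PATH=/etc/mongod/ca/ca.pem` and `BACKUP_PEM_PATH=/etc/mongod/ssl/mdb-bak-instance.pem`. The API server should reject the pod spec for the unknown volume `mdb-ca`, and even with the name fixed the agent would look for its client PEM and the CA in each other's directory. The `mdb-bak-certs` entry should keep `mountPath: /etc/mongod/ssl/`, and the added entry should read `- name: ca-auth` with `mountPath: /etc/mongod/ca/`. The same crossed mount paths appear in the monitoring-agent deployment below (its `@ -41,6 +41,9 @@` hunk, after `- name: mdb-mon-certs`), with only the volume name correct there.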
@ -53,6 +53,6 @@ RUN apt update \
|
|||||||
|
|
||||||
COPY mongodb_mon_agent_entrypoint.bash /
|
COPY mongodb_mon_agent_entrypoint.bash /
|
||||||
RUN chown -R mongodb-mms-agent:mongodb-mms-agent /etc/mongodb-mms/
|
RUN chown -R mongodb-mms-agent:mongodb-mms-agent /etc/mongodb-mms/
|
||||||
VOLUME /etc/mongod/ssl
|
VOLUME /etc/mongod/ssl /etc/mongod/ca
|
||||||
#USER mongodb-mms-agent - BUG(Krish) Uncomment after tests are complete
|
#USER mongodb-mms-agent - BUG(Krish) Uncomment after tests are complete
|
||||||
ENTRYPOINT ["/mongodb_mon_agent_entrypoint.bash"]
|
ENTRYPOINT ["/mongodb_mon_agent_entrypoint.bash"]
|
||||||
|
@ -32,7 +32,7 @@ spec:
|
|||||||
- name: MMS_GROUPID_KEYFILE_PATH
|
- name: MMS_GROUPID_KEYFILE_PATH
|
||||||
value: /etc/mongod/cloud/group-id
|
value: /etc/mongod/cloud/group-id
|
||||||
- name: CA_CRT_PATH
|
- name: CA_CRT_PATH
|
||||||
value: /etc/mongod/ssl/ca.pem
|
value: /etc/mongod/ca/ca.pem
|
||||||
- name: MONITORING_PEM_PATH
|
- name: MONITORING_PEM_PATH
|
||||||
value: /etc/mongod/ssl/mdb-mon-instance.pem
|
value: /etc/mongod/ssl/mdb-mon-instance.pem
|
||||||
resources:
|
resources:
|
||||||
@ -41,6 +41,9 @@ spec:
|
|||||||
memory: 768Mi
|
memory: 768Mi
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
- name: mdb-mon-certs
|
- name: mdb-mon-certs
|
||||||
|
mountPath: /etc/mongod/ca/
|
||||||
|
readOnly: true
|
||||||
|
- name: ca-auth
|
||||||
mountPath: /etc/mongod/ssl/
|
mountPath: /etc/mongod/ssl/
|
||||||
readOnly: true
|
readOnly: true
|
||||||
- name: cloud-manager-credentials
|
- name: cloud-manager-credentials
|
||||||
@ -52,6 +55,10 @@ spec:
|
|||||||
secret:
|
secret:
|
||||||
secretName: mdb-mon-certs
|
secretName: mdb-mon-certs
|
||||||
defaultMode: 0400
|
defaultMode: 0400
|
||||||
|
- name: ca-auth
|
||||||
|
secret:
|
||||||
|
secretName: ca-auth
|
||||||
|
defaultMode: 0400
|
||||||
- name: cloud-manager-credentials
|
- name: cloud-manager-credentials
|
||||||
secret:
|
secret:
|
||||||
secretName: cloud-manager-credentials
|
secretName: cloud-manager-credentials
|
||||||
|
@ -7,6 +7,6 @@ RUN apt-get update \
|
|||||||
&& apt-get clean
|
&& apt-get clean
|
||||||
COPY mongod.conf.template /etc/mongod.conf
|
COPY mongod.conf.template /etc/mongod.conf
|
||||||
COPY mongod_entrypoint.bash /
|
COPY mongod_entrypoint.bash /
|
||||||
VOLUME /data/db /data/configdb /etc/mongod/ssl
|
VOLUME /data/db /data/configdb /etc/mongod/ssl /etc/mongod/ca
|
||||||
EXPOSE 27017
|
EXPOSE 27017
|
||||||
ENTRYPOINT ["/mongod_entrypoint.bash"]
|
ENTRYPOINT ["/mongod_entrypoint.bash"]
|
||||||
|
@ -49,9 +49,9 @@ spec:
|
|||||||
- --mongodb-key-file-path
|
- --mongodb-key-file-path
|
||||||
- /etc/mongod/ssl/mdb-instance.pem
|
- /etc/mongod/ssl/mdb-instance.pem
|
||||||
- --mongodb-ca-file-path
|
- --mongodb-ca-file-path
|
||||||
- /etc/mongod/ssl/ca.pem
|
- /etc/mongod/ca/ca.pem
|
||||||
- --mongodb-crl-file-path
|
- --mongodb-crl-file-path
|
||||||
- /etc/mongod/ssl/mdb-crl.pem
|
- /etc/mongod/ca/crl.pem
|
||||||
- --replica-set-name
|
- --replica-set-name
|
||||||
- $(MONGODB_REPLICA_SET_NAME)
|
- $(MONGODB_REPLICA_SET_NAME)
|
||||||
- --mongodb-fqdn
|
- --mongodb-fqdn
|
||||||
@ -74,6 +74,9 @@ spec:
|
|||||||
- name: mdb-certs
|
- name: mdb-certs
|
||||||
mountPath: /etc/mongod/ssl/
|
mountPath: /etc/mongod/ssl/
|
||||||
readOnly: true
|
readOnly: true
|
||||||
|
- name: ca-auth
|
||||||
|
mountPath: /etc/mongod/ca/
|
||||||
|
readOnly: true
|
||||||
resources:
|
resources:
|
||||||
limits:
|
limits:
|
||||||
cpu: 200m
|
cpu: 200m
|
||||||
@ -98,3 +101,7 @@ spec:
|
|||||||
secret:
|
secret:
|
||||||
secretName: mdb-certs
|
secretName: mdb-certs
|
||||||
defaultMode: 0400
|
defaultMode: 0400
|
||||||
|
- name: ca-auth
|
||||||
|
secret:
|
||||||
|
secretName: ca-auth
|
||||||
|
defaultMode: 0400
|