Common secret for CA in secret.yaml

- Creating a common secret for the CA: since all the members of the replica set
and the clients need to share a common CA, all the relevant configuration is
moved to a common secret.
- Modifying Dockerfiles for some components, once changes are approved
we will publish the new images.
- No documentation changes required.
This commit is contained in:
Muawia Khan 2017-08-15 14:25:02 +02:00
parent e7640feaec
commit fbee5db40f
8 changed files with 51 additions and 23 deletions


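--- a/<path not shown in rendering: file 1 of 8>
+++ b/<path not shown in rendering: file 1 of 8>
@@ -99,9 +99,9 @@ spec:
 - name: BIGCHAINDB_DATABASE_SSL
 value: "true"
 - name: BIGCHAINDB_DATABASE_CA_CERT
-value: /etc/bigchaindb/ssl/ca.pem
+value: /etc/bigchaindb/ca/ca.pem
 - name: BIGCHAINDB_DATABASE_CRLFILE
-value: /etc/bigchaindb/ssl/crlfile
+value: /etc/bigchaindb/ca/crl.pem
 - name: BIGCHAINDB_DATABASE_CERTFILE
 value: /etc/bigchaindb/ssl/bdb-instance.pem
 - name: BIGCHAINDB_DATABASE_KEYFILE
@@ -128,6 +128,9 @@ spec:
 - name: bdb-certs
 mountPath: /etc/bigchaindb/ssl/
 readOnly: true
+- name: ca-auth
+mountPath: /etc/bigchaindb/ca/
+readOnly: true
 resources:
 limits:
 cpu: 200m
@@ -152,3 +155,7 @@ spec:
 secret:
 secretName: bdb-certs
 defaultMode: 0400
+- name: ca-auth
+secret:
+secretName: ca-auth
+defaultMode: 0400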


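--- a/<path not shown in rendering: file 2 of 8, secret.yaml per commit title>
+++ b/<path not shown in rendering: file 2 of 8, secret.yaml per commit title>
@@ -40,10 +40,6 @@ type: Opaque
 data:
 # Base64-encoded, concatenated certificate and private key
 mdb-instance.pem: "<b64 encoded, concatenated certificate and private key>"
-# Base64-encoded CA certificate (ca.crt)
-ca.pem: "<b64 encoded CA certificate>"
-# Base64-encoded MongoDB CRL
-mdb-crl.pem: "<b64 encoded CRL data>"
 ---
 apiVersion: v1
 kind: Secret
@@ -54,8 +50,6 @@ type: Opaque
 data:
 # Base64-encoded, concatenated certificate and private key
 mdb-mon-instance.pem: "<b64 encoded, concatenated certificate and private key>"
-# Base64-encoded CA certificate (ca.crt)
-ca.pem: "<b64 encoded CA certificate>"
 ---
 apiVersion: v1
 kind: Secret
@@ -66,8 +60,6 @@ type: Opaque
 data:
 # Base64-encoded, concatenated certificate and private key
 mdb-bak-instance.pem: "<b64 encoded, concatenated certificate and private key>"
-# Base64-encoded CA certificate (ca.crt)
-ca.pem: "<b64 encoded CA certificate>"
 ---
 apiVersion: v1
 kind: Secret
@@ -76,10 +68,6 @@ metadata:
 namespace: default
 type: Opaque
 data:
-# Base64-encoded CA certificate (ca.crt)
-ca.pem: "<b64 encoded CA certificate>"
-# Base64-encoded CRL file
-crlfile: "<b64 encoded CRL>"
 # Base64-encoded BigchainDB instance certificate
 bdb-instance.pem: "<b64 encoded certificate>"
 # Base64-encoded private key (<bdb-instance-name>.key)
@@ -111,3 +99,15 @@ data:
 service-id: "<b64 encoded 3scale service-id>"
 version-header: "<b64 encoded 3scale version-header>"
 service-token: "<b64 encoded 3scale service-token>"
+---
+apiVersion: v1
+kind: Secret
+metadata:
+name: ca-auth
+namespace: default
+type: Opaque
+data:
+# CA used to issue members/client certificates
+# Base64-encoded CA certificate (ca.crt)
+ca.pem: "<b64 encoded CA certificate>"
+crl.pem: "<b64 encoded CRL>"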
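Review bot: The new `ca-auth` Secret in the last hunk is documented only as the CA, but it also carries `crl.pem`, and in this commit mongod and BigchainDB read their CRL from it while both agents read the CA from it, so a revocation is now a change to one object shared by every component rather than to a per-component secret; the `# CA used to issue members/client certificates` comment should say so, e.g. `# ca.pem: CA for all member/client certificates; crl.pem: the CRL mongod and BigchainDB check - re-publish this secret after each revocation`. Whether a consumer picks up a refreshed `crl.pem` from the mounted volume without a restart is not visible here, so the comment should also record the restart requirement once that is confirmed. The four removed `ca.pem`/CRL entries leave no second copy of the CA in this file, which is what keeps the single-CA model honest.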


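--- a/<path not shown in rendering: file 3 of 8, backup-agent Dockerfile>
+++ b/<path not shown in rendering: file 3 of 8, backup-agent Dockerfile>
@@ -19,6 +19,6 @@ RUN apt update \
 && apt clean
 COPY mongodb_backup_agent_entrypoint.bash /
 RUN chown -R mongodb-mms-agent:mongodb-mms-agent /etc/mongodb-mms/
-VOLUME /etc/mongod/ssl
+VOLUME /etc/mongod/ssl /etc/mongod/ca
 #USER mongodb-mms-agent - BUG(Krish) Uncomment after tests are complete
 ENTRYPOINT ["/mongodb_backup_agent_entrypoint.bash"]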
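Review bot: The new `/etc/mongod/ca` volume is filled from the `ca-auth` Secret with `defaultMode: 0400` in the backup-agent deployment that follows, and secret volume files are root-owned by default unless the pod sets `fsGroup`; with the `USER mongodb-mms-agent` line directly below still commented out that is harmless, but re-enabling it as the `BUG(Krish)` note intends would leave the agent unable to read `ca.pem` (and presumably the existing `/etc/mongod/ssl` mount as well). A comment on the `VOLUME` line would keep that coupling visible, e.g. `# /etc/mongod/ssl and /etc/mongod/ca are mounted read-only from Secrets (defaultMode 0400, root-owned): set fsGroup or relax the mode before enabling USER`. The monitoring-agent Dockerfile hunk makes the same `VOLUME` change and carries the same caveat.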


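--- a/<path not shown in rendering: file 4 of 8, backup-agent deployment>
+++ b/<path not shown in rendering: file 4 of 8, backup-agent deployment>
@@ -32,7 +32,7 @@ spec:
 - name: MMS_GROUPID_KEYFILE_PATH
 value: /etc/mongod/cloud/group-id
 - name: CA_CRT_PATH
-value: /etc/mongod/ssl/ca.pem
+value: /etc/mongod/ca/ca.pem
 - name: BACKUP_PEM_PATH
 value: /etc/mongod/ssl/mdb-bak-instance.pem
 resources:
@@ -41,6 +41,9 @@ spec:
 memory: 768Mi
 volumeMounts:
 - name: mdb-bak-certs
+mountPath: /etc/mongod/ca/
+readOnly: true
+- name: mdb-ca
 mountPath: /etc/mongod/ssl/
 readOnly: true
 - name: cloud-manager-credentials
@@ -52,6 +55,10 @@ spec:
 secret:
 secretName: mdb-bak-certs
 defaultMode: 0400
+- name: ca-auth
+secret:
+secretName: ca-auth
+defaultMode: 0400
 - name: cloud-manager-credentials
 secret:
 secretName: cloud-manager-credentials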
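Review bot: The three added volumeMounts lines land one entry too early, so on the new side `mdb-bak-certs` is mounted at `/etc/mongod/ca/` and a mount named `mdb-ca` takes `/etc/mongod/ssl/`, while the volumes hunk adds a volume named `ca-auth` and none named `mdb-ca`; a pod spec whose volumeMount names no declared volume fails API validation, so no backup-agent pod can be created from this revision. Even with the name corrected, `CA_CRT_PATH` (`/etc/mongod/ca/ca.pem`) and `BACKUP_PEM_PATH` (`/etc/mongod/ssl/mdb-bak-instance.pem`) in the first hunk would each resolve into the wrong Secret. The mount list should keep `mdb-bak-certs` at `/etc/mongod/ssl/` and add `ca-auth` at `/etc/mongod/ca/`, as below. The monitoring-agent deployment further down has the same interleaving; there the volume name is already `ca-auth`, so only its two `mountPath` values need swapping (`/etc/mongod/ssl/` under `mdb-mon-certs`, `/etc/mongod/ca/` under `ca-auth`).
```yaml
        volumeMounts:
        - name: mdb-bak-certs
          mountPath: /etc/mongod/ssl/
          readOnly: true
        - name: ca-auth
          mountPath: /etc/mongod/ca/
          readOnly: true
        # … unchanged: cloud-manager-credentials mount …
```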


@ -53,6 +53,6 @@ RUN apt update \
COPY mongodb_mon_agent_entrypoint.bash / COPY mongodb_mon_agent_entrypoint.bash /
RUN chown -R mongodb-mms-agent:mongodb-mms-agent /etc/mongodb-mms/ RUN chown -R mongodb-mms-agent:mongodb-mms-agent /etc/mongodb-mms/
VOLUME /etc/mongod/ssl VOLUME /etc/mongod/ssl /etc/mongod/ca
#USER mongodb-mms-agent - BUG(Krish) Uncomment after tests are complete #USER mongodb-mms-agent - BUG(Krish) Uncomment after tests are complete
ENTRYPOINT ["/mongodb_mon_agent_entrypoint.bash"] ENTRYPOINT ["/mongodb_mon_agent_entrypoint.bash"]


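--- a/<path not shown in rendering: file 6 of 8, monitoring-agent deployment>
+++ b/<path not shown in rendering: file 6 of 8, monitoring-agent deployment>
@@ -32,7 +32,7 @@ spec:
 - name: MMS_GROUPID_KEYFILE_PATH
 value: /etc/mongod/cloud/group-id
 - name: CA_CRT_PATH
-value: /etc/mongod/ssl/ca.pem
+value: /etc/mongod/ca/ca.pem
 - name: MONITORING_PEM_PATH
 value: /etc/mongod/ssl/mdb-mon-instance.pem
 resources:
@@ -41,6 +41,9 @@ spec:
 memory: 768Mi
 volumeMounts:
 - name: mdb-mon-certs
+mountPath: /etc/mongod/ca/
+readOnly: true
+- name: ca-auth
 mountPath: /etc/mongod/ssl/
 readOnly: true
 - name: cloud-manager-credentials
@@ -52,7 +55,11 @@ spec:
 secret:
 secretName: mdb-mon-certs
 defaultMode: 0400
+- name: ca-auth
+secret:
+secretName: ca-auth
+defaultMode: 0400
 - name: cloud-manager-credentials
 secret:
 secretName: cloud-manager-credentials
 defaultMode: 0400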


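--- a/<path not shown in rendering: file 7 of 8, mongod Dockerfile>
+++ b/<path not shown in rendering: file 7 of 8, mongod Dockerfile>
@@ -7,6 +7,6 @@ RUN apt-get update \
 && apt-get clean
 COPY mongod.conf.template /etc/mongod.conf
 COPY mongod_entrypoint.bash /
-VOLUME /data/db /data/configdb /etc/mongod/ssl
+VOLUME /data/db /data/configdb /etc/mongod/ssl /etc/mongod/ca
 EXPOSE 27017
 ENTRYPOINT ["/mongod_entrypoint.bash"]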


@ -5,7 +5,7 @@
######################################################################## ########################################################################
apiVersion: apps/v1beta1 apiVersion: apps/v1beta1
kind: StatefulSet kind: StatefulSet
metadata: metadata:
name: mdb-instance-0-ss name: mdb-instance-0-ss
namespace: default namespace: default
@ -49,9 +49,9 @@ spec:
- --mongodb-key-file-path - --mongodb-key-file-path
- /etc/mongod/ssl/mdb-instance.pem - /etc/mongod/ssl/mdb-instance.pem
- --mongodb-ca-file-path - --mongodb-ca-file-path
- /etc/mongod/ssl/ca.pem - /etc/mongod/ca/ca.pem
- --mongodb-crl-file-path - --mongodb-crl-file-path
- /etc/mongod/ssl/mdb-crl.pem - /etc/mongod/ca/crl.pem
- --replica-set-name - --replica-set-name
- $(MONGODB_REPLICA_SET_NAME) - $(MONGODB_REPLICA_SET_NAME)
- --mongodb-fqdn - --mongodb-fqdn
@ -74,6 +74,9 @@ spec:
- name: mdb-certs - name: mdb-certs
mountPath: /etc/mongod/ssl/ mountPath: /etc/mongod/ssl/
readOnly: true readOnly: true
- name: ca-auth
mountPath: /etc/mongod/ca/
readOnly: true
resources: resources:
limits: limits:
cpu: 200m cpu: 200m
@ -98,3 +101,7 @@ spec:
secret: secret:
secretName: mdb-certs secretName: mdb-certs
defaultMode: 0400 defaultMode: 0400
- name: ca-auth
secret:
secretName: ca-auth
defaultMode: 0400