fix: [DENA-580] fix cockroachdb manifests (#48)

* fix example, README, certificate issuer name * certificate should be vaild for cockroachdb-proxy * fixing backup job certs * fix backup job certs * standarize cockroachdb access * update deprecated patchesStrategicMerge * move certificate patches into the manifest base * move secret construction from patch to resources definition
utilitywarehouse · Jul 2, 2024 · 6db72e3 · 6db72e3
1 parent 8e2a50a
commit 6db72e3
Show file tree

Hide file tree

Showing 11 changed files with 76 additions and 105 deletions.
diff --git a/cockroachdb/CERT_MANAGER_README.md b/cockroachdb/CERT_MANAGER_README.md
@@ -1,7 +1,7 @@
 # Certificates
 
 In order to secure the communication between CRDB nodes and clients we need to generate three certificates:
-- CA Certifiace - used to sign node and client certificates
+- CA Certificate - used to sign node and client certificates
 - Node Certificate - used to allow nodes establishing a connection to each other. The Node Certificate is being shared between all nodes
 - Client Certificate - used by the init and backup jobs to connect to CRDB
 

diff --git a/cockroachdb/example/cert-manager/certificates-patch.yaml b/cockroachdb/example/cert-manager/certificates-patch.yaml
diff --git a/cockroachdb/example/cert-manager/dns-names-patch.yaml b/cockroachdb/example/cert-manager/dns-names-patch.yaml
@@ -0,0 +1,16 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: node
+spec:
+  issuerRef:
+    name: cockroachdb-ca-issuer
+    kind: Issuer
+  commonName: node
+  dnsNames:
+    - cockroachdb-0.cockroachdb
+    - cockroachdb-1.cockroachdb
+    - cockroachdb-2.cockroachdb
+    - cockroachdb-0.cockroachdb.<your namespace here>.svc.cluster.local
+    - cockroachdb-1.cockroachdb.<your namespace here>.svc.cluster.local
+    - cockroachdb-2.cockroachdb.<your namespace here>.svc.cluster.local
diff --git a/cockroachdb/example/cert-manager/kustomization.yaml b/cockroachdb/example/cert-manager/kustomization.yaml
@@ -3,10 +3,10 @@ kind: Kustomization
 
 resources:
   - sa.yaml
-  - github.com/utilitywarehouse/shared-kustomize-bases/cockroachdb/manifests-cert-manager
+  - github.com/utilitywarehouse/shared-kustomize-bases//cockroachdb/manifests-cert-manager
 
 patches:
-  - path: certificates-patch.yaml
+  - path: dns-names-patch.yaml
   - path: cockroach.yaml
 
 configMapGenerator:

diff --git a/cockroachdb/example/cfssl/kustomization.yaml b/cockroachdb/example/cfssl/kustomization.yaml
@@ -27,5 +27,5 @@ resources:
   - sa.yaml
   - github.com/utilitywarehouse/shared-kustomize-bases/cockroachdb/manifests
 
-patchesStrategicMerge:
-  - cockroach.yaml
+patches:
+  - path: cockroach.yaml
diff --git a/cockroachdb/manifests-cert-manager/backup-init-job.yaml b/cockroachdb/manifests-cert-manager/backup-init-job.yaml
@@ -53,7 +53,18 @@ spec:
       restartPolicy: OnFailure
       volumes:
         - name: client-certs
-          emptyDir: {}
+          projected:
+            sources:
+              - secret:
+                  name: cockroachdb.client.root
+                  items:
+                    - key: ca.crt
+                      path: ca.crt
+                    - key: tls.crt
+                      path: client.root.crt
+                    - key: tls.key
+                      path: client.root.key
+            defaultMode: 256
         - name: cockroachdb-scripts
           configMap:
             name: cockroachdb-scripts
diff --git a/cockroachdb/manifests-cert-manager/certificates.yaml b/cockroachdb/manifests-cert-manager/certificates.yaml
@@ -44,6 +44,7 @@ spec:
     - cockroachdb-0.cockroachdb
     - cockroachdb-1.cockroachdb
     - cockroachdb-2.cockroachdb
+    - cockroachdb-proxy
   secretName: cockroachdb.node
   usages:
     - server auth
@@ -55,7 +56,7 @@ metadata:
   name: client
 spec:
   issuerRef:
-    name: ca-issuer
+    name: cockroachdb-ca-issuer
     kind: Issuer
   commonName: root
   secretName: cockroachdb.client.root

diff --git a/cockroachdb/manifests-cert-manager/client.yaml b/cockroachdb/manifests-cert-manager/client.yaml
@@ -56,6 +56,15 @@ spec:
               mountPath: /cockroach/cockroach-certs
       volumes:
         - name: client-certs
-          secret:
-            secretName: cockroachdb.client.root
+          projected:
+            sources:
+              - secret:
+                  name: cockroachdb.client.root
+                  items:
+                    - key: ca.crt
+                      path: ca.crt
+                    - key: tls.crt
+                      path: client.root.crt
+                    - key: tls.key
+                      path: client.root.key
             defaultMode: 256
diff --git a/cockroachdb/manifests-cert-manager/init-job.yaml b/cockroachdb/manifests-cert-manager/init-job.yaml
@@ -16,12 +16,15 @@ spec:
             - name: client-certs
               mountPath: /cockroach/cockroach-certs
           env:
-            - name: COCKROACH_INIT_HOST
-              value: cockroachdb-0.cockroachdb
+            - name: COCKROACH_HOST
+              valueFrom:
+                configMapKeyRef:
+                  name: cockroach
+                  key: cockroach.host
           command:
             - "/bin/bash"
             - "-c"
-            - "/cockroach/cockroach init --certs-dir=/cockroach/cockroach-certs --host=$(COCKROACH_INIT_HOST) --port=26357 2>&1 | grep 'initialized'"
+            - "/cockroach/cockroach init --certs-dir=/cockroach/cockroach-certs --port=26357 2>&1 | grep 'initialized'"
           resources:
             requests:
               cpu: 0
@@ -32,6 +35,15 @@ spec:
       restartPolicy: OnFailure
       volumes:
         - name: client-certs
-          secret:
-            secretName: cockroachdb.client.root
+          projected:
+            sources:
+              - secret:
+                  name: cockroachdb.client.root
+                  items:
+                    - key: ca.crt
+                      path: ca.crt
+                    - key: tls.crt
+                      path: client.root.crt
+                    - key: tls.key
+                      path: client.root.key
             defaultMode: 256
diff --git a/cockroachdb/manifests-cert-manager/scripts.yaml b/cockroachdb/manifests-cert-manager/scripts.yaml
@@ -40,6 +40,7 @@ data:
         exit 1
     fi
 
+    # todo: wait for the cockroachdb cluster to be ready
     SQL_CMD="/cockroach/cockroach sql" > /dev/null
 
     $SQL_CMD << EOF

diff --git a/cockroachdb/manifests-cert-manager/statefulset.yaml b/cockroachdb/manifests-cert-manager/statefulset.yaml
@@ -108,8 +108,18 @@ spec:
           persistentVolumeClaim:
             claimName: datadir
         - name: certs
-          secret:
-            secretName: cockroachdb.node
+          # https://www.cockroachlabs.com/docs/stable/authentication#using-cockroach-cert-or-openssl-commands
+          projected:
+            sources:
+              - secret:
+                  name: cockroachdb.node
+                  items:
+                    - key: ca.crt
+                      path: ca.crt
+                    - key: tls.crt
+                      path: node.crt
+                    - key: tls.key
+                      path: node.key
             defaultMode: 256
   podManagementPolicy: Parallel
   updateStrategy: