Sync access packages #147
Sync access packages #147
Conversation
| } | ||
|
|
||
| // String returns a string used to unique identify the authentication settings. | ||
| func (a Authentication) String() string { | ||
| return a.TLSAuthentication.String() + ":" + a.JWTSecret | ||
| return a.TLSAuthentication.String() + ":" + a.JWTSecret + ":" + a.Username + ":" + a.Password |
There was a problem hiding this comment.
I do not know where String() is used. But I wonder if making the password available via this function is required, and if not required, is it a bad thing. Could we accidentally expose a real user's password to a log file or such.
There was a problem hiding this comment.
It is used to generate a key that matches the exact settings. So with exactly the same key you are allowed to share the same client object.
| @@ -53,12 +76,23 @@ that is reachable from the Kubernetes cluster the `ArangoDeploymentReplication` | |||
|
|
|||
| Specifying this setting and `spec.source.deploymentName` at the same time is not allowed. | |||
|
|
|||
| ### `spec.source.auth.jwtSecretName: string` | |||
| ### `spec.source.auth.keyfileSecretName: string` | |||
There was a problem hiding this comment.
Is the user facing an upgrade issue if they previously used .jwtSecretName? Same question for .deploymentNamespace versus .endpoint.
There was a problem hiding this comment.
It was never part of a released version and was only just introduced in master, so I doubt it will cause problems.
| used to authenticate the SyncMaster in the destination cluster with the SyncMaster in the | ||
| source cluster. | ||
| As a result, the destination Kubernetes cluster will have 2 additional `Secrets`. One containing a client authentication certificate | ||
| formatted ad a keyfile. Another containing the public key of the TLS CA certificate of the source cluster. |
There was a problem hiding this comment.
spelling or grammar or typo: "One containing a client authentication certificate formatted ad a keyfile." ad -> and ? If so, better wording would be "One contains a ...". Second sentence would then be "Another contains ..."
| In response, a `Secret` is created in that Kubernetes cluster, with the given name, that contains a `accessPackage.yaml` data field | ||
| that contains a Kubernetes resource specification that can be inserted into the other Kubernetes cluster. | ||
|
|
||
| The process for creating and using an access package to authentication at the source cluster is as follows: |
There was a problem hiding this comment.
"package to authentication" -> "package for authentication"
This PR aims to make the (dc2dc) replication easier and such that it no longer requires
arangosyncto be installed locally.It does so by:
ArangoDeploymentReplication(see docs)access package. This is a k8s resource file containing a secret for the TLS CA and a secret with a generated client authentication keyfile. See docs for details.The access package is created by editing the
ArangoDeploymentin the source cluster (add a name to theaccessPackageSecretNamesfield). This yields the creation of a secret with that name.Extract the secret data (under
accessPackage.yaml).Finally apply the
accessPackage.yamlfile in the destination cluster.