
Allow spread encryption to be set in the VerticaDB CR #224

Merged (6 commits), Jun 21, 2022

Conversation

@spilchen (Collaborator) commented Jun 20, 2022

The following parameter was added to the VerticaDB CR:

spec.encryptSpreadComm

When this is set to vertica, then the EncryptSpreadComm parameter will be set for the database right after it is created. Setting encryption in spread requires a server restart, which the operator handles automatically. The default value for this parameter is an empty string, which means no encryption is set.

The events for the VerticaDB will look like the following when enabling spread encryption. We will show a successful create database, then a complete server restart.

Events:
  Type    Reason                   Age   From                Message
  ----    ------                   ----  ----                -------
  Normal  CreateDBStart            78s   verticadb-operator  Calling 'admintools -t create_db'
  Normal  CreateDBSucceeded        48s   verticadb-operator  Successfully created database with subcluster 'my-sc'. It took 30.065841637s
  Normal  StopDBStart              47s   verticadb-operator  Calling 'admintools -t stop_db'
  Normal  StopDBSucceeded          43s   verticadb-operator  Successfully stopped the database.  It took 4s
  Normal  ClusterRestartStarted    42s   verticadb-operator  Calling 'admintools -t start_db' to restart the cluster
  Normal  ClusterRestartSucceeded  33s   verticadb-operator  Successfully called 'admintools -t start_db' and it took 9s

This can only be set for new instances of VerticaDB. It is ignored if the initPolicy is something other than Create. It only accepts an empty string (to clear encryption) or vertica. The webhook enforces these rules.

The restart was generalized with a new condition variable: VerticaRestartNeeded. In the future, if we have other cases where Vertica needs to be restarted we can use this condition variable.

Closes #222
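The validation rules in the description (only `""` or `vertica` accepted, the setting only taking effect when `initPolicy` is `Create`, and the value being settable only on new instances) are easy to get subtly wrong in a webhook, so here is an added, stand-alone Go sketch of that logic. It is not the operator's own code: the `VerticaDB`/`VerticaDBSpec` structs, the constant names, the error values and the `ValidateCreate`/`ValidateUpdate`/`SpreadEncryptionApplies` functions are all assumed stand-ins for illustration, and treating a changed value on update as a rejection is an assumption about how "only for new instances" would be enforced.

```go
package main

import (
	"errors"
	"fmt"
)

// Assumed, simplified stand-ins for the VerticaDB spec fields discussed in the PR.
// The real operator defines its own API types; these exist only for this example.
const (
	InitPolicyCreate = "Create"
	InitPolicyRevive = "Revive"

	// The only non-empty value the PR description allows for spec.encryptSpreadComm.
	EncryptSpreadCommVertica = "vertica"
)

type VerticaDBSpec struct {
	InitPolicy        string
	EncryptSpreadComm string
}

type VerticaDB struct {
	Name string
	Spec VerticaDBSpec
}

var (
	ErrInvalidEncryptSpreadComm = errors.New("encryptSpreadComm must be empty or \"vertica\"")
	ErrEncryptSpreadCommChanged = errors.New("encryptSpreadComm can only be set on new VerticaDB instances")
)

// validateEncryptSpreadCommValue enforces the allowed values: "" (no encryption)
// or "vertica". Anything else is rejected before it reaches the database.
func validateEncryptSpreadCommValue(spec VerticaDBSpec) error {
	switch spec.EncryptSpreadComm {
	case "", EncryptSpreadCommVertica:
		return nil
	default:
		return fmt.Errorf("%w: got %q", ErrInvalidEncryptSpreadComm, spec.EncryptSpreadComm)
	}
}

// ValidateCreate models the create-time webhook check (assumed shape).
func ValidateCreate(vdb VerticaDB) error {
	return validateEncryptSpreadCommValue(vdb.Spec)
}

// ValidateUpdate models the update-time webhook check (assumed shape): the value
// must still be allowed, and because spread encryption is applied only right after
// create_db, a change on an existing VerticaDB is rejected rather than silently ignored.
func ValidateUpdate(oldVDB, newVDB VerticaDB) error {
	if err := validateEncryptSpreadCommValue(newVDB.Spec); err != nil {
		return err
	}
	if oldVDB.Spec.EncryptSpreadComm != newVDB.Spec.EncryptSpreadComm {
		return ErrEncryptSpreadCommChanged
	}
	return nil
}

// SpreadEncryptionApplies reports whether the operator would actually set
// EncryptSpreadComm after creating the database: per the PR, the setting is
// ignored unless initPolicy is Create.
func SpreadEncryptionApplies(vdb VerticaDB) bool {
	return vdb.Spec.InitPolicy == InitPolicyCreate &&
		vdb.Spec.EncryptSpreadComm == EncryptSpreadCommVertica
}

func main() {
	// Constructed sample CRs exercising the three rules.
	cases := []VerticaDB{
		{Name: "v", Spec: VerticaDBSpec{InitPolicy: InitPolicyCreate, EncryptSpreadComm: EncryptSpreadCommVertica}},
		{Name: "v-revive", Spec: VerticaDBSpec{InitPolicy: InitPolicyRevive, EncryptSpreadComm: EncryptSpreadCommVertica}},
		{Name: "v-bad", Spec: VerticaDBSpec{InitPolicy: InitPolicyCreate, EncryptSpreadComm: "tls"}},
	}
	for _, c := range cases {
		fmt.Printf("%-9s valid=%-5v applies=%v\n", c.Name, ValidateCreate(c) == nil, SpreadEncryptionApplies(c))
	}
}
```

The point of keeping value validation and the "does it apply" check separate is that a CR with `initPolicy: Revive` and `encryptSpreadComm: vertica` is well-formed but has no effect, which is worth surfacing to operators who expect encrypted spread traffic after a revive.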

@spilchen spilchen self-assigned this Jun 20, 2022
@spilchen spilchen requested a review from roypaulin June 20, 2022 12:16
@nyikesda (Contributor) commented
Hi @spilchen ,
Did you test the solution with an active client connection during the DB stop? It would be important to stop the DB independently from the connected users.

@spilchen (Collaborator, Author) commented

@nyikesda the stop DB doesn't wait for active connections. If there are any, those connections will be terminated. This happens immediately after create db though. Do you expect to have a lot of connections come in between? You can use various status conditions to know when the database is fully set up.

kubectl wait --for=condition=DBInitialized=True vdb/v   # Wait for DB to be created
kubectl wait --for=condition=VerticaRestartNeeded=False vdb/v  # Wait for stop db
kubectl wait --for=condition=Ready=True pod/v-my-sc-0 # Wait for start db by checking ready state of one pod

@nyikesda (Contributor) commented

I do not see the --force argument in your code after the admintools -t stop_db, so I thought that it waits for the active connections. If the --force argument is not necessary, then sorry for my previous comment.

@spilchen (Collaborator, Author) commented

Okay, I understand what you mean. You are right, I am missing a force. I'll add that in.

@nyikesda (Contributor) left a review comment:

Thanks

@roypaulin (Collaborator) left a review comment:

Looks good. I don't have too much to add.

Review thread on pkg/controllers/vdb/stopdb_reconcile.go (outdated, resolved)
@spilchen spilchen requested a review from roypaulin June 21, 2022 17:31
@spilchen spilchen merged commit d76fe5d into vertica:main Jun 21, 2022
@spilchen spilchen deleted the encrypt-spread branch June 21, 2022 19:33
Development

Successfully merging this pull request may close these issues: Setting for enabling TLS for internode Spread communication