Commit

add enable tls docs
Signed-off-by: Rudro-25 <[email protected]>
Rudro-25 committed Nov 5, 2024
1 parent 12c80da commit c03dd16
Showing 24 changed files with 1,644 additions and 63 deletions.
2 changes: 1 addition & 1 deletion docs/examples/zookeeper/reconfiguration/new-secret.yaml
@@ -1,7 +1,7 @@
apiVersion: v1
stringData:
zoo.cfg: |
maxClientCnxns=70
maxClientCnxns=100
kind: Secret
metadata:
name: zk-new-configuration
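Review bot: the `maxClientCnxns` edit in `zoo.cfg` touches the reconfiguration example under `docs/examples/zookeeper/reconfiguration/`, which is outside what the commit message "add enable tls docs" describes. Move it to its own commit or mention it in the message, and check that the reconfiguration guide quoting this Secret shows the same value, since the hunk carries both 70 and 100.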
11 changes: 11 additions & 0 deletions docs/examples/zookeeper/reconfigure-tls/zkops-remove.yaml
@@ -0,0 +1,11 @@
apiVersion: ops.kubedb.com/v1alpha1
kind: ZooKeeperOpsRequest
metadata:
name: zkops-remove
namespace: demo
spec:
type: ReconfigureTLS
databaseRef:
name: zk-quickstart
tls:
remove: true
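Review bot: the `spec` here has no `timeout` or `apply`, while `zookeeper-add-tls.yaml` in the same directory sets `timeout: 5m` and `apply: IfReady`; the same is true of `zkops-rotate.yaml` and the update-issuer request. Either set them in all four ReconfigureTLS examples or drop them from the add request so readers do not assume the fields matter for only one operation. Since `tls.remove: true` takes TLS off the `zk-quickstart` cluster, a short note in the guide that uses this file saying so would also help.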
11 changes: 11 additions & 0 deletions docs/examples/zookeeper/reconfigure-tls/zkops-rotate.yaml
@@ -0,0 +1,11 @@
apiVersion: ops.kubedb.com/v1alpha1
kind: ZooKeeperOpsRequest
metadata:
name: zkops-rotate
namespace: demo
spec:
type: ReconfigureTLS
databaseRef:
name: zk-quickstart
tls:
rotateCertificates: true
23 changes: 23 additions & 0 deletions docs/examples/zookeeper/reconfigure-tls/zookeeper-add-tls.yaml
@@ -0,0 +1,23 @@
apiVersion: ops.kubedb.com/v1alpha1
kind: ZooKeeperOpsRequest
metadata:
name: zkops-add-tls
namespace: demo
spec:
type: ReconfigureTLS
databaseRef:
name: zk-quickstart
tls:
issuerRef:
name: zookeeper-ca-issuer
kind: Issuer
apiGroup: "cert-manager.io"
certificates:
- alias: client
subject:
organizations:
- zookeeper
organizationalUnits:
- client
timeout: 5m
apply: IfReady
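Review bot: `issuerRef.name: zookeeper-ca-issuer` does not match the Issuer defined next to this file in `docs/examples/zookeeper/reconfigure-tls/zookeeper-issuer.yaml`, which is named `zk-issuer`; `zookeeper-ca-issuer` is only defined under `docs/examples/zookeeper/tls/`. A reader who applies just the reconfigure-tls examples ends up with a request that references an Issuer that was never created in `demo`. Use one name in both files, either `zk-issuer` here or `zookeeper-ca-issuer` in the Issuer manifest.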
8 changes: 8 additions & 0 deletions docs/examples/zookeeper/reconfigure-tls/zookeeper-issuer.yaml
@@ -0,0 +1,8 @@
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: zk-issuer
namespace: demo
spec:
ca:
secretName: zookeeper-ca
@@ -0,0 +1,8 @@
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: zk-new-issuer
namespace: demo
spec:
ca:
secretName: zookeeper-new-ca
@@ -0,0 +1,14 @@
apiVersion: ops.kubedb.com/v1alpha1
kind: ZooKeeperOpsRequest
metadata:
name: zkops-update-issuer
namespace: demo
spec:
type: ReconfigureTLS
databaseRef:
name: zk-quickstart
tls:
issuerRef:
name: zk-new-issuer
kind: Issuer
apiGroup: "cert-manager.io"
16 changes: 16 additions & 0 deletions docs/examples/zookeeper/reconfigure-tls/zookeeper.yaml
@@ -0,0 +1,16 @@
apiVersion: kubedb.com/v1alpha2
kind: ZooKeeper
metadata:
name: zk-quickstart
namespace: demo
spec:
version: "3.8.3"
adminServerPort: 8080
replicas: 3
storage:
resources:
requests:
storage: "1Gi"
accessModes:
- ReadWriteOnce
deletionPolicy: "WipeOut"
8 changes: 8 additions & 0 deletions docs/examples/zookeeper/tls/zookeeper-issuer.yaml
@@ -0,0 +1,8 @@
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: zookeeper-ca-issuer
namespace: demo
spec:
ca:
secretName: zookeeper-ca
22 changes: 22 additions & 0 deletions docs/examples/zookeeper/tls/zookeeper-tls.yaml
@@ -0,0 +1,22 @@
apiVersion: kubedb.com/v1alpha2
kind: ZooKeeper
metadata:
name: zk-quickstart
namespace: demo
spec:
version: "3.8.3"
enableSSL: true
tls:
issuerRef:
apiGroup: "cert-manager.io"
kind: Issuer
name: zookeeper-ca-issuer
adminServerPort: 8080
replicas: 5
storage:
resources:
requests:
storage: "1Gi"
accessModes:
- ReadWriteOnce
deletionPolicy: "WipeOut"
10 changes: 10 additions & 0 deletions docs/guides/zookeeper/reconfigure-tls/_index.md
@@ -0,0 +1,10 @@
---
title: Reconfigure TLS/SSL
menu:
docs_{{ .version }}:
identifier: zk-reconfigure-tls
name: Reconfigure TLS/SSL
parent: zk-zookeeper-guides
weight: 46
menu_name: docs_{{ .version }}
---
54 changes: 54 additions & 0 deletions docs/guides/zookeeper/reconfigure-tls/overview.md
@@ -0,0 +1,54 @@
---
title: Reconfiguring TLS/SSL
menu:
docs_{{ .version }}:
identifier: zk-reconfigure-tls-overview
name: Overview
parent: zk-reconfigure-tls
weight: 10
menu_name: docs_{{ .version }}
section_menu_id: guides
---

> New to KubeDB? Please start [here](/docs/README.md).
# Reconfiguring TLS of ZooKeeper

This guide will give an overview on how KubeDB Ops-manager operator reconfigures TLS configuration i.e. add TLS, remove TLS, update issuer/cluster issuer or Certificates and rotate the certificates of `ZooKeeper`.

## Before You Begin

- You should be familiar with the following `KubeDB` concepts:
- [ZooKeeper](/docs/guides/zookeeper/concepts/zookeeper.md)
- [ZooKeeperOpsRequest](/docs/guides/zookeeper/concepts/opsrequest.md)

## How Reconfiguring ZooKeeper TLS Configuration Process Works

The following diagram shows how KubeDB Ops-manager operator reconfigures TLS of a `ZooKeeper`. Open the image in a new tab to see the enlarged version.

<figure align="center">
  <img alt="Reconfiguring TLS process of ZooKeeper" src="/docs/images/day-2-operation/zookeeper/zk-reconfigure-tls.svg">
<figcaption align="center">Fig: Reconfiguring TLS process of ZooKeeper</figcaption>
</figure>

The Reconfiguring ZooKeeper TLS process consists of the following steps:

1. At first, a user creates a `ZooKeeper` Custom Resource Object (CRO).

2. `KubeDB` Provisioner operator watches the `ZooKeeper` CRO.

3. When the operator finds a `ZooKeeper` CR, it creates required number of `PetSets` and related necessary stuff like secrets, services, etc.

4. Then, in order to reconfigure the TLS configuration of the `ZooKeeper` database the user creates a `ZooKeeperOpsRequest` CR with desired information.

5. `KubeDB` Ops-manager operator watches the `ZooKeeperOpsRequest` CR.

6. When it finds a `ZooKeeperOpsRequest` CR, it pauses the `ZooKeeper` object which is referred from the `ZooKeeperOpsRequest`. So, the `KubeDB` Provisioner operator doesn't perform any operations on the `ZooKeeper` object during the reconfiguring TLS process.

7. Then the `KubeDB` Ops-manager operator will add, remove, update or rotate TLS configuration based on the Ops Request yaml.

8. Then the `KubeDB` Ops-manager operator will restart all the Pods of the database so that they restart with the new TLS configuration defined in the `ZooKeeperOpsRequest` CR.

9. After the successful reconfiguring of the `ZooKeeper` TLS, the `KubeDB` Ops-manager operator resumes the `ZooKeeper` object so that the `KubeDB` Provisioner operator resumes its usual operations.

In the [next](/docs/guides/zookeeper/reconfigure-tls/reconfigure-tls.md) docs, we are going to show a step by step guide on reconfiguring TLS configuration of a ZooKeeper database using `ZooKeeperOpsRequest` CRD.
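Review bot: step 8 says the operator "will restart all the Pods of the database" without saying whether the restart is one Pod at a time or all at once, and the overview never says what clients see while an add, remove or rotate is in progress. Add a sentence on the restart order and on the effect of each operation, in particular that remove leaves the cluster without TLS. Smaller points: step 1 introduces "Custom Resource Object (CRO)" but steps 3 to 6 switch to "CR", so pick one term; "related necessary stuff like secrets, services, etc." in step 3 should name the resources plainly; and the intro mentions "issuer/cluster issuer" while every example in this commit uses `kind: Issuer`, so either add a ClusterIssuer example or say that the same `issuerRef` fields apply.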