[
https://issues.apache.org/jira/browse/HDDS-1507?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Elek, Marton updated HDDS-1507:
-------------------------------
Description:
We need documentation and example k8s files to demonstrate how to start a secure
Ozone cluster inside Kubernetes.
The biggest challenge is the creation of the keytab files. There are multiple
solutions for that. For example, in the ozonesecure docker-compose cluster we
have a simple REST endpoint and the containers download the required keytab
files from that specific (unsecure) REST endpoint.
While this is a very good and flexible solution, I prefer to use something which
is more production-like, which can be used as an example of how Ozone should be
used in production.
A dynamic approach can be achieved with HashiCorp Vault, which is a _secure_ key
value store. With a huge amount of configuration the pre-generated keytabs can
be stored to make them available for all the containers.
But I prefer to use a simple solution here. Let's say that the keytab
generation is the responsibility of the user. The generated keytab files can be
stored in a k8s ConfigMap object and can be easily mounted.
While this approach requires some manual work, it can be used for production.
was: We need documentation and example k8s files to demonstrate how to start a
secure Ozone cluster inside Kubernetes.
> Provide example k8s deployment files for secure ozone setup
> -----------------------------------------------------------
>
> Key: HDDS-1507
> URL: https://issues.apache.org/jira/browse/HDDS-1507
> Project: Hadoop Distributed Data Store
> Issue Type: Sub-task
> Reporter: Elek, Marton
> Assignee: Elek, Marton
> Priority: Major
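The ConfigMap approach described in the issue, sketched as Kubernetes manifests. This is an added example, not part of the issue or the Ozone project's own files; the object names, image, mount path and user IDs are assumed placeholders.

```yaml
# Added example. Every name, path, ID and image below is an assumed placeholder.
# The ConfigMap is created from a keytab the user generated beforehand, e.g.:
#   kubectl create configmap ozone-keytabs --from-file=scm.keytab
# kubectl stores non-UTF-8 file content under binaryData (base64-encoded).
apiVersion: v1
kind: ConfigMap
metadata:
  name: ozone-keytabs
binaryData:
  scm.keytab: "<base64 of the keytab generated by the user>"
---
apiVersion: v1
kind: Pod
metadata:
  name: scm-0
spec:
  securityContext:
    runAsUser: 1000
    # fsGroup makes the mounted files group-owned and readable by the
    # non-root process.
    fsGroup: 1000
  containers:
    - name: scm
      image: example.invalid/ozone:placeholder
      volumeMounts:
        - name: keytabs
          mountPath: /etc/security/keytabs
          readOnly: true
  volumes:
    - name: keytabs
      configMap:
        name: ozone-keytabs
        defaultMode: 0400        # no world-readable keytab inside the pod
        items:
          - key: scm.keytab      # mount only the keytab this component needs
            path: scm.keytab
# Variant: a keytab holds long-term Kerberos keys, so the same mount can be
# backed by a Secret, the Kubernetes object type intended for confidential data:
#   kubectl create secret generic ozone-keytabs --from-file=scm.keytab
# with the volume changed to:
#   volumes:
#     - name: keytabs
#       secret:
#         secretName: ozone-keytabs
#         defaultMode: 0400
```

Whichever object type holds the keytab, anyone with RBAC read access to it in the namespace can extract the key, so access to that object should be scoped as tightly as access to the KDC-issued file itself.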