Enable key separation when multiple CRDB clusters are run in the same namespace
Currently node and client keys are visible between CRDB clusters running in the same namespace.
This pull request adds a -cluster flag to logically name and partition the key-space. If the -cluster flag is not specified, everything works as before.
Example:
/request-cert '-namespace=crdb' '-certs-dir=/cockroach-certs' '-type=client' '-user=root' '-symlink-ca-from=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt' '-cluster=crdb-test'
2019/02/27 16:21:07 Looking up cert and key under secret crdb.crdb-test.client.root
W0227 16:21:07.014788 1 client_config.go:549] Neither --kubeconfig nor --master was specified. Using the inClusterConfig. This might not work.
2019/02/27 16:21:07 Secret crdb.crdb-test.client.root not found, sending CSR
Sending create request: crdb.crdb-test.client.root for
Request sent, waiting for approval. To approve, run 'kubectl certificate approve crdb.crdb-test.client.root'
CSR approved, but no certificate in response. Waiting some more
request crdb.crdb-test.client.root Approved at 2019-02-27 16:21:09 +0000 UTC
reason: AutoApproved
message: Auto approving CockroachDB certificate after SubjectAccessReview.
2019/02/27 16:21:09 Storing cert and key under secret crdb.crdb-test.client.root
2019/02/27 16:21:09 Writing cert and key to local files
wrote key file: /cockroach-certs/client.root.key
wrote certificate file: /cockroach-certs/client.root.crt
symlinked CA certificate file: /cockroach-certs/ca.crt -> /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
This fixes issue #18
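To make the separation concrete, here is an added Go example (not the tool's own code) that derives the Secret/CSR object name the way the log line above suggests (`<namespace>.<cluster>.<type>.<user>` when -cluster is given) and shows why the flag matters: two clusters in one namespace that both omit -cluster claim the same object name, so one cluster's pod can read the other's key through that Secret. The un-partitioned legacy form `<namespace>.<type>.<user>` and the `SecretName`/`Claims` helpers are assumptions for illustration; the per-segment check is the Kubernetes DNS-1123 label rule, and each segment is required to be a label rather than a subdomain because "." is the separator, so a cluster value containing a dot could alias another cluster's name.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Name layout assumed from the log line in the PR description
// ("crdb.crdb-test.client.root" for -namespace=crdb -cluster=crdb-test
// -type=client -user=root). The un-partitioned form without -cluster
// (e.g. "crdb.client.root") is an assumption about the legacy behaviour,
// not taken from the tool's source.

// dns1123Label is the Kubernetes rule for one name segment (max 63 chars).
// Each component must be a label without dots: "." separates components,
// so a cluster named "a.client" could collide with another cluster's keys.
var dns1123Label = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?$`)

func validateLabel(field, v string) error {
	if len(v) > 63 || !dns1123Label.MatchString(v) {
		return fmt.Errorf("%s %q is not a valid DNS-1123 label", field, v)
	}
	return nil
}

// SecretName returns the Secret/CSR object name under which a key pair is
// stored. cluster and user may be empty; an empty cluster reproduces the
// shared, pre-flag naming.
func SecretName(namespace, cluster, certType, user string) (string, error) {
	components := []struct {
		field    string
		val      string
		optional bool
	}{
		{"namespace", namespace, false},
		{"cluster", cluster, true},
		{"type", certType, false},
		{"user", user, true},
	}
	parts := make([]string, 0, len(components))
	for _, c := range components {
		if c.val == "" {
			if c.optional {
				continue
			}
			return "", fmt.Errorf("%s must not be empty", c.field)
		}
		if err := validateLabel(c.field, c.val); err != nil {
			return "", err
		}
		parts = append(parts, c.val)
	}
	name := strings.Join(parts, ".")
	if len(name) > 253 { // Kubernetes object-name limit
		return "", errors.New("object name exceeds 253 characters")
	}
	return name, nil
}

// Claims maps each object name to the clusters whose keys would be stored
// under it. A name claimed by more than one cluster is a collision: those
// clusters read and overwrite each other's key material via one Secret.
func Claims(namespace string, clusters []string, certType, user string) (map[string][]string, error) {
	out := map[string][]string{}
	for _, c := range clusters {
		name, err := SecretName(namespace, c, certType, user)
		if err != nil {
			return nil, err
		}
		out[name] = append(out[name], c)
	}
	return out, nil
}

func main() {
	// Constructed scenario: two CRDB clusters in namespace "crdb", first
	// deployed without -cluster, then with distinct -cluster values.
	for _, clusters := range [][]string{{"", ""}, {"crdb-test", "crdb-prod"}} {
		claims, err := Claims("crdb", clusters, "client", "root")
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		for name, owners := range claims {
			status := "ok"
			if len(owners) > 1 {
				status = fmt.Sprintf("COLLISION: %d clusters share this secret", len(owners))
			}
			fmt.Printf("%-28s %s\n", name, status)
		}
	}
}
```

When rolling the flag out to existing deployments, note that any cluster still started without -cluster keeps writing to the shared legacy name, so the partitioning only holds once every cluster in the namespace passes a distinct, valid -cluster value.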