
Support Kubernetes Auto-Scaler on Managed DBaaS Authorized IP

Open zarinbal opened this issue 1 year ago • 3 comments

As a Kubernetes user (on OVHcloud's Managed Kubernetes Service or another), I want a way to automatically whitelist a given subset of my cluster's nodes, so that the nodes hosting containers that need access to a given database get their IP authorized (and removed when the node is destroyed).

Implementation details: The solution we will offer is an open-source, OVHcloud-supported service operator, where you will be able to use a node label selector to get the database ACL updated each time a node matching this label gets added or removed.

Additional notes

  • This operator will later be enriched to support creation and full lifecycle and configuration of all our OVHcloud Managed DBaaS
  • It will be offered at a later stage in an OVHcloud Kubernetes software catalog
  • We will later, additionally to this agnostic and reversible approach, offer better integrated support for service-to-service authorization (leveraging future OVHcloud identity and access management)

---- original user story ----

In the control panel of the managed database, I can only add the specific IP address of the authorized servers. However, the servers will be added and removed automatically in a Kubernetes environment with OVH Autoscale feature. We do not know the IP of those servers.

My proposed solution is to be able to add the Kubernetes cluster as an authorized source. Any server added to the Node Pools (manually or through Auto-Scale) or removed should be automatically added or removed from the authorized IPs list.

Here is an example of the Digital Ocean user interface. You can add an individual node or the entire Kubernetes cluster.


zarinbal avatar Aug 19 '22 04:08 zarinbal
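A sketch of the reconcile step such an operator performs, added here as an illustration and not OVHcloud's operator code: nodes matching a label selector yield the desired ACL, which is diffed against the entries currently on the database. The Node struct, the label key db-access and the sample addresses are constructed stand-ins for the Kubernetes Node object and a real authorized-IP list.

```go
package main

import (
	"fmt"
	"sort"
)

// Node is a constructed stand-in for the two fields of a Kubernetes Node the
// operator reads: metadata.labels and the address to authorize on the database.
type Node struct {
	Name   string
	Labels map[string]string
	IP     string
}

// matches reports whether the node carries every label in the selector.
func matches(n Node, selector map[string]string) bool {
	for k, v := range selector {
		if n.Labels[k] != v {
			return false
		}
	}
	return true
}

// Reconcile computes the /32 entries the ACL should contain for nodes matching
// the selector, diffs them against the current ACL and returns sorted entries to
// add (node joined the pool) and to remove (node destroyed or label dropped).
// A production operator should only ever remove entries it added itself, e.g.
// tracked in its own status, so a bug cannot wipe hand-added rules.
func Reconcile(nodes []Node, selector map[string]string, current []string) (add, remove []string) {
	want := map[string]bool{}
	for _, n := range nodes {
		if matches(n, selector) && n.IP != "" {
			want[n.IP+"/32"] = true
		}
	}
	have := map[string]bool{}
	for _, e := range current {
		have[e] = true
		if !want[e] {
			remove = append(remove, e)
		}
	}
	for e := range want {
		if !have[e] {
			add = append(add, e)
		}
	}
	sort.Strings(add)
	sort.Strings(remove)
	return add, remove
}

func main() {
	nodes := []Node{ // constructed sample nodes
		{"node-a", map[string]string{"db-access": "true"}, "192.0.2.10"},
		{"node-b", map[string]string{"db-access": "true"}, "192.0.2.11"},
		{"node-c", map[string]string{}, "192.0.2.12"},
	}
	current := []string{"192.0.2.10/32", "192.0.2.99/32"}
	add, remove := Reconcile(nodes, map[string]string{"db-access": "true"}, current)
	fmt.Println("add:", add, "remove:", remove)
}
```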

If this is possible, then we need exactly the same for NAS-HA services.

Also, as a solution for MKS, you can use Private Network to access your Managed Database.

But then, I am thinking, is it possible to have NAS-HA inside a private network? This will fix the IP whitelist issue.

matmicro avatar Aug 19 '22 06:08 matmicro

@zarinbal I understand your need and confirm we have planned to address this use case. I cannot however share an ETA yet.

mhurtrel avatar Aug 22 '22 08:08 mhurtrel

@zarinbal @matmicro I updated the ticket after validating feasibility internally. Our current ETA is very early 2023. In the meantime, as a workaround, we strongly encourage you to enable vRack on our Managed DBaaS (note that currently only Business and Enterprise support vRack, but all DBaaS flavors will soon offer this, #304) and use a Kubernetes cluster in the same vRack. You can then allow all IPs on the specific private network.

@matmicro NAS-HA will offer vRack support in a few months. However, note that our preferred solution in terms of scalability and automation will be FSaaS within public cloud, which will also support vRack and will be integrated as a storage class (#21).

mhurtrel avatar Sep 19 '22 14:09 mhurtrel

I mark this issue as closed, as you can now follow up here: https://github.com/ovh/public-cloud-roadmap/issues/305. This use case will be supported by our managed DBaaS colleagues, who plan to release a DBaaS Kubernetes operator in the next 2 months.

Bonus point is that this solution will be usable with any Kubernetes cluster, managed or not, at OVHcloud or anywhere with access to OVHcloud managed databases.

mhurtrel avatar Jan 16 '23 14:01 mhurtrel