
Support for TLS configuration

Open TristanCacqueray opened this issue 5 years ago • 9 comments

It seems like ZK needs a bunch of pkcs or jks files and a keystore password along with this zoo.cfg addition to setup TLS:

# TLS configuration
secureClientPort=2281
serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
ssl.keyStore.location=/etc/zookeeper-tls/zk.jks
ssl.keyStore.password=${keystore-password}
ssl.trustStore.location=/etc/zookeeper-tls/cacert.pem

sslQuorum=true
ssl.quorum.keyStore.location=/etc/zookeeper-tls/zk.jks
ssl.quorum.keyStore.password=${keystore-password}
ssl.quorum.trustStore.location=/etc/zookeeper-tls/cacert.pem

I guess a couple of options are possible:

  • Support a user provided secret with all the information to setup TLS.
  • Add a toggle to activate automatic TLS configuration, and the zookeeper-operator would create and manage the secret. Unfortunately, it seems like the cert-manager doesn't support pkcs or jks yet.

Would it be possible to add TLS support to the zookeeper service through the zookeeper-operator?

TristanCacqueray avatar Mar 16 '20 21:03 TristanCacqueray

Actually it seems like we don't need jks and a keystore password, which may be compatible with what current cert-manager can provide.

TristanCacqueray avatar Mar 16 '20 22:03 TristanCacqueray

cert-manager supports pkcs12 now ... I think the approach I took for the Solr operator (which relies heavily on ZK) would be applicable for this operator: https://github.com/bloomberg/solr-operator/pull/151 ... tl;dr is cert-manager integration ... if y'all agree that's a good approach, I can work up a PR for this repo as well

thelabdude avatar Nov 18 '20 21:11 thelabdude

Integration with Cert Manager, so that Zookeeper can receive TLS material from it, would be a very useful feature to have. It'd simplify the management of TLS material. Presumably, the SSL/TLS certificates (both the server certificate and the CA certificate) and private key files can be provided by Cert Manager. What about the remaining configuration items?

  1. The secureClientPort
  2. The serverCnxnFactory
  3. The file containing the keystore password

I suppose this additional config needs to be provided at deployment time.

The first two could have some sensible defaults. The admin/operator should be able to configure these at deployment time. The 3rd one shall require some form of operator input - a Kubernetes secret'd be a nice way of managing that sensitive field.

What do you say?

cc @pbelgundi @fpj

ravisharda avatar Dec 01 '20 08:12 ravisharda

@thelabdude Do you have any update on this?

anishakj avatar Jan 30 '21 11:01 anishakj

No update but sounds like there's growing interest in having this, so I can get a PR for it next week (eta: Feb 10) (have another project I need to focus on this week) ~ stay tuned ;-)

thelabdude avatar Feb 01 '21 15:02 thelabdude

@thelabdude Any further updates?

anishakj avatar Jun 09 '21 12:06 anishakj

Hi, @TristanCacqueray ,

I think there is support for this functionality, we just enabled it on our zookeeper cluster. Using config.additionalConfig map and volumes and volumeMounts, you can enable ssl on a new or existing zookeeper cluster.

Steps:

  • convert the pem certs/key to java keystore format (jks) using keytool
  • add volumes and volumeMounts to the zookeepercluster CR config of your cluster to mount the k8s secret containing the jks file
  • use the zoo.cfg configs that you posted in the config.additionalConfigs map in the cluster config

Let me know if it works for you.

dobrerazvan avatar Dec 15 '21 13:12 dobrerazvan
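The three steps above, written out as an added example (this script is not part of the zookeeper-operator project and was not posted in this thread). It assumes `openssl`, `keytool` and `kubectl` are on PATH, that the CRD is `zookeeper.pravega.io/v1beta1` / `ZookeeperCluster` with `spec.config.additionalConfig`, `spec.volumes` and `spec.volumeMounts` as the comment describes, a Secret named `zk-tls` and a mount path of `/etc/zookeeper-tls` matching the zoo.cfg snippet from the first post. The manifest renderer is a pure function so the generated CR can be inspected before anything is applied.

```shell
#!/bin/sh
# Added example, not project code. Assumed names: Secret "zk-tls",
# mount path /etc/zookeeper-tls, apiVersion zookeeper.pravega.io/v1beta1.
set -eu

# Step 1: PEM cert + key -> PKCS12 -> JKS (openssl and keytool assumed on PATH).
pem_to_jks() {
  cert="$1"; key="$2"; out="$3"; pass="$4"
  openssl pkcs12 -export -in "$cert" -inkey "$key" -name zk \
    -out "${out%.jks}.p12" -passout "pass:$pass"
  keytool -importkeystore -noprompt \
    -srckeystore "${out%.jks}.p12" -srcstoretype PKCS12 -srcstorepass "$pass" \
    -destkeystore "$out" -deststoretype JKS -deststorepass "$pass"
  rm -f "${out%.jks}.p12"   # do not leave a second copy of the key around
}

# Step 2: package keystore + CA bundle as a Secret (kubectl assumed on PATH).
# The file names inside the Secret must match the paths in zoo.cfg.
make_tls_secret() {
  ns="$1"; name="$2"; jks="$3"; cacert="$4"
  kubectl -n "$ns" create secret generic "$name" \
    --from-file=zk.jks="$jks" --from-file=cacert.pem="$cacert" \
    --dry-run=client -o yaml | kubectl -n "$ns" apply -f -
}

# Step 3: render the ZookeeperCluster CR. additionalConfig is a string map,
# so numeric/boolean values are quoted. Settings are those from the first post.
render_zk_tls_cr() {
  name="$1"; ns="$2"; secret="$3"; pass="$4"; replicas="${5:-3}"
  cat <<EOF
apiVersion: zookeeper.pravega.io/v1beta1
kind: ZookeeperCluster
metadata:
  name: $name
  namespace: $ns
spec:
  replicas: $replicas
  config:
    additionalConfig:
      secureClientPort: "2281"
      serverCnxnFactory: org.apache.zookeeper.server.NettyServerCnxnFactory
      ssl.keyStore.location: /etc/zookeeper-tls/zk.jks
      ssl.keyStore.password: "$pass"
      ssl.trustStore.location: /etc/zookeeper-tls/cacert.pem
      sslQuorum: "true"
      ssl.quorum.keyStore.location: /etc/zookeeper-tls/zk.jks
      ssl.quorum.keyStore.password: "$pass"
      ssl.quorum.trustStore.location: /etc/zookeeper-tls/cacert.pem
  volumes:
    - name: zk-tls
      secret:
        secretName: $secret
  volumeMounts:
    - name: zk-tls
      mountPath: /etc/zookeeper-tls
      readOnly: true
EOF
}

# Usage: sh zk-tls.sh apply <namespace> <server.pem> <server-key.pem> <cacert.pem>
# With no arguments the script only defines the functions above.
if [ "${1:-}" = "apply" ]; then
  NS="$2"
  PASS=$(openssl rand -hex 16)          # fresh random keystore password per run
  pem_to_jks "$3" "$4" ./zk.jks "$PASS"
  make_tls_secret "$NS" zk-tls ./zk.jks "$5"
  render_zk_tls_cr zookeeper "$NS" zk-tls "$PASS" | kubectl -n "$NS" apply -f -
  rm -f ./zk.jks
fi
```

Two points worth checking after applying this: the keystore password passed through `additionalConfig` is written into the operator's generated zoo.cfg, so it ends up in a ConfigMap rather than only in the Secret; restrict read access to that namespace accordingly and use a throwaway random password as above. To confirm the secure port is actually serving TLS, `openssl s_client -connect <pod>:2281 -CAfile cacert.pem` should complete a handshake against the certificate you packaged; whether the server also demands a client certificate depends on ZooKeeper's `ssl.clientAuth` setting, which this example leaves at its default.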

@dobrerazvan thanks! We can try to integrate the operator to replace our manual resource definition here. cc @jeblair

TristanCacqueray avatar Dec 15 '21 14:12 TristanCacqueray

@dobrerazvan I have followed your steps and TLS is working perfectly on the zk quorum, but I have an issue. When implementing TLS on the zk quorum I'm using 2281 as the secureClientPort, but how can I add this new port permanently to zk-client-service? There is only one client port available now in the client service, which is 2181. Is there scope to use 2181 as the secureClientPort, as it is already the clientPort? Can you help me with this as well?

subhranil05 avatar Apr 27 '23 12:04 subhranil05