<div dir="ltr">Hi Carsten,<div><br></div><div><div>That is unfortunate. I have created <a href="https://github.com/EnMasseProject/enmasse/issues/70">https://github.com/EnMasseProject/enmasse/issues/70</a> and pushed a fix. I will merge it once CI is done with it.</div><div><br></div><div>We will redesign how certificates are passed to the API as part of changing to the new address model, so passing certificates will likely be more explicit and potentially with options like using acme for signing and renewal. </div></div><div><br></div><div>I will close the issue when a snapshot with the fix has been pushed.</div><div><br></div><div>Thanks,</div><div><br></div><div>Ulf</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Jul 4, 2017 at 3:55 PM, Lohmann Carsten (INST/ECS4) <span dir="ltr"><<a href="mailto:Carsten.Lohmann@bosch-si.com" target="_blank">Carsten.Lohmann@bosch-si.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class=""><br>
> For certs, you can edit the certificates used by the router by creating/editing the secret 'certs-$namespace'<br>
> where $namespace is the namespace where you deployed EnMasse to, which will be used for external connections.<br>
<br>
</span>What would creating/editing the secret 'certs-$namespace' mean exactly?<br>
<br>
When I create the secret before deploying EnMasse, there is an exception in the address controller when creating the instance.<br>
---<br>
2017-07-03T11:43:34.432591236Z 2017-07-03 11:43:34 INFO  InstanceManagerImpl:38 - Creating instance id=hono,namespace=hono<br>
2017-07-03T11:43:34.460022656Z 2017-07-03 11:43:34 ERROR WatcherVerticle:46 - Error starting watch<br>
2017-07-03T11:43:34.460045324Z io.fabric8.kubernetes.client.<wbr>KubernetesClientException: Failure executing: POST at: <a href="https://10.3.0.1/api/v1/namespaces/hono/secrets" rel="noreferrer" target="_blank">https://10.3.0.1/api/v1/<wbr>namespaces/hono/secrets</a>. Message: secrets "certs-hono" already exists. Received status: Status(apiVersion=v1, code=409, details=StatusDetails(causes=[<wbr>], group=null, kind=secrets, name=certs-hono, retryAfterSeconds=null, additionalProperties={}), kind=Status, message=secrets "certs-hono" already exists, metadata=ListMeta(<wbr>resourceVersion=null, selfLink=null, additionalProperties={}), reason=AlreadyExists, status=Failure, additionalProperties={}).<br>
2017-07-03T11:43:34.460051673Z  at io.fabric8.kubernetes.client.<wbr>dsl.base.OperationSupport.<wbr>requestFailure(<wbr>OperationSupport.java:470)<br>
2017-07-03T11:43:34.460055572Z  at io.fabric8.kubernetes.client.<wbr>dsl.base.OperationSupport.<wbr>assertResponseCode(<wbr>OperationSupport.java:409)<br>
2017-07-03T11:43:34.460059048Z  at io.fabric8.kubernetes.client.<wbr>dsl.base.OperationSupport.<wbr>handleResponse(<wbr>OperationSupport.java:379)<br>
2017-07-03T11:43:34.460062494Z  at io.fabric8.kubernetes.client.<wbr>dsl.base.OperationSupport.<wbr>handleResponse(<wbr>OperationSupport.java:343)<br>
2017-07-03T11:43:34.460066135Z  at io.fabric8.kubernetes.client.<wbr>dsl.base.OperationSupport.<wbr>handleCreate(OperationSupport.<wbr>java:226)<br>
2017-07-03T11:43:34.460073634Z  at io.fabric8.kubernetes.client.<wbr>dsl.base.BaseOperation.<wbr>handleCreate(BaseOperation.<wbr>java:741)<br>
2017-07-03T11:43:34.460077044Z  at io.fabric8.kubernetes.client.<wbr>dsl.base.BaseOperation.create(<wbr>BaseOperation.java:334)<br>
2017-07-03T11:43:34.460080377Z  at io.fabric8.kubernetes.client.<wbr>dsl.base.BaseOperation$1.<wbr>apply(BaseOperation.java:351)<br>
2017-07-03T11:43:34.46008363Z   at io.fabric8.kubernetes.api.<wbr>model.DoneableSecret.done(<wbr>DoneableSecret.java:26)<br>
2017-07-03T11:43:34.460087035Z  at enmasse.controller.common.<wbr>KubernetesHelper.<wbr>createInstanceSecret(<wbr>KubernetesHelper.java:237)<br>
2017-07-03T11:43:34.460090432Z  at enmasse.controller.instance.<wbr>InstanceManagerImpl.create(<wbr>InstanceManagerImpl.java:44)<br>
2017-07-03T11:43:34.460093532Z  at enmasse.controller.instance.<wbr>InstanceController.<wbr>createInstances(<wbr>InstanceController.java:104)<br>
2017-07-03T11:43:34.460096664Z  at enmasse.controller.instance.<wbr>InstanceController.<wbr>resourcesUpdated(<wbr>InstanceController.java:86)<br>
2017-07-03T11:43:34.460099732Z  at enmasse.controller.common.<wbr>WatcherVerticle.lambda$start$<wbr>1(WatcherVerticle.java:36)<br>
2017-07-03T11:43:34.460116207Z  at io.vertx.core.impl.<wbr>ContextImpl.lambda$<wbr>executeBlocking$1(ContextImpl.<wbr>java:271)<br>
---<br>
<br>
Updating the secret afterwards would mean having to restart the qdrouter pod, I guess, and would therefore not be such a good solution.<br>
<br>
<br>
Best regards<br>
<br>
 Carsten Lohmann<br>
<span class=""><br>
(INST/ECS4)<br>
Bosch Software Innovations GmbH | Schöneberger Ufer 89-91 | 10785 Berlin | GERMANY | <a href="http://www.bosch-si.com" rel="noreferrer" target="_blank">www.bosch-si.com</a><br>
</span><span class="">Tel. <a href="tel:%2B49%2030%20726112-130" value="+4930726112130">+49 30 726112-130</a> | Fax <a href="tel:%2B49%2030%20726112-100" value="+4930726112100">+49 30 726112-100</a> | <a href="mailto:carsten.lohmann@bosch-si.com">carsten.lohmann@bosch-si.com</a><br>
<br>
</span><span class="">Registered office: Berlin, Register court: Amtsgericht Charlottenburg; HRB 148411 B<br>
Executive board: Dr.-Ing. Rainer Kallenbach, Michael Hahn<br>
<br>
<br>
<br>
</span>-----Original Message-----<br>
<span class="">From: Ulf Lilleengen [mailto:<a href="mailto:ulilleen@redhat.com">ulilleen@redhat.com</a>]<br>
</span><span class="">Sent: Friday, 16 June 2017 14:30<br>
</span>To: Lohmann Carsten (INST/ECS4) <<a href="mailto:Carsten.Lohmann@bosch-si.com">Carsten.Lohmann@bosch-si.com</a>><wbr>; <a href="mailto:enmasse@redhat.com">enmasse@redhat.com</a><br>
Subject: Re: [EnMasse] Adapting the EnMasse deployment<br>
<div class="HOEnZb"><div class="h5"><br>
On 16 June 2017 12:44, Ulf Lilleengen wrote:<br>
> On 16 June 2017 12:08, Lohmann Carsten (INST/ECS4) wrote:<br>
>> Hi Ulf,<br>
>><br>
>>>  Out of curiosity, what is it that you wish to modify in this config?<br>
>><br>
>> We want to use a config similar to the one used in Hono:<br>
>><br>
>> <a href="https://github.com/eclipse/hono/blob/master/dispatchrouter/qpid/qdrouterd-with-broker.json" rel="noreferrer" target="_blank">https://github.com/eclipse/hono/blob/master/dispatchrouter/qpid/qdrouterd-with-broker.json</a><br>
>><br>
>>  > I.e. with our sslProfile / certificates and vhost definitions.<br>
>><br>
><br>
> One thing to look out for there is that the enmasse router config is<br>
> created dynamically from a static fixed template + configuration from<br>
> the router agent (address config for instance).<br>
><br>
> To make it work properly in EnMasse, you have to merge that config<br>
> with the static enmasse router config:<br>
><br>
> <a href="https://github.com/EnMasseProject/dockerfiles/blob/master/qdrouterd/qdrouterd.conf.template" rel="noreferrer" target="_blank">https://github.com/EnMasseProject/dockerfiles/blob/master/qdrouterd/qdrouterd.conf.template</a><br>
><br>
><br>
<br>
Just to elaborate on this part: Eventually we hope to provide a way in EnMasse to do this without overriding the router config. For certs, you can edit the certificates used by the router by creating/editing the secret 'certs-$namespace' where $namespace is the namespace where you deployed EnMasse to, which will be used for external connections.<br>
<br>
We intend to improve the certificate management in the near future in combination with Keycloak integration.<br>
<br>
How to add vhost definitions is something that needs more discussion, but we're working on a backlog so this is useful input.<br>
<br>
--<br>
Ulf<br>
<br>
</div></div><div class="HOEnZb"><div class="h5">______________________________<wbr>_________________<br>
enmasse mailing list<br>
<a href="mailto:enmasse@redhat.com">enmasse@redhat.com</a><br>
<a href="https://www.redhat.com/mailman/listinfo/enmasse" rel="noreferrer" target="_blank">https://www.redhat.com/<wbr>mailman/listinfo/enmasse</a><br>
</div></div></blockquote></div><br></div>
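<div>An added example, not part of the thread and not EnMasse or fabric8 code: a constructed model of the 409 AlreadyExists conflict in the stack trace above, showing an unconditional create beside a create-if-absent variant that keeps an operator-supplied certificate secret instead of failing or overwriting it. FakeSecretsApi, ApiError, both function names and the "cert" data key are hypothetical; the actual fix for issue 70 is not shown on this page.</div>

```python
class ApiError(Exception):
    """Constructed stand-in for an API-server error response."""
    def __init__(self, code, reason):
        super().__init__(f"{code} {reason}")
        self.code, self.reason = code, reason


class FakeSecretsApi:
    """In-memory stand-in for GET/POST on /api/v1/namespaces/{ns}/secrets."""
    def __init__(self):
        self._store = {}

    def get(self, namespace, name):
        return self._store.get((namespace, name))

    def create(self, namespace, name, data):
        if (namespace, name) in self._store:
            # Same status and reason as in the logged exception.
            raise ApiError(409, "AlreadyExists")
        self._store[(namespace, name)] = dict(data)
        return self._store[(namespace, name)]


def create_instance_secret_naive(api, namespace, generated):
    # Unconditional create: raises 409 if the secret was created beforehand.
    return api.create(namespace, f"certs-{namespace}", generated)


def ensure_instance_secret(api, namespace, generated):
    """Create certs-{namespace} only if absent; never replace existing certs."""
    name = f"certs-{namespace}"
    existing = api.get(namespace, name)
    if existing is not None:
        return existing, "kept-existing"
    try:
        return api.create(namespace, name, generated), "created"
    except ApiError as err:
        if err.code != 409:
            raise
        # Another writer created it between our GET and POST: use theirs.
        return api.get(namespace, name), "kept-existing"
```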