[EnMasse] Adapting the EnMasse deployment

Lohmann Carsten (INST/ECS4) Carsten.Lohmann at bosch-si.com
Tue Jul 4 13:55:02 UTC 2017


> For certs, you can edit the certificates used by the router by creating/editing the secret 'certs-$namespace' 
> where $namespace is the namespace where you deployed EnMasse to, which will be used for external connections.

What would creating/editing the 'certs-$namespace' secret mean exactly?

When I create the secret before deploying EnMasse, there is an exception in the address controller when creating the instance. 
---
2017-07-03T11:43:34.432591236Z 2017-07-03 11:43:34 INFO  InstanceManagerImpl:38 - Creating instance id=hono,namespace=hono
2017-07-03T11:43:34.460022656Z 2017-07-03 11:43:34 ERROR WatcherVerticle:46 - Error starting watch
2017-07-03T11:43:34.460045324Z io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: POST at: https://10.3.0.1/api/v1/namespaces/hono/secrets. Message: secrets "certs-hono" already exists. Received status: Status(apiVersion=v1, code=409, details=StatusDetails(causes=[], group=null, kind=secrets, name=certs-hono, retryAfterSeconds=null, additionalProperties={}), kind=Status, message=secrets "certs-hono" already exists, metadata=ListMeta(resourceVersion=null, selfLink=null, additionalProperties={}), reason=AlreadyExists, status=Failure, additionalProperties={}).
2017-07-03T11:43:34.460051673Z 	at io.fabric8.kubernetes.client.dsl.base.OperationSupport.requestFailure(OperationSupport.java:470)
2017-07-03T11:43:34.460055572Z 	at io.fabric8.kubernetes.client.dsl.base.OperationSupport.assertResponseCode(OperationSupport.java:409)
2017-07-03T11:43:34.460059048Z 	at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:379)
2017-07-03T11:43:34.460062494Z 	at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:343)
2017-07-03T11:43:34.460066135Z 	at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleCreate(OperationSupport.java:226)
2017-07-03T11:43:34.460073634Z 	at io.fabric8.kubernetes.client.dsl.base.BaseOperation.handleCreate(BaseOperation.java:741)
2017-07-03T11:43:34.460077044Z 	at io.fabric8.kubernetes.client.dsl.base.BaseOperation.create(BaseOperation.java:334)
2017-07-03T11:43:34.460080377Z 	at io.fabric8.kubernetes.client.dsl.base.BaseOperation$1.apply(BaseOperation.java:351)
2017-07-03T11:43:34.46008363Z 	at io.fabric8.kubernetes.api.model.DoneableSecret.done(DoneableSecret.java:26)
2017-07-03T11:43:34.460087035Z 	at enmasse.controller.common.KubernetesHelper.createInstanceSecret(KubernetesHelper.java:237)
2017-07-03T11:43:34.460090432Z 	at enmasse.controller.instance.InstanceManagerImpl.create(InstanceManagerImpl.java:44)
2017-07-03T11:43:34.460093532Z 	at enmasse.controller.instance.InstanceController.createInstances(InstanceController.java:104)
2017-07-03T11:43:34.460096664Z 	at enmasse.controller.instance.InstanceController.resourcesUpdated(InstanceController.java:86)
2017-07-03T11:43:34.460099732Z 	at enmasse.controller.common.WatcherVerticle.lambda$start$1(WatcherVerticle.java:36)
2017-07-03T11:43:34.460116207Z 	at io.vertx.core.impl.ContextImpl.lambda$executeBlocking$1(ContextImpl.java:271)
---

Updating the secret afterwards would mean having to restart the qdrouter pod, I guess, and would therefore not be such a good solution.


Best regards

 Carsten Lohmann

(INST/ECS4) 
Bosch Software Innovations GmbH | Schöneberger Ufer 89-91 | 10785 Berlin | GERMANY | www.bosch-si.com
Tel. +49 30 726112-130 | Fax +49 30 726112-100 | carsten.lohmann at bosch-si.com

Registered office: Berlin, Register court: Amtsgericht Charlottenburg; HRB 148411 B
Management: Dr.-Ing. Rainer Kallenbach, Michael Hahn



-----Original Message-----
From: Ulf Lilleengen [mailto:ulilleen at redhat.com]
Sent: Friday, 16 June 2017 14:30
To: Lohmann Carsten (INST/ECS4) <Carsten.Lohmann at bosch-si.com>; enmasse at redhat.com
Subject: Re: [EnMasse] Adapting the EnMasse deployment

On 16 June 2017 12:44, Ulf Lilleengen wrote:
> On 16 June 2017 12:08, Lohmann Carsten (INST/ECS4) wrote:
>> Hi Ulf,
>>
>>>  Out of curiosity, what is it that you wish to modify in this config?
>>
>> We want to use a config similar to the one used in Hono:
>>
>> https://github.com/eclipse/hono/blob/master/dispatchrouter/qpid/qdrouterd-with-broker.json
>>
>>  > I.e. with our sslProfile / certificates and vhost definitions.
>>
> 
> One thing to look out for there is that the enmasse router config is 
> created dynamically from a static fixed template + configuration from 
> the router agent (address config for instance).
> 
> To make it work properly in EnMasse, you have to merge that config 
> with the static enmasse router config:
> 
> https://github.com/EnMasseProject/dockerfiles/blob/master/qdrouterd/qdrouterd.conf.template
> 
> 

Just to elaborate on this part: Eventually we hope to provide a way in EnMasse to do this without overriding the router config. For certs, you can edit the certificates used by the router by creating/editing the secret 'certs-$namespace' where $namespace is the namespace where you deployed EnMasse to, which will be used for external connections.

We intend to improve the certificate management in the near future in combination with keycloak integration.

How to add vhost definitions is something that needs more discussion, but we're working on a backlog so this is useful input.

--
Ulf
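The exchange above boils down to one operational detail: the address controller creates the 'certs-<namespace>' secret itself when the instance is created, so a secret created beforehand collides (the HTTP 409 "already exists" in the log), and a secret changed afterwards is only seen by the router once its pod is restarted. The following is an added example, not EnMasse project code, of the create-then-replace logic that handles the 409 case. The secret key names 'server-cert.pem' and 'server-key.pem' are placeholders (the thread does not state which file names the router expects), the PEM strings are constructed, and the Kubernetes client is injected so the code runs offline against an in-memory stand-in; a real kubernetes.client.CoreV1Api raises ApiException with a .status attribute, which is all upsert_secret relies on.

```python
"""Create-or-update the router certificate secret for an EnMasse instance.

Added example (not EnMasse project code). Assumptions, also flagged below:
secret key names are placeholders, sample PEMs are constructed, and the API
client is injected so the logic runs offline against FakeCoreV1Api.
"""
import base64


class ApiConflict(Exception):
    """Stand-in for the 409 'AlreadyExists' failure seen in the controller log."""
    status = 409


def secret_name(namespace: str) -> str:
    # EnMasse names the router cert secret 'certs-<namespace>' (from the thread).
    return f"certs-{namespace}"


def _require_pem(data: bytes, marker: bytes) -> None:
    # Minimal sanity check so a wrong file is rejected before it reaches the cluster.
    if marker not in data:
        raise ValueError(f"expected PEM block containing {marker.decode()}")


def build_secret(namespace: str, cert_pem: bytes, key_pem: bytes) -> dict:
    """Build a v1 Secret manifest; Kubernetes expects 'data' values base64-encoded."""
    _require_pem(cert_pem, b"-----BEGIN CERTIFICATE-----")
    _require_pem(key_pem, b"PRIVATE KEY-----")
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": secret_name(namespace), "namespace": namespace},
        "type": "Opaque",
        "data": {
            # Placeholder key names (assumption): the file names the router mounts are not given in the thread.
            "server-cert.pem": base64.b64encode(cert_pem).decode("ascii"),
            "server-key.pem": base64.b64encode(key_pem).decode("ascii"),
        },
    }


def upsert_secret(api, namespace: str, cert_pem: bytes, key_pem: bytes) -> str:
    """Try to create the secret; on 409 (already created by the address controller) replace it.

    Returns 'created' or 'replaced'. A replaced secret is not picked up by an
    already-running qdrouterd pod, so 'replaced' means a router restart is still needed.
    """
    body = build_secret(namespace, cert_pem, key_pem)
    try:
        api.create_namespaced_secret(namespace, body)
        return "created"
    except Exception as exc:
        if getattr(exc, "status", None) != 409:
            raise  # anything other than a conflict is a real failure
        api.replace_namespaced_secret(body["metadata"]["name"], namespace, body)
        return "replaced"


class FakeCoreV1Api:
    """In-memory stand-in for kubernetes.client.CoreV1Api (constructed for the offline demo)."""

    def __init__(self):
        self.store = {}

    def create_namespaced_secret(self, namespace, body):
        key = (namespace, body["metadata"]["name"])
        if key in self.store:
            raise ApiConflict(f'secrets "{key[1]}" already exists')
        self.store[key] = body

    def replace_namespaced_secret(self, name, namespace, body):
        self.store[(namespace, name)] = body

    def read_namespaced_secret(self, name, namespace):
        return self.store[(namespace, name)]


# Constructed sample PEMs (not real key material).
SAMPLE_CERT = b"-----BEGIN CERTIFICATE-----\nMIIB-constructed-sample\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = b"-----BEGIN PRIVATE KEY-----\nMIIE-constructed-sample\n-----END PRIVATE KEY-----\n"
OLD_CERT = b"-----BEGIN CERTIFICATE-----\nold\n-----END CERTIFICATE-----\n"
OLD_KEY = b"-----BEGIN PRIVATE KEY-----\nold\n-----END PRIVATE KEY-----\n"


def demo():
    api = FakeCoreV1Api()
    # Simulate the address controller having created certs-hono at instance creation.
    api.create_namespaced_secret("hono", build_secret("hono", OLD_CERT, OLD_KEY))
    outcome = upsert_secret(api, "hono", SAMPLE_CERT, SAMPLE_KEY)
    stored = api.read_namespaced_secret("certs-hono", "hono")
    return outcome, base64.b64decode(stored["data"]["server-cert.pem"]) == SAMPLE_CERT


if __name__ == "__main__":
    print(demo())  # -> ('replaced', True): restart the router pod to load the new cert
```

The create-then-replace sequence is the same thing an idempotent "apply" does; the return value is what matters operationally, because only a freshly created secret is guaranteed to be what the router reads at startup, while a replacement requires the restart Carsten mentions.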



