[EnMasse] Adapting the EnMasse deployment

Ulf Lilleengen lulf at redhat.com
Tue Jul 4 14:12:11 UTC 2017


Hi Carsten,

That is unfortunate. I have created
https://github.com/EnMasseProject/enmasse/issues/70 and pushed a fix. I
will merge it once CI is done with it.

We will redesign how certificates are passed to the API as part of changing
to the new address model, so passing certificates will likely be more
explicit and potentially with options like using ACME for signing and
renewal.

I will close the issue when a snapshot with the fix has been pushed.

Thanks,

Ulf

On Tue, Jul 4, 2017 at 3:55 PM, Lohmann Carsten (INST/ECS4) <
Carsten.Lohmann at bosch-si.com> wrote:

>
> > For certs, you can edit the certificates used by the router by
> creating/editing the secret 'certs-$namespace'
> > where $namespace is the namespace where you deployed EnMasse to, which
> will be used for external connections.
>
> What would creating/editing the secret 'certs-$namespace' mean
> exactly?
>
> When I create the secret before deploying EnMasse, there is an exception
> in the address controller when creating the instance.
> ---
> 2017-07-03T11:43:34.432591236Z 2017-07-03 11:43:34 INFO InstanceManagerImpl:38 - Creating instance id=hono,namespace=hono
> 2017-07-03T11:43:34.460022656Z 2017-07-03 11:43:34 ERROR WatcherVerticle:46 - Error starting watch
> 2017-07-03T11:43:34.460045324Z io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: POST at: https://10.3.0.1/api/v1/namespaces/hono/secrets. Message: secrets "certs-hono" already exists. Received status: Status(apiVersion=v1, code=409, details=StatusDetails(causes=[], group=null, kind=secrets, name=certs-hono, retryAfterSeconds=null, additionalProperties={}), kind=Status, message=secrets "certs-hono" already exists, metadata=ListMeta(resourceVersion=null, selfLink=null, additionalProperties={}), reason=AlreadyExists, status=Failure, additionalProperties={}).
> 2017-07-03T11:43:34.460051673Z  at io.fabric8.kubernetes.client.dsl.base.OperationSupport.requestFailure(OperationSupport.java:470)
> 2017-07-03T11:43:34.460055572Z  at io.fabric8.kubernetes.client.dsl.base.OperationSupport.assertResponseCode(OperationSupport.java:409)
> 2017-07-03T11:43:34.460059048Z  at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:379)
> 2017-07-03T11:43:34.460062494Z  at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:343)
> 2017-07-03T11:43:34.460066135Z  at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleCreate(OperationSupport.java:226)
> 2017-07-03T11:43:34.460073634Z  at io.fabric8.kubernetes.client.dsl.base.BaseOperation.handleCreate(BaseOperation.java:741)
> 2017-07-03T11:43:34.460077044Z  at io.fabric8.kubernetes.client.dsl.base.BaseOperation.create(BaseOperation.java:334)
> 2017-07-03T11:43:34.460080377Z  at io.fabric8.kubernetes.client.dsl.base.BaseOperation$1.apply(BaseOperation.java:351)
> 2017-07-03T11:43:34.46008363Z   at io.fabric8.kubernetes.api.model.DoneableSecret.done(DoneableSecret.java:26)
> 2017-07-03T11:43:34.460087035Z  at enmasse.controller.common.KubernetesHelper.createInstanceSecret(KubernetesHelper.java:237)
> 2017-07-03T11:43:34.460090432Z  at enmasse.controller.instance.InstanceManagerImpl.create(InstanceManagerImpl.java:44)
> 2017-07-03T11:43:34.460093532Z  at enmasse.controller.instance.InstanceController.createInstances(InstanceController.java:104)
> 2017-07-03T11:43:34.460096664Z  at enmasse.controller.instance.InstanceController.resourcesUpdated(InstanceController.java:86)
> 2017-07-03T11:43:34.460099732Z  at enmasse.controller.common.WatcherVerticle.lambda$start$1(WatcherVerticle.java:36)
> 2017-07-03T11:43:34.460116207Z  at io.vertx.core.impl.ContextImpl.lambda$executeBlocking$1(ContextImpl.java:271)
> ---
> ---
>
> Updating the secret afterwards would mean having to restart the qdrouter
> pod, I guess, and would therefore be not such a good solution.
>
>
> Best regards
>
>  Carsten Lohmann
>
> (INST/ECS4)
> Bosch Software Innovations GmbH | Schöneberger Ufer 89-91 | 10785 Berlin |
> GERMANY | www.bosch-si.com
> Tel. +49 30 726112-130 | Fax +49 30 726112-100 |
> carsten.lohmann at bosch-si.com
>
> Registered office: Berlin, Register court: Amtsgericht Charlottenburg; HRB 148411 B
> Managing Directors: Dr.-Ing. Rainer Kallenbach, Michael Hahn
>
>
>
> -----Original Message-----
> From: Ulf Lilleengen [mailto:ulilleen at redhat.com]
> Sent: Friday, 16 June 2017 14:30
> To: Lohmann Carsten (INST/ECS4) <Carsten.Lohmann at bosch-si.com>;
> enmasse at redhat.com
> Subject: Re: [EnMasse] Adapting the EnMasse deployment
>
> On 16 June 2017 12:44, Ulf Lilleengen wrote:
> > On 16 June 2017 12:08, Lohmann Carsten (INST/ECS4) wrote:
> >> Hi Ulf,
> >>
> >>>  Out of curiosity, what is it that you wish to modify in this config?
> >>
> >> We want to use a config similar to the one used in Hono:
> >>
> >> https://github.com/eclipse/hono/blob/master/dispatchrouter/qpid/qdrou
> >> terd-with-broker.json
> >>
> >>  > I.e. with our sslProfile / certificates and vhost definitions.
> >>
> >
> > One thing to look out for there is that the enmasse router config is
> > created dynamically from a static fixed template + configuration from
> > the router agent (address config for instance).
> >
> > To make it work properly in EnMasse, you have to merge that config
> > with the static enmasse router config:
> >
> > https://github.com/EnMasseProject/dockerfiles/blob/master/qdrouterd/qd
> > routerd.conf.template
> >
> >
>
> Just to elaborate on this part: Eventually we hope to provide a way in
> EnMasse to do this without overriding the router config. For certs, you can
> edit the certificates used by the router by creating/editing the secret
> 'certs-$namespace' where $namespace is the namespace where you deployed
> EnMasse to, which will be used for external connections.
>
> We intend to improve the certificate management in the near future in
> combination with keycloak integration.
>
> How to add vhost definitions is something that needs more discussion, but
> we're working on a backlog so this is useful input.
>
> --
> Ulf
>
> _______________________________________________
> enmasse mailing list
> enmasse at redhat.com
> https://www.redhat.com/mailman/listinfo/enmasse
>