[EnMasse] Adapting the EnMasse deployment

Lohmann Carsten (INST/ECS4) Carsten.Lohmann at bosch-si.com
Tue Jul 4 15:33:51 UTC 2017


Hi Ulf,

Ok, thanks for the quick fix.

Best regards

Carsten Lohmann

(INST/ECS4)
Bosch Software Innovations GmbH | Schöneberger Ufer 89-91 | 10785 Berlin | GERMANY | www.bosch-si.com
Tel. +49 30 726112-130 | Fax +49 30 726112-100 | carsten.lohmann at bosch-si.com

Registered office: Berlin, Register court: Amtsgericht Charlottenburg; HRB 148411 B
Management: Dr.-Ing. Rainer Kallenbach, Michael Hahn



From: Ulf Lilleengen [mailto:lulf at redhat.com]
Sent: Tuesday, 4 July 2017 16:12
To: Lohmann Carsten (INST/ECS4) <Carsten.Lohmann at bosch-si.com>
Cc: enmasse at redhat.com
Subject: Re: [EnMasse] Adapting the EnMasse deployment

Hi Carsten,

That is unfortunate. I have created https://github.com/EnMasseProject/enmasse/issues/70 and pushed a fix. I will merge it once CI is done with it.

We will redesign how certificates are passed to the API as part of changing to the new address model, so passing certificates will likely be more explicit and potentially with options like using acme for signing and renewal.

I will close the issue when a snapshot with the fix has been pushed.

Thanks,

Ulf

On Tue, Jul 4, 2017 at 3:55 PM, Lohmann Carsten (INST/ECS4) <Carsten.Lohmann at bosch-si.com> wrote:

> For certs, you can edit the certificates used by the router by creating/editing the secret 'certs-$namespace'
> where $namespace is the namespace where you deployed EnMasse to, which will be used for external connections.

What would creating/editing the 'certs-$namespace' secret mean exactly?

When I create the secret before deploying EnMasse, there is an exception in the address controller when creating the instance.
---
2017-07-03T11:43:34.432591236Z 2017-07-03 11:43:34 INFO  InstanceManagerImpl:38 - Creating instance id=hono,namespace=hono
2017-07-03T11:43:34.460022656Z 2017-07-03 11:43:34 ERROR WatcherVerticle:46 - Error starting watch
2017-07-03T11:43:34.460045324Z io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: POST at: https://10.3.0.1/api/v1/namespaces/hono/secrets. Message: secrets "certs-hono" already exists. Received status: Status(apiVersion=v1, code=409, details=StatusDetails(causes=[], group=null, kind=secrets, name=certs-hono, retryAfterSeconds=null, additionalProperties={}), kind=Status, message=secrets "certs-hono" already exists, metadata=ListMeta(resourceVersion=null, selfLink=null, additionalProperties={}), reason=AlreadyExists, status=Failure, additionalProperties={}).
2017-07-03T11:43:34.460051673Z  at io.fabric8.kubernetes.client.dsl.base.OperationSupport.requestFailure(OperationSupport.java:470)
2017-07-03T11:43:34.460055572Z  at io.fabric8.kubernetes.client.dsl.base.OperationSupport.assertResponseCode(OperationSupport.java:409)
2017-07-03T11:43:34.460059048Z  at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:379)
2017-07-03T11:43:34.460062494Z  at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:343)
2017-07-03T11:43:34.460066135Z  at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleCreate(OperationSupport.java:226)
2017-07-03T11:43:34.460073634Z  at io.fabric8.kubernetes.client.dsl.base.BaseOperation.handleCreate(BaseOperation.java:741)
2017-07-03T11:43:34.460077044Z  at io.fabric8.kubernetes.client.dsl.base.BaseOperation.create(BaseOperation.java:334)
2017-07-03T11:43:34.460080377Z  at io.fabric8.kubernetes.client.dsl.base.BaseOperation$1.apply(BaseOperation.java:351)
2017-07-03T11:43:34.46008363Z   at io.fabric8.kubernetes.api.model.DoneableSecret.done(DoneableSecret.java:26)
2017-07-03T11:43:34.460087035Z  at enmasse.controller.common.KubernetesHelper.createInstanceSecret(KubernetesHelper.java:237)
2017-07-03T11:43:34.460090432Z  at enmasse.controller.instance.InstanceManagerImpl.create(InstanceManagerImpl.java:44)
2017-07-03T11:43:34.460093532Z  at enmasse.controller.instance.InstanceController.createInstances(InstanceController.java:104)
2017-07-03T11:43:34.460096664Z  at enmasse.controller.instance.InstanceController.resourcesUpdated(InstanceController.java:86)
2017-07-03T11:43:34.460099732Z  at enmasse.controller.common.WatcherVerticle.lambda$start$1(WatcherVerticle.java:36)
2017-07-03T11:43:34.460116207Z  at io.vertx.core.impl.ContextImpl.lambda$executeBlocking$1(ContextImpl.java:271)
---

Updating the secret afterwards would mean having to restart the qdrouter pod, I guess, and would therefore not be such a good solution.


Best regards

 Carsten Lohmann




-----Original Message-----
From: Ulf Lilleengen [mailto:ulilleen at redhat.com]
Sent: Friday, 16 June 2017 14:30
To: Lohmann Carsten (INST/ECS4) <Carsten.Lohmann at bosch-si.com>; enmasse at redhat.com
Subject: Re: [EnMasse] Adapting the EnMasse deployment

On 16 June 2017 12:44, Ulf Lilleengen wrote:
> On 16 June 2017 12:08, Lohmann Carsten (INST/ECS4) wrote:
>> Hi Ulf,
>>
>>>  Out of curiosity, what is it that you wish to modify in this config?
>>
>> We want to use a config similar to the one used in Hono:
>>
>> https://github.com/eclipse/hono/blob/master/dispatchrouter/qpid/qdrouterd-with-broker.json
>>
>> I.e. with our sslProfile / certificates and vhost definitions.
>>
>
> One thing to look out for there is that the enmasse router config is
> created dynamically from a static fixed template + configuration from
> the router agent (address config for instance).
>
> To make it work properly in EnMasse, you have to merge that config
> with the static enmasse router config:
>
> https://github.com/EnMasseProject/dockerfiles/blob/master/qdrouterd/qdrouterd.conf.template
>
>

Just to elaborate on this part: Eventually we hope to provide a way in EnMasse to do this without overriding the router config. For certs, you can edit the certificates used by the router by creating/editing the secret 'certs-$namespace' where $namespace is the namespace where you deployed EnMasse to, which will be used for external connections.

We intend to improve the certificate management in the near future in combination with keycloak integration.

How to add vhost definitions is something that needs more discussion, but we're working on a backlog so this is useful input.

--
Ulf