  • Followed instructions here to create a local 3 node secure cluster
  • Got the go example app running with the following DB connection string to connect to the secure cluster

    sql.Open("postgres", "postgresql://root@localhost:26257/dbname?sslmode=verify-full&sslrootcert=<location of ca.crt>&sslcert=<location of client.root.crt>&sslkey=<location of client.root.key>")

CockroachDB worked well locally, so I decided to move the DB (as in the DB solution and not the actual data) to GCP Kubernetes Engine using the instructions here.

Everything worked fine - pods were created and I could use the built-in SQL client from the cloud console.

Now I want to use the previous example app to connect to this new cloud DB. I created a load balancer using the kubectl expose command and got a public IP to use in the code.

How do I get the new ca.crt, client.root.crt, client.root.key files to use in my connection string for the DB running on GCP?

We have 5+ developers and the idea is to have them write code on their local machines and connect to the cloud db using the connection strings and the certificates.

Or is there a better way to let 5+ developers use a single DEV DB cluster running on GCP?


1 Answer

The recommended way to run against a Kubernetes CockroachDB cluster is to have your apps run in the same cluster. This makes certificate generation fairly simple. See the built-in SQL client example and its config file.

The config above uses an init container to send a CSR for client certificates and makes them available to the container (in this case just the cockroach sql client, but it would be anything else).

If you wish to run a client outside the Kubernetes cluster, the simplest way is to copy the generated certs directly from the client pod. It's recommended to use a non-root user:

  • create the user through the SQL command
  • modify the client-secure.yaml config for your new user and start the new client pod
  • approve the CSR for the client certificate
  • wait for the pod to finish initializing
  • copy the ca.crt, client.<username>.crt and client.<username>.key from the pod onto your local machine

Note: the public DNS name or IP address of your Kubernetes cluster is most likely not included in the node certificates. You either need to modify the list of hostnames/addresses before bringing up the nodes, or change your connection URL to sslmode=verify-ca (see client connection parameters for details).

Alternatively, you could use password authentication in which case you would only need the CA certificate.

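The two practical points of the answer, the copied client certificate files going into the connection URL and the node certificate deciding whether verify-full can work at all, as an added Go example (not code from the question, the answer or CockroachDB itself). The node certificate is a constructed self-signed stand-in whose SANs list only in-cluster names, the user name appuser and the address 203.0.113.10 are assumptions:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net/url"
)

// BuildDSN assembles the client URL from the ca.crt and client.<user>.{crt,key}
// copied out of the client pod; only the two modes that verify the node cert are allowed.
func BuildDSN(user, host string, port int, dbName, certDir, sslMode string) (string, error) {
	if sslMode != "verify-full" && sslMode != "verify-ca" {
		return "", fmt.Errorf("refusing sslmode=%q: use verify-full or verify-ca", sslMode)
	}
	q := url.Values{}
	q.Set("sslmode", sslMode)
	q.Set("sslrootcert", certDir+"/ca.crt")
	q.Set("sslcert", certDir+"/client."+user+".crt")
	q.Set("sslkey", certDir+"/client."+user+".key")
	return fmt.Sprintf("postgresql://%s@%s:%d/%s?%s", user, host, port, dbName, q.Encode()), nil
}

// ChooseSSLMode: verify-full needs the dialed host among the node cert's SANs;
// a load balancer IP the nodes were never told about forces verify-ca.
func ChooseSSLMode(nodeCert *x509.Certificate, host string) string {
	if nodeCert.VerifyHostname(host) == nil {
		return "verify-full"
	}
	return "verify-ca"
}

// ConstructedNodeCert is a self-signed stand-in listing only in-cluster names (sample data).
func ConstructedNodeCert() *x509.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{"localhost", "cockroachdb-public", "cockroachdb-public.default.svc.cluster.local"},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

func main() {
	mode := ChooseSSLMode(ConstructedNodeCert(), "203.0.113.10") // -> verify-ca
	dsn, err := BuildDSN("appuser", "203.0.113.10", 26257, "dbname", "./certs", mode)
	fmt.Println(dsn, err)
}
```

In a real deployment read the node certificate from a running node (or add the load balancer address to the node SAN list before bringing the nodes up, as the note says) instead of the constructed one.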
  • Sorry, I am new to GCP and Kubernetes. How do I do this: `copy the ca.crt, client.<username>.crt and client.<username>.key from the pod onto your local machine` – samstride Aug 16 '18 at 00:01
  • You can use `kubectl cp <namespace>/<pod>:/cockroach-certs certs` where the pod is one that was initialized with the desired client certificate and key (and also has the CA certificate). I'll emphasize again that it's better to run the clients inside the Kubernetes cluster. – Marc Aug 16 '18 at 00:14
  • Thanks, kubectl cp worked (however, the ca.crt had symbolic links, so I had to get that from a different folder). I also had to change sslmode to `verify-ca`. OK, I am going to mark the question as answered. A few more things around the recommendation. We have a Golang web app that connects to CockroachDB. We also have 5+ devs and we want to share the DB but not the code on the local machine. What is the best way to do this? Also, if the web app runs in the same cluster, I am guessing that I don't need a load balancer and I just use the client pod? Is that correct? – samstride Aug 16 '18 at 01:16
  • Hey, is there a tutorial to migrate the go-app to GCP so it can connect to the Kubernetes CockroachDB cluster on GCP? Basically, we want to move the go-app to GCP too, based on the recommendation to have the apps run in the same cluster. – samstride Sep 18 '18 at 03:47
  • You can modify the `client-secure` config linked above to run your docker image instead of the cockroachdb sql shell. – Marc Sep 18 '18 at 10:24