Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
GitLab / Distribution Team Demos / 19 Nov 2020
GitLab / Distribution Team Demos / 19 Nov 2020
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Distribution Team Demo - November 19 2020

Description

The team demos the upcoming addition of TLS certs support for praefect in the GitLab Helm Charts.

A

Hi, hello, everyone and welcome to this week's distribution uh demo. um This week we are going to uh use one of the active mr's for supporting tls and profit.

A

uh This one was scheduled to be merged in 13.6, but due to some issues, it has been postponed and hopefully we can get it through in 13.7.

A

um One thing that I want to show you this week is uh the I want to stress on that, and it was pointed out by robert is that the difficulty of setting up tls for italy and profit so without further ado. Let's start with uh going through this uh this, mr um I link the mr to this. Is the mr. I linked it to the distribution demo notes as well, so allow me to just go through it and there is a documentation here. So, let's open the documentation.

A

And this one is for.

A

Italy.

A

Doesn't seem to be right, this was nothing one that we wanted.

A

Yes, so for this demo um you're not going to use search manager, we are going to use um self signed certificate uh that is generated by the chart itself.

A

It was believed that it is going to collide with the self-signed certificates that we generate for profit and italy, but as a matter of fact, it doesn't have the any side effect. The issue was somewhere else, which I'm gonna show you so uh this. This is the set of values that you're going to use.

A

I'm going to install.

A

Just let me make sure that I have the right.

A

Okay,.

A

Let's install it from the instance from the branch- and this is the set of values you see here.

A

So these two secrets are not uh these two sections are are just let me see, I I think we have deleted those.

A

Secrets.

A

um

A

Just allow me to cancel that I didn't want to use the existing secrets. I just wanted to make sure that we have the we are going to start with a clean slate uh namespace, so I'm gonna remove the secrets and I'm going to go through the generation of secrets as well, so to enable tls on italy and profit we need to generate. The problem is that we need to generate the secrets manually. The user has to generate the secrets manually both for profit and the.

A

Shoot right here.

A

Both for profit and italy, the success needs to be generated manually and we provide an additional script to do that, but that the script actually turned out to be problematic, and I will show you how and where. So just let me delete the namespace.

A

So we can start from nothing that is there, and the script is right here.

A

So this is the script that is used, I'm going to show you here's the script. This could actually generate certificates. This was intended to generate certificates for gita lee and what it does it generates: certificates for the pods of kitaly service, star, dot, italy, dot, name space that is vc and using the same script for profit is problematic because uh when user, when we are connecting to italy endpoints, we are connecting to it to its pods.

A

But when we are working with profit, we are actually working with its headless service. So the problem was just the the the wildcard certificate, so this script needed to be fixed like this. So there are two dns entries here: one is for the pods and the other one is actually for the service, so by default. This script generates uh italy for um tls certificates.

A

For for italy in namespace, in default name space, and, to be honest with you, this is not a very easy script to use and we are directing users to use this script to generate certificates, tls certificates in our documentation, and it actually generates a lot of confusion.

A

So here's the process, so we recommend using the service the the script that we have here without any further explanation. Actually there are some comments on top of the service, but not enough, so I'm going to generate the.

A

uh This is for profit. I can generate one for.

A

Detailing.

A

These are certificates and keys that are generated for digitally and traffic and they need to be generated separately. So, let's take a look at the.

A

Certificates, I'm just double checking here. This is the fix that was applied to this.

A

Script same thing: for italy as well.

A

Okay, now.

A

I think we have deleted the name space, let's um create the namespace.

A

And now, let's follow the this script here, I'm just copying and pasting from.

A

Documentation all right just a.

A

Sick.

A

Okay, so I haven't deployed the chart yet, and these are all the preparations that I had I had to do before, deploying the chart uh before installing the chart to enable tls for profit and italy, so I had to generate the certificates with this script that is now fixed. It wasn't fixed, it was. It was problematic up until yesterday and I had to generate the certificates manually and upload them and generate the secrets, and now now I can go ahead and use the names.

A

I think I made it so ridiculous.

A

And now right at this point, I can only only at this point I can start using.

A

Chart to enable tls.

A

Yep.

A

For some reason it wasn't responding.

A

Okay: let's go ahead and install.

A

uh Yeah looks like.

A

It.

A

So um I didn't actually break this demo. I used a fixed script to run the demo, but if it, if I wasn't, if I didn't do that, uh if I do, if I don't do that, it will break like this, it will show you it's. It starts throwing 503 when it does. It wants to do any kind of communication with italy, because the certificate, uh the the name, the sand, doesn't match the host name of the optic of italy. That's why the grpc client fails and you can see it in different ways.

A

I think uh one of the pro errors that robert recorded here on this one is actually due to that.

A

So I went ahead manually and loaded the the gem and connected to the grpc endpoint, and that's the reason that this you can see something like this- that I cannot connect to any address, because simply the tls doesn't fit the name, and it only happens with.

A

Profit.

A

And part of that reason is that the whole process is manual and needs to be.

A

Needs to be done in this sequence. Of course you can start deploying the chart first uh and then add the secrets and then fix it. But then I tried it myself and what happened was that um when I changed the secrets for some reason, I couldn't really make it work. I had to delete the pods manually again and make sure they are. The stickers are mounted again, at least at the web service. Italy and profit pods needs to be removed manually for to to for them to pick up the new secret.

A

I'm not sure if we really check this uh being the shah of the uh of the secret. um I don't know how we deal with the changes in the secret.

B

Yeah the uh the secret change behavior uh is an issue with our init containers, because our init containers are where the secrets are mounted and then we copy them. So the actual running container doesn't actually have the secret mounted from the kubernetes secret. Actually has it copied in right to a.

C

In memory.

B

File, location and that's why doing things like updating secrets doesn't uh doesn't cause our pods to restart when it went in a normal, kubernetes installation it would it's uh the method we've done with the init containers. That's blocking that.

A

So that explains uh part of the problem that I was running into so which brings us to the point that it needs to be done exactly in this sequence or with some manual tweaking to the parts or deleting them later.

A

If you go ahead just and install the uh the chart and enable the tls, um so this one is going on, we know that profit needs some handholding to start. So let me just this is documented uh indeed, so I'm gonna go ahead and just copy this from.

A

I just let me make sure that the.

A

Screen is upright.

B

Okay,.

A

I'm just copying and pasting from the oh. I need the password now.

A

um

A

So.

A

Okay, looks like we are set, let's go back, is an initializing um it should it shouldn't break. I don't expect it to break.

A

But it is taking too long to initialize.

A

It didn't really crash and burn okay, so.

A

It's going.

A

Through.

A

So.

A

We're still waiting for.

D

Them this.

D

One.

A

I.

A

Don't feel good about this because it's it shouldn't take this long.

A

It's all gitlab.

A

Containers.

B

Is it the um custom certificates container.

A

No, I don't think that's the problem.

A

This is still stuck in initialized. Let me uh just.

B

Yeah because I probably wouldn't decide.

A

For.

B

Registry, I guess.

A

I'm sorry dj, I I have trouble hearing you, it seems like your voice is very low.

A

Am I the only one it's pretty low.

A

Found the scheduling I can see this one failed mount.

A

You need to tell the secret okay, it's not mounting. um This is new.

D

When you cleared out your entire, your entire thing, did you clear up the old pvcs.

A

I deleted the uh the name space, so I was under the impression that it will also delete the.

D

Yeah, I don't think this is there under policy retain sorry, come again they're under policy retained. We don't recycle or reuse them. So if pvcs were there, they'll be retained afterwards. That's so that you don't accidentally get rid of all your like repositories and certificates and such.

A

Okay, I'm looking at this. This is the pvcs, but the ones that are failing are not here and besides, they are, I think the one that are failing are.

A

Just let me take a look.

A

The ones that are failing are actually secrets.

A

Oh my bad, my.

A

Bad.

A

I thought that okay, definitely my bad.

A

I was looking at the file with the same name in a different directory and I edited the secrets name. I think this is what has.

A

Happened.

A

Yeah, this is the one.

A

So I copied this file to somewhere else, change the name of the secrets and save it in another folder and then use this on the original, which was this one. So I just need to.

A

Upgrade.

C

Foreign.

C

um

A

Okay,.

A

This one came up and.

A

Done.

A

Let um double check that if I pass the next secret name, I mean these are the actual secrets.

A

This is correct and.

A

This yeah.

A

Okay,.

A

uh

A

This is failing.

B

Okay,.

A

ah This hasn't.

A

Okay, uh prophet cannot authenticate to postgresql.

A

This is what I expected. I'm gonna just check this one.

A

Quickly,.

C

Oh.

A

Make sure that uh I didn't miss anything and copy and.

A

Paste.

A

This is not.

B

This man- I don't- I don't know if it's just uh the ui of your terminal there, but it looked like. Maybe it missed copying the percent sign at the end of the.

A

There is actually that doesn't copy that amper, that that's, uh that part, that's a like a new character, but I think I think this is probably something that.

A

If it doesn't work, I'm gonna copy from somewhere else. This is working. um Okay, let me do something.

A

Else.

A

Okay, definitely not good.

A

Okay, this one is uh yeah, it's.

A

Up.

A

Now, let's take a look at the web service: let's see.

A

Okay,.

A

Here's where we can really find out if this thing is working or.

A

Not oh yeah, okay, that was the.

A

The particular name was the problem.

A

I can give it a try with um just the original script without the name space, but we are pretty sure it's going to happen, but I can do it if you like to see an like a failure on this screen in a demo.

A

That's going to be uh that's going to definitely be a 503 if we do that.

A

So.

A

um I am.

A

I don't have anything else to show you. I can just show you the script, the the endpoints and the configuration of the gitlab that it's those both profit and italy. The communication between web service and traffic and profit and italy is not on over tls.

A

And this was the aim of this uh this demo, but at the same time I wanted to show that it's kind of difficult to set it up with manual process and error prone, especially that we for someone that is going to start this and doesn't know the process that it needs to some preparation before deployment.

A

It might get a little confusing.

A

So what I'm going to suggest is that uh perhaps we should add these two certificates to like uh shared secrets.

A

As a follow-up.

B

Yeah, I'm just looking to see if there's already an issue for that. If not, we should definitely create one.

D

Yeah is that how is that? How is that uh the same or different from the having the shared secret job do the general service things that I noted in the review? Is that the same thing I I think.

A

To to, I think, what you are referring to robert was having once uh as far as I understand what having one certificate that is shared between services. I am just what I'm proposing here. Am I right.

D

No, I was just more thinking that um for internal services, because this is a thing that we ran into with another project that no longer exists, that we generate that per service for tls, and so I think, having the shared services job. You know the share the shared secrets job be aware and be able to generate those if tls is enabled and just generate them on the fly, and we can start with italy as a first but like make it more generic where it just says.

D

You know it has a list of services it'll check and if toss is enabled it'll just make that search for the pod service names and be done. That way when we start enabling this for the back end for other parts of the back, it just works.

A

I I think I think I am I'm basically saying the same thing. I'm saying that okay tls is enabled for gitali and profit, because basically they are exactly the same. The way that they deal with tls and their setup tls is exactly the same.

A

If they are, the tls is enabled and the secret is not specified, then we just go ahead and generate one.

D

I'm just thinking like if we do it generically, then the next follow-up we can do is encrypt all of sl of postgres backend as well.

A

Oh okay, regarding being generic, uh I, I am not sure I need to take a look into, but the number of dots in that certificate is is quite it's very important as this this demo and this the problem that motivated this demo show that we just had a wildcard certificate for the pods of the service and it didn't work for the service.

A

So um we definitely can have something there to at least um you know, simplify the deployment of the tls for gitelli and profit, and then we can go ahead and generalize from there, but I I am all for generating certificates where needed, because I want to just show you the script.

A

So if you want to change the uh release name or the name space this, this is just environment variables. So it's not. This script is not really written for users to be used.

A

Even though it has something you know yeah, we have some explanation on top of it, but no one really reads that.

D

I think it's something that we can put into a follow-up issue and then yeah.

A

Yeah, I totally agree. I completely agree. I I think we should. We should follow up and add the tls where needed where needed, um and I think that, if you have anything else, you want me to just run on this cluster test. It.

A

No come comment: okay,.

D

um So.

A

I think.

D

This sorry one one other possibility. um I guess this doesn't have multiple storages in the back. I was just wondering if you go into like the the the top level admin and tell it to push it 100 to the to the side to the non-default storage. Do we have multiple storages or we can test that just to see if tls works? I.

A

Know I think it's this one is configured with one storage.

A

Yeah yeah, this one is complicated with one story. Actually uh I think this is one of the limitations.

A

For profit.

C

That's the mr I'm working on now to add multiple back.

A

Ends.

C

So the mr exists, I think that's one thing that we'll be we'll have to add on once. My mr has done is that in that scenario we can have one pre-effect but multiple gilly nodes. So I guess we'll just have to make sure the shared secrets will generate a cert for each potential.

A

Okay,.

C

Staple set of getaway yeah.

A

Yeah, that's good thanks, because apparently I think you only.

C

Ever scale up horizontally, like we use one stateful set currently in goodly.

A

And.

C

Create the desired number of nodes, and then you know the pod name based on the index number from the stateful set. But after this, mr I'm working on, we can have multiple virtual storages and each virtual storage will generate a stateful set of its own. And so I think we can just kind of loop through the logic of generating a certificate per stateful set per pod.

A

Cool.

A

It's going to be next then, with that okay, um so I think anyone else has something else, something that wants to add or check.

A

Okay, then, um so I think this concludes our demo for this week and thank you, everyone for participating and have a great rest of the day.