From YouTube: Distribution Team Demo - November 19 2020
Description
The team demos the upcoming addition of TLS certs support for praefect in the GitLab Helm Charts.
A
Hi, hello, everyone, and welcome to this week's distribution demo. This week we are going to use one of the active MRs for supporting TLS and Praefect.
A
One thing that I want to show you this week is the, I want to stress on that, and it was pointed out by Robert, is that the difficulty of setting up TLS for Gitaly and Praefect. So without further ado, let's start with going through this, this MR. I link the MR to this. Is the MR. I linked it to the distribution demo notes as well, so allow me to just go through it, and there is a documentation here. So, let's open the documentation.
A
Yes, so for this demo you're not going to use cert-manager, we are going to use self-signed certificate that is generated by the chart itself.
A
So these two secrets are not, these two sections are, are just, let me see, I, I think we have deleted those.
A
Just allow me to cancel that. I didn't want to use the existing secrets. I just wanted to make sure that we have the, we are going to start with a clean slate namespace, so I'm gonna remove the secrets and I'm going to go through the generation of secrets as well. So to enable TLS on Gitaly and Praefect we need to generate. The problem is that we need to generate the secrets manually. The user has to generate the secrets manually both for Praefect and the.
A
So this is the script that is used. I'm going to show you, here's the script. This could actually generate certificates. This was intended to generate certificates for Gitaly, and what it does, it generates certificates for the pods of Gitaly service, star dot Gitaly dot namespace dot svc, and using the same script for Praefect is problematic, because when user, when we are connecting to Gitaly endpoints, we are connecting to it, to its pods.
A
But when we are working with Praefect, we are actually working with its headless service. So the problem was just the, the, the wildcard certificate, so this script needed to be fixed like this. So there are two DNS entries here: one is for the pods and the other one is actually for the service. So by default, this script generates Gitaly for TLS certificates.
A
This is for Praefect. I can generate one for.
A
I think we have deleted the namespace, let's create the namespace.
A
Okay, so I haven't deployed the chart yet, and these are all the preparations that I had, I had to do before deploying the chart, before installing the chart, to enable TLS for Praefect and Gitaly. So I had to generate the certificates with this script that is now fixed. It wasn't fixed, it was, it was problematic up until yesterday, and I had to generate the certificates manually and upload them and generate the secrets, and now, now I can go ahead and use the names.
A
So I didn't actually break this demo. I used a fixed script to run the demo, but if it, if I wasn't, if I didn't do that, if I do, if I don't do that, it will break like this, it will show you, it's, it starts throwing 503 when it does, it wants to do any kind of communication with Gitaly, because the certificate, the, the name, the SAN, doesn't match the host name of the optic of Gitaly. That's why the gRPC client fails, and you can see it in different ways.
A
I think one of the pro errors that Robert recorded here on this one is actually due to that.
A
Needs to be done in this sequence. Of course you can start deploying the chart first and then add the secrets and then fix it. But then I tried it myself, and what happened was that when I changed the secrets, for some reason, I couldn't really make it work. I had to delete the pods manually again and make sure they are, the secrets are mounted again, at least at the web service. Gitaly and Praefect pods needs to be removed manually for, to, to, for them to pick up the new secret.
A
I'm not sure if we really check this being the SHA of the, of the secret. I don't know how we deal with the changes in the secret.
B
Yeah, the, the secret change behavior is an issue with our init containers, because our init containers are where the secrets are mounted and then we copy them. So the actual running container doesn't actually have the secret mounted from the Kubernetes secret. Actually has it copied in right to a file location, and that's why doing things like updating secrets doesn't, doesn't cause our pods to restart when it went in a normal Kubernetes installation it would. It's the method we've done with the init containers that's blocking that.
A
So that explains part of the problem that I was running into, so which brings us to the point that it needs to be done exactly in this sequence or with some manual tweaking to the pods or deleting them later.
A
If you go ahead just and install the, the chart and enable the TLS, so this one is going on, we know that Praefect needs some handholding to start. So let me just, this is documented indeed, so I'm gonna go ahead and just copy this from.
A
Okay, looks like we are set, let's go back, is an initializing, it should, it shouldn't break. I don't expect it to break.
B
Is it the custom certificates container?
A
You need to tell the secret, okay, it's not mounting. This is new.
A
I deleted the, the namespace, so I was under the impression that it will also delete the.
A
Let me double check that if I pass the next secret name, I mean these are the actual secrets.
A
Okay, Praefect cannot authenticate to PostgreSQL.
A
Make sure that I didn't miss anything and copy and.
B
This man- I don't, I don't know if it's just the UI of your terminal there, but it looked like maybe it missed copying the percent sign at the end of the.
A
There is, actually that doesn't copy that amper, that, that's, that part, that's a, like a new character, but I think, I think this is probably something that.
A
Okay, this one is, yeah, it's.
A
I can give it a try with just the original script without the namespace, but we are pretty sure it's going to happen, but I can do it if you like to see an, like a failure on this screen in a demo.
A
That's going to be, that's going to definitely be a 503 if we do that.
A
And this was the aim of this, this demo, but at the same time I wanted to show that it's kind of difficult to set it up with manual process and error prone, especially that we, for someone that is going to start this and doesn't know the process, that it needs to some preparation before deployment.
A
So what I'm going to suggest is that perhaps we should add these two certificates to, like, shared secrets.
D
Yeah, is that, how is that, how is that the same or different from the having the shared secret job do the general service things that I noted in the review? Is that the same thing, I, I think.
A
To, to, I think what you are referring to, Robert, was having once, as far as I understand, what having one certificate that is shared between services. I am just, what I'm proposing here. Am I right?
D
No, I was just more thinking that for internal services, because this is a thing that we ran into with another project that no longer exists, that we generate that per service for TLS, and so I think having the shared services job, you know, the share, the shared secrets job be aware and be able to generate those if TLS is enabled and just generate them on the fly, and we can start with Gitaly as a first but, like, make it more generic where it just says.
A
Oh okay, regarding being generic, I, I am not sure, I need to take a look into, but the number of dots in that certificate is, is quite, it's very important, as this, this demo and this, the problem that motivated this demo show that we just had a wildcard certificate for the pods of the service and it didn't work for the service.
A
So we definitely can have something there to at least, you know, simplify the deployment of the TLS for Gitaly and Praefect, and then we can go ahead and generalize from there, but I, I am all for generating certificates where needed, because I want to just show you the script.
A
So if you want to change the release name or the namespace, this, this is just environment variables. So it's not, this script is not really written for users to be used.
A
Yeah, I totally agree. I completely agree. I, I think we should, we should follow up and add the TLS where needed, where needed, and I think that, if you have anything else you want me to just run on this cluster, test it.
D
This, sorry, one, one other possibility. I guess this doesn't have multiple storages in the back. I was just wondering if you go into, like, the, the, the top level admin and tell it to push it 100 to the, to the side, to the non-default storage. Do we have multiple storages, or we can test that just to see if TLS works? I.
A
Yeah, yeah, this one is complicated with one story. Actually I think this is one of the limitations.
C
Create the desired number of nodes, and then you know the pod name based on the index number from the stateful set. But after this MR I'm working on, we can have multiple virtual storages, and each virtual storage will generate a stateful set of its own. And so I think we can just kind of loop through the logic of generating a certificate per stateful set per pod.
A
It's going to be next then, with that. Okay, so I think anyone else has something else, something that wants to add or check.
A
Okay, then, so I think this concludes our demo for this week, and thank you, everyone, for participating, and have a great rest of the day.