Commit

link fixes (#2511)
abby-cyber authored Mar 7, 2024
1 parent 33633ed commit ada8605
Showing 2 changed files with 2 additions and 289 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -113,5 +113,5 @@ If the scale-in operation remains incomplete for a long time, you can go to the

!!! caution

- Scaling is supported only for the Graph and Storage services in the NebulaGraph cluster, but not for the Meta service.
- If the cluster with the zone feature enabled is scaled in, ensure that the remaining number of Storage Pods after the scaled-in is no less than the number of zones specified by `nebula.metad.config.zone_list`. For instance, if the number of zones is 3, then the number of Storage Pods after the scale-in cannot be less than 3. For more information about zones, see [Enable zones](../../4.cluster-administration/4.8.ha-and-balancing/4.8.2.enable-zone.md).
- Scaling is supported only for the Graph and Storage services in the NebulaGraph cluster, but not for the Meta service.
- If the cluster with the zone feature enabled is scaled in, ensure that the remaining number of Storage Pods after the scaled-in is no less than the number of zones specified by `nebula.metad.config.zone_list`. For instance, if the number of zones is 3, then the number of Storage Pods after the scale-in cannot be less than 3. For more information about zones, see [Enable zones](../../4.cluster-administration/4.8.ha-and-balancing/4.8.2.enable-zone.md).
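Review bot: the removed and added bullets in this hunk read identically here, including the `../../4.cluster-administration/4.8.ha-and-balancing/4.8.2.enable-zone.md` link target, so the edit appears to be indentation or whitespace inside the `!!! caution` admonition rather than a link change; the commit message `link fixes (#2511)` does not say that, so state it. Also confirm the two bullets stay indented under `!!! caution` after the change, since MkDocs renders an unindented body as a plain list and the warning about keeping at least `zone_list` many Storage Pods after a scale-in would lose its caution styling.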
Original file line number Diff line number Diff line change
Expand Up @@ -291,257 +291,6 @@ The following provides examples of the cluster configuration file to enable mTLS
# whenUnsatisfiable: "DoNotSchedule"
```


<!-- for 3.7.x version, which excludes the ssl_server_SAN field
??? info "View sample configurations of mTLS between services"
```yaml
apiVersion: apps.nebula-graph.io/v1alpha1
kind: NebulaCluster
metadata:
name: nebula
spec:
# # Required to enable backup and restore.
# enableBR: true
# # Customize Agent configurations for backup and restore.
# agent:
# # Configure environment variables for the Agent component to obtain certificates.
# env:
# - name: CA_CERT_PATH
# value: /usr/local/certs/root.crt
# - name: CLIENT_CERT_PATH
# value: /usr/local/certs/client.crt
# - name: CLIENT_KEY_PATH
# value: /usr/local/certs/client.key
# # Customize the Agent image and version.
# image: reg.vesoft-inc.com/cloud-dev/nebula-agent
# resources: {}
# version: snap
# # Limit the speed of file upload and download, in Mbps. The default value is 0, indicating no limit.
# rateLimit: 0
# # The connection timeout between the Agent and metad, in seconds. The default value is 60.
# heartbeatInterval: 60
# volumeMounts:
# - mountPath: /usr/local/certs
# name: credentials
# # Used to obtain the zone information about the node.
# alpineImage: "reg.vesoft-inc.com/vesoft/nebula-alpine:latest"
exporter:
image: vesoft/nebula-stats-exporter
replicas: 1
maxRequests: 20
# The certificate files for NebulaGraph Operator to access Storage and Meta services.
sslCerts:
# Certificates can be passed in by creating a Secret or
# by configuring environment variables in the Operator chart configuration file.
# The following fields are example configurations for passing in certificates by creating a Secret.
# clientSecret: "client-cert"
# clientCert: "tls.crt"
# clientKey: "tls.key"
# caSecret: "ca-cert"
# caCert: "tls.crt"
insecureSkipVerify: false # Whether the client verifies the server's certificate chain and hostname. Default is false.
# If `insecureSkipVerify` is set to `false`,
# either specify the server's hostname or IP of the server in the `subjectAltName` field of the server's certificate,
# or specify the Subject Alternative Name (SAN) of the server in the following `serverName` field.
serverName: managed-graph-http2.nebula # The SAN of the server.
graphd:
config:
# The following fields are used to enable mTLS between services.
ca_client_path: certs/root.crt
ca_path: certs/root.crt
cert_path: certs/server.crt
key_path: certs/server.key
enable_meta_ssl: "true"
enable_storage_ssl: "true"
# The following fields are required for creating a cluster with zones.
# accept_partial_success: "true"
# prioritize_intra_zone_reading: "true"
# sync_meta_when_use_space: "true"
# stick_to_intra_zone_on_failure: "false"
# session_reclaim_interval_secs: "300"
# The parent directory of the SSL certificate files that are automatically reloaded.
ssl_watch_path: certs
initContainers:
- name: init-auth-sidecar
command:
- /bin/sh
- -c
args:
- cp /certs/* /credentials/
imagePullPolicy: Always
image: reg.vesoft-inc.com/xxx/xxx:latest
volumeMounts:
- name: credentials
mountPath: /credentials
sidecarContainers:
- name: auth-sidecar
imagePullPolicy: Always
image: reg.vesoft-inc.com/xxx/xxx:latest
volumeMounts:
- name: credentials
mountPath: /credentials
volumes:
- name: credentials
emptyDir:
medium: Memory
volumeMounts:
- name: credentials
mountPath: /usr/local/nebula/certs
logVolumeClaim:
resources:
requests:
storage: 1Gi
storageClassName: local-path
resources:
requests:
cpu: "200m"
memory: "500Mi"
limits:
cpu: "1"
memory: "1Gi"
replicas: 1
image: reg.vesoft-inc.com/xxx/xxx
version: v3.5.0-sc
metad:
config:
# Zone names CANNOT be modified once set.
# It's suggested to set an odd number of zones.
# zone_list: az1,az2,az3
# Whether to enable the timestamp validation of the session.
validate_session_timestamp: "true"
# The following fields are used to enable mTLS between services.
ca_client_path: certs/root.crt
ca_path: certs/root.crt
cert_path: certs/server.crt
key_path: certs/server.key
enable_meta_ssl: "true"
enable_storage_ssl: "true"
# The parent directory of the SSL certificate files that are automatically reloaded.
ssl_watch_path: certs
initContainers:
- name: init-auth-sidecar
command:
- /bin/sh
- -c
args:
- cp /certs/* /credentials/
imagePullPolicy: Always
image: reg.vesoft-inc.com/xxx/xxx:latest
volumeMounts:
- name: credentials
mountPath: /credentials
sidecarContainers:
- name: auth-sidecar
imagePullPolicy: Always
image: reg.vesoft-inc.com/xxx/xxx:latest
volumeMounts:
- name: credentials
mountPath: /credentials
volumes:
- name: credentials
emptyDir:
medium: Memory
volumeMounts:
- name: credentials
mountPath: /usr/local/nebula/certs
licenseManagerURL: "192.168.8.xx:9119"
resources:
requests:
cpu: "300m"
memory: "500Mi"
limits:
cpu: "1"
memory: "1Gi"
replicas: 1
image: reg.vesoft-inc.com/xxx/xxx
version: v3.5.0-sc
dataVolumeClaim:
resources:
requests:
storage: 2Gi
storageClassName: local-path
logVolumeClaim:
resources:
requests:
storage: 1Gi
storageClassName: local-path
storaged:
config:
# The following fields are used to enable mTLS between services.
ca_client_path: certs/root.crt
ca_path: certs/root.crt
cert_path: certs/server.crt
key_path: certs/server.key
enable_meta_ssl: "true"
enable_storage_ssl: "true"
# The parent directory of the SSL certificate files that are automatically reloaded.
ssl_watch_path: certs
initContainers:
- name: init-auth-sidecar
command:
- /bin/sh
- -c
args:
- cp /certs/* /credentials/
imagePullPolicy: Always
image: reg.vesoft-inc.com/xxx/xxx:latest
volumeMounts:
- name: credentials
mountPath: /credentials
sidecarContainers:
- name: auth-sidecar
imagePullPolicy: Always
image: reg.vesoft-inc.com/xxx/xxx:latest
volumeMounts:
- name: credentials
mountPath: /credentials
volumes:
- name: credentials
emptyDir:
medium: Memory
volumeMounts:
- name: credentials
mountPath: /usr/local/nebula/certs
resources:
requests:
cpu: "300m"
memory: "500Mi"
limits:
cpu: "1"
memory: "1Gi"
replicas: 1
image: reg.vesoft-inc.com/xxx/xxx
version: v3.5.0-sc
dataVolumeClaims:
- resources:
requests:
storage: 2Gi
storageClassName: local-path
logVolumeClaim:
resources:
requests:
storage: 1Gi
storageClassName: local-path
# Automatically balance storage data after scaling out.
# enableAutoBalance: true
reference:
name: statefulsets.apps
version: v1
schedulerName: nebula-scheduler
imagePullPolicy: Always
imagePullSecrets:
- name: nebula-image
# Whether to automatically delete PVCs when deleting a cluster.
# enablePVReclaim: true
# Used to evenly distribute Pods across zones.
# topologySpreadConstraints:
# - topologyKey: "kubernetes.io/zone"
# whenUnsatisfiable: "DoNotSchedule"
```
-->


??? info "View sample configurations of mTLS between the client and the Graph service"

```yaml
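Review bot: the deleted block sat inside `<!-- ... -->`, so readers never saw it and dropping it is safe, but its opening line `for 3.7.x version, which excludes the ssl_server_SAN field` was the only place in this diff recording that 3.7.x has no `ssl_server_SAN`; if 3.7.x is still documented, keep that version note in visible prose beside the remaining sample. The removed YAML was also the only copy here of the `insecureSkipVerify: false` explanation and the `serverName` SAN requirement, so check the surviving "mTLS between the client and the Graph service" sample still carries them, otherwise readers are left with no guidance on why `insecureSkipVerify` must stay `false`. Finally, the context lines show two blank lines before and after the removed block, leaving four consecutive blank lines between the closing fence and `??? info`; collapse them to one.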
Expand Down Expand Up @@ -807,8 +556,6 @@ The following only lists the fields that must be configured to enable mTLS with

To enable mTLS between services (Graph, Meta, and Storage), add the following fields under the `spec.metad.config`, `spec.graphd.config`, and `spec.storaged.config` respectively in the cluster configuration file.

<!-- for 3.8.x and snapchat version, which includes the ssl_server_SAN field -->

```yaml
spec:
graph:
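Review bot: the removed comment `for 3.8.x and snapchat version, which includes the ssl_server_SAN field` (`snapchat` reads as a typo for snapshot) was the only statement of which versions the sample applies to; if that applicability still holds, put it in visible prose rather than deleting it outright. Separately, the prose two lines above says to add the fields under `spec.graphd.config`, but the sample that follows uses the key `graph:`; one of the two is wrong, and an operator copying `graph:` would get a cluster whose Graph service never receives `enable_meta_ssl`/`enable_storage_ssl`. Please align the key name with the `graphd:` used in the full cluster sample earlier in this file.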
Expand Down Expand Up @@ -843,40 +590,6 @@ The following only lists the fields that must be configured to enable mTLS with
ssl_watch_path: certs
```

<!-- for 3.7.x version, which excludes the ssl_server_SAN field
```yaml
spec:
graph:
config:
ca_client_path: certs/root.crt
ca_path: certs/root.crt
cert_path: certs/server.crt
key_path: certs/server.key
enable_meta_ssl: "true"
enable_storage_ssl: "true"
ssl_watch_path: certs
metad:
config:
ca_client_path: certs/root.crt
ca_path: certs/root.crt
cert_path: certs/server.crt
key_path: certs/server.key
enable_meta_ssl: "true"
enable_storage_ssl: "true"
ssl_watch_path: certs
storaged:
config:
ca_client_path: certs/root.crt
ca_path: certs/root.crt
cert_path: certs/server.crt
key_path: certs/server.key
enable_meta_ssl: "true"
enable_storage_ssl: "true"
ssl_watch_path: certs
```
-->

#### `initContainers`, `sidecarContainers`, `volumes`, and `volumeMounts`

`initContainers`, `sidecarContainers`, `volumes`, and `volumeMounts` fields are essential for implementing mTLS certificate online hot-reloading.
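Review bot: the deleted 3.7.x block differs from the surviving sample only by lacking `ssl_server_SAN` (per its own comment), so a single sentence such as "`ssl_server_SAN` is required from 3.8.x" next to the remaining `ssl_watch_path: certs` sample would preserve the information this hunk drops. The deleted block also repeats the `graph:` key from the surviving sample, so whatever is decided about `graph:` versus `graphd:` in the hunk above should be applied consistently. Since the section heading that follows ties `initContainers`, `sidecarContainers`, `volumes`, and `volumeMounts` to certificate hot-reloading, it is worth stating that the relative `ssl_watch_path: certs` must resolve to the `/usr/local/nebula/certs` mount path shown in the full sample, otherwise rotated certificates are never picked up.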