From 2434c54b0102ca107b6ea298375c7d19bc857210 Mon Sep 17 00:00:00 2001 From: Neaj Morshad Date: Mon, 18 Nov 2024 21:10:17 +0600 Subject: [PATCH] Finish reconfigure tls for ag Signed-off-by: Neaj Morshad --- .../reconfigure-tls/mg-replicaset.yaml | 17 - .../reconfigure-tls/msops-ag-add-tls.yaml | 24 + .../msops-ag-change-issuer.yaml | 14 + .../reconfigure-tls/msops-ag-remove.yaml | 11 + .../reconfigure-tls/msops-ag-rotate.yaml | 13 + .../msops-reconfigure-ag-apply.yaml | 16 - .../reconfigure-tls/msops-reconfigure-ag.yaml | 14 - .../msops-reconfigure-standalone-apply.yaml | 16 - .../msops-reconfigure-standalone.yaml | 14 - ...-ag-cluster.yaml => mssql-ag-cluster.yaml} | 12 +- .../mssqlserver/reconfigure-tls/ag_cluster.md | 766 +++++++++--------- 11 files changed, 434 insertions(+), 483 deletions(-) delete mode 100644 docs/examples/mssqlserver/reconfigure-tls/mg-replicaset.yaml create mode 100644 docs/examples/mssqlserver/reconfigure-tls/msops-ag-add-tls.yaml create mode 100644 docs/examples/mssqlserver/reconfigure-tls/msops-ag-change-issuer.yaml create mode 100644 docs/examples/mssqlserver/reconfigure-tls/msops-ag-remove.yaml create mode 100644 docs/examples/mssqlserver/reconfigure-tls/msops-ag-rotate.yaml delete mode 100644 docs/examples/mssqlserver/reconfigure-tls/msops-reconfigure-ag-apply.yaml delete mode 100644 docs/examples/mssqlserver/reconfigure-tls/msops-reconfigure-ag.yaml delete mode 100644 docs/examples/mssqlserver/reconfigure-tls/msops-reconfigure-standalone-apply.yaml delete mode 100644 docs/examples/mssqlserver/reconfigure-tls/msops-reconfigure-standalone.yaml rename docs/examples/mssqlserver/reconfigure-tls/{mssqlserver-ag-cluster.yaml => mssql-ag-cluster.yaml} (77%) diff --git a/docs/examples/mssqlserver/reconfigure-tls/mg-replicaset.yaml b/docs/examples/mssqlserver/reconfigure-tls/mg-replicaset.yaml deleted file mode 100644 index b271b8a5f2..0000000000 --- a/docs/examples/mssqlserver/reconfigure-tls/mg-replicaset.yaml +++ /dev/null 
@@ -1,17 +0,0 @@ -apiVersion: kubedb.com/v1 -kind: MongoDB -metadata: - name: mg-rs - namespace: demo -spec: - version: "4.4.26" - replicas: 3 - replicaSet: - name: rs0 - storage: - storageClassName: "standard" - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi diff --git a/docs/examples/mssqlserver/reconfigure-tls/msops-ag-add-tls.yaml b/docs/examples/mssqlserver/reconfigure-tls/msops-ag-add-tls.yaml new file mode 100644 index 0000000000..42904f0309 --- /dev/null +++ b/docs/examples/mssqlserver/reconfigure-tls/msops-ag-add-tls.yaml @@ -0,0 +1,24 @@ +apiVersion: ops.kubedb.com/v1alpha1 +kind: MSSQLServerOpsRequest +metadata: + name: msops-ag-add-tls + namespace: demo +spec: + type: ReconfigureTLS + databaseRef: + name: mssql-ag-cluster + tls: + issuerRef: + name: mssqlserver-ca-issuer + kind: Issuer + apiGroup: "cert-manager.io" + certificates: + - alias: client + subject: + organizations: + - mssqlserver + organizationalUnits: + - client + clientTLS: true + timeout: 5m + apply: IfReady \ No newline at end of file diff --git a/docs/examples/mssqlserver/reconfigure-tls/msops-ag-change-issuer.yaml b/docs/examples/mssqlserver/reconfigure-tls/msops-ag-change-issuer.yaml new file mode 100644 index 0000000000..0d8b199efc --- /dev/null +++ b/docs/examples/mssqlserver/reconfigure-tls/msops-ag-change-issuer.yaml @@ -0,0 +1,14 @@ +apiVersion: ops.kubedb.com/v1alpha1 +kind: MSSQLServerOpsRequest +metadata: + name: msops-ag-change-issuer + namespace: demo +spec: + type: ReconfigureTLS + databaseRef: + name: mssql-ag-cluster + tls: + issuerRef: + name: mssqlserver-new-ca-issuer + kind: Issuer + apiGroup: "cert-manager.io" \ No newline at end of file diff --git a/docs/examples/mssqlserver/reconfigure-tls/msops-ag-remove.yaml b/docs/examples/mssqlserver/reconfigure-tls/msops-ag-remove.yaml new file mode 100644 index 0000000000..338985c3d9 --- /dev/null +++ b/docs/examples/mssqlserver/reconfigure-tls/msops-ag-remove.yaml 
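Review bot: `clientTLS: true` in msops-ag-add-tls.yaml is the one line in this request that is not self-explanatory, and it carries no comment. The guide's old `describe` output for the "without TLS" cluster shows `Client TLS: false` next to an already-populated `Issuer Ref` and server/client certificate secrets, which suggests the cluster's existing `tls` block serves something other than client connections and that this flag is what actually switches on TLS for clients; if that reading is right, a comment above the line would spare readers the same confusion: `# clientTLS turns on TLS for client connections; issuerRef/certificates alone do not`. The file also ends without a trailing newline (`\ No newline at end of file`), as do the other three new examples in this commit.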
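Review bot: msops-ag-change-issuer.yaml omits the `timeout: 5m` and `apply: IfReady` lines that msops-ag-add-tls.yaml and msops-ag-rotate.yaml in this same commit set, so the ReconfigureTLS examples do not agree on request policy; either add the two lines or comment on why the operator default is intended here. Pointing `issuerRef` at `mssqlserver-new-ca-issuer` re-issues the cluster's certificates under a different CA, so any client that verifies the server certificate (the guide demonstrates `sqlcmd -N` without `-C`) will stop validating until it is given the new CA; a comment on `issuerRef` stating that would help: `# certificates are re-issued by this CA; distribute the new CA to clients that verify the server certificate`. Per the guide's describe output, this request restarts every replica, which the example does not mention either.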
@@ -0,0 +1,11 @@ +apiVersion: ops.kubedb.com/v1alpha1 +kind: MSSQLServerOpsRequest +metadata: + name: msops-ag-remove + namespace: demo +spec: + type: ReconfigureTLS + databaseRef: + name: mssql-ag-cluster + tls: + remove: true \ No newline at end of file diff --git a/docs/examples/mssqlserver/reconfigure-tls/msops-ag-rotate.yaml b/docs/examples/mssqlserver/reconfigure-tls/msops-ag-rotate.yaml new file mode 100644 index 0000000000..31bc701f8e --- /dev/null +++ b/docs/examples/mssqlserver/reconfigure-tls/msops-ag-rotate.yaml @@ -0,0 +1,13 @@ +apiVersion: ops.kubedb.com/v1alpha1 +kind: MSSQLServerOpsRequest +metadata: + name: msops-ag-rotate + namespace: demo +spec: + type: ReconfigureTLS + databaseRef: + name: mssql-ag-cluster + tls: + rotateCertificates: true + timeout: 5m + apply: IfReady \ No newline at end of file diff --git a/docs/examples/mssqlserver/reconfigure-tls/msops-reconfigure-ag-apply.yaml b/docs/examples/mssqlserver/reconfigure-tls/msops-reconfigure-ag-apply.yaml deleted file mode 100644 index b93d450d54..0000000000 --- a/docs/examples/mssqlserver/reconfigure-tls/msops-reconfigure-ag-apply.yaml +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: ops.kubedb.com/v1alpha1 -kind: MSSQLServerOpsRequest -metadata: - name: msops-reconfigure-ag-apply - namespace: demo -spec: - type: Reconfigure - databaseRef: - name: mssqlserver-ag-cluster - configuration: - applyConfig: - mssql.conf: |- - [memory] - memorylimitmb = 3072 - timeout: 5m - apply: IfReady \ No newline at end of file diff --git a/docs/examples/mssqlserver/reconfigure-tls/msops-reconfigure-ag.yaml b/docs/examples/mssqlserver/reconfigure-tls/msops-reconfigure-ag.yaml deleted file mode 100644 index 86d2b8283d..0000000000 --- a/docs/examples/mssqlserver/reconfigure-tls/msops-reconfigure-ag.yaml +++ /dev/null 
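Review bot: msops-ag-remove.yaml drops TLS from the availability-group cluster but says nothing about what that does to connections; the guide's pre-TLS section shows `sqlcmd -N` failing with `certificate verify failed:self-signed certificate` and the workaround being `-C` (trust any server certificate), so after this request clients presumably fall back to an unverifiable server identity. Suggest a comment above `remove: true`: `# reverts to the unverified self-signed certificate; clients using -N will need -C again` (worth confirming against operator behaviour before merging the wording). Like the change-issuer example, the file also lacks the `timeout`/`apply` lines the add-tls and rotate examples set, and it has no trailing newline.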
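Review bot: `timeout: 5m` in msops-ag-rotate.yaml is tight for a three-replica rolling restart: the rotate run recorded in the guide's `describe` output starts at 14:36:38 and reaches `Successfully restarted all nodes` at 14:40:14, about 3.6 minutes, with each pod taking roughly a minute from evict to running. I cannot tell from the hunk whether `timeout` bounds the whole request or each step, but if it is the whole request, readers who scale the example to more replicas will hit it; a comment would help: `# ~1 min per replica restart was observed for 3 replicas; raise for larger clusters`. The file also ends without a trailing newline.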
@@ -1,14 +0,0 @@ -apiVersion: ops.kubedb.com/v1alpha1 -kind: MSSQLServerOpsRequest -metadata: - name: msops-reconfigure-ag - namespace: demo -spec: - type: Reconfigure - databaseRef: - name: mssqlserver-ag-cluster - configuration: - configSecret: - name: new-custom-config - timeout: 5m - apply: IfReady \ No newline at end of file diff --git a/docs/examples/mssqlserver/reconfigure-tls/msops-reconfigure-standalone-apply.yaml b/docs/examples/mssqlserver/reconfigure-tls/msops-reconfigure-standalone-apply.yaml deleted file mode 100644 index 0199028a1b..0000000000 --- a/docs/examples/mssqlserver/reconfigure-tls/msops-reconfigure-standalone-apply.yaml +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: ops.kubedb.com/v1alpha1 -kind: MSSQLServerOpsRequest -metadata: - name: msops-reconfigure-standalone-apply - namespace: demo -spec: - type: Reconfigure - databaseRef: - name: ms-standalone - configuration: - applyConfig: - mssql.conf: |- - [memory] - memorylimitmb = 3072 - timeout: 5m - apply: IfReady \ No newline at end of file diff --git a/docs/examples/mssqlserver/reconfigure-tls/msops-reconfigure-standalone.yaml b/docs/examples/mssqlserver/reconfigure-tls/msops-reconfigure-standalone.yaml deleted file mode 100644 index 5c0f52531a..0000000000 --- a/docs/examples/mssqlserver/reconfigure-tls/msops-reconfigure-standalone.yaml +++ /dev/null @@ -1,14 +0,0 @@ -apiVersion: ops.kubedb.com/v1alpha1 -kind: MSSQLServerOpsRequest -metadata: - name: msops-reconfigure-standalone - namespace: demo -spec: - type: Reconfigure - databaseRef: - name: ms-standalone - configuration: - configSecret: - name: new-custom-config - timeout: 5m - apply: IfReady \ No newline at end of file 
diff --git a/docs/examples/mssqlserver/reconfigure-tls/mssqlserver-ag-cluster.yaml b/docs/examples/mssqlserver/reconfigure-tls/mssql-ag-cluster.yaml similarity index 77% rename from docs/examples/mssqlserver/reconfigure-tls/mssqlserver-ag-cluster.yaml rename to docs/examples/mssqlserver/reconfigure-tls/mssql-ag-cluster.yaml index 8407bb6fcf..95212e5c57 100644 --- a/docs/examples/mssqlserver/reconfigure-tls/mssqlserver-ag-cluster.yaml +++ b/docs/examples/mssqlserver/reconfigure-tls/mssql-ag-cluster.yaml @@ -1,12 +1,10 @@ apiVersion: kubedb.com/v1alpha2 kind: MSSQLServer metadata: - name: mssqlserver-ag-cluster + name: mssql-ag-cluster namespace: demo spec: version: "2022-cu12" - configSecret: - name: ms-custom-config replicas: 3 topology: mode: AvailabilityGroup @@ -28,7 +26,13 @@ spec: - name: ACCEPT_EULA value: "Y" - name: MSSQL_PID - value: Developer + value: Evaluation + resources: + requests: + cpu: "500m" + memory: "1.5Gi" + limits: + memory: "2Gi" storageType: Durable storage: storageClassName: "standard" diff --git a/docs/guides/mssqlserver/reconfigure-tls/ag_cluster.md b/docs/guides/mssqlserver/reconfigure-tls/ag_cluster.md index 3097a46171..7a17b63d4c 100644 --- a/docs/guides/mssqlserver/reconfigure-tls/ag_cluster.md +++ b/docs/guides/mssqlserver/reconfigure-tls/ag_cluster.md 
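Review bot: The new `resources` block in mssql-ag-cluster.yaml pins `limits.memory: "2Gi"` and `requests.memory: "1.5Gi"`, while the guide's old `describe` output shows the operator running the standalone example with 4Gi requests and limits; if 4Gi was the operator default, the AG replicas (each hosting `agdb1` and `agdb2`) now get half of that, and a comment on why 2Gi is sufficient would help readers who copy the example. The guide's inline copy of this manifest in the "Deploy MSSQLServer without TLS" section keeps a `tls.issuerRef: mssqlserver-ca-issuer` block as context; the corresponding middle of this example file is outside the hunk, so I cannot confirm the two copies agree, and since readers are told to `kubectl create -f` the example file they should be diffed. `MSSQL_PID` changing from `Developer` to `Evaluation` deserves a one-line comment too, as the two editions have different licensing terms and Evaluation is time-limited.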
@@ -33,9 +33,9 @@ KubeDB supports reconfigure i.e. add, remove, update and rotation of TLS/SSL cer > Note: YAML files used in this tutorial are stored in [docs/examples/mssqlserver](https://github.com/kubedb/docs/tree/{{< param "info.version" >}}/docs/examples/mssqlserver/reconfigure-tls) folder in GitHub repository [kubedb/docs](https://github.com/kubedb/docs). -## Add TLS to a MSSQLServer database +## Add TLS to a MSSQLServer Availability Group Cluster -Here, We are going to create a MSSQLServer database without TLS and then reconfigure the database to use TLS. +Here, We are going to create a MSSQLServer Availability Group Cluster without TLS and then reconfigure the database to use TLS. At first, we need to create an Issuer/ClusterIssuer which will be used to generate the certificate used for TLS configurations. @@ -74,17 +74,23 @@ issuer.cert-manager.io/mssqlserver-ca-issuer created ### Deploy MSSQLServer without TLS -In this section, we are going to deploy a MSSQLServer Standalone database without TLS. In the next few sections we will reconfigure TLS using `MSSQLServerOpsRequest` CRD. Below is the YAML of the `MSSQLServer` CR that we are going to create, +In this section, we are going to deploy a MSSQLServer Availability Group Cluster without TLS. In the next few sections we will reconfigure to add TLS using `MSSQLServerOpsRequest` CRD. Below is the YAML of the `MSSQLServer` CR that we are going to create, ```yaml apiVersion: kubedb.com/v1alpha2 kind: MSSQLServer metadata: - name: ms-standalone + name: mssql-ag-cluster namespace: demo spec: version: "2022-cu12" - replicas: 1 + replicas: 3 + topology: + mode: AvailabilityGroup + availabilityGroup: + databases: + - agdb1 + - agdb2 tls: issuerRef: name: mssqlserver-ca-issuer @@ -100,6 +106,12 @@ spec: value: "Y" - name: MSSQL_PID value: Evaluation + resources: + requests: + cpu: "500m" + memory: "1.5Gi" + limits: + memory: "2Gi" storageType: Durable storage: storageClassName: "standard" 
@@ -114,160 +126,16 @@ spec: Let's create the `MSSQLServer` CR we have shown above, ```bash -$ kubectl create -f https://github.com/kubedb/docs/raw/{{< param "info.version" >}}/docs/examples/mssqlserver/reconfigure-tls/ms-standalone.yaml -mssqlserver.kubedb.com/ms-standalone created +$ kubectl create -f https://github.com/kubedb/docs/raw/{{< param "info.version" >}}/docs/examples/mssqlserver/reconfigure-tls/mssql-ag-cluster.yaml +mssqlserver.kubedb.com/mssql-ag-cluster created ``` -Now, wait until `ms-standalone` has status `Ready`. i.e, +Now, wait until `mssql-ag-cluster` has status `Ready`. i.e, ```bash $ kubectl get ms -n demo -NAME VERSION STATUS AGE -ms-standalone 2022-cu12 Ready 4m3s - -$ kubectl describe ms -n demo ms-standalone -Name: ms-standalone -Namespace: demo -Labels: -Annotations: -API Version: kubedb.com/v1alpha2 -Kind: MSSQLServer -Metadata: - Creation Timestamp: 2024-11-14T12:45:36Z - Finalizers: - kubedb.com - Generation: 2 - Resource Version: 438804 - UID: 83ebe191-3754-41af-8d86-ed211bf9c31c -Spec: - Auth Secret: - Name: ms-standalone-auth - Deletion Policy: WipeOut - Health Checker: - Failure Threshold: 1 - Period Seconds: 10 - Timeout Seconds: 10 - Pod Template: - Controller: - Metadata: - Spec: - Containers: - Env: - Name: ACCEPT_EULA - Value: Y - Name: MSSQL_PID - Value: Evaluation - Name: mssql - Resources: - Limits: - Memory: 4Gi - Requests: - Cpu: 500m - Memory: 4Gi - Security Context: - Allow Privilege Escalation: false - Capabilities: - Add: - NET_BIND_SERVICE - Drop: - ALL - Run As Group: 10001 - Run As Non Root: true - Run As User: 10001 - Seccomp Profile: - Type: RuntimeDefault - Init Containers: - Name: mssql-init - Resources: - Limits: - Memory: 512Mi - Requests: - Cpu: 200m - Memory: 512Mi - Security Context: - Allow Privilege Escalation: false - Capabilities: - Drop: - ALL - Run As Group: 10001 - Run As Non Root: true - Run As User: 10001 - Seccomp Profile: - Type: RuntimeDefault - Pod Placement Policy: - Name: default - 
Security Context: - Fs Group: 10001 - Replicas: 1 - Storage: - Access Modes: - ReadWriteOnce - Resources: - Requests: - Storage: 1Gi - Storage Class Name: standard - Storage Type: Durable - Tls: - Certificates: - Alias: server - Secret Name: ms-standalone-server-cert - Subject: - Organizational Units: - server - Organizations: - kubedb - Alias: client - Secret Name: ms-standalone-client-cert - Subject: - Organizational Units: - client - Organizations: - kubedb - Client TLS: false - Issuer Ref: - API Group: cert-manager.io - Kind: Issuer - Name: mssqlserver-ca-issuer - Version: 2022-cu12 -Status: - Conditions: - Last Transition Time: 2024-11-14T12:45:36Z - Message: The KubeDB operator has started the provisioning of MSSQLServer: demo/ms-standalone - Observed Generation: 1 - Reason: DatabaseProvisioningStartedSuccessfully - Status: True - Type: ProvisioningStarted - Last Transition Time: 2024-11-14T12:46:36Z - Message: All replicas are ready for MSSQLServer demo/ms-standalone - Observed Generation: 2 - Reason: AllReplicasReady - Status: True - Type: ReplicaReady - Last Transition Time: 2024-11-14T12:46:46Z - Message: database demo/ms-standalone is accepting connection - Observed Generation: 2 - Reason: AcceptingConnection - Status: True - Type: AcceptingConnection - Last Transition Time: 2024-11-14T12:46:46Z - Message: database demo/ms-standalone is ready - Observed Generation: 2 - Reason: AllReplicasReady - Status: True - Type: Ready - Last Transition Time: 2024-11-14T12:47:06Z - Message: The MSSQLServer: demo/ms-standalone is successfully provisioned. 
- Observed Generation: 2 - Reason: DatabaseSuccessfullyProvisioned - Status: True - Type: Provisioned - Phase: Ready -Events: - Type Reason Age From Message - ---- ------ ---- ---- ------- - Normal Successful 4m20s KubeDB Ops-manager Operator Successfully created MSSQLServer server certificates - Normal Successful 4m20s KubeDB Ops-manager Operator Successfully created MSSQLServer client certificates - +NAME VERSION STATUS AGE +mssql-ag-cluster 2022-cu12 Ready 4m38s ``` Now, connect to this database by exec into a pod and verify the TLS is disabled. 
@@ -276,23 +144,22 @@ Now, connect to this database by exec into a pod and verify the TLS is disabled. ```bash -$ kubectl get secrets -n demo ms-standalone-auth -o jsonpath='{.data.\username}' | base64 -d +$ kubectl get secrets -n demo mssql-ag-cluster-auth -o jsonpath='{.data.\username}' | base64 -d sa -$ kubectl get secrets -n demo ms-standalone-auth -o jsonpath='{.data.\password}' | base64 -d -b1HLv9EV4CaSalX6 +$ kubectl get secrets -n demo mssql-ag-cluster-auth -o jsonpath='{.data.\password}' | base64 -d +Q9kDWVQMnawLcnZq -$ kubectl exec -it -n demo ms-standalone-0 -c mssql -- bash -mssql@ms-standalone-0:/$ cat /var/opt/mssql/mssql.conf +$ kubectl exec -it -n demo mssql-ag-cluster-0 -c mssql -- bash +mssql@mssql-ag-cluster-0:/$ cat /var/opt/mssql/mssql.conf [language] lcid = 1033 -mssql@ms-standalone-0:/$ /opt/mssql-tools/bin/sqlcmd -S localhost -U sa -P "b1HLv9EV4CaSalX6" -N +mssql@mssql-ag-cluster-0:/$ /opt/mssql-tools/bin/sqlcmd -S localhost -U sa -P "Q9kDWVQMnawLcnZq" -N Sqlcmd: Error: Microsoft ODBC Driver 17 for SQL Server : SSL Provider: [error:0A000086:SSL routines::certificate verify failed:self-signed certificate]. Sqlcmd: Error: Microsoft ODBC Driver 17 for SQL Server : Client unable to establish connection. - So Now, we have to connect with -C [Trust Server Certificate] -mssql@ms-standalone-0:/$ /opt/mssql-tools/bin/sqlcmd -S localhost -U sa -P "b1HLv9EV4CaSalX6" -N -C +mssql@mssql-ag-cluster-0:/$ /opt/mssql-tools/bin/sqlcmd -S localhost -U sa -P "Q9kDWVQMnawLcnZq" -N -C 1> ``` @@ -307,12 +174,12 @@ In order to add TLS to the database, we have to create a `MSSQLServerOpsRequest` apiVersion: ops.kubedb.com/v1alpha1 kind: MSSQLServerOpsRequest metadata: - name: msops-add-tls + name: msops-ag-add-tls namespace: demo spec: type: ReconfigureTLS databaseRef: - name: ms-standalone + name: mssql-ag-cluster tls: issuerRef: name: mssqlserver-ca-issuer 
@@ -332,7 +199,7 @@ spec: Here, -- `spec.databaseRef.name` specifies that we are performing reconfigure TLS operation on `ms-standalone` database. +- `spec.databaseRef.name` specifies that we are performing reconfigure TLS operation on `mssql-ag-cluster` database. - `spec.type` specifies that we are performing `ReconfigureTLS` on our database. - `spec.tls.issuerRef` specifies the issuer name, kind and api group. - `spec.tls.certificates` specifies the certificates. You can learn more about this field from [here](/docs/guides/mssqlserver/concepts/mssqlserver.md#spectls). @@ -340,8 +207,8 @@ Here, Let's create the `MSSQLServerOpsRequest` CR we have shown above, ```bash -$ kubectl apply -f https://github.com/kubedb/docs/raw/{{< param "info.version" >}}/docs/examples/mssqlserver/reconfigure-tls/msops-add-tls.yaml -mssqlserveropsrequest.ops.kubedb.com/msops-add-tls created +$ kubectl apply -f https://github.com/kubedb/docs/raw/{{< param "info.version" >}}/docs/examples/mssqlserver/reconfigure-tls/msops-ag-add-tls.yaml +mssqlserveropsrequest.ops.kubedb.com/msops-ag-add-tls created ``` #### Verify TLS Enabled Successfully 
@@ -351,30 +218,29 @@ Let's wait for `MSSQLServerOpsRequest` to be `Successful`. Run the following co ```bash $ watch kubectl get msops -n demo Every 2.0s: kubectl get msops -n demo - -NAME TYPE STATUS AGE -msops-add-tls ReconfigureTLS Successful 115s +NAME TYPE STATUS AGE +msops-ag-add-tls ReconfigureTLS Successful 3m32s ``` We can see from the above output that the `MSSQLServerOpsRequest` has succeeded. If we describe the `MSSQLServerOpsRequest` we will get an overview of the steps that were followed. ```bash -$ kubectl describe mssqlserveropsrequest -n demo msops-add-tls -Name: msops-add-tls +$ kubectl describe mssqlserveropsrequest -n demo msops-ag-add-tls +Name: msops-ag-add-tls Namespace: demo Labels: Annotations: API Version: ops.kubedb.com/v1alpha1 Kind: MSSQLServerOpsRequest Metadata: - Creation Timestamp: 2024-11-15T11:48:03Z + Creation Timestamp: 2024-11-18T14:13:46Z Generation: 1 - Resource Version: 491162 - UID: 007ad725-0a3f-4290-8814-d85592cfc247 + Resource Version: 555629 + UID: 329b1815-6002-4d20-8df8-662ec6bedb2a Spec: Apply: IfReady Database Ref: - Name: ms-standalone + Name: mssql-ag-cluster Timeout: 5m Tls: Certificates: 
@@ -392,67 +258,97 @@ Spec: Type: ReconfigureTLS Status: Conditions: - Last Transition Time: 2024-11-15T11:48:03Z + Last Transition Time: 2024-11-18T14:13:46Z Message: MSSQLServer ops-request has started to reconfigure tls for mssqlserver nodes Observed Generation: 1 Reason: ReconfigureTLS Status: True Type: ReconfigureTLS - Last Transition Time: 2024-11-15T11:48:06Z + Last Transition Time: 2024-11-18T14:13:49Z Message: Successfully paused database Observed Generation: 1 Reason: DatabasePauseSucceeded Status: True Type: DatabasePauseSucceeded - Last Transition Time: 2024-11-15T11:48:16Z + Last Transition Time: 2024-11-18T14:13:59Z Message: Successfully synced all certificates Observed Generation: 1 Reason: CertificateSynced Status: True Type: CertificateSynced - Last Transition Time: 2024-11-15T11:48:11Z + Last Transition Time: 2024-11-18T14:13:54Z Message: get certificate; ConditionStatus:True Observed Generation: 1 Status: True Type: GetCertificate - Last Transition Time: 2024-11-15T11:48:11Z + Last Transition Time: 2024-11-18T14:13:54Z Message: check ready condition; ConditionStatus:True Observed Generation: 1 Status: True Type: CheckReadyCondition - Last Transition Time: 2024-11-15T11:48:11Z + Last Transition Time: 2024-11-18T14:13:54Z Message: issuing condition; ConditionStatus:True Observed Generation: 1 Status: True Type: IssuingCondition - Last Transition Time: 2024-11-15T11:48:21Z + Last Transition Time: 2024-11-18T14:14:04Z Message: successfully reconciled the MSSQLServer with tls configuration Observed Generation: 1 Reason: UpdatePetSets Status: True Type: UpdatePetSets - Last Transition Time: 2024-11-15T11:49:06Z + Last Transition Time: 2024-11-18T14:16:10Z Message: Successfully restarted all nodes Observed Generation: 1 Reason: RestartNodes Status: True Type: RestartNodes - Last Transition Time: 2024-11-15T11:48:26Z - Message: get pod; ConditionStatus:True; PodName:ms-standalone-0 + Last Transition Time: 2024-11-18T14:14:10Z + Message: get pod; 
ConditionStatus:True; PodName:mssql-ag-cluster-0 + Observed Generation: 1 + Status: True + Type: GetPod--mssql-ag-cluster-0 + Last Transition Time: 2024-11-18T14:14:10Z + Message: evict pod; ConditionStatus:True; PodName:mssql-ag-cluster-0 + Observed Generation: 1 + Status: True + Type: EvictPod--mssql-ag-cluster-0 + Last Transition Time: 2024-11-18T14:14:45Z + Message: check pod running; ConditionStatus:True; PodName:mssql-ag-cluster-0 + Observed Generation: 1 + Status: True + Type: CheckPodRunning--mssql-ag-cluster-0 + Last Transition Time: 2024-11-18T14:14:50Z + Message: get pod; ConditionStatus:True; PodName:mssql-ag-cluster-1 + Observed Generation: 1 + Status: True + Type: GetPod--mssql-ag-cluster-1 + Last Transition Time: 2024-11-18T14:14:50Z + Message: evict pod; ConditionStatus:True; PodName:mssql-ag-cluster-1 + Observed Generation: 1 + Status: True + Type: EvictPod--mssql-ag-cluster-1 + Last Transition Time: 2024-11-18T14:15:25Z + Message: check pod running; ConditionStatus:True; PodName:mssql-ag-cluster-1 + Observed Generation: 1 + Status: True + Type: CheckPodRunning--mssql-ag-cluster-1 + Last Transition Time: 2024-11-18T14:15:30Z + Message: get pod; ConditionStatus:True; PodName:mssql-ag-cluster-2 Observed Generation: 1 Status: True - Type: GetPod--ms-standalone-0 - Last Transition Time: 2024-11-15T11:48:26Z - Message: evict pod; ConditionStatus:True; PodName:ms-standalone-0 + Type: GetPod--mssql-ag-cluster-2 + Last Transition Time: 2024-11-18T14:15:30Z + Message: evict pod; ConditionStatus:True; PodName:mssql-ag-cluster-2 Observed Generation: 1 Status: True - Type: EvictPod--ms-standalone-0 - Last Transition Time: 2024-11-15T11:49:01Z - Message: check pod running; ConditionStatus:True; PodName:ms-standalone-0 + Type: EvictPod--mssql-ag-cluster-2 + Last Transition Time: 2024-11-18T14:16:05Z + Message: check pod running; ConditionStatus:True; PodName:mssql-ag-cluster-2 Observed Generation: 1 Status: True - Type: CheckPodRunning--ms-standalone-0 - Last 
Transition Time: 2024-11-15T11:49:07Z + Type: CheckPodRunning--mssql-ag-cluster-2 + Last Transition Time: 2024-11-18T14:16:10Z Message: Successfully completed reconfigureTLS for mssqlserver. Observed Generation: 1 Reason: Successful @@ -464,15 +360,12 @@ Status: Now, Let's exec into a database node - - ```bash -$ kubectl exec -it ms-standalone-0 -n demo -c mssql -- bash -mssql@ms-standalone-0:/$ ls /var/opt/mssql/tls -ca.crt client.crt client.key server.crt server.key -mssql@ms-standalone-0:/$ openssl x509 -in /var/opt/mssql/tls/client.crt -inform PEM -subject -nameopt RFC2253 -noout +$ kubectl exec -it mssql-ag-cluster-0 -n demo -c mssql -- bash +mssql@mssql-ag-cluster-0:/$ ls /var/opt/mssql/tls +mssql@mssql-ag-cluster-0:/$ openssl x509 -in /var/opt/mssql/tls/client.crt -inform PEM -subject -nameopt RFC2253 -noout subject=CN=mssql,OU=client,O=mssqlserver -mssql@ms-standalone-0:/$ cat /var/opt/mssql/mssql.conf +mssql@mssql-ag-cluster-0:/$ cat /var/opt/mssql/mssql.conf [language] lcid = 1033 [network] @@ -480,7 +373,7 @@ forceencryption = 1 tlscert = /var/opt/mssql/tls/server.crt tlskey = /var/opt/mssql/tls/server.key tlsprotocols = 1.2,1.1,1.0 -mssql@ms-standalone-0:/$ /opt/mssql-tools/bin/sqlcmd -S localhost -U sa -P l2mGQRMETAS96QRb -N +mssql@mssql-ag-cluster-0:/$ /opt/mssql-tools/bin/sqlcmd -S localhost -U sa -P Q9kDWVQMnawLcnZq -N 1> ``` 
@@ -492,10 +385,10 @@ We can verify from the above output that TLS is enabled for this database, `mssq Now we are going to rotate the certificate of this database. First let's check the current expiration date of the certificate. ```bash -$ kubectl exec -it ms-standalone-0 -n demo -c mssql -- bash -mssql@ms-standalone-0:/$ openssl x509 -in /var/opt/mssql/tls/client.crt -inform PEM -enddate -nameopt RFC2253 -noout -notAfter=Feb 16 13:11:02 2025 GMT -mssql@ms-standalone-0:/$ +$ kubectl exec -it mssql-ag-cluster-0 -n demo -c mssql -- bash +mssql@mssql-ag-cluster-0:/$ openssl x509 -in /var/opt/mssql/tls/client.crt -inform PEM -enddate -nameopt RFC2253 -noout +notAfter=Feb 16 14:13:49 2025 GMT +mssql@mssql-ag-cluster-0:/$ ``` So, the certificate will expire on this time `Feb 16 13:11:02 2025 GMT`. @@ -509,12 +402,12 @@ Now we are going to increase it using a MSSQLServerOpsRequest. Below is the yaml apiVersion: ops.kubedb.com/v1alpha1 kind: MSSQLServerOpsRequest metadata: - name: msops-rotate + name: msops-ag-rotate namespace: demo spec: type: ReconfigureTLS databaseRef: - name: ms-standalone + name: mssql-ag-cluster tls: rotateCertificates: true timeout: 5m 
@@ -523,15 +416,15 @@ spec: Here, -- `spec.databaseRef.name` specifies that we are performing reconfigure TLS operation on `ms-standalone` database. +- `spec.databaseRef.name` specifies that we are performing reconfigure TLS operation on `mssql-ag-cluster` database. - `spec.type` specifies that we are performing `ReconfigureTLS` on our database. - `spec.tls.rotateCertificates` specifies that we want to rotate the certificate of this database. Let's create the `MSSQLServerOpsRequest` CR we have shown above, ```bash -$ kubectl apply -f https://github.com/kubedb/docs/raw/{{< param "info.version" >}}/docs/examples/mssqlserver/reconfigure-tls/msops-rotate.yaml -mssqlserveropsrequest.ops.kubedb.com/msops-rotate created +$ kubectl apply -f https://github.com/kubedb/docs/raw/{{< param "info.version" >}}/docs/examples/mssqlserver/reconfigure-tls/msops-ag-rotate.yaml +mssqlserveropsrequest.ops.kubedb.com/msops-ag-rotate created ``` #### Verify Certificate Rotated Successfully 
@@ -541,102 +434,132 @@ Let's wait for `MSSQLServerOpsRequest` to be `Successful`. Run the following co ```bash $ kubectl get mssqlserveropsrequest -n demo Every 2.0s: kubectl get mssqlserveropsrequest -n demo -NAME TYPE STATUS AGE -msops-rotate ReconfigureTLS Successful 2m47s +NAME TYPE STATUS AGE +msops-ag-rotate ReconfigureTLS Successful 5m14s ``` We can see from the above output that the `MSSQLServerOpsRequest` has succeeded. If we describe the `MSSQLServerOpsRequest` we will get an overview of the steps that were followed. ```bash -$ kubectl describe mssqlserveropsrequest -n demo msops-rotate -Name: msops-rotate +$ kubectl describe mssqlserveropsrequest -n demo msops-ag-rotate +Name: msops-ag-rotate Namespace: demo Labels: Annotations: API Version: ops.kubedb.com/v1alpha1 Kind: MSSQLServerOpsRequest Metadata: - Creation Timestamp: 2024-11-18T13:17:50Z + Creation Timestamp: 2024-11-18T14:36:38Z Generation: 1 - Resource Version: 549743 - UID: af51934d-1fb4-4fa6-b254-46b1de199fae + Resource Version: 558973 + UID: 54eca6e2-5e08-4730-a18a-1a754d2d8ea3 Spec: Apply: IfReady Database Ref: - Name: ms-standalone + Name: mssql-ag-cluster Timeout: 5m Tls: Rotate Certificates: true Type: ReconfigureTLS Status: Conditions: - Last Transition Time: 2024-11-18T13:17:50Z + Last Transition Time: 2024-11-18T14:36:38Z Message: MSSQLServer ops-request has started to reconfigure tls for mssqlserver nodes Observed Generation: 1 Reason: ReconfigureTLS Status: True Type: ReconfigureTLS - Last Transition Time: 2024-11-18T13:17:50Z + Last Transition Time: 2024-11-18T14:36:54Z Message: Successfully paused database Observed Generation: 1 Reason: DatabasePauseSucceeded Status: True Type: DatabasePauseSucceeded - Last Transition Time: 2024-11-18T13:17:50Z + Last Transition Time: 2024-11-18T14:36:54Z Message: successfully add issuing condition to all the certificates Observed Generation: 1 Reason: IssueCertificatesSucceeded Status: True Type: IssueCertificatesSucceeded - Last Transition Time: 
2024-11-18T13:18:00Z + Last Transition Time: 2024-11-18T14:37:04Z Message: Successfully synced all certificates Observed Generation: 1 Reason: CertificateSynced Status: True Type: CertificateSynced - Last Transition Time: 2024-11-18T13:17:55Z + Last Transition Time: 2024-11-18T14:36:59Z Message: get certificate; ConditionStatus:True Observed Generation: 1 Status: True Type: GetCertificate - Last Transition Time: 2024-11-18T13:17:55Z + Last Transition Time: 2024-11-18T14:36:59Z Message: check ready condition; ConditionStatus:True Observed Generation: 1 Status: True Type: CheckReadyCondition - Last Transition Time: 2024-11-18T13:17:55Z + Last Transition Time: 2024-11-18T14:36:59Z Message: issuing condition; ConditionStatus:True Observed Generation: 1 Status: True Type: IssuingCondition - Last Transition Time: 2024-11-18T13:18:05Z + Last Transition Time: 2024-11-18T14:37:09Z Message: successfully reconciled the MSSQLServer with tls configuration Observed Generation: 1 Reason: UpdatePetSets Status: True Type: UpdatePetSets - Last Transition Time: 2024-11-18T13:18:51Z + Last Transition Time: 2024-11-18T14:40:14Z Message: Successfully restarted all nodes Observed Generation: 1 Reason: RestartNodes Status: True Type: RestartNodes - Last Transition Time: 2024-11-18T13:18:11Z - Message: get pod; ConditionStatus:True; PodName:ms-standalone-0 + Last Transition Time: 2024-11-18T14:37:14Z + Message: get pod; ConditionStatus:True; PodName:mssql-ag-cluster-0 + Observed Generation: 1 + Status: True + Type: GetPod--mssql-ag-cluster-0 + Last Transition Time: 2024-11-18T14:37:14Z + Message: evict pod; ConditionStatus:True; PodName:mssql-ag-cluster-0 + Observed Generation: 1 + Status: True + Type: EvictPod--mssql-ag-cluster-0 + Last Transition Time: 2024-11-18T14:38:19Z + Message: check pod running; ConditionStatus:True; PodName:mssql-ag-cluster-0 + Observed Generation: 1 + Status: True + Type: CheckPodRunning--mssql-ag-cluster-0 + Last Transition Time: 2024-11-18T14:38:24Z + Message: 
get pod; ConditionStatus:True; PodName:mssql-ag-cluster-1 Observed Generation: 1 Status: True - Type: GetPod--ms-standalone-0 - Last Transition Time: 2024-11-18T13:18:11Z - Message: evict pod; ConditionStatus:True; PodName:ms-standalone-0 + Type: GetPod--mssql-ag-cluster-1 + Last Transition Time: 2024-11-18T14:38:24Z + Message: evict pod; ConditionStatus:True; PodName:mssql-ag-cluster-1 Observed Generation: 1 Status: True - Type: EvictPod--ms-standalone-0 - Last Transition Time: 2024-11-18T13:18:46Z - Message: check pod running; ConditionStatus:True; PodName:ms-standalone-0 + Type: EvictPod--mssql-ag-cluster-1 + Last Transition Time: 2024-11-18T14:39:09Z + Message: check pod running; ConditionStatus:True; PodName:mssql-ag-cluster-1 Observed Generation: 1 Status: True - Type: CheckPodRunning--ms-standalone-0 - Last Transition Time: 2024-11-18T13:18:51Z + Type: CheckPodRunning--mssql-ag-cluster-1 + Last Transition Time: 2024-11-18T14:39:14Z + Message: get pod; ConditionStatus:True; PodName:mssql-ag-cluster-2 + Observed Generation: 1 + Status: True + Type: GetPod--mssql-ag-cluster-2 + Last Transition Time: 2024-11-18T14:39:14Z + Message: evict pod; ConditionStatus:True; PodName:mssql-ag-cluster-2 + Observed Generation: 1 + Status: True + Type: EvictPod--mssql-ag-cluster-2 + Last Transition Time: 2024-11-18T14:40:09Z + Message: check pod running; ConditionStatus:True; PodName:mssql-ag-cluster-2 + Observed Generation: 1 + Status: True + Type: CheckPodRunning--mssql-ag-cluster-2 + Last Transition Time: 2024-11-18T14:40:14Z Message: Successfully completed reconfigureTLS for mssqlserver. Observed Generation: 1 Reason: Successful 
@@ -649,9 +572,9 @@ Status:
 Now, let's check the expiration date of the certificate.
 ```bash
-$ kubectl exec -it ms-standalone-0 -n demo -c mssql -- bash
-mssql@ms-standalone-0:/$ openssl x509 -in /var/opt/mssql/tls/client.crt -inform PEM -enddate -nameopt RFC2253 -noout
-notAfter=Feb 16 13:17:50 2025 GMT
+$ kubectl exec -it mssql-ag-cluster-0 -n demo -c mssql -- bash
+mssql@mssql-ag-cluster-0:/$ openssl x509 -in /var/opt/mssql/tls/client.crt -inform PEM -enddate -nameopt RFC2253 -noout
+notAfter=Feb 16 14:36:54 2025 GMT
 ```
 As we can see from the above output, the certificate has been rotated successfully.
@@ -687,7 +610,7 @@ Now, Let's create a new `Issuer` using the `mssqlserver-new-ca` secret that we h
 apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
- name: ms-new-issuer
+ name: mssqlserver-new-ca-issuer
 namespace: demo
 spec:
 ca:
@@ -698,7 +621,7 @@ Let's apply the `YAML` file:
 ```bash
 $ kubectl create -f https://github.com/kubedb/docs/raw/{{< param "info.version" >}}/docs/examples/mssqlserver/reconfigure-tls/new-issuer.yaml
-issuer.cert-manager.io/ms-new-issuer created
+issuer.cert-manager.io/mssqlserver-new-ca-issuer created
 ```
 ### Create MSSQLServerOpsRequest
@@ -709,30 +632,30 @@ In order to use the new issuer to issue new certificates, we have to create a `M
 apiVersion: ops.kubedb.com/v1alpha1
 kind: MSSQLServerOpsRequest
 metadata:
- name: mops-change-issuer
+ name: msops-ag-change-issuer
 namespace: demo
 spec:
 type: ReconfigureTLS
 databaseRef:
- name: ms-standalone
+ name: mssql-ag-cluster
 tls:
 issuerRef:
- name: ms-new-issuer
+ name: mssqlserver-new-ca-issuer
 kind: Issuer
 apiGroup: "cert-manager.io"
 ```
 Here,
-- `spec.databaseRef.name` specifies that we are performing reconfigure TLS operation on `ms-standalone` database.
+- `spec.databaseRef.name` specifies that we are performing reconfigure TLS operation on `mssql-ag-cluster` database.
 - `spec.type` specifies that we are performing `ReconfigureTLS` on our database.
 - `spec.tls.issuerRef` specifies the issuer name, kind and api group.
 Let's create the `MSSQLServerOpsRequest` CR we have shown above,
 ```bash
-$ kubectl apply -f https://github.com/kubedb/docs/raw/{{< param "info.version" >}}/docs/examples/mssqlserver/reconfigure-tls/mops-change-issuer.yaml
-mssqlserveropsrequest.ops.kubedb.com/mops-change-issuer created
+$ kubectl apply -f https://github.com/kubedb/docs/raw/{{< param "info.version" >}}/docs/examples/mssqlserver/reconfigure-tls/msops-ag-change-issuer.yaml
+mssqlserveropsrequest.ops.kubedb.com/msops-ag-change-issuer created
 ```
 #### Verify Issuer is changed successfully
@@ -742,111 +665,142 @@ Let's wait for `MSSQLServerOpsRequest` to be `Successful`. Run the following co
 ```bash
 $ kubectl get mssqlserveropsrequest -n demo
 Every 2.0s: kubectl get mssqlserveropsrequest -n demo
-NAME TYPE STATUS AGE
-mops-change-issuer ReconfigureTLS Successful 105s
+NAME TYPE STATUS AGE
+msops-ag-change-issuer ReconfigureTLS Successful 3m56s
 ```
 We can see from the above output that the `MSSQLServerOpsRequest` has succeeded. If we describe the `MSSQLServerOpsRequest` we will get an overview of the steps that were followed.
 ```bash
-$ kubectl describe mssqlserveropsrequest -n demo mops-change-issuer
-Name: mops-change-issuer
+$ kubectl describe mssqlserveropsrequest -n demo msops-ag-change-issuer
+Name: msops-ag-change-issuer
 Namespace: demo
 Labels:
 Annotations:
 API Version: ops.kubedb.com/v1alpha1
 Kind: MSSQLServerOpsRequest
 Metadata:
- Creation Timestamp: 2021-03-11T16:27:47Z
+ Creation Timestamp: 2024-11-18T14:46:57Z
 Generation: 1
- Managed Fields:
- API Version: ops.kubedb.com/v1alpha1
- Fields Type: FieldsV1
- fieldsV1:
- f:metadata:
- f:annotations:
- .:
- f:kubectl.kubernetes.io/last-applied-configuration:
- f:spec:
- .:
- f:databaseRef:
- .:
- f:name:
- f:tls:
- .:
- f:issuerRef:
- .:
- f:apiGroup:
- f:kind:
- f:name:
- f:type:
- Manager: kubectl-client-side-apply
- Operation: Update
- Time: 2021-03-11T16:27:47Z
- API Version: ops.kubedb.com/v1alpha1
- Fields Type: FieldsV1
- fieldsV1:
- f:status:
- .:
- f:conditions:
- f:observedGeneration:
- f:phase:
- Manager: kubedb-enterprise
- Operation: Update
- Time: 2021-03-11T16:27:47Z
- Resource Version: 523903
- Self Link: /apis/ops.kubedb.com/v1alpha1/namespaces/demo/mssqlserveropsrequests/mops-change-issuer
- UID: cdfe8a7d-52ef-466c-a5dd-97e74ad598ca
+ Resource Version: 560150
+ UID: 5bf3e378-01b4-4dc9-aeeb-8cf5765aed10
 Spec:
+ Apply: IfReady
 Database Ref:
- Name: ms-standalone
+ Name: mssql-ag-cluster
 Tls:
 Issuer Ref:
 API Group: cert-manager.io
 Kind: Issuer
- Name: ms-new-issuer
+ Name: mssqlserver-new-ca-issuer
 Type: ReconfigureTLS
 Status:
 Conditions:
- Last Transition Time: 2021-03-11T16:27:47Z
- Message: MSSQLServer ops request is reconfiguring TLS
+ Last Transition Time: 2024-11-18T14:46:57Z
+ Message: MSSQLServer ops-request has started to reconfigure tls for mssqlserver nodes
 Observed Generation: 1
 Reason: ReconfigureTLS
 Status: True
 Type: ReconfigureTLS
- Last Transition Time: 2021-03-11T16:27:52Z
- Message: Successfully Issued New Certificates
+ Last Transition Time: 2024-11-18T14:47:00Z
+ Message: Successfully paused database
+ Observed Generation: 1
+ Reason: DatabasePauseSucceeded
+ Status: True
+ Type: DatabasePauseSucceeded
+ Last Transition Time: 2024-11-18T14:47:10Z
+ Message: Successfully synced all certificates
+ Observed Generation: 1
+ Reason: CertificateSynced
+ Status: True
+ Type: CertificateSynced
+ Last Transition Time: 2024-11-18T14:47:05Z
+ Message: get certificate; ConditionStatus:True
+ Observed Generation: 1
+ Status: True
+ Type: GetCertificate
+ Last Transition Time: 2024-11-18T14:47:05Z
+ Message: check ready condition; ConditionStatus:True
+ Observed Generation: 1
+ Status: True
+ Type: CheckReadyCondition
+ Last Transition Time: 2024-11-18T14:47:05Z
+ Message: issuing condition; ConditionStatus:True
+ Observed Generation: 1
+ Status: True
+ Type: IssuingCondition
+ Last Transition Time: 2024-11-18T14:47:15Z
+ Message: successfully reconciled the MSSQLServer with tls configuration
+ Observed Generation: 1
+ Reason: UpdatePetSets
+ Status: True
+ Type: UpdatePetSets
+ Last Transition Time: 2024-11-18T14:49:40Z
+ Message: Successfully restarted all nodes
+ Observed Generation: 1
+ Reason: RestartNodes
+ Status: True
+ Type: RestartNodes
+ Last Transition Time: 2024-11-18T14:47:20Z
+ Message: get pod; ConditionStatus:True; PodName:mssql-ag-cluster-0
+ Observed Generation: 1
+ Status: True
+ Type: GetPod--mssql-ag-cluster-0
+ Last Transition Time: 2024-11-18T14:47:20Z
+ Message: evict pod; ConditionStatus:True; PodName:mssql-ag-cluster-0
+ Observed Generation: 1
+ Status: True
+ Type: EvictPod--mssql-ag-cluster-0
+ Last Transition Time: 2024-11-18T14:48:05Z
+ Message: check pod running; ConditionStatus:True; PodName:mssql-ag-cluster-0
 Observed Generation: 1
- Reason: CertificateIssuingSuccessful
 Status: True
- Type: CertificateIssuingSuccessful
- Last Transition Time: 2021-03-11T16:29:37Z
- Message: Successfully Restarted ReplicaSet nodes
+ Type: CheckPodRunning--mssql-ag-cluster-0
+ Last Transition Time: 2024-11-18T14:48:10Z
+ Message: get pod; ConditionStatus:True; PodName:mssql-ag-cluster-1
 Observed Generation: 1
- Reason: RestartReplicaSet
 Status: True
- Type: RestartReplicaSet
- Last Transition Time: 2021-03-11T16:29:37Z
- Message: Successfully Reconfigured TLS
+ Type: GetPod--mssql-ag-cluster-1
+ Last Transition Time: 2024-11-18T14:48:10Z
+ Message: evict pod; ConditionStatus:True; PodName:mssql-ag-cluster-1
+ Observed Generation: 1
+ Status: True
+ Type: EvictPod--mssql-ag-cluster-1
+ Last Transition Time: 2024-11-18T14:48:50Z
+ Message: check pod running; ConditionStatus:True; PodName:mssql-ag-cluster-1
+ Observed Generation: 1
+ Status: True
+ Type: CheckPodRunning--mssql-ag-cluster-1
+ Last Transition Time: 2024-11-18T14:48:55Z
+ Message: get pod; ConditionStatus:True; PodName:mssql-ag-cluster-2
+ Observed Generation: 1
+ Status: True
+ Type: GetPod--mssql-ag-cluster-2
+ Last Transition Time: 2024-11-18T14:48:55Z
+ Message: evict pod; ConditionStatus:True; PodName:mssql-ag-cluster-2
+ Observed Generation: 1
+ Status: True
+ Type: EvictPod--mssql-ag-cluster-2
+ Last Transition Time: 2024-11-18T14:49:35Z
+ Message: check pod running; ConditionStatus:True; PodName:mssql-ag-cluster-2
+ Observed Generation: 1
+ Status: True
+ Type: CheckPodRunning--mssql-ag-cluster-2
+ Last Transition Time: 2024-11-18T14:49:40Z
+ Message: Successfully completed reconfigureTLS for mssqlserver.
 Observed Generation: 1
 Reason: Successful
 Status: True
 Type: Successful
 Observed Generation: 1
 Phase: Successful
-Events:
- Type Reason Age From Message
- ---- ------ ---- ---- -------
- Normal CertificateIssuingSuccessful 2m27s KubeDB Ops-manager operator Successfully Issued New Certificates
- Normal RestartReplicaSet 42s KubeDB Ops-manager operator Successfully Restarted ReplicaSet nodes
- Normal Successful 42s KubeDB Ops-manager operator Successfully Reconfigured TLS
 ```
-Now, Let's exec into a database node and find out the ca subject to see if it matches the one we have provided.
+Now, Lets exec into a database node and find out the ca subject to see if it matches the one we have provided.
 ```bash
-$ kubectl exec -it ms-standalone-2 -n demo bash
-root@ms o-rs-tls-2:/$ openssl x509 -in /var/run/mssqlserver/tls/ca.crt -inform PEM -subject -nameopt RFC2253 -noout
+$ kubectl exec -it mssql-ag-cluster-2 -n demo -c mssql -- bash
+mssql@mssql-ag-cluster-2:/$ openssl x509 -in /var/opt/mssql/tls/ca.crt -inform PEM -subject -nameopt RFC2253 -noout
 subject=O=kubedb-updated,CN=ca-updated
 ```
@@ -864,27 +818,27 @@ Below is the YAML of the `MSSQLServerOpsRequest` CRO that we are going to create
 apiVersion: ops.kubedb.com/v1alpha1
 kind: MSSQLServerOpsRequest
 metadata:
- name: mops-remove
+ name: msops-ag-remove
 namespace: demo
 spec:
 type: ReconfigureTLS
 databaseRef:
- name: ms-standalone
+ name: mssql-ag-cluster
 tls:
 remove: true
 ```
 Here,
-- `spec.databaseRef.name` specifies that we are performing reconfigure TLS operation on `ms-standalone` database.
+- `spec.databaseRef.name` specifies that we are performing reconfigure TLS operation on `mssql-ag-cluster` database.
 - `spec.type` specifies that we are performing `ReconfigureTLS` on our database.
 - `spec.tls.remove` specifies that we want to remove tls from this database.
 Let's create the `MSSQLServerOpsRequest` CR we have shown above,
 ```bash
-$ kubectl apply -f https://github.com/kubedb/docs/raw/{{< param "info.version" >}}/docs/examples/mssqlserver/reconfigure-tls/mops-remove.yaml
-mssqlserveropsrequest.ops.kubedb.com/mops-remove created
+$ kubectl apply -f https://github.com/kubedb/docs/raw/{{< param "info.version" >}}/docs/examples/mssqlserver/reconfigure-tls/msops-ag-remove.yaml
+mssqlserveropsrequest.ops.kubedb.com/msops-ag-remove created
 ```
 #### Verify TLS Removed Successfully
@@ -892,134 +846,142 @@ mssqlserveropsrequest.ops.kubedb.com/mops-remove created
 Let's wait for `MSSQLServerOpsRequest` to be `Successful`. Run the following command to watch `MSSQLServerOpsRequest` CRO,
 ```bash
-$ kubectl get mssqlserveropsrequest -n demo
+$ watch kubectl get mssqlserveropsrequest -n demo
 Every 2.0s: kubectl get mssqlserveropsrequest -n demo
-NAME TYPE STATUS AGE
-mops-remove ReconfigureTLS Successful 105s
+NAME TYPE STATUS AGE
+msops-ag-remove ReconfigureTLS Successful 5m17s
 ```
 We can see from the above output that the `MSSQLServerOpsRequest` has succeeded. If we describe the `MSSQLServerOpsRequest` we will get an overview of the steps that were followed.
 ```bash
-$ kubectl describe mssqlserveropsrequest -n demo mops-remove
-Name: mops-remove
+$ kubectl describe mssqlserveropsrequest -n demo msops-ag-remove
+Name: msops-ag-remove
 Namespace: demo
 Labels:
 Annotations:
 API Version: ops.kubedb.com/v1alpha1
 Kind: MSSQLServerOpsRequest
 Metadata:
- Creation Timestamp: 2021-03-11T16:35:32Z
+ Creation Timestamp: 2024-11-18T14:56:16Z
 Generation: 1
- Managed Fields:
- API Version: ops.kubedb.com/v1alpha1
- Fields Type: FieldsV1
- fieldsV1:
- f:metadata:
- f:annotations:
- .:
- f:kubectl.kubernetes.io/last-applied-configuration:
- f:spec:
- .:
- f:databaseRef:
- .:
- f:name:
- f:tls:
- .:
- f:remove:
- f:type:
- Manager: kubectl-client-side-apply
- Operation: Update
- Time: 2021-03-11T16:35:32Z
- API Version: ops.kubedb.com/v1alpha1
- Fields Type: FieldsV1
- fieldsV1:
- f:status:
- .:
- f:conditions:
- f:observedGeneration:
- f:phase:
- Manager: kubedb-enterprise
- Operation: Update
- Time: 2021-03-11T16:35:32Z
- Resource Version: 525550
- Self Link: /apis/ops.kubedb.com/v1alpha1/namespaces/demo/mssqlserveropsrequests/mops-remove
- UID: 99184cc4-1595-4f0f-b8eb-b65c5d0e86a6
+ Resource Version: 561471
+ UID: 7f43e8b9-4ae9-4f5d-9355-c58a4dbf4504
 Spec:
+ Apply: IfReady
 Database Ref:
- Name: ms-standalone
+ Name: mssql-ag-cluster
 Tls:
 Remove: true
 Type: ReconfigureTLS
 Status:
 Conditions:
- Last Transition Time: 2021-03-11T16:35:32Z
- Message: MSSQLServer ops request is reconfiguring TLS
+ Last Transition Time: 2024-11-18T14:56:16Z
+ Message: MSSQLServer ops-request has started to reconfigure tls for mssqlserver nodes
 Observed Generation: 1
 Reason: ReconfigureTLS
 Status: True
 Type: ReconfigureTLS
- Last Transition Time: 2021-03-11T16:35:37Z
- Message: Successfully Updated PetSets
+ Last Transition Time: 2024-11-18T14:56:19Z
+ Message: Successfully paused database
+ Observed Generation: 1
+ Reason: DatabasePauseSucceeded
+ Status: True
+ Type: DatabasePauseSucceeded
+ Last Transition Time: 2024-11-18T14:56:24Z
+ Message: successfully reconciled the MSSQLServer with tls configuration
+ Observed Generation: 1
+ Reason: UpdatePetSets
+ Status: True
+ Type: UpdatePetSets
+ Last Transition Time: 2024-11-18T15:01:29Z
+ Message: Successfully restarted all nodes
+ Observed Generation: 1
+ Reason: RestartNodes
+ Status: True
+ Type: RestartNodes
+ Last Transition Time: 2024-11-18T14:56:29Z
+ Message: get pod; ConditionStatus:True; PodName:mssql-ag-cluster-0
+ Observed Generation: 1
+ Status: True
+ Type: GetPod--mssql-ag-cluster-0
+ Last Transition Time: 2024-11-18T14:56:29Z
+ Message: evict pod; ConditionStatus:True; PodName:mssql-ag-cluster-0
+ Observed Generation: 1
+ Status: True
+ Type: EvictPod--mssql-ag-cluster-0
+ Last Transition Time: 2024-11-18T14:59:19Z
+ Message: check pod running; ConditionStatus:True; PodName:mssql-ag-cluster-0
+ Observed Generation: 1
+ Status: True
+ Type: CheckPodRunning--mssql-ag-cluster-0
+ Last Transition Time: 2024-11-18T14:59:24Z
+ Message: get pod; ConditionStatus:True; PodName:mssql-ag-cluster-1
 Observed Generation: 1
- Reason: TLSRemoved
 Status: True
- Type: TLSRemoved
- Last Transition Time: 2021-03-11T16:37:07Z
- Message: Successfully Restarted ReplicaSet nodes
+ Type: GetPod--mssql-ag-cluster-1
+ Last Transition Time: 2024-11-18T14:59:25Z
+ Message: evict pod; ConditionStatus:True; PodName:mssql-ag-cluster-1
 Observed Generation: 1
- Reason: RestartReplicaSet
 Status: True
- Type: RestartReplicaSet
- Last Transition Time: 2021-03-11T16:37:07Z
- Message: Successfully Reconfigured TLS
+ Type: EvictPod--mssql-ag-cluster-1
+ Last Transition Time: 2024-11-18T15:00:09Z
+ Message: check pod running; ConditionStatus:True; PodName:mssql-ag-cluster-1
+ Observed Generation: 1
+ Status: True
+ Type: CheckPodRunning--mssql-ag-cluster-1
+ Last Transition Time: 2024-11-18T15:00:14Z
+ Message: get pod; ConditionStatus:True; PodName:mssql-ag-cluster-2
+ Observed Generation: 1
+ Status: True
+ Type: GetPod--mssql-ag-cluster-2
+ Last Transition Time: 2024-11-18T15:00:14Z
+ Message: evict pod; ConditionStatus:True; PodName:mssql-ag-cluster-2
+ Observed Generation: 1
+ Status: True
+ Type: EvictPod--mssql-ag-cluster-2
+ Last Transition Time: 2024-11-18T15:01:24Z
+ Message: check pod running; ConditionStatus:True; PodName:mssql-ag-cluster-2
+ Observed Generation: 1
+ Status: True
+ Type: CheckPodRunning--mssql-ag-cluster-2
+ Last Transition Time: 2024-11-18T15:01:29Z
+ Message: Successfully completed reconfigureTLS for mssqlserver.
 Observed Generation: 1
 Reason: Successful
 Status: True
 Type: Successful
 Observed Generation: 1
 Phase: Successful
-Events:
- Type Reason Age From Message
- ---- ------ ---- ---- -------
- Normal PauseDatabase 2m5s KubeDB Ops-manager operator Pausing MSSQLServer demo/ms-standalone
- Normal PauseDatabase 2m5s KubeDB Ops-manager operator Successfully paused MSSQLServer demo/ms-standalone
- Normal TLSRemoved 2m5s KubeDB Ops-manager operator Successfully Updated PetSets
- Normal RestartReplicaSet 35s KubeDB Ops-manager operator Successfully Restarted ReplicaSet nodes
- Normal ResumeDatabase 35s KubeDB Ops-manager operator Resuming MSSQLServer demo/ms-standalone
- Normal ResumeDatabase 35s KubeDB Ops-manager operator Successfully resumed MSSQLServer demo/ms-standalone
- Normal Successful 35s KubeDB Ops-manager operator Successfully Reconfigured TLS
 ```
-Now, Let's exec into the database primary node and find out that TLS is disabled or not.
+Now, Lets exec into the database node and find out that TLS is disabled or not.
 ```bash
-$ kubectl exec -it -n demo ms-standalone-1 -- mongo admin -u root -p 'U6(h_pYrekLZ2OOd'
-rs0:PRIMARY> db.adminCommand({ getParameter:1, sslMode:1 })
-{
- "sslMode" : "disabled",
- "ok" : 1,
- "$clusterTime" : {
- "clusterTime" : Timestamp(1615480817, 1),
- "signature" : {
- "hash" : BinData(0,"CWJngDTQqDhKXyx7WMFJqqUfvhY="),
- "keyId" : NumberLong("6938294279689207810")
- }
- },
- "operationTime" : Timestamp(1615480817, 1)
-}
+$ kubectl exec -it -n demo mssql-ag-cluster-1 -c mssql -- bash
+mssql@mssql-ag-cluster-1:/$ cat /var/opt/mssql/mssql.conf
+[language]
+lcid = 1033
+mssql@mssql-ag-cluster-1:/$ /opt/mssql-tools/bin/sqlcmd -S localhost -U sa -P Q9kDWVQMnawLcnZq -N
+Sqlcmd: Error: Microsoft ODBC Driver 17 for SQL Server : SSL Provider: [error:0A000086:SSL routines::certificate verify failed:self-signed certificate].
+Sqlcmd: Error: Microsoft ODBC Driver 17 for SQL Server : Client unable to establish connection.
+
+
+So Now, we have to connect with -C [Trust Server Certificate]
+mssql@mssql-ag-cluster-1:/$ /opt/mssql-tools/bin/sqlcmd -S localhost -U sa -P Q9kDWVQMnawLcnZq -N -C
+1>
 ```
 So, we can see from the above that, output that tls is disabled successfully.
 ## Cleaning up
-To cleanup the Kubernetes resources created by this tutorial, run:
+To clean up the Kubernetes resources created by this tutorial, run:
 ```bash
-kubectl delete mssqlserver -n demo ms-standalone
-kubectl delete issuer -n demo ms-issuer ms-new-issuer
-kubectl delete mssqlserveropsrequest msops-add-tls mops-remove msops-rotate mops-change-issuer
+kubectl delete mssqlserver -n demo mssql-ag-cluster
+kubectl delete issuer -n demo mssqlserver-ca-issuer mssqlserver-new-ca-issuer
+kubectl delete mssqlserveropsrequest msops-ag-add-tls msops-ag-remove msops-ag-rotate msops-ag-change-issuer
 kubectl delete ns demo
 ```