
added hostAliases support for coordinator and worker deployment #255

Open · wants to merge 1 commit into base: main
Conversation

hosseinabaiyani

Adding a hostAliases template and values for the coordinator deployment and the worker deployment.

This is useful for connecting to databases with a self-signed certificate and an invalid domain name.


cla-bot bot commented Nov 16, 2024

Thank you for your pull request and welcome to the Trino community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. Continue to work with us on the review and improvements in this PR, and submit the signed CLA to [email protected]. Photos, scans, or digitally-signed PDF files are all suitable. Processing may take a few days. The CLA needs to be on file before we merge your changes. For more information, see https://github.com/trinodb/cla

@nineinchnick
Member

Which data sources do you need this for? For example, in PostgreSQL, you can disable host verification by setting sslmode=verify-ca instead of sslmode=verify-full. Maybe other data sources also have an option like this?

@hosseinabaiyani
Author

hosseinabaiyani commented Nov 16, 2024

> Which data sources do you need this for? For example, in PostgreSQL, you can disable host verification by setting sslmode=verify-ca instead of sslmode=verify-full. Maybe other data sources also have an option like this?

For my situation it was MongoDB, but the key is that I wanted to use SSL verification for security reasons,
and I think it may be useful for other users, so I've added support for it in the chart.

@nineinchnick
Member

It doesn't add any security if you fake the hostname. That's why there are options to disable hostname verification. MongoDB has tlsAllowInvalidHostnames.

@hosseinabaiyani
Author

I think I did not properly present my point. This is not a security feature, I'm sorry.

Imagine we have an HA MongoDB cluster with private IPs which is inaccessible from the internet, and we have to reach it through a router server. The router sends traffic to the desired internal server based on the requested hostname.

For example, I have a server with IP 10.2.5.1 (assume it is a valid public IP) and have 3 mongo servers with IPs
192.168.1.1
192.168.1.2
192.168.1.3

and 10.2.5.1 is configured to send traffic to 192.168.1.2 if the request comes with hostname mongo-2.

In this case, to reach that database server, we have to set the hostname for it in the Trino server.

@nineinchnick
Member

Could you achieve the same with a headless service, with one endpoint?

@hosseinabaiyani
Author

A headless service isn't the point in this particular architecture. Think of one proxy server in front of multiple databases with private IPs:

mongo-prod, mongo-sgate, mariadb-users, etc.
All can be connected to using one IP address but with different hostnames.

@nineinchnick
Member

WDYM it isn't the point? Have you tried setting aliases for other hostnames?

@hosseinabaiyani
Author

hosseinabaiyani commented Nov 17, 2024

Dude, this headless service is useful when the database is hosted in a Kubernetes cluster beside Trino, not in another network. Look at the diagram I made:

[image: diagram]

We set the proxy server address in the host alias, and in the aliases we enter the internal hostname.
The proxy server determines which server to send traffic to based on the passed hostname.
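As an added illustration (not the chart's template or anything from this PR): the pod-spec fragment that a hostAliases entry of this kind renders to, using the proxy address 10.2.5.1 and the hostnames from this discussion, next to the ExternalName Service alternative raised later in the thread. The Deployment name, image and the proxy DNS name `proxy.example.internal` are placeholders; the chart's own values keys are not shown in this thread and are not assumed here.

```yaml
# Added example, not the Trino chart's own template.
# 10.2.5.1 and the hostnames are the constructed values from this thread.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: trino-coordinator        # placeholder name
spec:
  template:
    spec:
      # hostAliases is written into /etc/hosts of every container in the
      # pod. The connector then resolves "mongo-prod" to the proxy address
      # while TLS hostname verification still checks the certificate
      # against "mongo-prod", so tlsAllowInvalidHostnames is not needed.
      hostAliases:
        - ip: "10.2.5.1"
          hostnames:
            - "mongo-prod"
            - "mongo-sgate"
            - "mariadb-users"
      containers:
        - name: trino-coordinator
          image: trinodb/trino    # placeholder; pin a tag in real use
---
# Alternative discussed below in the thread: an ExternalName Service.
# externalName must be a DNS name, not an IP address (the limitation
# mentioned in the thread), so the proxy needs a resolvable name.
# Clients connect to mongo-prod.<namespace>.svc.cluster.local, and that
# is the name the server certificate must then cover.
apiVersion: v1
kind: Service
metadata:
  name: mongo-prod
spec:
  type: ExternalName
  externalName: proxy.example.internal   # placeholder DNS name
```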

@hosseinabaiyani
Author

Have you checked my last comment?

@nineinchnick
Member

Sorry, I couldn't respond earlier. I was suggesting using services, but I was not specific enough: you could use them with external names to manage aliases: https://kubernetes.io/docs/concepts/services-networking/service/#externalname

There might be some limitations to service names, like you might not be able to use IP addresses there.

I'm only trying to make sure the use case for this feature is well-defined, and useful to the wider community. Every new feature in the chart adds testing overhead.

@hosseinabaiyani
Author

I believe that this feature is highly useful in complex situations; however, the CLA is signed if you want to merge it.

@nineinchnick
Member

@cla-bot check

cla-bot added the cla-signed label Jan 7, 2025

cla-bot bot commented Jan 7, 2025

The cla-bot has been summoned, and re-checked this pull request!
