Since Harbor is commonly run in Kubernetes, there is a high need to make it fully highly available.
As a database option I would love to use CockroachDB, since it is the easiest and most robust way of running a Postgres-like database in Kubernetes.
Sadly this is not possible with a secure (SSL-protected) CockroachDB cluster, because it is using self-signed certificates.
In the core configmap you can only set POSTGRESQL_SSLMODE, but
sslrootcert, sslcert and sslkey are also needed to create a psql connection string like this:
...?sslmode=verify-full&sslrootcert=/cockroach-certs/ca.crt&sslcert=/cockroach-certs/client.harbor.crt&sslkey=/cockroach-certs/client.harbor.key
Hi @KarstenSiemer, just a heads-up in case you are not aware: you can create password-authenticated users on secure CockroachDB clusters, see the documentation (CREATE USER statements etc.).
~~Unfortunately CockroachDB doesn't support pg_advisory_lock(), which means resolving this issue won't help with CockroachDB usage. Nonetheless it's obviously a nice-to-have and should be possible.~~
I noticed you talked about that in #6942, so I opened an issue for full CockroachDB support (#8649).
Hi @embik, thanks for your answer.
Yes, I am aware that this is possible, but I'd rate it unfavorably, since one should always shoot for making roll-outs completely automatable, and passwords are harder to use than certificates are.
Since you wouldn't want to check a password into a repository, you would have to encrypt it, then you have to save the key somewhere; also you would want to randomly generate it, then you'd need to decrypt it and load it into a secret somehow...
With certificates, however, this is far easier. I'd only have to request a certificate via a CRD for Vault and then just mount, use and enjoy. This makes it a lot easier and safer in my opinion. The whole deployment is manageable via YAML and can be automatically rolled out by e.g. Argo CD.