|
1 | 1 | # Set up a demo etcd installation
|
2 | 2 |
|
3 |
| -This guide will help you set up an example etcd cluster that you can use with CN-WAN Operator. For the scope of this demo and keep things simple, the etcd cluster will consist of only one node - or instance. |
| 3 | +**IMPORTANT NOTE**: this guide will only help you create a **demo** cluster so that you can quickly have a working example to use with the CN-WAN Operator and is not intended to be used in production. We strongly encourage you to follow more thorough guides if you want to use etcd in production. |
4 | 4 |
|
5 |
| -In the first part, *Create the etcd cluster*, we will install and start etcd. The second part, *Make it more secure*, is not mandatory but **highly** suggested. |
| 5 | +If you want to install etcd on Kubernetes, follow [the first section](#quick-install-on-kubernetes). For a standalone installation using a binary or docker jump to [Standalone installation](#standalone-installation). The section [Make it more secure](#make-it-more-secure), is not mandatory but **highly** suggested. |
6 | 6 |
|
7 |
| -**IMPORTANT NOTE**: this guide will only help you create a **demo** cluster so that you can quickly have a working example to use with the CN-WAN Operator and is not intended to be used in production. We strongly encourage you to follow more thorough guides if you want to use etcd in production. |
| 7 | +## Quick install on Kubernetes |
| 8 | + |
| 9 | +Since the operator runs on Kubernetes, it's safe to assume you have a Kubernetes cluster available, and the simplest way to get up and running quickly with etcd is to install it on the same Kubernetes cluster where you will run the operator. Please note that this etcd installation is separate from the etcd service that comes bundled with Kubernetes. |
| 10 | + |
| 11 | +If you prefer to use a binary on your favorite OS or docker instead, jump to the next section. |
| 12 | + |
| 13 | +We will use *Helm* to install etcd on Kubernetes. The `bitnami` Helm repo holds a chart that is well maintained, so let's add that repo: |
| 14 | + |
| 15 | +```bash |
| 16 | +helm repo add bitnami https://charts.bitnami.com/bitnami |
| 17 | +helm repo update |
| 18 | +``` |
| 19 | + |
| 20 | +Check customization options for the `bitnami/etcd` chart: |
| 21 | + |
| 22 | +```bash |
| 23 | +helm show values bitnami/etcd | less |
| 24 | +``` |
| 25 | + |
| 26 | +Custom options can be added to a `values.yaml` file, or specified on the command line. The following commands will create a separate namespace `etcd` and use Helm to install etcd into that namespace, exposing the etcd Service using a LoadBalancer, enabling RBAC authentication for etcd and creating a root user with password `dem0-pwd`: |
| 27 | + |
| 28 | +```bash |
| 29 | +kubectl create namespace etcd |
| 30 | +helm install etcd bitnami/etcd --namespace etcd --set service.type=LoadBalancer,auth.rbac.enabled=true,auth.rbac.rootPassword=dem0-pwd |
| 31 | +``` |
| 32 | + |
| 33 | +The notes printed after the helm chart installation are very thorough on how to use your shiny new etcd installation. First, you should run a pod with the etcdctl client: |
8 | 34 |
|
9 |
| -## Create the etcd cluster |
| 35 | +```bash |
| 36 | +kubectl run etcd-client --restart='Never' --image docker.io/bitnami/etcd --env ROOT_PASSWORD=$(kubectl get secret --namespace etcd etcd -o jsonpath="{.data.etcd-root-password}" | base64 --decode) --env ETCDCTL_ENDPOINTS="etcd.etcd.svc.cluster.local:2379" --namespace etcd --command -- sleep infinity |
| 37 | +``` |
| 38 | + |
| 39 | +And then create a local shell alias for the etcdctl command on the pod: |
10 | 40 |
|
11 |
| -This section will guide you through installing, setting up and start a demo etcd cluster made up of only one node. |
| 41 | +```bash |
| 42 | +alias etcdctl="kubectl exec -it etcd-client -n etcd -- etcdctl" |
| 43 | +``` |
| 44 | + |
| 45 | +Now try to insert value "test" with key `/test`: |
| 46 | + |
| 47 | +```bash |
| 48 | +etcdctl --user root:<password> put /test "test" |
| 49 | +``` |
| 50 | + |
| 51 | +Now try to read it |
| 52 | + |
| 53 | +```bash |
| 54 | +etcdctl --user root:<password> get /test |
| 55 | +``` |
| 56 | + |
| 57 | +From this moment on you can either continue working using the root account (see section [Next steps](#next-steps)), or following the *Create new user and role* section and updating the above alias accordingly. |
| 58 | + |
| 59 | +## Standalone installation |
| 60 | + |
| 61 | +This section will guide you through installing, setting up and start a demo etcd cluster made up of only one node (for demo purposes, and for keeping things simple). |
12 | 62 |
|
13 | 63 | Please note that while it will create a ready-to-use and working cluster, we **strongly** encourage you to read etcd's [official documentation](https://etcd.io/docs/latest/) to learn how to make it more robust, resilient and secure in case you want to use it in production.
|
14 | 64 |
|
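Review bot: The `helm install` line (new line 30) pairs `service.type=LoadBalancer` with a root password that is printed in the guide itself, `auth.rbac.rootPassword=dem0-pwd`, so a reader who pastes it as written gets an etcd endpoint exposed outside the cluster and protected by a publicly known password. The client pod a few lines later already reaches etcd at `etcd.etcd.svc.cluster.local:2379`, so I would drop the LoadBalancer setting unless external access is actually required, say so in the text if it is, and ask the reader to pick their own password rather than shipping a fixed one. Two smaller points in the same hunk: in the `kubectl run` line the `$(kubectl get secret ... | base64 --decode)` substitution for `ROOT_PASSWORD` is unquoted, and the `put`/`get` examples use `root:<password>`, which a shell parses as redirection if copied literally; quoting both would avoid surprises. The sentence on new line 57 also refers to *Create new user and role* without a link, while the other section references in this change are anchored links.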
@@ -111,6 +161,8 @@ Before going any further, we once again remind you that this is a **demo** clust
|
111 | 161 |
|
112 | 162 | ## Make it more secure
|
113 | 163 |
|
| 164 | +**NOTE:** If you installed on Kubernetes you can skip to [Create new user and role](#create-new-user-and-role). |
| 165 | + |
114 | 166 | While technically only being a demo, this section is not strictly required, but will be very useful for you in case you want to use this solution in production.
|
115 | 167 |
|
116 | 168 | At this point, your demo cluster is fully operative and can already be used as it is, but we will make one step further and make it a bit more secure by adding a dedicated user with limited access to the cluster and no ability to make sensitive modifications to etcd. The CN-WAN Operator will authenticate as this user and thus will have limited visibility to the data stored in the cluster, that is only to data for the service registry.
|
|
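Review bot: The note added at new line 164 sends Kubernetes readers to `#create-new-user-and-role` before they reach the paragraph on line 168 that explains why a dedicated, limited user is wanted for the CN-WAN Operator, and it does not say why the skipped steps are unnecessary. I would move the note below that paragraph and add the reason, for example that the Helm install already enabled RBAC authentication and created the root user. The target heading is not visible in this diff, so please confirm the `#create-new-user-and-role` anchor resolves in the rendered page.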