safety commit

kubernetes/full-create-and-install.sh

@@ -26,21 +26,21 @@ print_env() {
     echo "export NODE_POOL_NAME_AVS=$NODE_POOL_NAME_AVS"
     echo "export ZONE=$ZONE"
     echo "export FEATURES_CONF=$FEATURES_CONF"
-    echo "export AEROSPIKE_CR=$AEROSPIKE_CR"
     echo "export CHART_LOCATION=$CHART_LOCATION"
+
 }
 
 # Function to set environment variables
 set_env_variables() {
     export WORKSPACE="$(pwd)"
     export PROJECT_ID="$(gcloud config get-value project)"
-    export CLUSTER_NAME="${PROJECT_ID}-avs-auth"
+    export CLUSTER_NAME="${PROJECT_ID}-avs-noauth"
     export NODE_POOL_NAME_AEROSPIKE="aerospike-pool"
     export NODE_POOL_NAME_AVS="avs-pool"
     export ZONE="us-central1-c"
     export FEATURES_CONF="$WORKSPACE/features.conf"
-    export AEROSPIKE_CR="$WORKSPACE/manifests/ssd_storage_cluster_cr.yaml"
     export BUILD_DIR="$WORKSPACE/generated"
+    export RUN_INSECURE=1
     export REVERSE_DNS_AVS
 
 }
@@ -50,9 +50,15 @@ reset_build() {
         temp_dir=$(mktemp -d /tmp/avs-deploy-previous.XXXXXX)
         mv -f "$BUILD_DIR" "$temp_dir"
     fi
-    mkdir -p "$BUILD_DIR/input" "$BUILD_DIR/output" "$BUILD_DIR/secrets" "$BUILD_DIR/certs"
+    mkdir -p "$BUILD_DIR/input" "$BUILD_DIR/output" "$BUILD_DIR/secrets" "$BUILD_DIR/certs" "$BUILD_DIR/manifests"
     cp "$FEATURES_CONF" "$BUILD_DIR/secrets/features.conf"
-
+    if [[ "${RUN_INSECURE}" == 1 ]]; then
+        cp $WORKSPACE/manifests/avs-gke-values.yaml $BUILD_DIR/manifests/avs-gke-values.yaml
+        cp $WORKSPACE/manifests/aerospike-cr.yaml $BUILD_DIR/manifests/aerospike-cr.yaml
+    else
+        cp $WORKSPACE/manifests/avs-gke-values-auth.yaml $BUILD_DIR/manifests/avs-gke-values.yaml
+        cp $WORKSPACE/manifests/aerospike-cr-auth.yaml $BUILD_DIR/manifests/aerospike-cr.yaml
+    fi
 }
 
 generate_certs() {
@@ -343,7 +349,7 @@ setup_aerospike() {
     kubectl apply -f https://raw.githubusercontent.com/aerospike/aerospike-kubernetes-operator/master/config/samples/storage/gce_ssd_storage_class.yaml
 
     echo "Deploying Aerospike cluster..."
-    kubectl apply -f "$AEROSPIKE_CR"
+    kubectl apply -f $BUILD_DIR/manifests/aerospike-cr.yaml
 }
 
 # Function to setup AVS node pool and namespace
@@ -387,9 +393,9 @@ deploy_avs_helm_chart() {
     helm repo add aerospike-helm https://artifact.aerospike.io/artifactory/api/helm/aerospike-helm
     helm repo update
     if [ -z "$CHART_LOCATION" ]; then
-        helm install avs-gke --values "manifests/avs-gke-values.yaml" --namespace avs aerospike-helm/aerospike-vector-search --version 0.4.1 --wait
+        helm install avs-gke --values $BUILD_DIR/manifests/avs-gke-values.yaml --namespace avs aerospike-helm/aerospike-vector-search --version 0.4.1 --wait
     else
-        helm install avs-gke --values "manifests/avs-gke-values.yaml" --namespace avs "$CHART_LOCATION" --wait
+        helm install avs-gke --values $BUILD_DIR/manifests/avs-gke-values.yaml --namespace avs "$CHART_LOCATION" --wait
     fi
 }
 

kubernetes/manifests/aerospike-cr.yaml

@@ -0,0 +1,140 @@
+apiVersion: asdb.aerospike.com/v1
+kind: AerospikeCluster
+metadata:
+  name: aerocluster
+  namespace: aerospike
+
+spec:
+  size: 3
+  image: aerospike/aerospike-server-enterprise:7.0.0.0
+  storage:
+    filesystemVolumePolicy:
+      initMethod: deleteFiles
+      cascadeDelete: true
+    blockVolumePolicy:
+      cascadeDelete: true
+    volumes:
+      - name: workdir
+        aerospike:
+          path: /opt/aerospike
+        source:
+          persistentVolume:
+            storageClass: ssd
+            volumeMode: Filesystem
+            size: 1Gi
+      - name: avs-meta
+        aerospike:
+          path: /avs/dev/xvdf
+        source:
+          persistentVolume:
+            storageClass: ssd
+            volumeMode: Block
+            size: 20Gi
+
+      - name: ns
+        aerospike:
+          path: /test/dev/xvdf
+        source:
+          persistentVolume:
+            storageClass: ssd
+            volumeMode: Block
+            size: 20Gi
+      - name: aerospike-config-secret
+        source:
+          secret:
+            secretName: aerospike-secret
+        aerospike:
+          path: /etc/aerospike/secret
+      - name: aerospike-tls-config
+        source:
+          secret:
+            secretName: aerospike-tls
+        aerospike:
+          path: /etc/aerospike/ssl
+
+
+  podSpec:
+    sidecars:
+    - name: aerospike-prometheus-exporter
+      image: aerospike/aerospike-prometheus-exporter:v1.9.0
+      ports:
+        - containerPort: 9145
+          name: exporter
+    affinity:
+      nodeAffinity:
+        requiredDuringSchedulingIgnoredDuringExecution:
+          nodeSelectorTerms:
+          - matchExpressions:
+            - key: aerospike.com/node-pool
+              operator: In
+              values:
+              - "default-rack"
+    multiPodPerHost: false
+
+  # aerospikeAccessControl:
+  #   users:
+  #     - name: admin
+  #       secretName: auth-secret
+  #       roles:
+  #         - sys-admin
+  #         - user-admin
+  #     - name: tester
+  #       secretName: auth-secret
+  #       roles:
+  #         - truncate
+  #         - sindex-admin
+  #         - user-admin
+  #         - data-admin
+  #         - read-write
+  #         - read
+  #         - write
+  #         - read-write-udf
+  #         - sys-admin
+  #         - udf-admin
+  # operatorClientCert:
+  #   secretCertSource:
+  #     secretName: aerospike-tls
+  #     caCertsFilename: ca.aerospike.com.pem
+  #     clientCertFilename: asd.aerospike.com.pem
+  #     clientKeyFilename: asd.aerospike.com.key
+
+  aerospikeConfig:
+    service:
+      feature-key-file: /etc/aerospike/secret/features.conf
+    # security: {}
+    network:
+      service:
+        #        port: 3000
+        tls-name: asd.aerospike.com
+        tls-authenticate-client: "false"
+        tls-port: 4333
+      fabric:
+        #        port: 3001
+        tls-name: asd.aerospike.com
+        tls-port: 3012
+      heartbeat:
+        #        port: 3002
+        tls-name: asd.aerospike.com
+        tls-port: 3011
+      tls:
+        - name: asd.aerospike.com
+          cert-file: /etc/aerospike/ssl/asd.aerospike.com.pem
+          key-file: /etc/aerospike/ssl/asd.aerospike.com.key
+          ca-file: /etc/aerospike/ssl/ca.aerospike.com.pem
+    namespaces:
+      - name: test
+        replication-factor: 2
+        storage-engine:
+          type: device
+          devices:
+            - /test/dev/xvdf
+
+      - name: avs-meta
+        nsup-period: 600
+        nsup-threads: 2
+        evict-tenths-pct: 5
+        replication-factor: 2
+        storage-engine:
+          type: device
+          devices:
+            - /avs/dev/xvdf

kubernetes/manifests/avs-gke-values-auth.yaml

@@ -0,0 +1,129 @@
+replicaCount: 3
+aerospikeVectorSearchConfig:
+  cluster:
+    cluster-name: "avs-db-1"
+  feature-key-file: "/etc/aerospike-vector-search/secrets/features.conf"
+  service:
+    metadata-namespace: "avs-meta"
+    ports:
+      5433:
+        addresses:
+          "0.0.0.0"
+        tls-id: service-tls
+  manage:
+    ports:
+      5040: { }
+
+  heartbeat:
+    seeds:
+      - address: avs-gke-aerospike-vector-search-0.avs-gke-aerospike-vector-search.avs.svc.cluster.local
+#        port: 5001
+        port: 5444
+  interconnect:
+    client-tls-id: interconnect-tls
+    ports:
+      5444:
+        addresses:
+          "0.0.0.0"
+        tls-id: interconnect-tls
+#    ports:
+#      5001:
+#        addresses:
+#          "0.0.0.0"
+  storage:
+    client-policy:
+#      cluster-name: aerocluster
+#      max-conns-per-node: 1000
+      tls-id: aerospike-tls
+      credentials:
+        username: tester
+        password-file: "/etc/aerospike-vector-search/secrets/aerospike-password.txt"
+    seeds:
+      - aerocluster-0-0.aerocluster.aerospike.svc.cluster.local:
+#          port: 3000
+          port: 4333
+          tls-name: "asd.aerospike.com"
+  security:
+    auth-token:
+      private-key: "/etc/aerospike-vector-search/secrets/private_key.pem"
+      private-key-password: "/etc/aerospike-vector-search/secrets/client-password.txt"
+      public-key: "/etc/aerospike-vector-search/secrets/public_key.pem"
+  tls:
+    service-tls:
+      trust-store:
+        store-file: /etc/ssl/certs/ca.aerospike.com.truststore.jks
+        store-password-file: /etc/ssl/certs/storepass
+        key-password-file: "/etc/ssl/certs/keypass"
+      key-store:
+        store-file: /etc/ssl/certs/svc.aerospike.com.keystore.jks
+        store-password-file: /etc/ssl/certs/storepass
+        key-password-file: /etc/ssl/certs/keypass
+#      override-tls-hostname: avs-gke-aerospike-vector-search-0.avs-gke-aerospike-vector-search.aerospike.svc.cluster.local
+
+    interconnect-tls:
+      trust-store:
+        store-file: /etc/ssl/certs/ca.aerospike.com.truststore.jks
+        store-password-file: /etc/ssl/certs/storepass
+        key-password-file: "/etc/ssl/certs/keypass"
+      key-store:
+        store-file: /etc/ssl/certs/avs.aerospike.com.keystore.jks
+        store-password-file: /etc/ssl/certs/storepass
+        key-password-file: /etc/ssl/certs/keypass
+      override-tls-hostname: avs.aerospike.com
+
+    aerospike-tls:
+      trust-store:
+        store-file: "/etc/ssl/certs/ca.aerospike.com.truststore.jks"
+        store-password-file: "/etc/ssl/certs/storepass"
+        key-password-file: "/etc/ssl/certs/keypass"
+      key-store:
+        store-file: "/etc/ssl/certs/avs.aerospike.com.keystore.jks"
+        store-password-file: "/etc/ssl/certs/storepass"
+        key-password-file: "/etc/ssl/certs/keypass"
+#      override-tls-hostname: "asd.aerospike.com"
+  logging:
+    #    file: /var/log/aerospike-vector-search/aerospike-vector-search.log
+    enable-console-logging: false
+    format: simple
+    max-history: 30
+    levels:
+      metrics-ticker: debug
+      root: info
+    ticker-interval: 10
+
+securityContext:
+  allowPrivilegeEscalation: false
+  runAsUser: 0
+image:
+  repository: "aerospike/aerospike-vector-search"
+  pullPolicy: "IfNotPresent"
+  # Overrides the image tag whose default is the chart appVersion.
+  tag: "0.9.0"
+extraSecretVolumeMounts:
+  - name: aerospike-tls
+    mountPath: "/etc/ssl/certs"
+    readOnly: true
+
+extraVolumes:
+  - name: aerospike-tls
+    secret:
+      secretName: aerospike-tls
+      optional: false
+affinity:
+    nodeAffinity:
+      requiredDuringSchedulingIgnoredDuringExecution:
+        nodeSelectorTerms:
+        - matchExpressions:
+          - key: aerospike.com/node-pool
+            operator: In
+            values:
+            - "avs"
+# podAntiAffinity:
+#     requiredDuringSchedulingIgnoredDuringExecution:
+#       - topologyKey: "kubernetes.io/hostname"
+#         labelSelector:
+#           matchExpressions:
+#             - key: "app.kubernetes.io/name"
+#               operator: In
+#               values:
+#                 - "aerospike-vector-search"

kubernetes/manifests/avs-gke-values.yaml

@@ -43,11 +43,11 @@ aerospikeVectorSearchConfig:
 #          port: 3000
           port: 4333
           tls-name: "asd.aerospike.com"
-  security:
-    auth-token:
-      private-key: "/etc/aerospike-vector-search/secrets/private_key.pem"
-      private-key-password: "/etc/aerospike-vector-search/secrets/client-password.txt"
-      public-key: "/etc/aerospike-vector-search/secrets/public_key.pem"
+  # security:
+  #   auth-token:
+  #     private-key: "/etc/aerospike-vector-search/secrets/private_key.pem"
+  #     private-key-password: "/etc/aerospike-vector-search/secrets/client-password.txt"
+  #     public-key: "/etc/aerospike-vector-search/secrets/public_key.pem"
   tls:
     service-tls:
       trust-store: