I am a newbie with both Kubernetes and CockroachDB. I have a secured multi-node database running on a Kubernetes cluster and have been able to expose it externally and monitor it using the CockroachDB UI.

service list

Now I want to access it from a node app using either pg for Node or sequelize. However I get connection timeouts.

I believe I have to create a client certificate and use it to make the connection, but I can find no Kubernetes-specific docs on how to do this. If anyone has succeeded with this, how did you create the cert, and how did you use it in your node app?

How did you deploy cockroach? There's a helm chart for it. Are you deploying your node app into the same cluster? - Lev Kuznetsov
Your app needs to run in the same kubernetes cluster to get client certificates (see docs), or you can run with sslmode=require (warning: no MITM protection with that mode). - Marc
I used the method documented by cockroach. cockroachlabs.com/docs/stable/… . Everything works well for the local built-in client. Now I want to be able to access it from external apps, not part of any kubernetes environment. - bruce
If you want to access a secure deployment from outside kubernetes, you'll need to reduce the ssl level to skip host checking and even ignore the CA if you don't have the ca.crt. - Marc

1 Answer

I've figured out how to do this by picking up the certificates I generated for the local sql client and re-using them in my node app - like this:

const fs = require('fs');
const { Pool } = require('pg');

const pool = new Pool({
  host: 'xxxx',                 // external IP assigned to the LoadBalancer service
  max: 20,
  idleTimeoutMillis: 30000,
  connectionTimeoutMillis: 2000,
  port: 26257,
  user: "root",
  database: "xxxx",
  ssl: {
      // false = the server's certificate chain and hostname are NOT verified.
      // Needed here because the node certificate was not issued for the
      // LoadBalancer's external IP, but it also gives up MITM protection
      // (see Marc's comment above). The client cert/key still authenticate us.
      rejectUnauthorized: false,
      ca:   fs.readFileSync("./ca/ca.crt").toString(),
      key:  fs.readFileSync("./ca/client.xxxx.key").toString(),
      cert: fs.readFileSync("./ca/client.xxxx.crt").toString()
  }
});

I exposed the public pod as a service in kubernetes like this

kubectl expose service cockroachdb-public --port=26257 --target-port=26257 --name=cp --type=LoadBalancer

and picked up the external ip address that eventually got assigned to the service.

Pretty straightforward actually, but head scratching when you approach it for the first time. Thanks to those that took the time to comment.

@samstride just noticed your comment. Probably better to use a user other than root, but you can get these certs like this (probably other ways too).

ca (using the cockroachdb-client-secure pod if you still have it running)

kubectl exec cockroachdb-client-secure -- cat /cockroach-certs/ca.crt > ./ca.crt    # no -t: a TTY would mangle line endings in the redirected output

key

kubectl get secret default.client.root -o jsonpath='{.data.key}' | base64 --decode > client.root.key 

cert

kubectl get secret default.client.root -o jsonpath='{.data.cert}' | base64 --decode > client.root.crt