K
Q

How to set up secure cockroachdb on Kubernetes to be accessible from NodeJs

2/8/2018

I am a newbie with both Kubernetes and CockroachDB. I have a secured multinode node database running on a Kubernetes cluster and have been able to expose it externally and monitor it using the cockroach UI.

service list

Now I want to access it from a node app using either pg for Node or sequelize. However I get connection timeouts.

I believe I have to create a client certificate and use it to make the connection but I can find no Kubernetes specific docs on how to do this. If anyone has succeeded with this, how did you create the cert, and how did you use it in your node app?

-- bruce
cockroachdb
kubernetes
pg

Similar Questions

Postgres connection refused (via CloudSQL proxy) when doing rolling update Kubernetes
Helm - Launching a group of PVC in same AZ on AWS
Not able to provide additional User-Data in instance groups through kops edit
Using Fluentd for store logs in ElasticSearch

1 Answer

2/8/2018

I've figured out how to do this by picking up the certificates I generated for the local sql client and re-using them in my node app - like this

const pool = new Pool({
  host: 'xxxx',
  max: 20,
  idleTimeoutMillis: 30000,
  connectionTimeoutMillis: 2000,
  port:26257,
  user:"root",
  database:"xxxx",
  ssl : {
      rejectUnauthorized : false,
      ca   : fs.readFileSync("./ca/ca.crt").toString(),
      key  : fs.readFileSync("./ca/client.xxxx.key").toString(),
      cert : fs.readFileSync("./ca/client.xxxx.crt").toString()
  }

});

I exposed the public pod as a service in kubernetes like this

kubectl expose service cockroachdb-public --port=26257 --target-port=26257 --name=cp --type=LoadBalancer

and picked up the external ip address that eventually got assigned to the service.

Pretty straightforward actually, but head scratching when you approach it for the first time. Thanks to those that took the time to comment.

@samstride just noticed your comment. Probably better to use a user other than root, but you can get these certs like this (probably other ways too).

ca (using the cockroachdb-client-secure pod if you still have it running)

kubectl exec cockroachdb-client-secure -it -- cat /cockroach-certs/ca.crt  > ./ca.crt

key

kubectl get secret default.client.root -o jsonpath='{.data.key}' | base64 --decode > client.root.key

cert

kubectl get secret default.client.root -o jsonpath='{.data.cert}' | base64 --decode > client.root.crt
-- bruce
Source: StackOverflow