Commit 0aff637

Merge pull request #43 from barkhachoithani/feature/CLD-278
CLD-278: Enable Intra-Cluster Network Traffic Encryption (XDQP)
2 parents 4a03482 + 6df942b commit 0aff637

4 files changed

+20
-10
lines changed

README.md

Lines changed: 12 additions & 1 deletion
@@ -272,6 +272,14 @@ kubectl logs pod/terminated-host-pod-name
272272
```
273273

274274
If you are permanently removing the host from the MarkLogic cluster, once the pod is terminated, follow standard MarkLogic administrative procedures using the administrative UI or APIs to remove the MarkLogic host from the cluster. Also, because Kubernetes keeps the Persistent Volume Claims and Persistent Volumes around until they are explicitly deleted, you must manually delete them using the Kubernetes APIs before attempting to scale the hosts in the StatefulSet back up again.
275+
276+
### Enabling SSL over XDQP
277+
278+
To enable SSL over XDQP, set the `enableXdqpSsl` to true either in the values.yaml file or using the `--set` flag. All communications to and from hosts in the cluster will be secured. When this setting is on, default SSL certificates will be used for XDQP encryption.
279+
280+
Note: To enable other XDQP/SSL settings like `xdqp ssl allow sslv3`, `xdqp ssl allow tls`, `xdqp ssl ciphers`, use MarkLogic REST Management API. See the MarkLogic documentation [here](https://docs.marklogic.com/REST/management).
281+
282+
275283
# Access the MarkLogic Server
276284

277285
## Service
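Review bot: the new paragraph at +278 names the setting as `enableXdqpSsl`, but the chart parameter (per the table later in this README) is `group.enableXdqpSsl`; `--set enableXdqpSsl=true` would not reach the group block, so use the full key, e.g. `--set group.enableXdqpSsl=true`. It would also help readers hardening a cluster to say what "default SSL certificates" means here (which certificate the hosts present and whether peers verify it), and to state that the value is applied to the group's `xdqp-ssl-enabled` property when the pod initialises, since that is where an operator will look if encryption does not appear to be active.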
@@ -385,7 +393,10 @@ This table describes the list of available parameters for Helm Chart.
385393
| `nameOverride` | String to override the app name | `""` |
386394
| `fullnameOverride` | String to completely replace the generated name | `""` |
387395
| `auth.adminUsername` | Username for default MarkLogic Administrator | `admin` |
388-
| `auth.adminPassword` | Password for default MarkLogic Administrator | `admin` |
396+
| `auth.adminPassword` | Password for default MarkLogic Administrator | `admin`
397+
| `bootstrapHostName` | Host name of MarkLogic bootstrap host | `""`
398+
| `group.name` | group name for joining MarkLogic cluster | `Default` |
399+
| `group.enableXdqpSsl` | SSL encryption for XDQP | `true` |
389400
| `affinity` | Affinity property for pod assignment | `{}` |
390401
| `nodeSelector` | nodeSelector property for pod assignment | `{}` |
391402
| `persistence.enabled` | Enable MarkLogic data persistence using Persistence Volume Claim (PVC). If set to false, EmptyDir will be used | `true` |
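Review bot: the rewritten `auth.adminPassword` row (+396) and the new `bootstrapHostName` row (+397) drop the trailing `|`; the other rows in this table close the last cell, so add it for consistent rendering. Minor wording: `group.name` starts lowercase ("group name for ...") while every other description is capitalised, and `group.enableXdqpSsl` could state the type and scope, e.g. "Enable SSL/TLS encryption of XDQP intra-cluster traffic (boolean)".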

charts/templates/configmap.yaml

Lines changed: 2 additions & 0 deletions
@@ -14,6 +14,8 @@ data:
1414
MARKLOGIC_FQDN_SUFFIX: {{ include "marklogic.headlessURL" . }}
1515
MARKLOGIC_INIT: "true"
1616
MARKLOGIC_JOIN_CLUSTER: "true"
17+
MARKLOGIC_GROUP: {{ .Values.group.name }}
18+
XDQP_SSL_ENABLED: {{ quote .Values.group.enableXdqpSsl }}
1719
---
1820
{{- if .Values.logCollection.enabled }}
1921
apiVersion: v1
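Review bot: `MARKLOGIC_GROUP` at +17 is rendered unquoted while `XDQP_SSL_ENABLED` at +18 goes through `quote`; ConfigMap `data` values must be strings, so a group name that YAML parses as a number or boolean would fail to apply, and `{{ quote .Values.group.name }}` keeps both keys consistent. Since this PR also removes the per-container `MARKLOGIC_GROUP` env entries from statefulset.yaml, please confirm (it is outside the visible hunks) that both the init container and the main container load this ConfigMap through `envFrom`, otherwise the group name and the SSL flag never reach the scripts.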

charts/templates/statefulset.yaml

Lines changed: 4 additions & 8 deletions
@@ -43,8 +43,8 @@ spec:
4343
log "Error: [initContainer] Bootstrap host $MARKLOGIC_BOOTSTRAP_HOST not found, exiting Init container."
4444
exit 1
4545
fi
46-
GROUP_CFG_TEMPLATE='{"group-name":"%s"}'
47-
GROUP_CFG=$(printf "$GROUP_CFG_TEMPLATE" "$MARKLOGIC_GROUP")
46+
GROUP_CFG_TEMPLATE='{"group-name":"%s", "xdqp-ssl-enabled":"%s"}'
47+
GROUP_CFG=$(printf "$GROUP_CFG_TEMPLATE" "$MARKLOGIC_GROUP" "$XDQP_SSL_ENABLED")
4848
GROUP_RESP_CODE=`curl --anyauth -m 20 -s -o /dev/null -w "%{http_code}" -X GET http://${MARKLOGIC_BOOTSTRAP_HOST}:8002/manage/v2/groups/${MARKLOGIC_GROUP} --anyauth --user ${MARKLOGIC_ADMIN_USERNAME}:${MARKLOGIC_ADMIN_PASSWORD}`
4949
if [[ ${GROUP_RESP_CODE} -eq 200 ]]; then
5050
log "Info: [initContainer] Skipping creation of group $MARKLOGIC_GROUP as it already exists on the MarkLogic cluster."
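Review bot: `"xdqp-ssl-enabled":"%s"` at +46 emits the flag as a JSON string (`"true"`/`"false"`) rather than a JSON boolean; if the Management API tolerates the string form this works, but since `XDQP_SSL_ENABLED` is always rendered from a Helm boolean it is safer to write `"xdqp-ssl-enabled":%s` so the payload is `true`/`false`. The template is also filled with `printf` and no escaping, so a group name containing `"` or `\` breaks the JSON (pre-existing, but this change widens the template). Two smaller points on the unchanged context line 48: `--anyauth` is passed twice, and `--user ${MARKLOGIC_ADMIN_USERNAME}:${MARKLOGIC_ADMIN_PASSWORD}` exposes the admin password to anything that can read the container's process list; curl's `-K`/`--config` file or `--netrc-file` keeps it off the command line.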
@@ -64,8 +64,6 @@ spec:
6464
[ $i -eq 5 ] && exit 1
6565
done
6666
env:
67-
- name: MARKLOGIC_GROUP
68-
value: {{ .Values.group.name }}
6967
- name: MARKLOGIC_ADMIN_USERNAME
7068
valueFrom:
7169
secretKeyRef:
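Review bot: with the explicit `MARKLOGIC_GROUP` env entry removed here (-67/-68), the init script at +46/+47 in the earlier hunk still expands `$MARKLOGIC_GROUP`; unless the init container pulls the ConfigMap in via `envFrom`, the variable is empty and the request body becomes `{"group-name":"", ...}`. A one-line `[ -n "$MARKLOGIC_GROUP" ] || { log "Error: MARKLOGIC_GROUP not set"; exit 1; }` before the template would make that failure obvious instead of silent.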
@@ -105,8 +103,6 @@ spec:
105103
secretKeyRef:
106104
name: {{ include "marklogic.fullname" . }}
107105
key: password
108-
- name: MARKLOGIC_GROUP
109-
value: {{ .Values.group.name }}
110106
- name: POD_NAME
111107
valueFrom:
112108
fieldRef:
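Review bot: same concern as for the init container: after removing `MARKLOGIC_GROUP` from the main container's `env` (-108/-109), the poststart script in the later hunk still relies on `$MARKLOGIC_GROUP`, so the main container must also source the ConfigMap through `envFrom`; a short comment next to `env:` pointing at the ConfigMap would help the next reader see where the value now comes from.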
@@ -152,8 +148,8 @@ spec:
152148
sleep 5s
153149
done
154150
155-
GROUP_CFG_TEMPLATE='{"group-name":"%s"}'
156-
GROUP_CFG=$(printf "$GROUP_CFG_TEMPLATE" "$MARKLOGIC_GROUP")
151+
GROUP_CFG_TEMPLATE='{"group-name":"%s", "xdqp-ssl-enabled":"%s"}'
152+
GROUP_CFG=$(printf "$GROUP_CFG_TEMPLATE" "$MARKLOGIC_GROUP" "$XDQP_SSL_ENABLED")
157153
158154
log "Info: [poststart] Updating Default group on cluster"
159155
curl --anyauth -m 20 -s -X PUT -H "Content-type: application/json" -d "${GROUP_CFG}" http://${MARKLOGIC_BOOTSTRAP_HOST}:8002/manage/v2/groups/Default/properties --user ${MARKLOGIC_ADMIN_USERNAME}:${MARKLOGIC_ADMIN_PASSWORD}
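Review bot: the PUT on context line 155 targets `/manage/v2/groups/Default/properties` (and the log line says "Updating Default group") while `GROUP_CFG` at +151/+152 carries `$MARKLOGIC_GROUP` and the new `xdqp-ssl-enabled` flag; when `group.name` is anything other than `Default`, the SSL setting lands on the Default group instead of the group this host joined, and a differing `group-name` is sent to Default's properties. Use `${MARKLOGIC_GROUP}` in the URL and the log message. Also, unlike the init path, this PUT discards the response code; a failed update here leaves XDQP traffic unencrypted with nothing in the logs, so capture `-w "%{http_code}"` and log a non-2xx result.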

charts/values.yaml

Lines changed: 2 additions & 1 deletion
@@ -10,11 +10,12 @@ terminationGracePeriod: 120
1010
group:
1111
# the group name of the current Marklogic Helm Deployment
1212
name: Default
13+
# xdqp encryption for intra cluster network traffic
14+
enableXdqpSsl: true
1315

1416
# The name of the host to join. If not provided, the deployment is a bootstrap host.
1517
bootstrapHostName: ""
1618

17-
1819
# Marklogic image parameters
1920
image:
2021
repository: marklogicdb/marklogic-db
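Review bot: the comment at +13 could say what the value controls and its type, e.g. "# Enable SSL/TLS encryption of XDQP intra-cluster traffic (true/false); applied to the group's xdqp-ssl-enabled property on pod start". Defaulting to `true` is the right choice, but it also means existing releases flip to encrypted XDQP on upgrade, which is worth a sentence in the README's upgrade notes. The blank-line removal at -17 is unrelated whitespace churn.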
