Sorry, I’m here again.
I don’t understand how allowedCIDRs works, or maybe I don’t understand host authentication.
Before restricting network access with allowedCIDRs I was able to access the CrateDB UI both from the load balancer address and from the nginx reverse proxy (which manages the HTTPS protocol and load-balances three Kubernetes nodes).
Now, using allowedCIDRs, I receive errors after trying to authenticate: the login popup window appears, but clicking the access button does nothing; clicking the cancel button gives an error page.
Here are the errors:
With “http://192.168.151.21:4200/” URL I receive:
No valid auth.host_based.config entry found for host "192.168.151.1", user "crate", protocol "http". Did you enable TLS in your client?
With the “https://crate.h5a.net/” URL I receive:
No valid auth.host_based.config entry found for host "192.168.151.33", user "crate", protocol "http". Did you enable TLS in your client?
I created the CrateDB cluster with crate-operator with these commands:

```
kubectl create namespace crate-operator
kubectl create namespace for-crate
helm install crate-operator crate-operator/crate-operator --namespace crate-operator --set env.CRATEDB_OPERATOR_DEBUG_VOLUME_STORAGE_CLASS=longhorn --set env.CRATEDB_OPERATOR_DEBUG_VOLUME_SIZE=4GiB
kubectl --namespace for-crate create -f my-crate.yaml
```
where my-crate.yaml contains:

```yaml
apiVersion: cloud.crate.io/v1
kind: CrateDB
metadata:
  name: my-cluster
  namespace: for-crate
spec:
  cluster:
    imageRegistry: crate
    name: my-crate
    version: 5.8.1
    allowedCIDRs:
      - 192.168.151.0/24
      - 10.0.0.0/8
  nodes:
    data:
      - name: hot
        replicas: 3
        resources:
          limits:
            cpu: 4
            memory: 4Gi
          disk:
            count: 1
            size: 16GiB
            storageClass: longhorn
          heapRatio: 0.25
```
The services are:

```
sysop@h5a-dev:~$ kubectl get svc -n for-crate
NAME                         TYPE           CLUSTER-IP     EXTERNAL-IP                                    PORT(S)                         AGE
crate-discovery-my-cluster   ClusterIP      None           <none>                                         4300/TCP,4200/TCP,5432/TCP      3d8h
crate-my-cluster             LoadBalancer   10.43.47.153   192.168.151.21,192.168.151.22,192.168.151.23   4200:31656/TCP,5432:30136/TCP   3d8h
sysop@h5a-dev:~$
```
So I’m trying to enable host authentication restricted to the “192.168.151.0/24” external network and the “10.0.0.0/8” internal network.
What am I doing wrong?