How to enable HBA when using crate-operator?

Hi all,
I’m trying to install and configure CrateDB using the crate-operator.

I’m using a reverse proxy in front of the Kubernetes cluster and I need to restrict the CrateDB load balancer access to the internal network.

From the documentation at

https://cratedb.com/docs/crate/reference/en/latest/config/node.html#host-based-auth

I suppose I have to add this line to the configuration of every crate node

auth.host_based.config.a.192.168.151.0/24

But I don’t know how to do this with the crate operator.

How can I configure the crate-operator to create a cluster that uses HBA?

The crate-operator creates a k8s/svc of the type LoadBalancer. To limit access to the k8s/svc in your CrateDB resource you could set something like this:

spec:
  cluster:
    allowedCIDRS:
    - 192.168.1.0/24

This does not cover your use case for using a reverse proxy. You may be able to setup something similar to that, for the proxy you are using.

Coming to the core of your question, the crate-operator currently does not allow setting up custom HBA configurations; the operator leaves them like this, unless I am mistaken:

        - -Cauth.host_based.config.0.user=crate
        - -Cauth.host_based.config.0.address=_local_
        - -Cauth.host_based.config.0.method=trust
        - -Cauth.host_based.config.99.method=password

You might want to check https://cratedb.com/docs/crate/reference/en/latest/config/node.html#host-based-auth (Host-Based Authentication (HBA) - CrateDB: Reference) for the possible HBA settings, as it rather allows setting different AUTH settings.

I hope that clarifies your question.

Best,
Walter

Thanks.
I’ll try ASAP to redo the CrateDB installation and report here.

Well, I tried, but I receive the error: unknown field “spec.cluster.allowedCIDRS”

sysop@h5a-dev:~/h5a/software/pcams/storehouse/cratedb$ kubectl --namespace for-crate create -f my-crate.yaml
Error from server (BadRequest): error when creating "my-crate.yaml": CrateDB in version "v1" cannot be handled as a CrateDB: strict decoding error: unknown field "spec.cluster.allowedCIDRS"
sysop@h5a-dev:~/h5a/software/pcams/storehouse/cratedb$

The my-crate.yaml file contains:

apiVersion: cloud.crate.io/v1
kind: CrateDB
metadata:
  name: my-cluster
  namespace: for-crate
spec:
  cluster:
    imageRegistry: crate
    name: my-crate
    version: 5.8.1
    allowedCIDRS:
    - 192.168.151.0/24
  nodes:
    data:
    - name: hot
      replicas: 3
      resources:
        limits:
          cpu: 4
          memory: 4Gi
        disk:
          count: 1
          size: 16GiB
          storageClass: longhorn
        heapRatio: 0.25

I took the commands from https://cratedb.com/docs/guide/install/container/kubernetes/kubernetes-operator.html

Looking at the crate-operator helm chart I see apiVersion: v2

sysop@h5a-dev:~/h5a/software/pcams/storehouse/cratedb$ helm show chart crate-operator/crate-operator
apiVersion: v2
appVersion: 2.42.0
dependencies:
- condition: crate-operator-crds.enabled
  name: crate-operator-crds
  repository: file://../crate-operator-crds
  version: 2.42.0
description: Crate Operator - Helm chart for installing and upgrading Crate Operator.
maintainers:
- name: Crate.io
name: crate-operator
type: application
version: 2.42.0

So I tried to change the apiVersion in the my-crate.yaml file:

apiVersion: cloud.crate.io/v2
kind: CrateDB
metadata:
  name: my-cluster
  namespace: for-crate
spec:
  cluster:
    imageRegistry: crate
    name: my-crate
    version: 5.8.1
    allowedCIDRS:
    - 192.168.151.0/24
  nodes:
    data:
    - name: hot
      replicas: 3
      resources:
        limits:
          cpu: 4
          memory: 4Gi
        disk:
          count: 1
          size: 16GiB
          storageClass: longhorn
        heapRatio: 0.25

This time I receive a different error:

sysop@h5a-dev:~/h5a/software/pcams/storehouse/cratedb$ kubectl --namespace for-crate create -f my-crate.yaml
error: resource mapping not found for name: "my-cluster" namespace: "for-crate" from "my-crate.yaml": no matches for kind "CrateDB" in version "cloud.crate.io/v2"
ensure CRDs are installed first

Maybe I’m misunderstanding the API version?

Best
Mirto

a) sorry for the mistake: it is allowedCIDRs, not allowedCIDRS

b) It should be apiVersion: cloud.crate.io/v1!

Apologies for providing false information.

Best,
Walter


Fantastic! It worked.

I used

apiVersion: cloud.crate.io/v1
kind: CrateDB
metadata:
  name: my-cluster
  namespace: for-crate
spec:
  cluster:
    imageRegistry: crate
    name: my-crate
    version: 5.8.1
    allowedCIDRs:
    - 192.168.151.0/24
  nodes:
    data:
    - name: hot
      replicas: 3
      resources:
        limits:
          cpu: 4
          memory: 4Gi
        disk:
          count: 1
          size: 16GiB
          storageClass: longhorn
        heapRatio: 0.25

and everything worked.

Thanks a lot!

Best
Mirto
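A preflight check for the manifest this thread settled on, added here as an example (not crate-operator code): it flags the allowedCIDRS/allowedCIDRs case mismatch that kubectl's strict decoding rejects, validates each range, and tests whether a given client address (for instance a reverse proxy's internal IP) would fall inside the allowed ranges. It takes the manifest as the dict that yaml.safe_load would return for my-crate.yaml, and assumes allowedCIDRs is applied as a source-range filter on the LoadBalancer Service.

```python
import copy
import ipaddress

# Constructed CrateDB custom resource, as the dict yaml.safe_load would return
# for the manifest in the thread. The field name below is the misspelled one
# that kubectl rejected with "unknown field".
CRATEDB_CR = {
    "apiVersion": "cloud.crate.io/v1",
    "kind": "CrateDB",
    "metadata": {"name": "my-cluster", "namespace": "for-crate"},
    "spec": {
        "cluster": {
            "imageRegistry": "crate",
            "name": "my-crate",
            "version": "5.8.1",
            "allowedCIDRS": ["192.168.151.0/24"],
        },
        "nodes": {"data": [{"name": "hot", "replicas": 3}]},
    },
}

ALLOWED_FIELD = "allowedCIDRs"  # exact spelling accepted by the CRD


def check_allowed_cidrs(cr):
    """Return a list of findings for spec.cluster.allowedCIDRs; empty means OK."""
    findings = []
    cluster = cr.get("spec", {}).get("cluster", {})
    # Case variants are rejected by strict decoding before the operator sees them.
    typos = [k for k in cluster if k.lower() == ALLOWED_FIELD.lower() and k != ALLOWED_FIELD]
    for key in typos:
        findings.append(f"field {key!r} is rejected by strict decoding; use {ALLOWED_FIELD!r}")
    cidrs = cluster.get(ALLOWED_FIELD)
    if cidrs is None:
        if not typos:  # assumption: no field means no source restriction at all
            findings.append(f"{ALLOWED_FIELD} not set: no source restriction on the LoadBalancer")
        return findings
    for entry in cidrs:
        try:
            net = ipaddress.ip_network(entry, strict=True)  # rejects host bits set
        except ValueError as exc:
            findings.append(f"{entry!r} is not a valid CIDR: {exc}")
            continue
        if net.prefixlen == 0:
            findings.append(f"{entry!r} allows every source address")
    return findings


def with_allowed_cidrs(cr, cidrs):
    """Return a deep copy with any misspelled variant dropped and the correct field set."""
    fixed = copy.deepcopy(cr)
    cluster = fixed["spec"]["cluster"]
    for key in [k for k in cluster if k.lower() == ALLOWED_FIELD.lower()]:
        del cluster[key]
    cluster[ALLOWED_FIELD] = list(cidrs)
    return fixed


def source_allowed(client_ip, cidrs):
    """True if client_ip is inside any allowed range (how a source-range filter decides)."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)
```

Run check_allowed_cidrs on the loaded manifest before kubectl create; a proxy whose internal address is outside every range will be blocked by the load balancer regardless of HBA.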