Kubernetes Operator throws an error while enabling security authentication

Problem Description

Kubernetes Operator throws an error “cannot update cluster security config enable-security was changed” while trying to enable security authentication after deployment.

Explanation

The issue is mainly due to a limitation stated in the documentation:

  • Cluster security config flag "enable-security" cannot be updated after the first deployment


Solution

There is no direct way around this limitation. However, we have a workaround, which should be tested in a non-production environment before any change is attempted in the production cluster.

Steps:
  1. Disable the Aerospike validation webhook. This bypasses the validation that blocks the Aerospike security update. Use kubectl get validatingwebhookconfigurations -n test to locate the Aerospike-related validation webhook, then change its rules.resources field from aerospikeclusters to some random string, e.g. aerospikeclusters -> aerospikeclusters123

    Use the command: kubectl edit validatingwebhookconfigurations aerospike-operator-validating-webhook-configuration
    
  2. Add security{} to the aerospikeConfig section in the status of the AerospikeCluster CR by editing the CR.

    Use the command: kubectl edit aerospikeclusters <clusterName> --subresource=status -n <nsName>

  3. Add security{} to the aerospikeConfig and aerospikeAccessControl sections in the spec of the AerospikeCluster CR by editing the CR.

    Use the command: kubectl edit aerospikeclusters <clusterName> -n <nsName>

  4. Connect to the cluster using asadm and assign sys-admin and user-admin roles to the admin user.

    kubectl exec <podName> -n <nsName> -it -- /bin/bash
    root@aerocluster-1-0:/# asadm -U admin -P admin
    Admin> enable                                       
    Admin+> manage acl grant user admin roles sys-admin user-admin
    
  5. Wait for the cluster to complete the warm restart of all the nodes. Then use the Admin> features command in asadm to check that the security feature is enabled on all nodes.

  6. Re-enable the validation webhook by restoring the resources field or reversing the changes made in step 1.


FYI: When a single Operator is used to manage multiple clusters, changing the validation webhook could impact all the other clusters. Consequently, it is recommended to create a new cluster and migrate the data for a safer and more isolated approach.
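
Because the webhook edited in step 1 guards every cluster the Operator manages, it is worth confirming after step 6 that validation is really back in force. The following check is an added example, not part of the original article or the Operator's tooling; the function names and sample values are constructed for illustration, and only the webhook name and the aerospikeclusters / aerospikeclusters123 strings come from the steps above.

```sh
#!/bin/sh
# Added example: classify the Aerospike validating webhook by its rules.resources.
WEBHOOK_NAME="aerospike-operator-validating-webhook-configuration"  # name used in step 1

# webhook_state "<space-separated rules.resources values>"  (hypothetical helper)
# Prints:
#   enforced - an entry is exactly "aerospikeclusters", so validation applies
#   bypassed - only a renamed entry (e.g. "aerospikeclusters123") is left
#   missing  - no Aerospike-related resource entry at all
webhook_state() {
    state="missing"
    set -f                                   # keep a literal "*" entry from globbing
    for r in $1; do
        case "$r" in
            aerospikeclusters)   state="enforced"; break ;;
            aerospikeclusters/*) : ;;        # subresource entry, not the main rule
            aerospikeclusters?*) state="bypassed" ;;
        esac
    done
    set +f
    printf '%s\n' "$state"
}

# check_live_webhook: read the live object and succeed only when enforced.
check_live_webhook() {
    resources=$(kubectl get validatingwebhookconfigurations "$WEBHOOK_NAME" \
        -o jsonpath='{.webhooks[*].rules[*].resources[*]}') || return 2
    live_state=$(webhook_state "$resources")
    echo "$WEBHOOK_NAME: $live_state (resources: $resources)"
    [ "$live_state" = "enforced" ]
}

# Constructed sample values showing the state after step 1 and after step 6.
SAMPLE_AFTER_STEP1="aerospikeclusters123"
SAMPLE_AFTER_STEP6="aerospikeclusters"

# Run against the cluster only when asked: sh check_webhook.sh --live
if [ "${1:-}" = "--live" ]; then
    check_live_webhook
fi
```

A result of bypassed after step 6 means the renamed resource string is still in place and the Operator is not validating AerospikeCluster changes for any cluster it manages.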