There are two aspects to security with Volt Active Data — security within the database with is managed through user accounts and roles and network security between the database nodes, between the cluster and client applications, and between clusters in the case of cross datacenter replication (XDCR). For internal security, you define user accounts as part of the database configuration and assign them to roles that are defined as part of the schema. For network security, Volt recommends encryption and authentication certificates using the TLS/SSL protocol. The following sections explain how to configure both types of security within Kubernetes.
User accounts allow you to control who has access to specific functions and procedures within the database. Security
is enabled in the configuration with the cluster.config.deployment.security.enabled property. You must
also use the properties to define the actual user names, passwords, and assigned roles. The users
property expects a list of sub-elements so you must prefix each set of properties with a hyphen. The following example
enables security and defines two user accounts:
Documentationcluster:
config:
deployment:
security:
enabled: true
users:
- name: controller
password: superman
roles: administrator
- name: mitty
password: thurber
roles: userIf you enable basic security, you must also tell the VoltDB operator which account to use when accessing the
database. To do that, you define the cluster.config.auth properties, as shown below, which must specify
an account with the built-in administrator role. The following example assigns the
controller account for use by the VoltDB Operator:
cluster:
config:
auth:
username: controller
password: supermanNormally, the definitions of user accounts and passwords are part of the overall database configuration options. To provide an additional level of security, you can store the user definitions separately in a Kubernetes secret so they are not visible to operators or other personnel when starting or managing the database pods with Helm.
To hide the user definitions, you include them as a separate YAML file in a Kubernetes secret. You can name the
secret whatever you like. But the secret must contain only one key and the key must be named
users.yaml. The easiest way to do this is to create the secret using a file named
users.yaml. If not, you must use the syntax create secret
--from-file=users.yaml={local-file-name}.
The file in the secret must be a YAML file containing the user definitions and must start with the YAML file separator, three hyphens ("---"). For example:
$ cat users.yaml --- cluster: config: deployment: users: - name: controller password: superman roles: administrator - name: mitty password: thurber roles: user $ kubectl create secret generic secure-users-secret --from-file=users.yaml
Note that the users.yaml secret file contains only the user definitions. It does not contain the assignment of an
administrators account to the Volt Operator. To hide the Operator assignment, you can create another Kubernetes secret
with the keys username and password:
$ kubectl create secret generic operator-auth-secret \
--from-literal=username=controller \
--from-literal=password=supermanOnce you create the user definition and Operator authorization secrets, you can start the cluster using those
secrets by assigning them to the cluster.config.usersSecretName and
cluster.config.auth.credSecretName properties, respectively. For example:
$ helm install mydb voltdb/voltdb \ --values myconfig.yaml \ --set cluster.config.usersSecretName=secure-users-secret \ --set cluster.config.auth.credSecretName=operator-auth-secret \ [ . . . ]
If you define user accounts as part of the Helm configuration properties, you can update, add, or remove accounts like other Helm properties using the helm upgrade command. If you define the user accounts using a Kubernetes secret, you can update the account information either by updating the secret itself or by replacing the current secret with a new one with the updated information. Using the External Secrets Operator (ESO) simplifies the process of updating the secret in place. Or if you are managing your secrets manually, creating a new secret may be the easier approach. For example:
$ cat newusers.yaml --- cluster: config: deployment: users: - name: controller password: superman roles: administrator - name: jimmyolsen password: photography roles: user $ kubectl create secret generic new-users-secret \ --from-file=users.yaml=newusers.yaml $ helm upgrade mydb voltdb/voltdb --reuse-values \ --set cluster.config.usersSecretName=new-users-secret
If you alter the account used to authorize access for the Volt Operator, you must update the
config.auth... properties in the same helm upgrade command that updates the
accounts.