Encryption at rest

How would I set that in the CRDs? Is there a way to either manually run the configure new command or some way to pass options that aren’t yet supported?

Thanks!

How would I set that in the CRDs? Is there a way to either manually run the configure new command or some way to pass options that aren’t yet supported?

We don’t have a way to pass down configuration options that are not supported. We could probably extend the DatabaseConfiguration struct to take some additional configuration arguments that are not checked, which could be used to test new options that are not yet implemented in the operator. Feel free to open an issue in the operator repository and we can see how to implement that feature (happy to review a PR if you want to work on this).

You can configure your database manually by setting configureDatabase to false (see: fdb-kubernetes-operator/cluster_spec.md at main · FoundationDB/fdb-kubernetes-operator · GitHub). I would recommend to let the operator do the initial configuration and after that you can run your manual configuration command. You have to set this option to false to ensure the operator is not overwriting your manual changes (since the configuration would be different from the desired one). Just keep in mind that the operator won’t do any configuration changes in this case, e.g. all/most changes to the DatabaseConfiguration will be ignored.

Edit: I have to correct myself: If the configuration option is unknown to the operator it will be ignored, even if the value is set (or not). So running the corresponding configure command manually should be enough.

Docs for running commands in the FDB cluster: fdb-kubernetes-operator/debugging.md at main · FoundationDB/fdb-kubernetes-operator · GitHub

As a reference, here is the code where we generate the configuration string: fdb-kubernetes-operator/foundationdb_database_configuration.go at main · FoundationDB/fdb-kubernetes-operator · GitHub. Appending an unchecked set of arguments for testing should be fairly easy to implement.

Thanks for the help. I haven’t written an operator or messed with one, but I’ll try my hand. Worst case scenario, I can use the don’t configure option. Out of curiosity, how does

I would recommend to let the operator do the initial configuration and after that you can run your manual configuration command

play out? Do I create the cluster with configureDatabase as false, do the initialization myself, then update it to true?

The easiest way to enable the encryption setup is by doing it manually via a configure command on the running cluster.

Play out, do I create the cluster with configureDatabase as false, do the initialization myself, then update it to true

Actually it’s the other way: create the cluster without defining configureDatabase or set it to true. After the cluster is created and reconciled, you can set configureDatabase to false and do some configuration changes.

But like I mentioned above: If the configuration option is unknown to the operator it will be ignored, even if the value is set (or not). So running the corresponding configure command manually should be enough. So just running the configure command manually should be enough to enable encryption at rest.