k8s: docs: DCAP kustomization + non-release images #375
Conversation
mythi
changed the title
|
Unfortunately I strongly prefer using the builtin AS. When the KBS and AS are separate the attack surface increases because they are communicating over the network. We have already found one issue with the API between the two and I suspect there could be more. |
Do you mean this is not meant to be just a test setup for CI but something people would use for real? Previously the only argument for a built-in was just that it's easier for developers to use... |
|
Using an all-in-one KBS image is useful in real scenarios where one want to run it as a single binary or container image using docker/podman without using compose. The same can also be run via systemd. So I would also prefer to have the inbuilt AS support to be tested in CI. |
We support both but I would prefer having our sample deployment use the builtin AS because it will make users more likely to adopt that model. |
As noted in the commit message, this aligns with the docker-compose sample we have. I'm fine moving this to an overlay (i.e., away from |
I would be fine with adding an overlay that allows people to use a separate AS if they want to. |
Signed-off-by: Mikko Ylinen <[email protected]>
Signed-off-by: Mikko Ylinen <[email protected]>
mythi
changed the title
I decided to drop this idea for now since it's not super critical. I proposed the changes only because I had the work done while I was debugging the crash. Instead, I'm now proposing to add an optional doc entry on how users can use custom images if needed. I've now verified the crash is gone with the latest staged images following the steps documented in this PR. |
The KBS crash problem (ee1a8ce) was difficult to debug with the "built-in-as" image since all the logs from AS were lost.
Make the k8s sample deployment to use AS separately. This also makes it aligned with what docker-compose offers by default.