
Commit 5541b67

authored
[bitnami/elasticsearch] Don't regenerate self-signed certs on upgrade (#14618)
* [bitnami/elasticsearch] Don't regenerate self-signed certs on upgrade Signed-off-by: Miguel Ruiz <miruiz@vmware.com> * [bitnami/elasticsearch] Don't regenerate TLS secrets + add warning note Signed-off-by: Miguel Ruiz <miruiz@vmware.com> --------- Signed-off-by: Miguel Ruiz <miruiz@vmware.com>
1 parent 32cac87 commit 5541b67


4 files changed

+37
-30
lines changed


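--- a/bitnami/elasticsearch/Chart.yaml
+++ b/bitnami/elasticsearch/Chart.yaml
@@ -25,4 +25,4 @@ name: elasticsearch
 sources:
 - https://github.com/bitnami/containers/tree/main/bitnami/elasticsearch
 - https://www.elastic.co/products/elasticsearch
-version: 19.5.9
+version: 19.5.10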

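--- a/bitnami/elasticsearch/templates/ingress-tls-secrets.yaml
+++ b/bitnami/elasticsearch/templates/ingress-tls-secrets.yaml
@@ -21,12 +21,13 @@ data:
 {{- end }}
 {{- end }}
 {{- if and .Values.ingress.tls .Values.ingress.selfSigned }}
+{{- $secretName := printf "%s-tls" .Values.ingress.hostname }}
 {{- $ca := genCA "elasticsearch-ca" 365 }}
 {{- $cert := genSignedCert .Values.ingress.hostname nil (list .Values.ingress.hostname) 365 $ca }}
 apiVersion: v1
 kind: Secret
 metadata:
-name: {{ printf "%s-tls" .Values.ingress.hostname }}
+name: {{ $secretName }}
 namespace: {{ template "common.names.namespace" . }}
 labels: {{- include "common.labels.standard" . | nindent 4 }}
 {{- if .Values.commonLabels }}
@@ -37,9 +38,9 @@ metadata:
 {{- end }}
 type: kubernetes.io/tls
 data:
-tls.crt: {{ $cert.Cert | b64enc | quote }}
-tls.key: {{ $cert.Key | b64enc | quote }}
-ca.crt: {{ $ca.Cert | b64enc | quote }}
+tls.crt: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "tls.crt" "defaultValue" $cert.Cert "context" $) }}
+tls.key: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "tls.key" "defaultValue" $cert.Key "context" $) }}
+ca.crt: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "ca.crt" "defaultValue" $ca.Cert "context" $) }}
 ---
 {{- end }}
 {{- end }}
@@ -67,12 +68,13 @@ data:
 {{- end }}
 {{- end }}
 {{- if and .Values.ingest.ingress.tls .Values.ingest.ingress.selfSigned }}
+{{- $secretName := printf "%s-tls" .Values.ingest.ingress.hostname }}
 {{- $ca := genCA "elasticsearch-ingest-ca" 365 }}
 {{- $cert := genSignedCert .Values.ingest.ingress.hostname nil (list .Values.ingest.ingress.hostname) 365 $ca }}
 apiVersion: v1
 kind: Secret
 metadata:
-name: {{ printf "%s-ingest-tls" .Values.ingest.ingress.hostname }}
+name: {{ $secretName }}
 namespace: {{ template "common.names.namespace" $ }}
 labels: {{- include "common.labels.standard" . | nindent 4 }}
 app.kubernetes.io/component: ingest
@@ -84,9 +86,9 @@ metadata:
 {{- end }}
 type: kubernetes.io/tls
 data:
-tls.crt: {{ $cert.Cert | b64enc | quote }}
-tls.key: {{ $cert.Key | b64enc | quote }}
-ca.crt: {{ $ca.Cert | b64enc | quote }}
+tls.crt: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "tls.crt" "defaultValue" $cert.Cert "context" $) }}
+tls.key: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "tls.key" "defaultValue" $cert.Key "context" $) }}
+ca.crt: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "ca.crt" "defaultValue" $ca.Cert "context" $) }}
 ---
 {{- end }}
 {{- end }}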
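Review bot: The ingest ingress Secret is silently renamed in the third hunk: the removed `name:` line built `<hostname>-ingest-tls`, while the new `$secretName` builds `<hostname>-tls`, so the first upgrade from the previous chart version looks up a Secret that does not exist, regenerates that certificate once more and leaves the old Secret orphaned, which is the opposite of what the commit intends. It also means that when `ingress.hostname` and `ingest.ingress.hostname` are equal, both Secrets render under one name and each lookup would read the other's certificate material. Keeping the old name is a one-line change: `{{- $secretName := printf "%s-ingest-tls" .Values.ingest.ingress.hostname }}`. Worth stating in the template header as well that `lookup` returns nothing under `helm template` or `--dry-run`, so the preserved values are only honoured on a real install or upgrade.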

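--- a/bitnami/elasticsearch/templates/tls-secret.yaml
+++ b/bitnami/elasticsearch/templates/tls-secret.yaml
@@ -11,11 +11,12 @@
 {{- $altNames = append $altNames (include "elasticsearch.service.name" .) }}
 {{- $altNames = append $altNames (printf "%s.%s.svc.%s" (include "elasticsearch.service.name" .) $releaseNamespace $clusterDomain) }}
 {{- end }}
-{{- $crt := genSignedCert $fullname nil $altNames 365 $ca }}
+{{- $cert := genSignedCert $fullname nil $altNames 365 $ca }}
+{{- $secretName := printf "%s-crt" (include "elasticsearch.master.fullname" .) }}
 apiVersion: v1
 kind: Secret
 metadata:
-name: {{ printf "%s-crt" (include "elasticsearch.master.fullname" .) }}
+name: {{ $secretName }}
 namespace: {{ include "common.names.namespace" . | quote }}
 labels: {{- include "common.labels.standard" . | nindent 4 }}
 {{- if .Values.commonLabels }}
@@ -27,20 +28,21 @@ metadata:
 {{- end }}
 type: kubernetes.io/tls
 data:
-ca.crt: {{ $ca.Cert | b64enc | quote }}
-tls.crt: {{ $crt.Cert | b64enc | quote }}
-tls.key: {{ $crt.Key | b64enc | quote }}
+tls.crt: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "tls.crt" "defaultValue" $cert.Cert "context" $) }}
+tls.key: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "tls.key" "defaultValue" $cert.Key "context" $) }}
+ca.crt: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "ca.crt" "defaultValue" $ca.Cert "context" $) }}
 {{- end }}
 {{- if and (include "elasticsearch.data.enabled" .) (not .Values.security.tls.data.existingSecret) }}
 {{- $fullname := include "elasticsearch.data.fullname" . }}
 {{- $serviceName := include "elasticsearch.data.servicename" . }}
 {{- $altNames := list (printf "*.%s.%s.svc.%s" $serviceName $releaseNamespace $clusterDomain) (printf "%s.%s.svc.%s" $serviceName $releaseNamespace $clusterDomain) $fullname "127.0.0.1" "localhost" }}
-{{- $crt := genSignedCert $fullname nil $altNames 365 $ca }}
+{{- $cert := genSignedCert $fullname nil $altNames 365 $ca }}
+{{- $secretName := printf "%s-crt" (include "elasticsearch.data.fullname" .) }}
 ---
 apiVersion: v1
 kind: Secret
 metadata:
-name: {{ printf "%s-crt" (include "elasticsearch.data.fullname" .) }}
+name: {{ $secretName }}
 namespace: {{ include "common.names.namespace" . | quote }}
 labels: {{- include "common.labels.standard" . | nindent 4 }}
 {{- if .Values.commonLabels }}
@@ -52,20 +54,21 @@ metadata:
 {{- end }}
 type: kubernetes.io/tls
 data:
-ca.crt: {{ $ca.Cert | b64enc | quote }}
-tls.crt: {{ $crt.Cert | b64enc | quote }}
-tls.key: {{ $crt.Key | b64enc | quote }}
+tls.crt: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "tls.crt" "defaultValue" $cert.Cert "context" $) }}
+tls.key: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "tls.key" "defaultValue" $cert.Key "context" $) }}
+ca.crt: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "ca.crt" "defaultValue" $ca.Cert "context" $) }}
 {{- end }}
 {{- if and (include "elasticsearch.coordinating.enabled" .) (not .Values.security.tls.coordinating.existingSecret) }}
 {{- $fullname := include "elasticsearch.coordinating.fullname" . }}
 {{- $serviceName := include "elasticsearch.coordinating.servicename" . }}
 {{- $altNames := list (include "elasticsearch.service.name" .) (printf "%s.%s.svc.%s" (include "elasticsearch.service.name" .) $releaseNamespace $clusterDomain) (printf "*.%s.%s.svc.%s" $serviceName $releaseNamespace $clusterDomain) (printf "%s.%s.svc.%s" $serviceName $releaseNamespace $clusterDomain) $fullname "127.0.0.1" "localhost" }}
-{{- $crt := genSignedCert $fullname nil $altNames 365 $ca }}
+{{- $cert := genSignedCert $fullname nil $altNames 365 $ca }}
+{{- $secretName := printf "%s-crt" (include "elasticsearch.coordinating.fullname" .) }}
 ---
 apiVersion: v1
 kind: Secret
 metadata:
-name: {{ printf "%s-crt" (include "elasticsearch.coordinating.fullname" .) }}
+name: {{ $secretName }}
 namespace: {{ include "common.names.namespace" . | quote }}
 labels: {{- include "common.labels.standard" . | nindent 4 }}
 {{- if .Values.commonLabels }}
@@ -77,9 +80,9 @@ metadata:
 {{- end }}
 type: kubernetes.io/tls
 data:
-ca.crt: {{ $ca.Cert | b64enc | quote }}
-tls.crt: {{ $crt.Cert | b64enc | quote }}
-tls.key: {{ $crt.Key | b64enc | quote }}
+tls.crt: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "tls.crt" "defaultValue" $cert.Cert "context" $) }}
+tls.key: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "tls.key" "defaultValue" $cert.Key "context" $) }}
+ca.crt: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "ca.crt" "defaultValue" $ca.Cert "context" $) }}
 {{- end }}
 {{- if and (include "elasticsearch.ingest.enabled" .) (not .Values.security.tls.ingest.existingSecret) }}
 {{- $fullname := include "elasticsearch.ingest.fullname" . }}
@@ -89,12 +92,13 @@ data:
 {{- $altNames = append $altNames (include "elasticsearch.ingest.fullname" .) }}
 {{- $altNames = append $altNames (printf "%s.%s.svc.%s" (include "elasticsearch.ingest.fullname" .) $releaseNamespace $clusterDomain) }}
 {{- end }}
-{{- $crt := genSignedCert $fullname nil $altNames 365 $ca }}
+{{- $cert := genSignedCert $fullname nil $altNames 365 $ca }}
+{{- $secretName := printf "%s-crt" (include "elasticsearch.ingest.fullname" .) }}
 ---
 apiVersion: v1
 kind: Secret
 metadata:
-name: {{ printf "%s-crt" (include "elasticsearch.ingest.fullname" .) }}
+name: {{ $secretName }}
 namespace: {{ include "common.names.namespace" . | quote }}
 labels: {{- include "common.labels.standard" . | nindent 4 }}
 {{- if .Values.commonLabels }}
@@ -106,8 +110,8 @@ metadata:
 {{- end }}
 type: kubernetes.io/tls
 data:
-ca.crt: {{ $ca.Cert | b64enc | quote }}
-tls.crt: {{ $crt.Cert | b64enc | quote }}
-tls.key: {{ $crt.Key | b64enc | quote }}
+tls.crt: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "tls.crt" "defaultValue" $cert.Cert "context" $) }}
+tls.key: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "tls.key" "defaultValue" $cert.Key "context" $) }}
+ca.crt: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "ca.crt" "defaultValue" $ca.Cert "context" $) }}
 {{- end }}
 {{- end }}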
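Review bot: The three lookups in each `data:` block (second hunk and the matching blocks for the data, coordinating and ingest Secrets) are independent, so a Secret that holds `tls.crt` and `tls.key` but lacks `ca.crt` renders with the stored leaf pair next to a freshly generated `ca.crt` from `$ca`, and the rendered Secret no longer forms a valid chain. `$ca` is produced above line 11, outside every hunk, and is regenerated on each render because only `$ca.Cert` is ever stored, so a node type enabled later can never be signed by the CA the existing nodes trust; that is the structural reason behind the limitation the new values.yaml note documents. Two hardening options worth considering: treat the three keys as a unit (fall back to regenerating all of them when any one is absent), and persist the CA material in its own Secret, looked up before `genSignedCert` is called, so that later renders can sign new node certificates with the same CA. A header comment in this template should also state that `lookup` returns an empty map under `helm template` and `--dry-run`, so the preserved-on-upgrade behaviour only applies to a real install or upgrade.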

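--- a/bitnami/elasticsearch/values.yaml
+++ b/bitnami/elasticsearch/values.yaml
@@ -231,7 +231,8 @@ security:
 ##
 restEncryption: true
 ## @param security.tls.autoGenerated Create self-signed TLS certificates.
-## Note: Currently only supports PEM certificates.
+## NOTE: If autoGenerated certs are enabled and a new node type is enabled using helm upgrade, make sure you remove previously existing Elasticsearch TLS secrets.
+## Otherwise, the new node certs won't match the existing certs.
 ##
 autoGenerated: false
 ## @param security.tls.verificationMode Verification mode for SSL communications.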
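Review bot: The removed line `## Note: Currently only supports PEM certificates.` is dropped rather than moved, and nothing in this commit changes the certificate format, so if that restriction still holds it should stay as its own line above the new NOTE. The new NOTE tells operators to remove "previously existing Elasticsearch TLS secrets" without saying which ones; naming the `<node fullname>-crt` Secrets this chart generates (presumably those rendered by tls-secret.yaml; confirm against the template) would make the instruction actionable and reduce the chance of an operator deleting a user-supplied `existingSecret` by mistake. Deleting those Secrets also rotates the keys of every node, so the note could mention that all pods restart with new certificates as a consequence.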
