New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use the public transport CA as remote CA if the remote CA list is empty #3993
Conversation
6f88299
to
223a347
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM. I did a quick test and seems to work. The only thing I noticed is that the remote connection is initially disconnected because the CA certificate was not available yet when the remote cluster was set up in ES via the API, but I believe the same could happen before if the CA propagation was too slow.
@@ -101,14 +104,24 @@ func TestReconcile(t *testing.T) { | |||
Data: map[string][]byte{certificates.CAFileName: []byte("cert2\n")}, | |||
}, | |||
}, | |||
ca: nil, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we should pass in the testCA
here and on L64 as well to make sure it does not get included when there are remote CA certs.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, that makes sense.
pkg/controller/elasticsearch/certificates/remoteca/reconcile.go
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, I also did a few tests 👍
@@ -36,6 +36,7 @@ func Labels(esName string) client.MatchingLabels { | |||
func Reconcile( | |||
c k8s.Client, | |||
es esv1.Elasticsearch, | |||
ca certificates.CA, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: transportCA
would make things even more explicit
@@ -24,7 +24,9 @@ func TestReconcile(t *testing.T) { | |||
type args struct { | |||
es esv1.Elasticsearch | |||
secrets []runtime.Object | |||
ca *certificates.CA |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
shouldn't be a pointer
run full pr build |
…ty (elastic#3993) * Addresses an issue where remote transport ca.crt is empty if remote clusters are not set for an ES cluster * Preserves the behavior where it is not needed to restart ES when configuring remote clusters, post the initial deployment of the cluster
If remote clusters are not set for an ES cluster, the remote CA
ca.crt
mounted on the ES container is empty, which causes the_ssl/certificates
ES REST API call to fail. In this PR, if remote clusters are not set for an ES cluster, the remote CA is populated with the public transport CA as a "dummy" CA.This fix preserves the behavior where adding/setting remote clusters for ES does not require restarting the ES cluster.
Fixes #3881