always add es and es-ops hostname to the es server cert #7931
/test gcp
Other than question regarding omit, LGTM
We have to make sure when we want to regen the certs that we delete it from the host before rerunning the playbook also.
@@ -64,7 +64,7 @@ | |||
when: not elasticsearch_jks.stat.exists or not logging_es_jks.stat.exists or not system_admin_jks.stat.exists or not truststore_jks.stat.exists | |||
|
|||
- name: Run JKS generation script | |||
local_action: script generate-jks.sh {{local_tmp.stdout}} {{openshift_logging_namespace}} | |||
local_action: script generate-jks.sh {{local_tmp.stdout}} {{openshift_logging_namespace}} {{openshift_logging_es_hostname | default(omit)}} {{openshift_logging_es_ops_hostname | default(omit)}} |
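Review bot: On the added local_action line, the two optional hostnames are passed as bare positional arguments, so if openshift_logging_es_hostname is unset while openshift_logging_es_ops_hostname is set, the ops hostname moves into the third position and generate-jks.sh cannot tell which of the two it received. default(omit) is also doubtful in this spot: omit is dropped only when it is the entire value of a module argument, and when interpolated into a free-form command string it renders as the omit placeholder token, which would be handed to the script as if it were a hostname and could end up as a SAN entry in the server cert. Consider default('') with each argument quoted, for example "{{ openshift_logging_es_hostname | default('') }}", and have the script skip empty values. The script side is not visible in this hunk, so its handling of the two new arguments needs checking alongside this change.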
does omit actually work? I've just done default() in the past to null it out
@ewolinetz good question - there are many other places in the openshift-ansible code where default(omit) is used for a similar purpose
/retest
/lgtm
/test gcp
/test gcp
/test travis
/test travis-ci
/retest
tests passing - can I get a /lgtm?
/cherrypick release-3.9
@richm: new pull request created: #7940
This will add X509v3 Subject Alternative Name items to the Elasticsearch
server cert like this:
This allows external Elasticsearch clients using client cert auth
and the Elasticsearch service using externalIPs to be able to turn
on cert verification.