Make sure certificate handling is idempotent and reacts to changes #35
Comments
Deleting files after transport and unique temporary directories might break idempotence tests. Seems like checking is the only way to go. If you find better ways: They are very welcome. Maybe don't check the contents of the files but use timestamps with
I agree with you, Thomas: deleting the temporary files will break idempotence. I have tested the collection several times, but I did not come across the same error that you both noticed. I really need more input about the error to be able to handle this issue. As I understood, the copy and fetch modules do not work as they should. They do not update the files on the target/destination when the file does not match the source. If this is right, then we should open an issue with the maintainers of these modules, because their job is to update the file on the target host.
I'm sorry to be a bit misleading. In many of our tests, the collection worked exactly as expected. It's more about rethinking the whole copy and move process to make sure it really works under all conditions, especially when you want to renew certificates, e.g. make sure that the PKCS8 version of the Logstash key is replaced when we replace the default variant.
* Enable renew CA
* Enable renew Elasticsearch cert
* Enable renew Logstash cert
* Enable renew Kibana cert
* Enable renew beats cert
* Check CA and Certs validity date and renew them
* Let Logstash write data on disk
* Prevent Logstash to stick by Elasticsearch dead connection
* Make sure certificate handling is idempotent and reacts to changes #35
* Make Kibana use its certificate and not share the one from elasticsearch #56
* Let Kibana start after reboot #57 #69
* Allow to use persisted queues per pipeline #60
* Restart the available beat service when create or renew certificates #83
We're creating a lot of certificates via different ways. And we're copying them via different hosts. We need to make very sure that we have a stable and reliable way to recreate certificates and even the whole CA. We need all versions: Just one certificate, all files for one host, whole CA.
Make especially sure that creating different formats like pkcs8 for Logstash is not broken because e.g. we only check for presence of the file when deciding whether we need to recreate it or not.
There are a few ideas about how to handle this:
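The presence-only check described in the issue, next to a content-based one, as an added example that is not part of the issue thread or the collection's code. It assumes a hypothetical sidecar stamp file holding the SHA-256 of the source key at the last conversion; the file names and contents are constructed, and a plain file write stands in for the PKCS8 conversion.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def digest(path: Path) -> str:
    """SHA-256 of a file's bytes, hex encoded."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def presence_only_check(derived: Path) -> bool:
    """The fragile rule from the issue: rebuild only when the file is missing."""
    return not derived.exists()


def needs_rebuild(source: Path, derived: Path, stamp: Path) -> bool:
    """Rebuild when the derived file or its stamp is missing, or when the
    source no longer matches the digest recorded at the last conversion."""
    if not derived.exists() or not stamp.exists():
        return True
    return stamp.read_text().strip() != digest(source)


def record_conversion(source: Path, stamp: Path) -> None:
    """Call after a successful conversion; replaces the stamp atomically."""
    tmp = stamp.with_name(stamp.name + ".tmp")
    tmp.write_text(digest(source) + "\n")
    os.replace(tmp, stamp)


def demo() -> dict:
    """Simulate a key renewal using constructed placeholder contents."""
    with tempfile.TemporaryDirectory() as d:
        names = ("ls.key", "ls-pkcs8.key", "ls-pkcs8.key.sha256")  # hypothetical
        src, out, stamp = (Path(d) / n for n in names)
        src.write_text("constructed key material v1\n")
        first = needs_rebuild(src, out, stamp)        # nothing derived yet
        out.write_text("derived from v1\n")           # stand-in for conversion
        record_conversion(src, stamp)
        unchanged = needs_rebuild(src, out, stamp)    # second run: no change
        src.write_text("constructed key material v2\n")  # source key renewed
        return {
            "first_run": first,
            "unchanged": unchanged,
            "after_renewal": needs_rebuild(src, out, stamp),
            "presence_only_after_renewal": presence_only_check(out),
        }
```

The stamp is derived from private key material, so it should carry the same ownership and mode as the key file it sits beside.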