
Make sure certificate handling is idempotent and reacts to changes #35


Closed
widhalmt opened this issue Feb 3, 2023 · 3 comments

Comments

@widhalmt
Member

widhalmt commented Feb 3, 2023

We're creating a lot of certificates in different ways, and we're copying them between different hosts. We need to make very sure that we have a stable and reliable way to recreate certificates and even the whole CA. We need all variants: just one certificate, all files for one host, the whole CA.

Make especially sure that creating different formats, like PKCS8 for Logstash, is not broken because, e.g., we only check for the presence of the file when deciding whether we need to recreate it or not.

There are a few ideas about how to handle this:

  • Deleting temporary files right after transport
  • Using unique temporary directories or filenames which won't be reused in the next run
  • Checking whether the generated targets still match the source
@widhalmt widhalmt added the feature New feature or request label Feb 3, 2023
@widhalmt widhalmt added this to the 1.0.0 milestone Feb 3, 2023
@widhalmt widhalmt mentioned this issue Feb 3, 2023
@widhalmt
Member Author

widhalmt commented Feb 3, 2023

Deleting files after transport and unique temporary directories might break idempotence tests. Seems like checking is the only way to go. If you find better ways: They are very welcome.

Maybe don't check the contents of the files but use timestamps with stat?

@afeefghannam89
Member

afeefghannam89 commented Feb 8, 2023

I agree with you, Thomas: deleting the temporary files will break idempotence. I have tested the collection several times, but I did not run into the same error that you both noticed. I really need more input about the error to be able to handle this issue. As I understand it, the copy and fetch modules do not work as they should: they do not update the files on the target/destination when the file does not match the source.

If he's right, then we should open an issue with the maintainers of these modules, because their job is to update the file on the target host.

@widhalmt
Member Author

widhalmt commented Feb 8, 2023

I'm sorry to be a bit misleading. In many of our tests, the collection worked exactly as expected. It's more about rethinking the whole copy and move process to make sure it really works under all conditions, especially when you want to renew certificates.

E.g., make sure that the PKCS8 version of the Logstash key is replaced when we replace the default variant.
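One way to implement the "check whether the generated targets still match the source" idea from the issue, applied to the Logstash PKCS8 case above. This is an added Ansible example, not code from the collection; the variable names, file paths, sidecar file name and service name are assumptions for illustration. The derived key cannot be compared to its source byte for byte (the PKCS8 encoding differs), so the play records a SHA-256 fingerprint of the source next to the derived file and regenerates when the derived file is missing or the recorded fingerprint no longer matches. A presence-only check (`creates:` on the conversion command) would skip the conversion forever once the file exists, which is exactly the failure the issue describes.

```yaml
---
# Added example (not part of the collection). Paths, variables and the
# handler name are assumptions.
- name: Keep the PKCS8 copy of the Logstash key in sync with its source
  hosts: logstash
  become: true
  vars:
    logstash_key: /etc/logstash/certs/logstash.key            # assumed path
    logstash_key_pkcs8: /etc/logstash/certs/logstash-pkcs8.key # assumed path
    # Sidecar that remembers which source the derived key was built from.
    pkcs8_fingerprint: "{{ logstash_key_pkcs8 }}.src-sha256"
  tasks:
    - name: Fingerprint the source key
      ansible.builtin.stat:
        path: "{{ logstash_key }}"
        checksum_algorithm: sha256
      register: src_key
      failed_when: not src_key.stat.exists

    - name: Check whether the derived PKCS8 key is present at all
      ansible.builtin.stat:
        path: "{{ logstash_key_pkcs8 }}"
      register: pkcs8_key

    # Missing sidecar (first run, or manually cleaned up) is not an error;
    # it simply means "unknown origin", which forces a regeneration below.
    - name: Read the fingerprint recorded when the derived key was last written
      ansible.builtin.slurp:
        src: "{{ pkcs8_fingerprint }}"
      register: recorded
      failed_when: false

    # The conversion only runs when the target is missing or stale, so a
    # second run with an unchanged source reports no change (idempotent),
    # while a renewed source key triggers a fresh PKCS8 copy.
    - name: Regenerate the PKCS8 key only when missing or built from an older source
      ansible.builtin.command:
        cmd: >-
          openssl pkcs8 -topk8 -nocrypt
          -in {{ logstash_key }} -out {{ logstash_key_pkcs8 }}
      when: >-
        not pkcs8_key.stat.exists
        or recorded.content is not defined
        or (recorded.content | b64decode | trim) != src_key.stat.checksum
      notify: Restart logstash

    - name: Restrict permissions on the derived private key
      ansible.builtin.file:
        path: "{{ logstash_key_pkcs8 }}"
        mode: "0600"

    # copy is content-idempotent: it reports ok while the fingerprint is
    # unchanged and changed only after a regeneration.
    - name: Record which source the derived key was generated from
      ansible.builtin.copy:
        content: "{{ src_key.stat.checksum }}\n"
        dest: "{{ pkcs8_fingerprint }}"
        mode: "0600"

  handlers:
    - name: Restart logstash
      ansible.builtin.service:
        name: logstash
        state: restarted
```

The timestamp variant suggested above (compare `src_key.stat.mtime` with `pkcs8_key.stat.mtime` and regenerate when the source is newer) needs one task less, but it depends on mtimes that a restore from backup or a stray `touch` can invalidate; the fingerprint sidecar keys the decision on the content of the source, which is what actually determines whether the derived file is still valid.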

@widhalmt widhalmt pinned this issue Feb 13, 2023
afeefghannam89 added a commit that referenced this issue Feb 20, 2023
* Enable renewing the CA
* Enable renewing the Elasticsearch cert
* Enable renewing the Logstash cert
* Enable renewing the Kibana cert
* Enable renewing the Beats cert
* Check CA and cert validity dates and renew them
* Let Logstash write data on disk
* Prevent Logstash from sticking to a dead Elasticsearch connection
* Make sure certificate handling is idempotent and reacts to changes #35
* Make Kibana use its own certificate and not share the one from Elasticsearch #56
* Let Kibana start after reboot #57 #69
* Allow to use persisted queues per pipeline #60
* Restart the available Beat service when creating or renewing certificates #83
@widhalmt widhalmt unpinned this issue Mar 8, 2023