Fix external CA first-install config and remove cert restart#86
Merged
…tart on cert changes

The elasticsearch.yml template checked whether ca.crt existed on disk to decide whether to include certificate_authorities. On first install the CA file hasn't been deployed yet, so the config rendered without it — breaking inter-node transport TLS. Now we check the input variables instead of the file, so the template reflects intent rather than transient state. Closes #78.

Elasticsearch auto-reloads SSL certificates from disk, so the Restart Elasticsearch handler notifications on every cert copy task were causing unnecessary restarts. Removed them; the Kibana restart notification is kept since Node.js does not auto-reload.

Added config assertions to the custom_certs verify to catch this class of bug: CA presence in both transport and HTTP sections, verification_mode sanity, and cert path existence.
On first install with `elasticsearch_cert_source: external`, the template rendered `elasticsearch.yml` without `certificate_authorities` because it checked whether `ca.crt` existed on disk — which it doesn't yet at template render time. The config now checks the input variables (`elasticsearch_tls_ca_certificate`/`*_content`) instead, so the CA reference is included from the first run. This fixes inter-node transport TLS failures on fresh external-cert deployments.

Separately, removed the `notify: Restart Elasticsearch` from all certificate distribution tasks. Elasticsearch auto-reloads SSL contexts when cert files change on disk, so these restarts were unnecessary. The Kibana restart notification is preserved since Node.js requires a process restart to pick up new certs.

Added verify assertions to the `elasticsearch_custom_certs` scenario: CA presence in both transport and HTTP config sections, `verification_mode` sanity check, and cert path existence validation.

Closes #78
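The failure mode described in this PR (a template that keys security settings off transient on-disk state instead of the play's inputs) and the verify assertions that catch it, as an added Python example. This is not the role's template or its Molecule verifier; it reproduces the two decision rules side by side and runs the checks the description lists over the rendered settings. The `certs_dir`, `node.crt`/`node.key` file names, `render_security_settings`, `check_tls_config` and `first_install_comparison` are assumptions made for the example; the variable names `elasticsearch_tls_ca_certificate` / `*_content` come from the PR text, and the accepted `verification_mode` values are Elasticsearch's own (`full`, `certificate`, `none`).

```python
import os

# Values Elasticsearch accepts for xpack.security.*.ssl.verification_mode
VALID_VERIFICATION_MODES = {"full", "certificate", "none"}

SECTIONS = ("transport", "http")


def render_security_settings(play_vars, ca_present_on_disk, decide_from_disk):
    """Build the xpack.security.*.ssl settings a template would emit (hypothetical).

    decide_from_disk=True reproduces the pre-fix behaviour: include
    certificate_authorities only if ca.crt is already on the host.
    decide_from_disk=False reproduces the fix: include it whenever the play
    was given a CA (elasticsearch_tls_ca_certificate or the *_content variant),
    regardless of what has been copied to disk so far.
    """
    certs_dir = play_vars["certs_dir"]  # assumed variable name
    if decide_from_disk:
        include_ca = ca_present_on_disk
    else:
        include_ca = bool(
            play_vars.get("elasticsearch_tls_ca_certificate")
            or play_vars.get("elasticsearch_tls_ca_certificate_content")
        )
    settings = {}
    for section in SECTIONS:
        base = f"xpack.security.{section}.ssl"
        settings[f"{base}.enabled"] = True
        settings[f"{base}.certificate"] = f"{certs_dir}/node.crt"
        settings[f"{base}.key"] = f"{certs_dir}/node.key"
        settings[f"{base}.verification_mode"] = play_vars.get("verification_mode", "full")
        if include_ca:
            settings[f"{base}.certificate_authorities"] = [f"{certs_dir}/ca.crt"]
    return settings


def check_tls_config(settings, path_exists=os.path.exists):
    """Post-deploy assertions in the spirit of the PR's verify step.

    Returns a list of problems; an empty list means the config passes.
    path_exists is injectable so the check can run against a rendered
    config without touching the real filesystem.
    """
    problems = []
    for section in SECTIONS:
        base = f"xpack.security.{section}.ssl"
        cas = settings.get(f"{base}.certificate_authorities") or []
        if not cas:
            problems.append(f"{section}: certificate_authorities missing")
        mode = settings.get(f"{base}.verification_mode")
        if mode not in VALID_VERIFICATION_MODES:
            problems.append(f"{section}: invalid verification_mode {mode!r}")
        for key in ("certificate", "key"):
            path = settings.get(f"{base}.{key}")
            if not path or not path_exists(path):
                problems.append(f"{section}: {key} path missing: {path}")
        for ca in cas:
            if not path_exists(ca):
                problems.append(f"{section}: CA path missing: {ca}")
    return problems


def first_install_comparison(play_vars):
    """Render with both decision rules for a first install (no ca.crt on disk
    at template time) and return the problems each would fail verification
    with, assuming the cert copy tasks have completed when the verifier runs."""
    after_deploy = lambda _path: True  # constructed: every file present post-play
    buggy = render_security_settings(play_vars, ca_present_on_disk=False, decide_from_disk=True)
    fixed = render_security_settings(play_vars, ca_present_on_disk=False, decide_from_disk=False)
    return check_tls_config(buggy, after_deploy), check_tls_config(fixed, after_deploy)


if __name__ == "__main__":
    # Constructed sample play vars for an external-CA deployment
    sample_vars = {
        "certs_dir": "/etc/elasticsearch/certs",
        "elasticsearch_tls_ca_certificate": "files/ca.crt",
    }
    buggy_problems, fixed_problems = first_install_comparison(sample_vars)
    print("pre-fix template:", buggy_problems)
    print("fixed template:  ", fixed_problems)
```

The point the comparison makes is that the pre-fix rule produces a config that is internally consistent at render time yet wrong once the CA lands on disk, which is exactly why a file-existence check is the wrong signal: the verify step only sees the bad result because it asserts on what the config says, not on what the template saw. Injecting `path_exists` also lets the same check exercise the cert-path assertion without a real certificate tree.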