solr-operator

Using a preexisting kubernetes.io/tls secret prevents creation of SolrCloud StatefulSet

Open • jdgiddings opened this issue 3 years ago • 1 comment

Hello, I am fairly new to SolrCloud, so please bear with me if anything here is obvious.

I am trying to have my solrcloud use a preexisting TLS cert. I am following the documentation here. The secret is known-good and contains tls.crt and tls.key values, but importantly does not already have a pkcs12 keystore. It appears that SolrCloud should handle this situation

However, when I set both the keyStorePasswordSecret.name and pkcs12Secret.name to the name of my kubernetes.io/tls secret, the solrcloud StatefulSet is never created, and I get the following error from Solr Operator

2022-04-29T20:32:50.817Z ERROR controller-runtime.manager.controller.solrcloud Reconciler error {"reconciler group": "solr.apache.org", "reconciler kind": "SolrCloud", "name": "test4", "namespace": "redacted-test4", "error": "password-key key not found in password secret redacted"}

I think this may have something to do with the fact that the openssl pkcs12... command in initContainer is never run? I'm unsure, any help is appreciated

Solr version: 8.11.1

UPDATE:

I was able to get it to create the StatefulSet by generating a pkcs12 secret and using it on both the certificate and keyStorePasswordSecret.name. Now the pod has a container `gen-pkcs12-keystore` that is throwing the following error:

Can't open /var/solr/tls/ca.crt for reading, No such file or directory 140588678120768:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:69:fopen('/var/solr/tls/ca.crt','r') 140588678120768:error:2006D080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:76:

jdgiddings, Apr 29 '22 20:04
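The conversion the post refers to, as an added example that is not the solr-operator's own init-container script: a POSIX shell reproduction of what a `gen-pkcs12-keystore` step has to do, turning the `tls.crt` and `tls.key` of a kubernetes.io/tls secret into a PKCS12 keystore with `openssl pkcs12 -export`, with a preflight check for `ca.crt` so that a secret missing that key fails with a clear message instead of the raw `BIO_new_file` error quoted above. It assumes `openssl` is on PATH, emulates the `/var/solr/tls` mount with a directory passed as an argument, and the alias `solr-tls`, the password and the subjects are hypothetical values chosen for the example. The certificates it generates are constructed test input, not real secrets.

```shell
#!/bin/sh
# Added example, not solr-operator code: emulate the tls.crt/tls.key -> PKCS12
# conversion of a gen-pkcs12-keystore init container, with an explicit check
# for ca.crt (the file whose absence produced the "Can't open
# /var/solr/tls/ca.crt" error in the issue).
# Assumptions: openssl on PATH; "$dir" stands in for the /var/solr/tls mount.
set -u

# Generate a throwaway self-signed cert and key (constructed test input).
# Usage: make_self_signed DIR CRT_NAME KEY_NAME SUBJECT
make_self_signed() {
  dir="$1"; crt="$2"; key="$3"; subj="$4"
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$subj" \
    -keyout "$dir/$key" -out "$dir/$crt" >/dev/null 2>&1
}

# Convert DIR/tls.crt + DIR/tls.key (+ DIR/ca.crt as the chain) into a
# PKCS12 keystore at OUT, protected by PASSWORD.
# Returns 0 on success, 2 when a required input file is missing, and
# openssl's own status if the export itself fails.
gen_pkcs12_keystore() {
  dir="$1"; out="$2"; password="$3"
  for f in tls.crt tls.key ca.crt; do
    if [ ! -r "$dir/$f" ]; then
      echo "missing $dir/$f: the kubernetes.io/tls secret must carry this key" >&2
      return 2
    fi
  done
  openssl pkcs12 -export \
    -in "$dir/tls.crt" -inkey "$dir/tls.key" -certfile "$dir/ca.crt" \
    -name solr-tls -out "$out" -passout "pass:$password" 2>/dev/null
}

# Check that the keystore opens with PASSWORD (what Solr does at startup when
# it reads the keystore password from keyStorePasswordSecret).
verify_keystore() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1
}
```

Running `gen_pkcs12_keystore /var/solr/tls /var/solr/tls/keystore.p12 "$PASSWORD"` against a mount that only has `tls.crt` and `tls.key` returns 2 before openssl is invoked, which is the situation the second error in the post describes; with all three files present it writes the keystore, and `verify_keystore` with the wrong password fails on the MAC check, which is the symptom to expect if the password secret and the keystore do not match.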

Can you provide the yaml you are using to create the SolrCloud, as well as the redacted Secrets you are using? (Just need to see the names of the keys). If you generated a pkcs12 secret yourself, there shouldn't be a gen-pkcs12-keystore init container. I think you aren't using the pkcs12Secret.key option correctly, because that's the only reason the init container would be created.

HoustonPutman, May 09 '22 14:05