
[bitnami/elasticsearch] Fix alt names in generated TLS certs

Open psiroky opened this issue 2 years ago • 0 comments

Description of the change

Minor fix in the generated Elasticsearch TLS certs, specifically one of the alternative DNS names. Before this change, the name would be generated like this: DNS:elasticsearch.%!s(MISSING).svc.%!s(MISSING).

Benefits

Those fixed alt names are now usable.

Possible drawbacks

Can't think of any.

Applicable issues

I haven't created an issue for this, since it is a very simple fix. If preferred I can also file a GitHub issue and link it here.

Additional information

One additional (super minor) fix in the README.

Checklist

  • [X] Chart version bumped in Chart.yaml according to semver. This is not necessary when the changes only affect README.md files.
  • [X] Variables are documented in the values.yaml and added to the README.md using readme-generator-for-helm
  • [X] Title of the pull request follows this pattern [bitnami/<name_of_the_chart>] Descriptive title
  • [X] All commits signed off and in agreement of Developer Certificate of Origin (DCO)

psiroky avatar Aug 08 '22 08:08 psiroky
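Added example, not part of the pull request or the chart's code: the `%!s(MISSING)` marker in the description is what Go's `fmt.Sprintf` (which backs `printf` in Go templates) emits when a format has more verbs than arguments. The sketch reproduces that string and flags alt names that are not well-formed hostnames. The template text, the `release` values and the function names are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"text/template"
)

// Constructed templates, not the chart's own. brokenSAN has three %s verbs but
// one argument, which makes Go's fmt emit the "%!s(MISSING)" marker.
const (
	brokenSAN = `{{ printf "%s.%s.svc.%s" .Name }}`
	fixedSAN  = `{{ printf "%s.%s.svc.%s" .Name .Namespace .Domain }}`
)

type release struct{ Name, Namespace, Domain string } // hypothetical values

var dnsLabel = regexp.MustCompile(`^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$`) // one RFC 1123 label

// renderSAN executes tmpl with text/template, whose printf is fmt.Sprintf.
func renderSAN(tmpl string, r release) string {
	var b strings.Builder
	if err := template.Must(template.New("san").Parse(tmpl)).Execute(&b, r); err != nil {
		panic(err) // constructed templates; a failure here is a programming error
	}
	return b.String()
}

// invalidSANs returns the DNS alt names that are not well-formed hostnames.
// A single leading "*." wildcard label is accepted.
func invalidSANs(names []string) []string {
	var bad []string
	for _, n := range names {
		host := strings.ToLower(strings.TrimPrefix(strings.TrimSuffix(n, "."), "*."))
		ok := len(host) <= 253
		for _, l := range strings.Split(host, ".") {
			ok = ok && dnsLabel.MatchString(l)
		}
		if !ok {
			bad = append(bad, n)
		}
	}
	return bad
}

func main() {
	r := release{"elasticsearch", "default", "cluster.local"}
	fmt.Println(invalidSANs([]string{renderSAN(brokenSAN, r), renderSAN(fixedSAN, r)}))
}
```

The same `invalidSANs` check can be applied to the `DNSNames` field of a certificate parsed with `crypto/x509` before the certificate is accepted into a deployment.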

Yes, this definitely changes the generated cert (which contains the altnames), but I am not sure I understand what you mean with upgrade.

As far as I was able to observe, the keys/certificates are re-generated on every helm upgrade anyway -- even if there are no changes in values.yaml/the chart itself. I suspect this happens, because the certs/keys are always generated differently (which is obviously a good thing), so helm assumes the resource (the secrets) changed and it just replaces them. This feels like a bug, since I would assume the certificates would only be generated once and then re-used if they are already present - however, I am not 100% sure about a proper behavior. Please let me know if I am missing something here, which might be the case.

psiroky avatar Aug 17 '22 14:08 psiroky

I was worried about the change in the private key. Some applications use it to encrypt the data, so a change in the private key could cause a data loss, but it seems that is not the case.

Thanks a lot for your contribution, well done.

fmulero avatar Aug 18 '22 06:08 fmulero

@fmulero. Thanks. I have a slightly unrelated follow-up question -- what is the best place to start a discussion/post a question regarding this chart? I don't want to open a GitHub issue/feature request since I don't even know if that's correct or if I am just misunderstanding something.

It is basically about the fact that all the certs/keys are re-generated with each helm upgrade. I am not sure I would call this a bug or feature request or something else (maybe a known limitation?).

psiroky avatar Aug 18 '22 07:08 psiroky

You can open a bug, there is no problem. I think that is a very interesting topic, and likely other charts are affected also.

fmulero avatar Aug 18 '22 07:08 fmulero