Posted to issues@lucene.apache.org by GitBox <gi...@apache.org> on 2021/02/01 20:21:49 UTC

[GitHub] [lucene-solr-operator] thelabdude commented on a change in pull request #151: Integrate with cert-manager to issue TLS certs for Solr

thelabdude commented on a change in pull request #151:
URL: https://github.com/apache/lucene-solr-operator/pull/151#discussion_r568114059



##########
File path: controllers/solrcloud_controller.go
##########
@@ -261,12 +268,77 @@ func (r *SolrCloudReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) {
 		blockReconciliationOfStatefulSet = true
 	}
 
+	tlsCertMd5 := ""
+	needsPkcs12InitContainer := false // flag if the StatefulSet needs an additional initCont to create PKCS12 keystore
+	// don't start reconciling TLS until we have ZK connectivity, avoids TLS code having to check for ZK
+	if !blockReconciliationOfStatefulSet && instance.Spec.SolrTLS != nil {
+		ctx := context.TODO()
+		// Create the autogenerated TLS Cert and wait for it to be issued
+		if instance.Spec.SolrTLS.AutoCreate != nil {
+			tlsReady, err := r.reconcileAutoCreateTLS(ctx, instance)
+			// don't create the StatefulSet until we have a cert, which can take a while for a Let's Encrypt Issuer
+			if !tlsReady || err != nil {
+				if err != nil {
+					r.Log.Error(err, "Reconcile TLS Certificate failed")
+				} else {
+					wait := 30 * time.Second
+					if instance.Spec.SolrTLS.AutoCreate.IssuerRef == nil {
+						// this is a self-signed cert, so no need to wait very long for it to issue
+						wait = 2 * time.Second
+					}
+					requeueOrNot.RequeueAfter = wait
+				}
+				return requeueOrNot, err
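
Review bot: In the `if !tlsReady || err != nil` block, the error branch calls `r.Log.Error(err, ...)` and then returns the same `err`. controller-runtime already logs a returned reconcile error and requeues it with its own rate-limited backoff, so each failed attempt is reported twice, and the 30s/2s `RequeueAfter` only takes effect on the not-ready path. Suggest handling `err != nil` as its own early return ahead of the `!tlsReady` check, without the extra log line, so the wait logic is no longer nested inside the error test. The `30 * time.Second` and `2 * time.Second` literals would also be easier to tune as named constants, and `context.TODO()` is worth a follow-up so the cert-manager calls in `reconcileAutoCreateTLS` run under a context that carries a deadline.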

Review comment:
       Certs can take several minutes to issue, so I think we want to return here with the extended wait period; otherwise you get a ton of noise in the logs until the cert issues ...



