Synch changes in cert generation script with CLO

[pavolloffay]

Upstream script: https://github.com/openshift/cluster-logging-operator/blob/master/scripts/cert_generation.sh
Full history: https://github.com/openshift/cluster-logging-operator/commits/master/scripts/cert_generation.sh

Ported changes

• openshift/cluster-logging-operator@9793597#diff-5a317832296dcbda4dee718589dca819
• openshift/cluster-logging-operator@d639d0c#diff-5a317832296dcbda4dee718589dca819
• openshift/cluster-logging-operator@43974cd#diff-5a317832296dcbda4dee718589dca819
• openshift/cluster-logging-operator@1473937#diff-5a317832296dcbda4dee718589dca819

Signed-off-by: Pavol Loffay [email protected]

[codecov]

Codecov Report

Merging #1008 into master will increase coverage by 0.05%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##           master    #1008      +/-   ##
==========================================
+ Coverage   64.55%   64.60%   +0.05%     
==========================================
  Files          82       82              
  Lines        6540     6547       +7     
==========================================
+ Hits         4222     4230       +8     
+ Misses       2177     2176       -1     
  Partials      141      141              

Impacted Files	Coverage Δ
pkg/apis/jaegertracing/v1/logger.go	0.00% <0.00%> (ø)
pkg/apis/jaegertracing/v1/options.go	89.65% <0.00%> (+1.65%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 5151c77...b9d6ce7. Read the comment docs.

[objectiser]

@pavolloffay KevinE is running the internal e2e tests, so will wait for those results. But wanted to find out are there going to be any upgrade issues with this? Is there a procedure that will need to be followed - e.g. stop / restart jaeger instance and ES cluster.

[pavolloffay]

I would say it should not cause problems. Once new operator is deployed existing certs are reconstructed from secrets and stored on operator's filesystem in /tmp.

jaeger-operator/pkg/storage/elasticsearch_secrets.go

Line 94 in fc99304

func (ed *ElasticsearchDeployment) CreateCerts() error {

Then the script checks whether certs exist and are not expired

jaeger-operator/scripts/cert_generation.sh

Line 23 in b9d6ce7

if [ ! -f ${WORKING_DIR}/ca.crt ] || [ ! -f ${WORKING_DIR}/ca.key ] || ! openssl x509 -checkend 0 -noout -in ${WORKING_DIR}/ca.crt; then

.

[objectiser]

@pavolloffay ok thanks - internal tests passed, so will approve/merge.

[ewolinetz]

Is there a procedure that will need to be followed - e.g. stop / restart jaeger instance and ES cluster.

You will need to restart the ES cluster, but the Elasticsearch Operator handles this for you.
The operator also tries to connect to the ES cluster using a service account token first, so it bypasses any potential issues where the secret has rotated but ES hasn't yet loaded it in.

[pavolloffay]

Thanks for looking into this @ewolinetz.

You will need to restart the ES cluster, but the Elasticsearch Operator handles this for you.

Could you please explain why the ES cluster will have to be restarted? Will the certs change? Could you please point me to the code?

The operator also tries to connect to the ES cluster using a service account token first, so it bypasses any potential issues where the secret has rotated but ES hasn't yet loaded it in.

Which operator? Jaeger/jaeger operator is using only certs for auth. If certs change jaeger collector will not able to connect. I am not sure if it restarts automatically. I am going to test this.