Azure / open-service-broker-azure

The Open Service Broker API Server for Azure Services
https://osba.sh
MIT License

Add checksum of broker.yaml to annotation in deployment.yaml #717

Closed ivanov-aleksander closed 5 years ago

ivanov-aleksander commented 5 years ago

There is a bug:

OSBA breaks after deployment because every release creates a new TLS certificate in broker.yaml:

{{- $ca := genCA "osba-ca" 3650 }}
{{- $cert := genSignedCert $cn nil (list $altName1 $altName2 $altName3 $altName4) 3650 $ca }}

The error looks like:

NAME   URL                                                             STATUS                 AGE
osba   https://osba-open-service-broker-azure.osba.svc.cluster.local   ErrorFetchingCatalog   33m

OSBA logs

Error getting broker catalog: Get https://osba-open-service-broker-azure.osba.svc.cluster.local/v2/catalog: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "osba-ca")

The main reason for this error is that the osba pod isn't recreated and keeps using the certificate from the previous release, while the broker is registered in the service catalog with the new certificate and CA.

To solve this issue, I have added a checksum of broker.yaml as an annotation in deployment.yaml, following the Chart Development best practice.
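The mismatch behind the x509 error above, as an added Go example that is not part of OSBA or its chart: two calls to a genCA-style function yield unrelated CAs that merely share the name "osba-ca", so the serving cert a pod loaded in the first release fails verification against the CA registered after the next release. ECDSA P-256 keys (instead of RSA) and the cluster-local hostname from the report are assumptions made for brevity.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

const host = "osba-open-service-broker-azure.osba.svc.cluster.local" // assumed from the report

// NewCA mimics Helm's genCA "osba-ca": every call returns a new, unrelated CA
// (fresh key pair) that merely shares the common name with earlier ones.
func NewCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "osba-ca"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(3650 * 24 * time.Hour),
		IsCA: true, KeyUsage: x509.KeyUsageCertSign, BasicConstraintsValid: true,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	ca, _ := x509.ParseCertificate(der)
	return ca, key
}

// NewServerCert mimics genSignedCert: the broker's serving cert, issued by ca.
func NewServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(3650 * 24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// Verify is what the service catalog does when fetching /v2/catalog: it checks
// the cert the running pod serves against the CA registered for the broker.
func Verify(served, registeredCA *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(registeredCA)
	_, err := served.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}
```

Forcing the pod to restart whenever broker.yaml changes (the checksum annotation) keeps the served cert and the registered CA from the same release, which is why the annotation fixes the error.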

ivanov-aleksander commented 5 years ago

@krancour you are right. I have added a label. @krancour @norshtein could you please review and merge? One last question: when will there be a new Docker image that contains these changes?

krancour commented 5 years ago

Thanks for the change.