Open barkbay opened 1 year ago
Thanks @barkbay for raising the issue! Do you think it makes sense to throw some warning in ECK operator, if a user specifies a headless service in SAN part?
I'm not sure it is easy to detect that a DNS name refers to a headless Service
. As mentioned in the the k8s documentation the DNS record for a Service
may end with the cluster domain name which is not something we can detect in the operator (this is at least not something we have today). We could still try to parse the name, and detect if the first segments match one of the headless Services
name, but it seems a bit involved for a small improvement? Also we would have to decide if we do the same for Pods DNS records.
I would first update our documentation to mention why we consider it is deprecated to use them.
The traffic splitting documentation does not mention that referencing a custom
Service
usingelasticsearchRef.serviceName
does not update the HTTP certificate exposed by the Elasticsearch nodes.It works for Kibana as documented because the
verificationMode
is set tocertificate
by the Kibana controller:But in the case of
Beats
, and maybe other stack applications (see https://github.com/elastic/cloud-on-k8s/issues/4812 about this inconsistency), a full validation is done, which leads to a validation failure:I think we should at least document the workaround of adding the expected hostname in the SAN extension:
I also think an improvement could be that the Elasticsearch controller automatically adds the expected hostname to the SAN extension?