add "ca_file" option to the elasticstack provider #35
Conversation
|
Since this is a community submitted pull request, a Jenkins build has not been kicked off automatically. Can an Elastic organization member please verify the contents of this patch and then kick off a build manually? |
|
💚 CLA has been signed |
|
Thanks so much for putting up the first community PR @utilitynerd , I have to ask though - is there a specific reason for not implementing "insecure=true" like mentioned in the issue? that would be the direction we'd like to take to resolve this one. Specifying a root_ca file is often quite cumbersome, and doesn't add much value in TF as it does on browsers for example (where browsers will show if a cert is trusted or not) |
There was a problem hiding this comment.
Hey @utilitynerd,
Thanks for your contribution!
There are few more steps to get this over and get merged:
- things we're also support the per elasticsearch-resource
elasticsearch_connectionblock, we will need to addca_filein there as well, seeso this way we will stay consistent in all the places, and then you can update code interraform-provider-elasticstack/internal/utils/utils.go
Lines 124 to 149 in f0c6a1f
to read the newly added optionterraform-provider-elasticstack/internal/clients/api_client.go
Lines 123 to 135 in f0c6a1f
- after changes are maybe, the docs must be updates as well, you can run
make gencommand which will re-generate the docs and adds this options as well - and one more step is you will have you sign the Contributor Agreement for the account you're pushing your commits from, in this case it looks like the commit is coming from https://github.com./mikejones-ucb
Once this is done we can once more go over the PR and see if there are any missing things to be added.
Thanks again for your contribution!
| Severity: diag.Error, | ||
| Summary: "Unable to read CA File", | ||
| Detail: err.Error(), | ||
| }) |
There was a problem hiding this comment.
| }) | |
| }) | |
| return nil, diags |
It would be great if we immediately return the diags here to report the error sooner.
|
Thanks for the feedback! I'm not opposed to the "insecure=true" method instead of validating against a custom cert. Although maybe it would be nice to eventually have both options available. Since it sounds like the project would prefer the insecure route, why don't I take your suggestions and see if I can put together a separate PR implementing it. |
|
@utilitynerd thank you so much. We've actually discussed internally after our discussion here, and decided to allow for both options. So again, really a lot of appreciation for these 2 PRs |
|
I believe I've addressed the issues above:
Let me know if there is anything else |
|
jenkins test this please |
|
@utilitynerd please, merge |
allows connecting to an elasticsearch cluster using a custom certificate authority.
utilitynerd
force-pushed
the
custom-ca
branch
from
3edd5cf to
8956b80
Compare
|
ok to test |
allows connecting to an elasticsearch cluster using a custom certificate authority.
I know just enough go to get myself in trouble, but figured I would try to solve my own problem anyways. resolves #34
It adds the "ca_file" parameter to the elasticstack provider. If ca_file is set, the certificate is read and its contents are added to the CACert field in the elasticsearch.Config struct.