thelabdude commented on a change in pull request #151: URL: https://github.com/apache/lucene-solr-operator/pull/151#discussion_r568114059
########## File path: controllers/solrcloud_controller.go ########## @@ -261,12 +268,77 @@ func (r *SolrCloudReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) { blockReconciliationOfStatefulSet = true } + tlsCertMd5 := "" + needsPkcs12InitContainer := false // flag if the StatefulSet needs an additional initCont to create PKCS12 keystore + // don't start reconciling TLS until we have ZK connectivity, avoids TLS code having to check for ZK + if !blockReconciliationOfStatefulSet && instance.Spec.SolrTLS != nil { + ctx := context.TODO() + // Create the autogenerated TLS Cert and wait for it to be issued + if instance.Spec.SolrTLS.AutoCreate != nil { + tlsReady, err := r.reconcileAutoCreateTLS(ctx, instance) + // don't create the StatefulSet until we have a cert, which can take a while for a Let's Encrypt Issuer + if !tlsReady || err != nil { + if err != nil { + r.Log.Error(err, "Reconcile TLS Certificate failed") + } else { + wait := 30 * time.Second + if instance.Spec.SolrTLS.AutoCreate.IssuerRef == nil { + // this is a self-signed cert, so no need to wait very long for it to issue + wait = 2 * time.Second + } + requeueOrNot.RequeueAfter = wait + } + return requeueOrNot, err

Review comment: Certs can take several minutes to issue, so I think we want to return here with the extended wait period otherwise you get a ton of noise in the logs until the cert issues ...
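
Review bot: in the `if !tlsReady || err != nil` block, the error path calls `r.Log.Error(err, "Reconcile TLS Certificate failed")` and then falls through to `return requeueOrNot, err`, so the same failure is logged here and again by controller-runtime when it receives the non-nil error, and the extended wait only ever applies to the not-ready case. Handling `err != nil` first with its own early return, then the `!tlsReady` case separately, would flatten the nesting and make it explicit which path gets `RequeueAfter`. The `30 * time.Second` and `2 * time.Second` waits would be easier to tune as named constants, and `ctx := context.TODO()` deserves a short comment so the placeholder context is not forgotten.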