feat: validate http custom ca#8992
Merged
pkoutsovasilis merged 7 commits intoelastic:mainfrom Jan 20, 2026
Merged
Conversation
Collaborator
✅ Snyk checks have passed. No issues have been found so far.
💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse. |
pkoutsovasilis
force-pushed
the
fix/validate_http_custom_ca
branch
2 times, most recently
from
ba2e3ee to
9734230
Compare
pkoutsovasilis
force-pushed
the
fix/validate_http_custom_ca
branch
from
9734230 to
e58d046
Compare
Contributor
There was a problem hiding this comment.
Pull request overview
This PR implements validation for user-supplied CA certificates in the Elasticsearch HTTP layer, addressing a gap where expired or invalid certificates would silently fail without alerting users.
Changes:
- Adds validation logic for custom HTTP CA certificates (checking expiration, validity period, and key matching)
- Implements error reporting through Kubernetes events when validation fails
- Adds comprehensive unit tests for HTTP CA certificate validation scenarios
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| pkg/controller/common/certificates/reconcile.go | Adds validation call and requeue logic for custom HTTP CA certificates |
| pkg/controller/common/certificates/reconcile_test.go | Adds comprehensive test cases covering valid, expired, not-yet-valid, and mismatched key scenarios |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
pkoutsovasilis
force-pushed
the
fix/validate_http_custom_ca
branch
from
e58d046 to
1464f72
Compare
Contributor
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
pkoutsovasilis
requested review from
barkbay,
kvalliyurnatt,
moukoublen,
naemono,
pebrc and
rhr323
pebrc
reviewed
Jan 16, 2026
pebrc
reviewed
Jan 19, 2026
Co-authored-by: Peter Brachwitz <peter.brachwitz@gmail.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This PR addresses #8990 by implementing validation for user-supplied CA certificates in the Elasticsearch HTTP layer, closing the behavioral gap identified in #8953.
Previously, when users configured expired or invalid CA certificates via HTTP TLS configuration, the operator would silently fail without alerting them to the problem. This PR adds validation logic similar to what was implemented for the Elasticsearch transport layer, ensuring consistent certificate handling across both communication layers.
Changes
Added Validation Logic
Error Reporting
Test Coverage
Related Issues