From 09dfafbd6bf1aba8f666ed853a1422921ecdd0fa Mon Sep 17 00:00:00 2001
From: "Lo, Chi (cl566n)"
Date: Tue, 10 Aug 2021 10:00:06 -0700
Subject: [PATCH] Enable TLS path between Curator and Elasticsearch

Elasticsearch is TLS enabled. Curator needs to be configured to use cacert when communicating with Elasticsearch.

Change-Id: Ia78458516d6c8f975e478d85643dc4436b70b87c
---
 elasticsearch/Chart.yaml | 2 +-
 elasticsearch/templates/cron-job-curator.yaml | 2 ++
 elasticsearch/values_overrides/tls.yaml | 6 ++++++
 releasenotes/notes/elasticsearch.yaml | 1 +
 4 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/elasticsearch/Chart.yaml b/elasticsearch/Chart.yaml
index cf6ac267b..4a4da0fd4 100644
--- a/elasticsearch/Chart.yaml
+++ b/elasticsearch/Chart.yaml
@@ -15,7 +15,7 @@ apiVersion: v1
 appVersion: v7.6.2
 description: OpenStack-Helm ElasticSearch
 name: elasticsearch
-version: 0.2.10
+version: 0.2.11
 home: https://www.elastic.co/
 sources:
 - https://github.com/elastic/elasticsearch
diff --git a/elasticsearch/templates/cron-job-curator.yaml b/elasticsearch/templates/cron-job-curator.yaml
index e23b23960..ef7513844 100644
--- a/elasticsearch/templates/cron-job-curator.yaml
+++ b/elasticsearch/templates/cron-job-curator.yaml
@@ -80,6 +80,7 @@ spec:
 mountPath: /etc/config/action_file.yml
 subPath: action_file.yml
 readOnly: true
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.elasticsearch.elasticsearch.internal "path" "/etc/elasticsearch/certs" "certs" tuple "ca.crt" | include "helm-toolkit.snippets.tls_volume_mount" | indent 16 }}
 volumes:
 - name: pod-tmp
 emptyDir: {}
@@ -93,4 +94,5 @@ spec:
 secret:
 secretName: elastic-curator-etc
 defaultMode: 0444
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.elasticsearch.elasticsearch.internal | include "helm-toolkit.snippets.tls_volume" | indent 12 }}
 {{- end }}
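Review bot: In the first hunk of cron-job-curator.yaml, `"certs" tuple "ca.crt"` passes `tuple` without parentheses, and Go templates evaluate a bare function name in argument position as a zero-argument call, so `certs` may end up as an empty list with `"ca.crt"` left over as a stray dict key. If the `helm-toolkit.snippets.tls_volume_mount` helper then falls back to a default file list (its body is not visible here, so this is worth confirming with `helm template`), the Curator pod would receive more of the Elasticsearch TLS secret than the CA certificate it needs, possibly including the private key. Writing it as `"certs" (tuple "ca.crt")` makes the intent explicit. The volume added in the second hunk references the same secret, so the mount list is the only thing limiting what Curator can read.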
diff --git a/elasticsearch/values_overrides/tls.yaml b/elasticsearch/values_overrides/tls.yaml
index 50f4f5b97..62fd4822c 100644
--- a/elasticsearch/values_overrides/tls.yaml
+++ b/elasticsearch/values_overrides/tls.yaml
@@ -144,6 +144,12 @@ conf:
 key: /usr/share/elasticsearch/config/tls.key
 certificate: /usr/share/elasticsearch/config/tls.crt
 certificate_authorities: ["/usr/share/elasticsearch/config/ca.crt"]
+ curator:
+ config:
+ client:
+ use_ssl: True
+ ssl_no_validate: False
+ certificate: '/etc/elasticsearch/certs/ca.crt'
 manifests:
 certificates: true
 ...
diff --git a/releasenotes/notes/elasticsearch.yaml b/releasenotes/notes/elasticsearch.yaml
index 718531aa1..4a0f020d1 100644
--- a/releasenotes/notes/elasticsearch.yaml
+++ b/releasenotes/notes/elasticsearch.yaml
@@ -20,4 +20,5 @@ elasticsearch:
 - 0.2.8 Use full image ref for docker official images
 - 0.2.9 Removed repo verification check from helm-test
 - 0.2.10 Enable TLS path between Prometheus-elasticsearch-exporter and Elasticsearch
+ - 0.2.11 Enable TLS path between Curator and Elasticsearch
 ...
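Review bot: In the values_overrides/tls.yaml hunk, `certificate: '/etc/elasticsearch/certs/ca.crt'` silently depends on the literal `"path" "/etc/elasticsearch/certs"` in templates/cron-job-curator.yaml, and nothing in either file says so. A comment above the key such as `# CA bundle mounted by templates/cron-job-curator.yaml; keep in sync with its tls_volume_mount path` would keep a later path change from breaking certificate validation and tempting someone to turn on `ssl_no_validate` as a workaround. As a style point, `use_ssl: True` and `ssl_no_validate: False` would read more consistently as lowercase `true`/`false`, matching `certificates: true` a few lines below.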