Enable TLS for Elasticsearch
The change enables: (1) TLS for the Elasticsearch transport networking layer. The transport networking layer is used for internal communication between nodes in a cluster. (2) TLS path between Elasticsearch and Ceph-rgw host. Change-Id: Ifb6cb5db19bc5db2c8cb914f6a5887cf3d0f9434
This commit is contained in:
parent
3435a3a82a
commit
fd4bf57211
@ -15,7 +15,7 @@ apiVersion: v1
|
||||
appVersion: v7.6.2
|
||||
description: OpenStack-Helm ElasticSearch
|
||||
name: elasticsearch
|
||||
version: 0.2.5
|
||||
version: 0.2.6
|
||||
home: https://www.elastic.co/
|
||||
sources:
|
||||
- https://github.com/elastic/elasticsearch
|
||||
|
@ -54,7 +54,7 @@ CONNECTION_ARGS="--host=$RGW_HOST --host-bucket=$RGW_HOST"
|
||||
if [ "$RGW_PROTO" = "http" ]; then
|
||||
CONNECTION_ARGS+=" --no-ssl"
|
||||
else
|
||||
CONNECTION_ARGS+=" --no-check-certificate"
|
||||
CONNECTION_ARGS+=" ${TLS_OPTION}"
|
||||
fi
|
||||
|
||||
USER_AUTH_ARGS=" --access_key=$S3_ACCESS_KEY --secret_key=$S3_SECRET_KEY"
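Review bot: The https branch now appends `${TLS_OPTION}` verbatim, and the toolkit template only exports TLS_OPTION when both tlsCertificatePath and tlsCertificateSecret are set, so an https RGW deployed with certificates disabled silently changes from the removed `--no-check-certificate` to verification against the image's system trust store. That is the safer default, but it is a behaviour change callers should be told about, and if the script runs under `set -u` (not visible in this hunk) the unset variable aborts it; `CONNECTION_ARGS+=" ${TLS_OPTION:-}"` covers both cases. I would put `# TLS_OPTION carries --ca-certs=<mounted CA> when the chart provides one; otherwise s3cmd verifies the RGW certificate against the system trust store` above the else branch.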
|
||||
|
@ -19,7 +19,6 @@ set -e
|
||||
COMMAND="${@:-start}"
|
||||
|
||||
function initiate_keystore () {
|
||||
set -ex
|
||||
bin/elasticsearch-keystore create
|
||||
|
||||
{{- if .Values.conf.elasticsearch.snapshots.enabled }}
|
||||
@ -30,6 +29,12 @@ function initiate_keystore () {
|
||||
echo ${{$secret_key}} | /usr/share/elasticsearch/bin/elasticsearch-keystore add -xf s3.client.{{ $client }}.secret_key
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{- if .Values.manifests.certificates }}
|
||||
{{- $alias := .Values.secrets.tls.elasticsearch.elasticsearch.internal }}
|
||||
/usr/share/elasticsearch/jdk/bin/keytool -storepasswd -cacerts -new ${ELASTICSEARCH_PASSWORD} -storepass changeit
|
||||
/usr/share/elasticsearch/jdk/bin/keytool -importcert -alias {{$alias}} -cacerts -trustcacerts -noprompt -file ${JAVA_KEYSTORE_CERT_PATH} -storepass ${ELASTICSEARCH_PASSWORD}
|
||||
{{- end }}
|
||||
}
|
||||
|
||||
function start () {
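Review bot: The two keytool commands run under the `set -ex` at the top of initiate_keystore (the function header is in the previous hunk), so `${ELASTICSEARCH_PASSWORD}` is echoed in clear to the container's xtrace output on every start; the password also becomes visible in the process argument list for the lifetime of each keytool call. Re-keying the JDK-wide cacerts store to the Elasticsearch user password additionally couples two unrelated secrets, which deserves a why-comment. Both variables should also be quoted, and `-importcert` will fail on a second invocation if the alias already exists, so a guard may be needed if the function is re-run (I cannot see the callers). The minimal change keeps the password out of the trace, as below; keytool's `-storepass:env` form, if the image's JDK supports it, would keep it out of argv as well.
```shell
{{- if .Values.manifests.certificates }}
{{- $alias := .Values.secrets.tls.elasticsearch.elasticsearch.internal }}
  # The JDK trust store is re-keyed to the ES user password so the CA import
  # below can use one secret; keep that password out of the xtrace log.
  { set +x; } 2>/dev/null
  /usr/share/elasticsearch/jdk/bin/keytool -storepasswd -cacerts -new "${ELASTICSEARCH_PASSWORD}" -storepass changeit
  /usr/share/elasticsearch/jdk/bin/keytool -importcert -alias {{$alias}} -cacerts -trustcacerts -noprompt -file "${JAVA_KEYSTORE_CERT_PATH}" -storepass "${ELASTICSEARCH_PASSWORD}"
  set -x
{{- end }}
```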
|
||||
|
@ -172,6 +172,15 @@ spec:
|
||||
value: {{ tuple "elasticsearch" "discovery" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
|
||||
- name: ES_JAVA_OPTS
|
||||
value: "{{ .Values.conf.elasticsearch.env.java_opts.client }}"
|
||||
{{- if .Values.manifests.certificates }}
|
||||
- name: JAVA_KEYSTORE_CERT_PATH
|
||||
value: "/usr/share/elasticsearch/config/ca.crt"
|
||||
- name: ELASTICSEARCH_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ $esUserSecret }}
|
||||
key: ELASTICSEARCH_PASSWORD
|
||||
{{- end }}
|
||||
{{- if .Values.conf.elasticsearch.snapshots.enabled }}
|
||||
{{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" . | indent 12 }}
|
||||
{{- end }}
|
||||
@ -204,6 +213,7 @@ spec:
|
||||
readOnly: true
|
||||
- name: storage
|
||||
mountPath: {{ .Values.conf.elasticsearch.config.path.data }}
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.elasticsearch.elasticsearch.internal "path" "/usr/share/elasticsearch/config" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{ if $mounts_elasticsearch.volumeMounts }}{{ toYaml $mounts_elasticsearch.volumeMounts | indent 12 }}{{ end }}
|
||||
volumes:
|
||||
- name: pod-tmp
|
||||
|
@ -115,6 +115,15 @@ spec:
|
||||
value: {{ tuple "elasticsearch" "discovery" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
|
||||
- name: ES_JAVA_OPTS
|
||||
value: "{{ .Values.conf.elasticsearch.env.java_opts.client }}"
|
||||
{{- if .Values.manifests.certificates }}
|
||||
- name: JAVA_KEYSTORE_CERT_PATH
|
||||
value: "/usr/share/elasticsearch/config/ca.crt"
|
||||
- name: ELASTICSEARCH_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ $esUserSecret }}
|
||||
key: ELASTICSEARCH_PASSWORD
|
||||
{{- end }}
|
||||
{{- if .Values.conf.elasticsearch.snapshots.enabled }}
|
||||
{{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" . | indent 12 }}
|
||||
{{- end }}
|
||||
@ -144,6 +153,7 @@ spec:
|
||||
readOnly: true
|
||||
- name: storage
|
||||
mountPath: {{ .Values.conf.elasticsearch.config.path.data }}
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.elasticsearch.elasticsearch.internal "path" "/usr/share/elasticsearch/config" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{ if $mounts_elasticsearch.volumeMounts }}{{ toYaml $mounts_elasticsearch.volumeMounts | indent 12 }}{{ end }}
|
||||
volumes:
|
||||
- name: pod-tmp
|
||||
@ -160,5 +170,6 @@ spec:
|
||||
defaultMode: 0444
|
||||
- name: storage
|
||||
emptyDir: {}
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.elasticsearch.elasticsearch.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{ if $mounts_elasticsearch.volumes }}{{ toYaml $mounts_elasticsearch.volumes | indent 8 }}{{ end }}
|
||||
{{- end }}
|
||||
|
@ -15,5 +15,9 @@ limitations under the License.
|
||||
{{- if and (.Values.manifests.job_s3_bucket) (.Values.conf.elasticsearch.snapshots.enabled) }}
|
||||
{{- $esBucket := .Values.conf.elasticsearch.snapshots.bucket }}
|
||||
{{- $s3BucketJob := dict "envAll" . "serviceName" "elasticsearch" "s3Bucket" $esBucket -}}
|
||||
{{- if .Values.manifests.certificates }}
|
||||
{{- $_ := set $s3BucketJob "tlsCertificateSecret" .Values.secrets.tls.elasticsearch.elasticsearch.internal -}}
|
||||
{{- $_ := set $s3BucketJob "tlsCertificatePath" "/etc/elasticsearch/certs/ca.crt" -}}
|
||||
{{- end }}
|
||||
{{ $s3BucketJob | include "helm-toolkit.manifests.job_s3_bucket" }}
|
||||
{{- end -}}
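Review bot: The bucket job is handed `.Values.secrets.tls.elasticsearch.elasticsearch.internal`, the Elasticsearch server TLS secret, but it talks to the Ceph RGW endpoint, so its `ca.crt` only works if the same issuer signed the RGW certificate; that assumption should be stated, e.g. `# the RGW endpoint must be issued by the same CA as the Elasticsearch internal certificate`, or a dedicated values key for the RGW CA should be introduced. The toolkit side (hunks at `@ -96,6 +102,12 @@` and `@ -120,4 +132,10 @@`) projects only `ca.crt` via subPath, which is good, but the pod is still granted the whole secret including `tls.key`; a CA-only Secret or ConfigMap would be the least-privilege shape for a job that needs nothing but the trust anchor.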
|
||||
|
@ -117,7 +117,9 @@ spec:
|
||||
value: {{ printf "%s://%s" (tuple "elasticsearch" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup") (tuple "elasticsearch" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup") }}
|
||||
{{- if .Values.manifests.certificates }}
|
||||
- name: CACERT_OPTION
|
||||
value: "--cacert /etc/elasticsearch/certs/ca.crt"
|
||||
value: "--cacert /usr/share/elasticsearch/config/ca.crt"
|
||||
- name: JAVA_KEYSTORE_CERT_PATH
|
||||
value: "/usr/share/elasticsearch/config/ca.crt"
|
||||
{{- end }}
|
||||
- name: NODE_MASTER
|
||||
value: "false"
|
||||
@ -162,7 +164,7 @@ spec:
|
||||
readOnly: true
|
||||
- name: storage
|
||||
mountPath: {{ .Values.conf.elasticsearch.config.path.data }}
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.elasticsearch.elasticsearch.internal "path" "/etc/elasticsearch/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.elasticsearch.elasticsearch.internal "path" "/usr/share/elasticsearch/config" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{ if $mounts_elasticsearch.volumeMounts }}{{ toYaml $mounts_elasticsearch.volumeMounts | indent 12 }}{{ end }}
|
||||
volumes:
|
||||
- name: pod-tmp
|
||||
|
@ -15,8 +15,6 @@ limitations under the License.
|
||||
{{- if .Values.manifests.statefulset_master }}
|
||||
{{- $envAll := . }}
|
||||
|
||||
{{- $s3UserSecret := .Values.secrets.rgw.elasticsearch }}
|
||||
|
||||
{{- $mounts_elasticsearch := .Values.pod.mounts.elasticsearch.elasticsearch }}
|
||||
|
||||
{{- $serviceAccountName := "elasticsearch-master" }}
|
||||
@ -122,6 +120,15 @@ spec:
|
||||
value: {{ tuple "elasticsearch" "discovery" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
|
||||
- name: ES_JAVA_OPTS
|
||||
value: "{{ .Values.conf.elasticsearch.env.java_opts.master }}"
|
||||
{{- if .Values.manifests.certificates }}
|
||||
- name: JAVA_KEYSTORE_CERT_PATH
|
||||
value: "/usr/share/elasticsearch/config/ca.crt"
|
||||
- name: ELASTICSEARCH_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ .Values.secrets.elasticsearch.user }}
|
||||
key: ELASTICSEARCH_PASSWORD
|
||||
{{- end }}
|
||||
{{- if .Values.conf.elasticsearch.snapshots.enabled }}
|
||||
{{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" . | indent 12 }}
|
||||
{{- end }}
|
||||
@ -151,6 +158,7 @@ spec:
|
||||
readOnly: true
|
||||
- name: storage
|
||||
mountPath: {{ .Values.conf.elasticsearch.config.path.data }}
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.elasticsearch.elasticsearch.internal "path" "/usr/share/elasticsearch/config" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{ if $mounts_elasticsearch.volumeMounts }}{{ toYaml $mounts_elasticsearch.volumeMounts | indent 12 }}{{ end }}
|
||||
volumes:
|
||||
- name: pod-tmp
|
||||
@ -165,6 +173,7 @@ spec:
|
||||
secret:
|
||||
secretName: elasticsearch-etc
|
||||
defaultMode: 0444
|
||||
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.elasticsearch.elasticsearch.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{ if $mounts_elasticsearch.volumes }}{{ toYaml $mounts_elasticsearch.volumes | indent 8 }}{{ end }}
|
||||
{{- if not .Values.storage.master.enabled }}
|
||||
- name: storage
|
||||
|
@ -133,6 +133,17 @@ conf:
|
||||
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
|
||||
SSLHonorCipherOrder on
|
||||
</VirtualHost>
|
||||
elasticsearch:
|
||||
config:
|
||||
xpack:
|
||||
security:
|
||||
transport:
|
||||
ssl:
|
||||
enabled: true
|
||||
verification_mode: certificate
|
||||
key: /usr/share/elasticsearch/config/tls.key
|
||||
certificate: /usr/share/elasticsearch/config/tls.crt
|
||||
certificate_authorities: ["/usr/share/elasticsearch/config/ca.crt"]
|
||||
manifests:
|
||||
certificates: true
|
||||
...
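Review bot: `verification_mode: certificate` verifies the chain but not the hostname, so any peer presenting a certificate chaining to `ca.crt` is accepted as a cluster node regardless of which pod it runs in; that is a reasonable choice when the StatefulSet pod names are not in the certificate's SANs, but it should be documented rather than left implicit, e.g. `# certificate: chain is checked, hostname is not (pod names are not covered by the SAN list); switch to full once they are`. The same `tls.key`/`tls.crt` pair appears to serve both the transport layer and the Kibana-facing HTTP path from release 0.2.5, which is worth a one-line note so operators know rotating it affects both.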
|
||||
|
@ -15,7 +15,7 @@ apiVersion: v1
|
||||
appVersion: v1.0.0
|
||||
description: OpenStack-Helm Helm-Toolkit
|
||||
name: helm-toolkit
|
||||
version: 0.2.12
|
||||
version: 0.2.13
|
||||
home: https://docs.openstack.org/openstack-helm
|
||||
icon: https://www.openstack.org/themes/openstack/images/project-mascots/OpenStack-Helm/OpenStack_Project_OpenStackHelm_vertical.png
|
||||
sources:
|
||||
|
@ -31,6 +31,8 @@ limitations under the License.
|
||||
{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
|
||||
{{- $s3UserSecret := index $envAll.Values.secrets.rgw $serviceName -}}
|
||||
{{- $s3Bucket := index . "s3Bucket" | default $serviceName }}
|
||||
{{- $tlsCertificateSecret := index . "tlsCertificateSecret" -}}
|
||||
{{- $tlsCertificatePath := index . "tlsCertificatePath" -}}
|
||||
|
||||
{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "s3-bucket" }}
|
||||
{{ tuple $envAll "s3_bucket" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||
@ -73,6 +75,10 @@ spec:
|
||||
- -c
|
||||
- /tmp/create-s3-bucket.sh
|
||||
env:
|
||||
{{- if and ($tlsCertificatePath) ($tlsCertificateSecret) }}
|
||||
- name: TLS_OPTION
|
||||
value: {{ printf "--ca-certs=%s" $tlsCertificatePath | quote }}
|
||||
{{- end }}
|
||||
{{- with $env := dict "s3AdminSecret" $envAll.Values.secrets.rgw.admin }}
|
||||
{{- include "helm-toolkit.snippets.rgw_s3_admin_env_vars" $env | indent 12 }}
|
||||
{{- end }}
|
||||
@ -96,6 +102,12 @@ spec:
|
||||
subPath: key
|
||||
readOnly: true
|
||||
{{ end }}
|
||||
{{- if and ($tlsCertificatePath) ($tlsCertificateSecret) }}
|
||||
- name: {{ $tlsCertificateSecret }}
|
||||
mountPath: {{ $tlsCertificatePath }}
|
||||
subPath: ca.crt
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
volumes:
|
||||
- name: pod-tmp
|
||||
emptyDir: {}
|
||||
@ -120,4 +132,10 @@ spec:
|
||||
secret:
|
||||
secretName: pvc-ceph-client-key
|
||||
{{ end }}
|
||||
{{- if and ($tlsCertificatePath) ($tlsCertificateSecret) }}
|
||||
- name: {{ $tlsCertificateSecret }}
|
||||
secret:
|
||||
secretName: {{ $tlsCertificateSecret }}
|
||||
defaultMode: 292
|
||||
{{- end }}
|
||||
{{- end -}}
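Review bot: `defaultMode: 292` is the decimal form of the `0444` the Elasticsearch chart writes for its other volumes (`defaultMode: 0444` in the client and master hunks); both parse to the same mode under Helm's YAML 1.1 loader, but mixing the two forms in one change makes the permission harder to read and review. Use `defaultMode: 0444` here to match, or `"0444"` if a string is preferred for portability.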
|
||||
|
@ -15,4 +15,5 @@ elasticsearch:
|
||||
- 0.2.3 Add configurable backoffLimit to templates job
|
||||
- 0.2.4 Update helm-test script
|
||||
- 0.2.5 Enable TLS with Kibana
|
||||
- 0.2.6 Enable TLS path between nodes in cluster and TLS path between ceph-rgw
|
||||
...
|
||||
|
@ -19,4 +19,5 @@ helm-toolkit:
|
||||
- 0.2.10 Add more S3 configuration options
|
||||
- 0.2.11 Revert S3 User & Bucket job scripts to v0.2.9
|
||||
- 0.2.12 Remove hook-delete-policy
|
||||
- 0.2.13 Modify connection args for s3 bucket creation when TLS is enabled
|
||||
...
|
||||
|