From 3cc76589a9fb7d030cc36a4a3e93c91f01fb78c4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Laurent=20Saint-F=C3=A9lix?=
Date: Tue, 9 Apr 2024 20:30:34 +0200
Subject: [PATCH] Elasticsearch disable CA retrieval when ssl is disabled (#2475)

* skip search for CACert if ssl has been turned off
* add tests with and without ssl enabled
* add all config keys that disable CA gen, restrict check to version 8
* rename test to match content
---
 modules/elasticsearch/elasticsearch.go | 15 +++++++
 modules/elasticsearch/elasticsearch_test.go | 45 +++++++++++++++++++++
 2 files changed, 60 insertions(+)

diff --git a/modules/elasticsearch/elasticsearch.go b/modules/elasticsearch/elasticsearch.go
index 79a364fd01..ea846ecbfd 100644
--- a/modules/elasticsearch/elasticsearch.go
+++ b/modules/elasticsearch/elasticsearch.go
@@ -127,6 +127,21 @@ func configureAddress(ctx context.Context, c *ElasticsearchContainer) (string, e
 // The certificate is only available since version 8, and will be located in a well-known location.
 func configureCertificate(settings *Options, req *testcontainers.GenericContainerRequest) error {
 if isAtLeastVersion(req.Image, 8) {
+ // These configuration keys explicitly disable CA generation.
+ // If any are set we skip the file retrieval.
+ configKeys := []string{
+ "xpack.security.enabled",
+ "xpack.security.http.ssl.enabled",
+ "xpack.security.transport.ssl.enabled",
+ }
+ for _, configKey := range configKeys {
+ if value, ok := req.Env[configKey]; ok {
+ if value == "false" {
+ return nil
+ }
+ }
+ }
+
 // The container needs a post ready hook to copy the certificate from the container to the host.
 // This certificate is only available since version 8
 req.LifecycleHooks[0].PostReadies = append(req.LifecycleHooks[0].PostReadies,
diff --git a/modules/elasticsearch/elasticsearch_test.go b/modules/elasticsearch/elasticsearch_test.go
index 31431346e0..0bfdca7793 100644
--- a/modules/elasticsearch/elasticsearch_test.go
+++ b/modules/elasticsearch/elasticsearch_test.go
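Review bot: The early `return nil` in configureCertificate (elasticsearch.go) leaves the CA certificate unset without any signal to the caller, and the doc comment above the function still says only that the certificate exists from version 8 on. I would extend that comment with `// If security or TLS is disabled via one of the xpack.security.* keys checked below, no CA is retrieved and the CA cert in the settings stays empty.` so that an empty certificate on version 8 is read as "no certificate verification possible", not as a failed copy. The comparison is against the literal `"false"` only, so any other spelling falls through to the post-ready copy hook; the nested check can also be flattened to `if req.Env[configKey] == "false" { return nil }`. The function body continues past the end of the hunk, so whether the return skips later setup cannot be judged from here.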
@@ -163,6 +163,51 @@ func TestElasticsearch(t *testing.T) {
 }
 }
+func TestElasticsearch8WithoutSSL(t *testing.T) {
+ tests := []struct {
+ name string
+ configKey string
+ }{
+ {
+ name: "security disabled",
+ configKey: "xpack.security.enabled",
+ },
+ {
+ name: "transport ssl disabled",
+ configKey: "xpack.security.transport.ssl.enabled",
+ },
+ {
+ name: "http ssl disabled",
+ configKey: "xpack.security.http.ssl.enabled",
+ },
+ }
+ for _, test := range tests {
+ t.Run(test.name, func(t *testing.T) {
+ ctx := context.Background()
+ container, err := elasticsearch.RunContainer(
+ ctx,
+ testcontainers.WithImage(baseImage8),
+ testcontainers.WithEnv(map[string]string{
+ test.configKey: "false",
+ }))
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ t.Cleanup(func() {
+ if err := container.Terminate(ctx); err != nil {
+ t.Fatalf("failed to terminate container: %s", err)
+ }
+ })
+
+ if len(container.Settings.CACert) > 0 {
+ t.Fatal("expected CA cert to be empty")
+ }
+ })
+ }
+
+}
+
 func TestElasticsearch8WithoutCredentials(t *testing.T) {
 ctx := context.Background()
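Review bot: TestElasticsearch8WithoutSSL asserts only that `container.Settings.CACert` is empty, which would also hold if the certificate copy were skipped while the node still served TLS on its HTTP port. Because the "transport ssl disabled" case is treated the same as disabling HTTP TLS, each subtest should presumably also send a request to the address the module reports and check that it succeeds over the scheme the settings imply, so that a skipped CA combined with a TLS-enabled endpoint is caught. A short comment above the table, such as `// each key, set to "false", must make the module skip CA retrieval on version 8`, would state the intent.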