IN-105: Enabled SSL and HTTPS for Elasticsearch

.versionfile

@@ -1 +1 @@
-0.1.12
+0.1.13

charts/elasticsearch-chart/Chart.yaml

@@ -1,5 +1,5 @@
 name: elasticsearch-chart
-version: 0.1.12
+version: 0.2.00
 description: Elasticsearch for Kubernetes
 keywords:
 - elasticsearch
@@ -10,7 +10,7 @@ sources:
 - https://github.com/samsung-cnct/chart-elasticsearch
 - https://github.com/elastic/elasticsearch
 maintainers:
-- name: Samsung CNCT
-  email: samsung[email protected]
+- name: Samsung CNCT OSS Maintainers
+  email: oss-maintainer@samsung-cnct.io
 icon: https://github.com/samsung-cnct/solas/docs/images/samsung-logo.svg
 engine: gotpl

charts/elasticsearch-chart/templates/configmap.yaml

@@ -18,3 +18,7 @@ data:
   elasticsearch.yml: |-
 {{- include "elasticsearch.yml.tpl" . | indent 4}}
 {{ end }}
+  unencode-certificates.sh: |-
+{{- include "unencode-certificates.sh.tpl" . | indent 4}}
+  elastic-certificates.p12.b64: |-
+    MIINbwIBAzCCDSgGCSqGSIb3DQEHAaCCDRkEgg0VMIINETCCBW0GCSqGSIb3DQEHAaCCBV4EggVaMIIFVjCCBVIGCyqGSIb3DQEMCgECoIIE+zCCBPcwKQYKKoZIhvcNAQwBAzAbBBSrTzyNwO6NPNKPDqQWk829cJnTWgIDAMNQBIIEyAnqtJHxp5lW2fg8J5DzKjAMjKQnY0lZ+M/Q6Bm0bNgQ+9QVRo+JjVXfIUTN7lFrLthPFNEmPToJmCWATTdy4j8B7mSvIXxk7VoOwCtwvxwMDgAGP/t7faSMx3F2pU7OADok8bv/BSS9QJx5P5ZJ/NsK/3ahPsxFJLWkxS6ZeWyfQympo7SkB8uyfMoBdf8OqjFtSU9INB9OM3V6dSt/KFg6wdEOXcJXt6Boplkj0SG/wa8HYQ8RO8wt8J7kEjM1NnRpP+o5SmkaS10Tn9m97EgdmOXd/ARYyqZBQSie6xUIL0b1yFqHK4y4XI0TlPb3cS372u8MyuBole1vEFfEqGu6goVquL7mx5YkK41vS/2Sed1gtzb5wpDKstblPgSS8ZaN5+DPeU2WMk0nuoKMZdNs0FPK33ZqkKKsy0asPdeIhCcPE+qPVRj9cdC1yw0wFJTyPs5Gh3l2Zsz3o15SeyWY9DyGnOninTZ0vz4eqv/Nlmc8A1b9XChkQReUDoYvFo8t24CrOPWyNySNb8P2NGqKF2Zbyw9K54u75QE9704BU+DeUhqB5VjtUCBDt8ZTCPWBut38J0f/IzqCY3pw5nVCsmyRqQpziFnvxBuIESrODjtt5v6of+C/BuZQUhRcGeq6P/s8WbhbvD/GfQCQtt+rNugWUnO5ZUARzS80Z+aen7YqDlnTTsHAc3ZMI1BQjUynyH8qcC+YBX0vVnGv8l0XrNN+MmJt6MKQ/M/VFsupFhXIvlaVZzoqZQMlc8yRgISDK55s8wNRwlpWvSWgLjxNZNqrZUU504dRgWfhH7fCqVWkN4ZJ2/5jSUDxBCWST4qIZMZtU9xnwW6KF17WcuQWjVDYb3ibL7jV0+PC640qb4mjwZudEMYYRWqPFkeUknl8USRjWiN/rknFLdF+8G9quUYFHUTjxgLR2642wprRFHXckXDZ5ThiwbhDKpmUZQHCe1b/R/4ShV8XDaqYYHuQQgnUsmhgW+96jXbXQL3FLlQmbZg5TmvqjtGJGYbHvPX0l5LKgKEJZUO1Vou5M3qPRUqUOyuXGU0XOwBRL/qay9ZDhJM1oSX1SPIcnO+UqbceS4EWfpn3TGiVskU0HHs81lP+iP4ERA10F7gwu7kyLPs6BsPkqJQZaZrrLbgMCkxBjOdG3NOd5/OcjhAJiadwfSL3A/YHoISN2OhNZ6vWl8+axYfeMp/u21/5c03pdoxzHCUI031EkhsMvlKLZetNy90nRZHbfzcq/KAVfdMMDeax+JYZ2n1s/QBC93Qzoh8gQ0RCh7nmVLGNXB2cw2Qx7I5tWjd/Ax9M73xigyo+FML7Ah5CXyiqBZBEuJHb/VdPod77arvS46lnS2+BhqzCQVmsenkulyjKplQMSLRpwdceBXkD47cP5Ygzf9FUWzkNXTDAgzdQ+UgFtMVuZ4tQeLIwtcvCZeGhypuaNXvdY25E0YBTyZjFggwG17fPV2W42mN4lrMKQy7+Ky9Hjz5wQ5xBrfT+nKedeCpLioZ8VNwcbXt+TlLMx/7E+pYq4U13XialissOr/+C0vRE9abtVj6631LibNC8HoPNh3ctoWE3slLj6ZN4g+rwrQLJYRa7h2VKglD19JSN97BXNHgyxc7DBFv1sTFEMB8GCSqGSIb3DQEJFDESHhAAaQBuAHMAdABhAG4AYwBlMCEGCSqGSIb3DQEJFTEUBBJUaW1lIDE1NDIyMTkzMDIyMzUwggecBgkqhkiG9w0BBwagggeNMIIHiQIBADCCB4IGCSqGSIb3DQEHATApBgoqhkiG9w0BDAEGMBsEFP3F4mWbIY/C9o1br/nRVIkjgmvnAgMAw1CAggdILKswTlrRTnVSbL8aDUbrEhE2krJ+EyNXwPL/TPBvaCRho+UzcJ/dZMl/T/WT51ClM6dzu6v8OHxLwIvMHMmvVbnUKj5ilSi3bOur63wv4N92Hk0RYLT0iMhlpLIkQ9+8ciECw0udg00gtoJpTE/TG1uGN5YLudAYA2JfcBhOaXCiSgYjlbfZ43FqNH9/OAXY7stxcgoL2KAY+TVNFT4uDC+zqeW3m2DKeIsX6bGs1zEdiTvP5CZet8rKt2Wux3P883/QIhyXTop9jc3w4RHW04BTUppvO3RxYiEpTJXXWcOJnt4sOEKK/HDe4um0CXhY9Fal9fFLq/jOmNzWYY7dxWlspFTCooreeRq/m/83AqSe5FgkGGiHyPvAop6HsMzglHA6SU5WUN2PY6FFMaM4CWDRz3vmI6f+MD9unngQ+w6MZJkvHMZop1EvVyluLbKbB6T8IE51fgMa4lbdgcIukyczNITKWaawaziaPbMjRY2YhI+6s3YUeEHdNRthFPsh3YW2G1U/EVV74c5kqgFNvHgB1C/FfTiOkfv6zze9TsO+Jnt41IZ1Sv+ju8DJVf7DeHtuf7z/Uo3MEZ6f3/v8bcwdROGo6R0Lq24MVC/wFl3kgm9ZTeTR2iBiQUY/fteHK6l1g04eBNPSfD8I0QrYNwzRWsrNoT+j2PXW41ile7ZmxtGYpBBsYusDplz0/Za/jqY5FIl672J+SXJN4MEc0ujOg6QuxZ8/C/JuLCOXerBo3iKwOyrTO2pQkPf0sZArBakyWSt5dgLlzp3jhbJohP3SMZIymHifPrdt7JrUPcR2iTi1FjPSX5QmQR9zmeQPo61pyWWj++vDMbXDErmm4u1ofTFFJ3B1wAQjaobcGdDJh5BV3vJsES8ZUhGep2MMpBW7GzDscjgq9VuMoKtYBrRvGcKs0+SObau0Z0Xl+N1i6t2hgLYDyH/njqjeiOCvyezWWBby0XcRKHz8GJYz6hR80c9z6ANhlaENyZOWuhVHS4IYnNjSKKRFV9fepyXbFwp0BqABxdo2yEeDOGxGF1h/JrfTrloWIZnWl2TEzP5om45msTG2yXToFYnmYF4AWDTXYrJHZcnrjnxXv+OdqsT5C0ghY/atLdhWP4XOUIsI7p5/D3Fg4gDz9YXFtKsJssGikWELqUoamf7IHhr38XwUtfaAyURXavXLxQAATFMI6kfkp/TJrfaDXVfy1hhe9PFoy4wdtXm8GPm2RjtZSWdAp/DIxuQKaQ3tMkRSxHXCcQLDDylL264cTvuT2SWiTWqRYDdVLCloCdcLj4kFCfCkd2NXiWhUhT57zRx0jFxhDa6D9Hqggi8jS4H8mXvvdVp/JBvLxu6dTSO6R6iGng4yaJQaOb9uZ3XnowJ7gRoUAVrz7b8kOWwSXiH0fPjRgqQ3GsNaa5/QqjdLQHt1VwVc1DTOJ/4ugnYRzcADAaI2+KEsTWVadUgaYCLM29erG6+hI5ohepitQHUCaEbSZTlYAC4wr1/id2yUgnVeupHvOqdDVjyoxd+b9vsZaPSbJoTtVSUpQR++AizuusmUiPmRbI3LEc8Ojf11+QNoNlxo37ur7OX5xq3LlSU+A9V65KBQYNlCaBVqSraYQ0hLUSs1H6rOBz/+hT/CMaCMbWD4ZNgjRNOERAOepMFaHCIzyZJRSPztMsAof7zExYrFkSZ3HuUsylhM+CxGqKZWe90AYQOvRlOlHVUevyV+BGczhqPiHNcB9q52Dzrf/CwIZtdfHIwYxRGm7V1aExE0bBuZ535b8mkbF1fr7ePfdZ3bKTNv/pSipcHJfQpda8FlKjyKZ2JEZypwZAxxtIYcyfB8/9vXYQFbAuRvTCe+4dW76/HzKH12AfNFmq+EDwl/Nf0tc1vFjOUCJkMQsuBROEu2Wyku2ZI1M8w7cff4cIxYtR54kg3cN3V6zdR3dHObjFRmqYMZrTS5jO9RTHcORkOUGvGh8RA79DLsVQFiX0AONwn6oPib6Wv2sGNTf1LvIFc31J8Mu7ddPwGPxViJg38HFgZhUwnVCCS7wBNa9igRcM+ZvyZmsz4cKxBw1ZCDM58CfBsrD/F1MIY+XzMpKM76eFQXmA1teevNHfuDyCNQkM1IujG6zr1M2qoqpmkBDPdtC3KQ3aXrLbJfreFtlwLz1a3VGJU4opn/oxfZxfS7DSVH1En0ss3FAyUDuvB7bFiQHNUjsvg9MptHpIKTnCxDsgzVmvcTnbwBueJWvND+od+Pc5TOSMhkDGQPzRZ74FGllgr28B5f3AJCnijbNZ7l3iTxJWB+13Eyrw66bDWwdPVlE3RtHi2ZHB0MiVsYJ6xHXxWE5uP1EFRJ3BNiaWE+gStZ6nqRes3h5UVfcmQgasT1mClsUa+BPMpfDRInIwGUhSedN72rcTaCpNBHoGrKSQYqVqDiPr0LSgv8OZ7eJ8xeNOikBqd8wbX0v46aCF2gl4FmwsCKgvxAwnh3rrU6Fz5aMFxCUTA+MCEwCQYFKw4DAhoFAAQUWNwdo2TTaG/pJA13ZtfytFwyQt0EFAWBr+BamgLh50h4PIbRd6I6s/UMAgMBhqA=

charts/elasticsearch-chart/templates/elasticsearch.yml.tpl

@@ -36,6 +36,19 @@ action.auto_create_index: true
 xpack.security.enabled: true 
 xpack.license.self_generated.type: trial 
 xpack.monitoring.enabled: false
+
+# enable and configure SSL for intra-node communication
+# .p12 file must be executable (e.g. chmod 700)
+xpack.security.transport.ssl.enabled: true
+xpack.security.transport.ssl.verification_mode: certificate 
+xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 
+xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
+
+# enable HTTPS
+xpack.security.http.ssl.enabled: true
+xpack.security.http.ssl.keystore.path: elastic-certificates.p12 
+xpack.security.http.ssl.truststore.path: elastic-certificates.p12 
+
 #xpack.monitoring.exporters.my_local:
 #  type: local
 #  use_ingest: false

charts/elasticsearch-chart/templates/es-data-statefulset.yaml

@@ -33,6 +33,10 @@ spec:
       containers:
       - name: {{.Values.name}}
         image: {{.Values.image}}
+        # run unencode-certificates.sh
+        #                              Elasticsearch bin directory
+        #                                             copy from read only filesystem                                       chmod in read-write filesystem              run file                          run normal start script
+        command: [ "/bin/bash", "-c", "BIN=$(pwd)/bin;cp ${BIN}/unencode-certificates.sh ${BIN}/unencode-certificates2.sh; chmod 777 ${BIN}/unencode-certificates2.sh; ${BIN}/unencode-certificates2.sh; /usr/local/bin/docker-entrypoint.sh eswrapper" ]
         ports:
         - name: {{ .Values.services.discovery.cluster_port_name }}
           containerPort: {{ .Values.services.discovery.cluster_port }}
@@ -120,18 +124,31 @@ spec:
         - name: esconfig
           mountPath: /usr/share/elasticsearch/config/elasticsearch.yml
           subPath: elasticsearch.yml
+        - name: unencode-certificates
+          mountPath: /usr/share/elasticsearch/bin/unencode-certificates.sh
+          subPath: unencode-certificates.sh
+        - name: elasticcertificates
+          mountPath: /usr/share/elasticsearch/config/elastic-certificates.p12.b64
+          subPath: elastic-certificates.p12.b64
         - name: esdata
           mountPath: {{ .Values.data_data_mount }}
       volumes:
       - name: esconfig
         configMap:
           name: {{ template "name" . }}
+      - name: unencode-certificates
+        configMap:
+          name: {{ template "name" . }}
+      - name: elasticcertificates
+        configMap:
+          name: {{ template "name" . }}
   volumeClaimTemplates:
   - metadata:
       name: esdata
       annotations:
               {{ .Values.data_storage_class_key }}: {{ .Values.data_storage_class_value }}
     spec:
+      # unbound persistant volume claims if ReadWriteMany
       accessModes: [ "ReadWriteOnce" ]
       resources:
         requests:

charts/elasticsearch-chart/templates/es-master-statefulset.yaml

@@ -33,6 +33,10 @@ spec:
       containers:
       - name: {{.Values.name}}
         image: {{.Values.image}}
+        # run unencode-certificates.sh
+        #                              Elasticsearch bin directory
+        #                                             copy from read only filesystem                                       chmod in read-write filesystem              run file                          run normal start script
+        command: [ "/bin/bash", "-c", "BIN=$(pwd)/bin;cp ${BIN}/unencode-certificates.sh ${BIN}/unencode-certificates2.sh; chmod 777 ${BIN}/unencode-certificates2.sh; ${BIN}/unencode-certificates2.sh; /usr/local/bin/docker-entrypoint.sh eswrapper" ]
         ports:
         - name: {{ .Values.services.discovery.cluster_port_name }}
           containerPort: {{ .Values.services.discovery.cluster_port }}
@@ -118,12 +122,24 @@ spec:
         - name: esconfig
           mountPath: /usr/share/elasticsearch/config/elasticsearch.yml
           subPath: elasticsearch.yml
+        - name: unencode-certificates
+          mountPath: /usr/share/elasticsearch/bin/unencode-certificates.sh
+          subPath: unencode-certificates.sh
+        - name: elasticcertificates
+          mountPath: /usr/share/elasticsearch/config/elastic-certificates.p12.b64
+          subPath: elastic-certificates.p12.b64
         - name: esdata
           mountPath: {{ .Values.master_data_mount }}
       volumes:
       - name: esconfig
         configMap:
           name: {{ template "name" . }}
+      - name: unencode-certificates
+        configMap:
+          name: {{ template "name" . }}
+      - name: elasticcertificates
+        configMap:
+          name: {{ template "name" . }}
   volumeClaimTemplates:
   - metadata:
       name: esdata

charts/elasticsearch-chart/templates/es-rbac.yaml

@@ -19,7 +19,6 @@ rules:
   - endpoints
   verbs:
   - get
-
 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1beta1

charts/elasticsearch-chart/templates/tests/test-cluster-api-configmap.yaml

@@ -11,10 +11,13 @@ data:
 
         #  run until either cluster status is green or 10 minute timeout
         timeout=0
+        url=https://${ELASTICSEARCH_PORT_9200_TCP_ADDR}:9200/_cat/health
+        echo "Getting health status from url ${url}."
         until [ "${clusterHealth}" == "green" -o ${timeout} -gt 600 ]; do
-          run curl -s --connect-timeout 1 \
+          # -k lets us accept an unsigned certificate for HTTPS
+          run curl -s -k --connect-timeout 1 \
           -u {{ .Values.test.account }}:${ELASTIC_PASSWORD} \
-            --location http://{{ .Values.name }}.{{ .Release.Namespace }}:9200/_cat/health 
+            --location ${url} 
 
           if [ $status -ne 0 ];then
              echo "curl ES error: $status" >&3

charts/elasticsearch-chart/templates/unencode-certificates.sh.tpl

@@ -0,0 +1,21 @@
+{{ define "unencode-certificates.sh.tpl" }}
+
+#!/bin/bash
+
+echo 'Starting startup script.'
+
+# strict mode
+set -euo pipefail
+
+# lazy init elastic-certificates.p12 file; try to read and if read fails create cert and write it to Vault
+# an unset value comes back as as empty response return 0 (success)
+export P12=/usr/share/elasticsearch/config/elastic-certificates.p12
+base64 -d ${P12}.b64 > $P12
+
+echo "Setting permissions"
+# set permissions of elastic-certificates.p12
+chown elasticsearch $P12
+chmod 700 $P12
+echo "Done with startup script."
+
+{{ end }}