
Allow users to specify transport certificate authorities #1133

Merged (2 commits), Jun 24, 2019

Conversation

@pebrc pebrc commented Jun 23, 2019

Fixes #962

  • remove blacklisting for transport CAs (should we allow it for HTTP as well?)
  • changes the default behaviour when merging config to append on conflict instead of replacing, in order to allow user-provided CAs to be merged with our internal CA
  • changes the validation checks to no longer rely on a naive prefix check but to use ucfg's APIs instead.

With this in place we can configure mutual trust without relying on our TrustRelationship CRDs like so:

Consider this modified quickstart cluster:

```yaml
apiVersion: elasticsearch.k8s.elastic.co/v1alpha1
kind: Elasticsearch
metadata:
  name: quickstart
spec:
  version: 7.1.0
  nodes:
  - nodeCount: 3
    config:
      node.attr.server_name: ${POD_NAME}.node.quickstart.default.es.cluster.local
      xpack.security.transport.ssl.certificate_authorities:
      - /usr/share/elasticsearch/config/other/ca.crt
    podTemplate:
      spec:
        containers:
        - name: elasticsearch
          volumeMounts:
          - name: testing-certs
            mountPath: /usr/share/elasticsearch/config/other
        volumes:
        - name: testing-certs
          secret:
            secretName: testing-es-transport-certs-public
```

and a second cluster:

```yaml
apiVersion: elasticsearch.k8s.elastic.co/v1alpha1
kind: Elasticsearch
metadata:
  name: testing
spec:
  version: 7.1.0
  nodes:
  - nodeCount: 1
    config:
      node.attr.server_name: ${POD_NAME}.node.testing.default.es.cluster.local
      xpack.security.transport.ssl.certificate_authorities:
      - /usr/share/elasticsearch/config/other/ca.crt
    podTemplate:
      spec:
        containers:
        - name: elasticsearch
          volumeMounts:
          - name: quickstart-certs
            mountPath: /usr/share/elasticsearch/config/other
        volumes:
        - name: quickstart-certs
          secret:
            secretName: quickstart-es-transport-certs-public
```

This would be the prerequisite to configure CCR/CCS without CRDs.

This implicitly changes the merging behaviour of config objects to append on conflict.
Previously we would replace on conflict.
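The merge behaviour discussed in this PR (append on conflict versus the previous replace on conflict), as an added illustration that is not ECK's code and does not use ucfg. It assumes a constructed `Config` type for parsed YAML settings, an assumed operator-side CA path (`/usr/share/elasticsearch/config/operator-ca/ca.crt`, not ECK's real path), and flattens nested keys to their dotted form before comparing them, which is one way to avoid a string-prefix check; the user settings are the quickstart cluster's `config` block from the description, written in nested form to show that both spellings resolve to the same key.

```go
package main

import (
	"fmt"
	"sort"
)

// Config holds Elasticsearch settings as a YAML decoder would produce them:
// scalars, lists, or nested maps. Constructed type for this example only.
type Config map[string]interface{}

// Flatten rewrites nested maps as dotted keys so that the nested spelling
// (xpack: {security: {transport: ...}}) and the dotted one
// (xpack.security.transport.ssl.certificate_authorities: ...) compare equal.
func Flatten(c Config) map[string]interface{} {
	out := map[string]interface{}{}
	var walk func(prefix string, v interface{})
	walk = func(prefix string, v interface{}) {
		var child map[string]interface{}
		switch t := v.(type) {
		case Config:
			child = t
		case map[string]interface{}:
			child = t
		default:
			out[prefix] = v
			return
		}
		for k, cv := range child {
			key := k
			if prefix != "" {
				key = prefix + "." + k
			}
			walk(key, cv)
		}
	}
	walk("", c)
	return out
}

// asList normalises []string and []interface{} (YAML decoders yield the latter) to []string.
func asList(v interface{}) ([]string, bool) {
	switch t := v.(type) {
	case []string:
		return t, true
	case []interface{}:
		out := make([]string, 0, len(t))
		for _, e := range t {
			s, ok := e.(string)
			if !ok {
				return nil, false
			}
			out = append(out, s)
		}
		return out, true
	}
	return nil, false
}

// MergeReplace is the old behaviour: on a key conflict the user's value wins outright,
// so a user-supplied CA list silently drops the operator's own transport CA.
func MergeReplace(operator, user map[string]interface{}) map[string]interface{} {
	out := map[string]interface{}{}
	for k, v := range operator {
		out[k] = v
	}
	for k, v := range user {
		out[k] = v
	}
	return out
}

// MergeAppend is the new behaviour: when both sides hold a list, the user's entries are
// appended after the operator's (duplicates skipped); any other conflict still replaces.
func MergeAppend(operator, user map[string]interface{}) map[string]interface{} {
	out := MergeReplace(operator, nil) // copy of the operator-managed settings
	for k, v := range user {
		if cur, ok := out[k]; ok {
			if a, aok := asList(cur); aok {
				if b, bok := asList(v); bok {
					out[k] = appendUnique(a, b)
					continue
				}
			}
		}
		out[k] = v
	}
	return out
}

func appendUnique(a, b []string) []string {
	seen := map[string]bool{}
	out := make([]string, 0, len(a)+len(b))
	for _, s := range append(append([]string{}, a...), b...) {
		if !seen[s] {
			seen[s] = true
			out = append(out, s)
		}
	}
	return out
}

// Conflicts returns the operator-managed keys that the user config also sets, comparing
// on the flattened form so a nested spelling cannot slip past a check written for dotted keys.
func Conflicts(user Config, managed []string) []string {
	flat := Flatten(user)
	var hits []string
	for _, m := range managed {
		if _, ok := flat[m]; ok {
			hits = append(hits, m)
		}
	}
	sort.Strings(hits)
	return hits
}

func main() {
	const caKey = "xpack.security.transport.ssl.certificate_authorities"
	// Constructed operator settings; the CA path is an assumption, not ECK's real path.
	operator := map[string]interface{}{
		caKey:                                  []string{"/usr/share/elasticsearch/config/operator-ca/ca.crt"},
		"xpack.security.transport.ssl.enabled": true,
	}
	// The quickstart cluster's config block from the PR description, in nested form.
	user := Config{
		"node": Config{"attr": Config{"server_name": "${POD_NAME}.node.quickstart.default.es.cluster.local"}},
		"xpack": Config{"security": Config{"transport": Config{"ssl": Config{
			"certificate_authorities": []interface{}{"/usr/share/elasticsearch/config/other/ca.crt"},
		}}}},
	}
	flatUser := Flatten(user)
	fmt.Println("conflicting keys:", Conflicts(user, []string{caKey, "xpack.security.transport.ssl.enabled"}))
	fmt.Println("replace on conflict:", MergeReplace(operator, flatUser)[caKey])
	fmt.Println("append on conflict: ", MergeAppend(operator, flatUser)[caKey])
}
```

With replace-on-conflict the merged `certificate_authorities` list contains only the user's `other/ca.crt`, so nodes would stop trusting certificates issued by the operator's own CA; with append-on-conflict both CAs are present, which is what lets the two clusters above trust each other while the operator-issued certificates keep working.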

@sebgl sebgl left a comment


LGTM.
I don't see any reason the "append" merge approach would cause problems so far.


@thbkrkr thbkrkr left a comment


LGTM

@pebrc pebrc merged commit ec70ed3 into elastic:master Jun 24, 2019
@pebrc pebrc added >enhancement Enhancement of existing functionality v0.9.0 labels Jul 19, 2019
Merging this pull request may close: Allow users to configure xpack.security.transport.ssl.certificate_authorities
3 participants