Auto configure TLS for new nodes of new clusters #77231
Tracked down CI failures to the fact that with given changes we always need the xpack plugin in our TestClusters (because we need to use ConfigInitialNode even just to determine that we should not autoconfigure security). That means that we need to add this to INTEG_TEST distribution. I'll adjust the rest of the changes according to discussions above in my morning and reach out to es-delivery folks about ideas for the INTEG_TEST distribution. Then I'll work through the remaining packaging tests failures.
@mark-vieira @pugnascotia @jkakavas I've finally tracked it down!!! I've step-debugged the tests on an Azure Win Server 2016 instance (IntelliJ running locally), and using the I'll be polishing the PR, and ask for reviews tomorrow.
@albertzaharovits you're a hero! 🏆
@mark-vieira I have pushed 1f3b26d, which I think addresses your point from #77231 (comment). Please take another look.
Changes look good. Thanks @albertzaharovits!
This change makes it so x-pack-core and x-pack-security are bundled in the INTEG TEST distribution that we use for testClusters in our tests. There are two reasons for this:

- In elastic#77231 where we are looking into enabling and auto-configuring security by default for all nodes, we need to call out to ConfigInitialNode to determine whether we should do the auto-configuration or not.
- Since we are enabling security by default, we should be looking into enabling security for all for our tests moving forward, or at least make a conscious decision about which ones run without security. This change is a step towards that direction.

# Conflicts:
# distribution/archives/build.gradle
# distribution/packages/build.gradle

This commit introduces TLS auto-configuration for elasticsearch nodes, during
the first startup. A number of heuristics are performed in order to determine if
the node should get TLS auto-configuration which can also be explicitly
disallowed with the use of xpack.security.autoconfiguration.enabled setting.
This affects archive installations and docker. Packaged installations are
handled in #75144 and #75704.

Co-Authored-By: Ioannis Kakavas <ioannis@elastic.co>