This repository has been archived by the owner on May 16, 2023. It is now read-only.

[elasticsearch] use security by default
This commit updates the Elasticsearch chart to use security by default.

- Adds a new Secret template for Elasticsearch credentials with a
  randomized password if password value isn't defined.

- Adds instructions to retrieve credentials in Elasticsearch chart
  deployment notes.

The other charts will be updated in follow-up PRs to use the proper
credentials.

Relates to #1375
jmlrt committed Oct 7, 2021
1 parent cd9e50c commit e9bb17f
Showing 13 changed files with 156 additions and 68 deletions.
14 changes: 10 additions & 4 deletions elasticsearch/README.md
Expand Up @@ -157,6 +157,9 @@ support multiple versions with minimal changes.
| `resources` | Allows you to set the [resources][] for the StatefulSet | see [values.yaml][] |
| `roles` | A list with the specific [roles][] for the `nodeGroup` | see [values.yaml][] |
| `schedulerName` | Name of the [alternate scheduler][] | `""` |
| `secret.enabled` | Enable Secret creation for Elasticsearch credentials | `true` |
| `secret.username` | Name of the Elasticsearch user defined in Elasticsearch credentials | `elastic` |
| `secret.password` | Password of the Elasticsearch user defined in Elasticsearch credentials | `""` (generated randomly) |
| `secretMounts` | Allows you easily mount a secret as a file inside the StatefulSet. Useful for mounting certificates and other secrets. See [values.yaml][] for an example | `[]` |
| `securityContext` | Allows you to set the [securityContext][] for the container | see [values.yaml][] |
| `service.annotations` | [LoadBalancer annotations][] that Kubernetes will use for the service. This will configure load balancer if `service.type` is `LoadBalancer` | `{}` |
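Review bot: the `secret.password` row gives the default as `""` (generated randomly) but does not say when generation happens. templates/secret.yaml in this commit calls `randAlphaNum 16` at render time, so the row should state whether the value stays the same across `helm upgrade`. The `secret.enabled` row should also mention that turning it off means `ELASTIC_PASSWORD` has to be supplied another way, because the readiness probe in this commit exits when that variable is empty.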
Expand Down Expand Up @@ -260,9 +263,12 @@ sufficient.

### How to deploy clusters with security (authentication and TLS) enabled?

This Helm chart can use existing [Kubernetes secrets][] to setup
credentials or certificates for examples. These secrets should be created
outside of this chart and accessed using [environment variables][] and volumes.
This Helm chart can generate a [Kubernetes Secret][] or use an existing one to
setup Elastic credentials.

This Helm chart can use existing [Kubernetes Secret][] to setup Elastic
certificates for example. These secrets should be created outside of this chart
and accessed using [environment variables][] and volumes.

An example of Elasticsearch cluster using security can be found in
[examples/security][].
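Review bot: the new first paragraph says the chart can "use an existing one" for credentials but gives no instruction for doing so. The multi example in this commit does it with `secret.enabled: false` plus `extraEnvs` entries that read `ELASTIC_USERNAME` and `ELASTIC_PASSWORD` through a `secretKeyRef`; one sentence describing that pattern would close the gap. As a wording point, "setup" is used as a verb in both new paragraphs and should be "set up".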
Expand Down Expand Up @@ -438,7 +444,7 @@ about our development and testing process.
[jvm heap size]: https://www.elastic.co/guide/en/elasticsearch/reference/current/heap-size.html
[hostAliases]: https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
[kind]: https://github.com/elastic/helm-charts/tree/master/elasticsearch/examples/kubernetes-kind
[kubernetes secrets]: https://kubernetes.io/docs/concepts/configuration/secret/
[kubernetes secret]: https://kubernetes.io/docs/concepts/configuration/secret/
[labels]: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
[lifecycle hooks]: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/
[loadBalancer annotations]: https://kubernetes.io/docs/concepts/services-networking/service/#ssl-support-on-aws
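Review bot: the link definition is renamed from `[kubernetes secrets]` to `[kubernetes secret]`, and this diff only shows the references in the security section being updated. Please confirm no other `[Kubernetes secrets][]` reference remains in the README, since it would render as literal brackets once the old definition is gone.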
8 changes: 5 additions & 3 deletions elasticsearch/examples/config/values.yaml
@@ -1,5 +1,4 @@
---

clusterName: "config"
replicas: 1

Expand Down Expand Up @@ -28,5 +27,8 @@ keystore:
- secretName: elastic-config-slack
- secretName: elastic-config-custom-path
items:
- key: slack_url
path: xpack.notification.slack.account.otheraccount.secure_url
- key: slack_url
path: xpack.notification.slack.account.otheraccount.secure_url

secret:
enabled: false
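Review bot: `secret.enabled: false` is added at the end of the file with no comment explaining why this example opts out. The readiness probe in this commit exits with status 1 when `ELASTIC_PASSWORD` is empty, so the example only works if that variable is set elsewhere in this values file, which is not visible in the hunk. A short comment naming the Secret that supplies the credentials would make the dependency explicit.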
4 changes: 4 additions & 0 deletions elasticsearch/examples/default/test/goss.yaml
Expand Up @@ -6,6 +6,8 @@ http:
http://elasticsearch-master:9200/_cluster/health:
status: 200
timeout: 2000
username: "{{ .Env.ELASTIC_USERNAME }}"
password: "{{ .Env.ELASTIC_PASSWORD }}"
body:
- "green"
- '"number_of_nodes":3'
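Review bot: the `username` and `password` added to the `http://elasticsearch-master:9200/_cluster/health` check are sent as basic auth over plain HTTP to a service address, not to localhost. With authentication now on by default and no TLS in this example, the `elastic` password crosses the pod network in clear text on every test run. Either note in the README that the default deployment authenticates without transport encryption, or point this check at `localhost` like the second one.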
Expand All @@ -14,6 +16,8 @@ http:
http://localhost:9200:
status: 200
timeout: 2000
username: "{{ .Env.ELASTIC_USERNAME }}"
password: "{{ .Env.ELASTIC_PASSWORD }}"
body:
- '"number" : "8.0.0-SNAPSHOT"'
- '"cluster_name" : "elasticsearch"'
15 changes: 15 additions & 0 deletions elasticsearch/examples/multi/client.yaml
Expand Up @@ -2,6 +2,18 @@
clusterName: "multi"
nodeGroup: "client"

extraEnvs:
- name: ELASTIC_PASSWORD
valueFrom:
secretKeyRef:
name: multi-master-credentials
key: password
- name: ELASTIC_USERNAME
valueFrom:
secretKeyRef:
name: multi-master-credentials
key: username

roles: []

persistence:
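Review bot: the Secret name `multi-master-credentials` is hard-coded in both `secretKeyRef` entries and has to match whatever `{{ template "elasticsearch.uname" . }}-credentials` renders to for the master release. Pods that reference a Secret that does not exist yet cannot start, so the example now depends on the master group being installed first. Add a comment stating where the name comes from and the required install order; the same applies to the identical block in data.yaml.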
Expand All @@ -12,3 +24,6 @@ persistence:
esConfig:
elasticsearch.yml: |
node.roles: []
secret:
enabled: false
15 changes: 15 additions & 0 deletions elasticsearch/examples/multi/data.yaml
Expand Up @@ -2,6 +2,18 @@
clusterName: "multi"
nodeGroup: "data"

extraEnvs:
- name: ELASTIC_PASSWORD
valueFrom:
secretKeyRef:
name: multi-master-credentials
key: password
- name: ELASTIC_USERNAME
valueFrom:
secretKeyRef:
name: multi-master-credentials
key: username

roles:
- data
- data_content
Expand All @@ -10,3 +22,6 @@ roles:
- data_cold
- data_frozen
- ingest

secret:
enabled: false
4 changes: 3 additions & 1 deletion elasticsearch/examples/multi/test/goss.yaml
Expand Up @@ -2,8 +2,10 @@ http:
http://localhost:9200/_cluster/health:
status: 200
timeout: 2000
username: "{{ .Env.ELASTIC_USERNAME }}"
password: "{{ .Env.ELASTIC_PASSWORD }}"
body:
- 'green'
- "green"
- '"cluster_name":"multi"'
- '"number_of_nodes":9'
- '"number_of_data_nodes":3'
4 changes: 4 additions & 0 deletions elasticsearch/examples/openshift/test/goss.yaml
Expand Up @@ -2,6 +2,8 @@ http:
http://localhost:9200/_cluster/health:
status: 200
timeout: 2000
username: "{{ .Env.ELASTIC_USERNAME }}"
password: "{{ .Env.ELASTIC_PASSWORD }}"
body:
- "green"
- '"number_of_nodes":3'
Expand All @@ -10,6 +12,8 @@ http:
http://localhost:9200:
status: 200
timeout: 2000
username: "{{ .Env.ELASTIC_USERNAME }}"
password: "{{ .Env.ELASTIC_PASSWORD }}"
body:
- '"number" : "8.0.0-SNAPSHOT"'
- '"cluster_name" : "elasticsearch"'
4 changes: 1 addition & 3 deletions elasticsearch/examples/security/Makefile
Expand Up @@ -12,7 +12,7 @@ install:
test: secrets install goss

purge:
kubectl delete secrets elastic-credentials elastic-certificates elastic-certificate-pem elastic-certificate-crt|| true
kubectl delete secrets elastic-certificates elastic-certificate-pem elastic-certificate-crt|| true
helm del $(RELEASE)

pull-elasticsearch-image:
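Review bot: the `purge` target no longer deletes `elastic-credentials`, so anyone who ran the previous version of this example keeps that Secret, and the password in it, after purging. Consider leaving the name in the `kubectl delete secrets` list for a release (the `|| true` already tolerates it being absent) or mentioning the manual cleanup.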
Expand All @@ -21,7 +21,6 @@ pull-elasticsearch-image:
secrets:
docker rm -f elastic-helm-charts-certs || true
rm -f elastic-certificates.p12 elastic-certificate.pem elastic-certificate.crt elastic-stack-ca.p12 || true
password=$$([ ! -z "$$ELASTIC_PASSWORD" ] && echo $$ELASTIC_PASSWORD || echo $$(docker run --rm busybox:1.31.1 /bin/sh -c "< /dev/urandom tr -cd '[:alnum:]' | head -c20")) && \
docker run --name elastic-helm-charts-certs -i -w /tmp \
$(ELASTICSEARCH_IMAGE) \
/bin/sh -c " \
Expand All @@ -34,5 +33,4 @@ secrets:
kubectl create secret generic elastic-certificates --from-file=elastic-certificates.p12 && \
kubectl create secret generic elastic-certificate-pem --from-file=elastic-certificate.pem && \
kubectl create secret generic elastic-certificate-crt --from-file=elastic-certificate.crt && \
kubectl create secret generic elastic-credentials --from-literal=password=$$password --from-literal=username=elastic && \
rm -f elastic-certificates.p12 elastic-certificate.pem elastic-certificate.crt elastic-stack-ca.p12
12 changes: 0 additions & 12 deletions elasticsearch/examples/security/values.yaml
Expand Up @@ -20,18 +20,6 @@ esConfig:
xpack.security.http.ssl.truststore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
xpack.security.http.ssl.keystore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
extraEnvs:
- name: ELASTIC_PASSWORD
valueFrom:
secretKeyRef:
name: elastic-credentials
key: password
- name: ELASTIC_USERNAME
valueFrom:
secretKeyRef:
name: elastic-credentials
key: username

secretMounts:
- name: elastic-certificates
secretName: elastic-certificates
7 changes: 5 additions & 2 deletions elasticsearch/templates/NOTES.txt
@@ -1,6 +1,9 @@
1. Watch all cluster members come up.
$ kubectl get pods --namespace={{ .Release.Namespace }} -l app={{ template "elasticsearch.uname" . }} -w
{{- if .Values.tests.enabled -}}
2. Test cluster health using Helm test.
2. Retrieve credentials.
$ kubectl get secrets --namespace={{ .Release.Namespace }} {{ template "elasticsearch.uname" . }}-credentials -ojsonpath='{.data.username}' | base64 -d
$ kubectl get secrets --namespace={{ .Release.Namespace }} {{ template "elasticsearch.uname" . }}-credentials -ojsonpath='{.data.password}' | base64 -d
{{- if .Values.tests.enabled }}
3. Test cluster health using Helm test.
$ helm --namespace={{ .Release.Namespace }} test {{ .Release.Name }}
{{- end -}}
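Review bot: the "Retrieve credentials" step is printed unconditionally, but the `{{ template "elasticsearch.uname" . }}-credentials` Secret is only created when `secret.enabled` is true. With `secret.enabled: false` (as in the config and multi examples in this commit) the two `kubectl get secrets` commands point at an object that does not exist. Wrap step 2 in `{{- if .Values.secret.enabled }}` and adjust the numbering of the Helm test step to match.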
23 changes: 23 additions & 0 deletions elasticsearch/templates/secret.yaml
@@ -0,0 +1,23 @@
{{- if .Values.secret.enabled -}}
{{- $passwordValue := (randAlphaNum 16) | b64enc | quote }}
apiVersion: v1
kind: Secret
metadata:
name: {{ template "elasticsearch.uname" . }}-credentials
labels:
heritage: {{ .Release.Service | quote }}
release: {{ .Release.Name | quote }}
chart: "{{ .Chart.Name }}"
app: "{{ template "elasticsearch.uname" . }}"
{{- range $key, $value := .Values.labels }}
{{ $key }}: {{ $value | quote }}
{{- end }}
type: Opaque
data:
username: {{ .Values.secret.username | b64enc}}
{{- if .Values.secret.password }}
password: {{ .Values.secret.password | b64enc }}
{{- else }}
password: {{ $passwordValue }}
{{- end }}
{{- end }}
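Review bot: `$passwordValue := (randAlphaNum 16)` on the second line is evaluated on every render, and nothing in the template reads back an existing Secret, so with `secret.password` empty each `helm upgrade` writes a different password into `-credentials`. Running pods keep the value they started with, which leaves the Secret and the cluster out of step until the next restart. Reuse the existing value when the Secret is already present (Helm's `lookup` function can do this) or document that `secret.password` must be set for upgrades. As a smaller point, `$passwordValue` is piped through `quote` while the `username` and explicit `password` values are not; quoting all three would be consistent.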
28 changes: 25 additions & 3 deletions elasticsearch/templates/statefulset.yaml
Expand Up @@ -231,6 +231,18 @@ spec:
- -c
- |
#!/usr/bin/env bash -e
# Exit if ELASTIC_PASSWORD in unset
if [ -z "${ELASTIC_PASSWORD}" ]; then
echo "ELASTIC_PASSWORD variable is missing, exiting"
exit 1
fi
# Set ELASTIC_USERNAME to "elastic" if unset
if [ -z "${ELASTIC_USERNAME}" ]; then
export ELASTIC_USERNAME=elastic
fi
# If the node is starting up wait for the cluster to be ready (request params: "{{ .Values.clusterHealthCheckParams }}" )
# Once it has started only check that the node itself is responding
START_FILE=/tmp/.es_start_file
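Review bot: the new guard at the top of the readiness script exits 1 whenever `ELASTIC_PASSWORD` is empty, independent of `secret.enabled`, so a release that sets `secret.enabled: false` and provides no credentials through `extraEnvs` will never report ready. Either gate the guard on security actually being in use or state the requirement in the README next to `secret.enabled`. The comment "Exit if ELASTIC_PASSWORD in unset" should read "is unset".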
Expand All @@ -248,9 +260,7 @@ spec:
set -- "$@" $args
fi
if [ -n "${ELASTIC_USERNAME}" ] && [ -n "${ELASTIC_PASSWORD}" ]; then
set -- "$@" -u "${ELASTIC_USERNAME}:${ELASTIC_PASSWORD}"
fi
set -- "$@" -u "${ELASTIC_USERNAME}:${ELASTIC_PASSWORD}"
curl --output /dev/null -k "$@" "{{ .Values.protocol }}://127.0.0.1:{{ .Values.httpPort }}${path}"
}
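Review bot: with the surrounding `if` removed, `-u "${ELASTIC_USERNAME}:${ELASTIC_PASSWORD}"` is now always appended, which places the password in curl's argument list on every probe run. Passing the credentials through a curl config read from stdin (`-K -`) would keep them out of the command line.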
Expand Down Expand Up @@ -313,6 +323,18 @@ spec:
value: "{{ .Values.clusterName }}"
- name: network.host
value: "{{ .Values.networkHost }}"
{{- if .Values.secret.enabled }}
- name: ELASTIC_PASSWORD
valueFrom:
secretKeyRef:
name: {{ template "elasticsearch.uname" . }}-credentials
key: password
- name: ELASTIC_USERNAME
valueFrom:
secretKeyRef:
name: {{ template "elasticsearch.uname" . }}-credentials
key: username
{{- end }}
{{- if .Values.esJavaOpts }}
- name: ES_JAVA_OPTS
value: "{{ .Values.esJavaOpts }}"
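Review bot: the block under `{{- if .Values.secret.enabled }}` defines `ELASTIC_PASSWORD` and `ELASTIC_USERNAME` for every release by default, so values files that already set these names through `extraEnvs` (as examples/security/values.yaml did before this commit) will end up with two definitions unless they also set `secret.enabled: false`. This needs an upgrade note in the README or changelog. The `name:` values under `secretKeyRef` are also unquoted, unlike the neighbouring `value:` entries.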