This repository has been archived by the owner on May 28, 2024. It is now read-only.

[elasticsearch] use security by default (elastic#1384)
This commit updates the Elasticsearch chart to use security by default.

- Adds a new Secret template for Elasticsearch password with a
  randomized password if `secret.password` isn't defined.

- Adds instructions to retrieve the password in Elasticsearch chart
  deployment notes.

- Also, remove usage of the `ELASTIC_USERNAME` variable because it
  doesn't seem to be supported anymore by Elasticsearch

The other charts will be updated in follow-up PRs to use the proper
credentials

Relates to elastic#1375
jmlrt committed Oct 12, 2021
1 parent d8838e8 commit 321be18
Showing 13 changed files with 15 additions and 43 deletions.
3 changes: 1 addition & 2 deletions elasticsearch/README.md
@@ -158,8 +158,7 @@ support multiple versions with minimal changes.
| `roles` | A list with the specific [roles][] for the `nodeGroup` | see [values.yaml][] |
| `schedulerName` | Name of the [alternate scheduler][] | `""` |
| `secret.enabled` | Enable Secret creation for Elasticsearch credentials | `true` |
| `secret.username` | Name of the Elasticsearch user defined in Elasticsearch credentials | `elastic` |
| `secret.password` | Password of the Elasticsearch user defined in Elasticsearch credentials | `""` (generated randomly) |
| `secret.password` | Initial password for the elastic user | `""` (generated randomly) |
| `secretMounts` | Allows you easily mount a secret as a file inside the StatefulSet. Useful for mounting certificates and other secrets. See [values.yaml][] for an example | `[]` |
| `securityContext` | Allows you to set the [securityContext][] for the container | see [values.yaml][] |
| `service.annotations` | [LoadBalancer annotations][] that Kubernetes will use for the service. This will configure load balancer if `service.type` is `LoadBalancer` | `{}` |
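Review bot: "Initial password for the elastic user" is the right wording, but the README should say what it implies for users who change the value later: `ELASTIC_PASSWORD` only seeds the bootstrap password on first start, so editing `secret.password` on a running cluster does not rotate the account in Elasticsearch, while the readiness probe in statefulset.yaml (now `-u "elastic:${ELASTIC_PASSWORD}"`) immediately starts using the new value and fails. Suggest a sentence under this row telling users to change the password through Elasticsearch first and then update the Secret, and to treat the Secret as the source the probes read, not as a rotation mechanism.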
4 changes: 2 additions & 2 deletions elasticsearch/examples/config/test/goss.yaml
@@ -2,7 +2,7 @@ http:
http://localhost:9200/_cluster/health:
status: 200
timeout: 2000
username: "{{ .Env.ELASTIC_USERNAME }}"
username: elastic
password: "{{ .Env.ELASTIC_PASSWORD }}"
body:
- "green"
@@ -12,7 +12,7 @@ http:
http://localhost:9200:
status: 200
timeout: 2000
username: "{{ .Env.ELASTIC_USERNAME }}"
username: elastic
password: "{{ .Env.ELASTIC_PASSWORD }}"
body:
- '"cluster_name" : "config"'
5 changes: 0 additions & 5 deletions elasticsearch/examples/config/values.yaml
@@ -8,11 +8,6 @@ extraEnvs:
secretKeyRef:
name: elastic-config-credentials
key: password
- name: ELASTIC_USERNAME
valueFrom:
secretKeyRef:
name: elastic-config-credentials
key: username

# This is just a dummy file to make sure that
# the keystore can be mounted at the same time
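Review bot: this example still feeds `ELASTIC_PASSWORD` through `extraEnvs` from a hand-made Secret (`elastic-config-credentials`), while the chart default is now `secret.enabled: true`, which renders its own `<uname>-credentials` Secret with a random password and injects `ELASTIC_PASSWORD` from it in statefulset.yaml. Unless this example also sets `secret.enabled: false` (not visible in the hunk), the container spec ends up with two `ELASTIC_PASSWORD` entries carrying different values; either disable the chart Secret here or drop the `extraEnvs` entry and let the chart's own Secret supply the password.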
4 changes: 2 additions & 2 deletions elasticsearch/examples/default/test/goss.yaml
@@ -6,7 +6,7 @@ http:
http://elasticsearch-master:9200/_cluster/health:
status: 200
timeout: 2000
username: "{{ .Env.ELASTIC_USERNAME }}"
username: elastic
password: "{{ .Env.ELASTIC_PASSWORD }}"
body:
- "green"
@@ -16,7 +16,7 @@ http:
http://localhost:9200:
status: 200
timeout: 2000
username: "{{ .Env.ELASTIC_USERNAME }}"
username: elastic
password: "{{ .Env.ELASTIC_PASSWORD }}"
body:
- '"number" : "8.0.0-SNAPSHOT"'
5 changes: 0 additions & 5 deletions elasticsearch/examples/multi/client.yaml
@@ -8,11 +8,6 @@ extraEnvs:
secretKeyRef:
name: multi-master-credentials
key: password
- name: ELASTIC_USERNAME
valueFrom:
secretKeyRef:
name: multi-master-credentials
key: username

roles: []

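Review bot: the client node now depends solely on the `password` key of `multi-master-credentials`, presumably the Secret the master release renders from secret.yaml, so install order matters: if the client release is applied before that Secret exists, the pod sits in CreateContainerConfigError until it appears, and the same holds for data.yaml. Worth a line in the multi example's instructions stating that the master release must be installed first and that the other releases must keep `secret.enabled: false` so they do not generate their own, different password.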
5 changes: 0 additions & 5 deletions elasticsearch/examples/multi/data.yaml
@@ -8,11 +8,6 @@ extraEnvs:
secretKeyRef:
name: multi-master-credentials
key: password
- name: ELASTIC_USERNAME
valueFrom:
secretKeyRef:
name: multi-master-credentials
key: username

roles:
- data
2 changes: 1 addition & 1 deletion elasticsearch/examples/multi/test/goss.yaml
@@ -2,7 +2,7 @@ http:
http://localhost:9200/_cluster/health:
status: 200
timeout: 2000
username: "{{ .Env.ELASTIC_USERNAME }}"
username: elastic
password: "{{ .Env.ELASTIC_PASSWORD }}"
body:
- "green"
4 changes: 2 additions & 2 deletions elasticsearch/examples/openshift/test/goss.yaml
@@ -2,7 +2,7 @@ http:
http://localhost:9200/_cluster/health:
status: 200
timeout: 2000
username: "{{ .Env.ELASTIC_USERNAME }}"
username: elastic
password: "{{ .Env.ELASTIC_PASSWORD }}"
body:
- "green"
@@ -12,7 +12,7 @@ http:
http://localhost:9200:
status: 200
timeout: 2000
username: "{{ .Env.ELASTIC_USERNAME }}"
username: elastic
password: "{{ .Env.ELASTIC_PASSWORD }}"
body:
- '"number" : "8.0.0-SNAPSHOT"'
6 changes: 3 additions & 3 deletions elasticsearch/examples/security/test/goss.yaml
@@ -3,7 +3,7 @@ http:
status: 200
timeout: 2000
allow-insecure: true
username: "{{ .Env.ELASTIC_USERNAME }}"
username: elastic
password: "{{ .Env.ELASTIC_PASSWORD }}"
body:
- "green"
@@ -14,7 +14,7 @@ http:
status: 200
timeout: 2000
allow-insecure: true
username: "{{ .Env.ELASTIC_USERNAME }}"
username: elastic
password: "{{ .Env.ELASTIC_PASSWORD }}"
body:
- '"cluster_name" : "security"'
@@ -24,7 +24,7 @@ http:
status: 200
timeout: 2000
allow-insecure: true
username: "{{ .Env.ELASTIC_USERNAME }}"
username: elastic
password: "{{ .Env.ELASTIC_PASSWORD }}"
body:
- "active"
3 changes: 1 addition & 2 deletions elasticsearch/templates/NOTES.txt
@@ -1,7 +1,6 @@
1. Watch all cluster members come up.
$ kubectl get pods --namespace={{ .Release.Namespace }} -l app={{ template "elasticsearch.uname" . }} -w
2. Retrieve credentials.
$ kubectl get secrets --namespace={{ .Release.Namespace }} {{ template "elasticsearch.uname" . }}-credentials -ojsonpath='{.data.username}' | base64 -d
2. Retrieve elastic user's password.
$ kubectl get secrets --namespace={{ .Release.Namespace }} {{ template "elasticsearch.uname" . }}-credentials -ojsonpath='{.data.password}' | base64 -d
{{- if .Values.tests.enabled }}
3. Test cluster health using Helm test.
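Review bot: step 2 assumes a Secret named `{{ template "elasticsearch.uname" . }}-credentials` with a `password` key, which is only guaranteed when the chart renders secret.yaml; with `secret.enabled: false` (values.yaml: "Disable it to use your own elastic-credential Secret.") the command may fail or print someone else's Secret, so wrap step 2 in the same condition secret.yaml uses. Minor: `base64 -d` emits no trailing newline, so the prompt gets glued to the password and is easy to copy along with it; append `; echo` to the command.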
2 changes: 1 addition & 1 deletion elasticsearch/templates/secret.yaml
@@ -14,7 +14,7 @@ metadata:
{{- end }}
type: Opaque
data:
username: {{ .Values.secret.username | b64enc}}
username: {{ "elastic" | b64enc }}
{{- if .Values.secret.password }}
password: {{ .Values.secret.password | b64enc }}
{{- else }}
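Review bot: the `{{- else }}` branch that generates the random password is outside this hunk, but if it is a plain `randAlphaNum` the value is re-rendered on every `helm upgrade`, so the Secret, and with it the `ELASTIC_PASSWORD` the readiness probe authenticates with, drifts from the bootstrap password the cluster stored on first start and every node goes unready. Please confirm the branch reuses the existing value (for example via `lookup` on the already-deployed Secret) or that the README tells users to pin `secret.password` before upgrading. Minor: `username: {{ "elastic" | b64enc }}` is now a constant that nothing in the chart reads (statefulset.yaml no longer consumes the `username` key); fine to keep for external tooling, but say so in a comment.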
12 changes: 1 addition & 11 deletions elasticsearch/templates/statefulset.yaml
@@ -238,11 +238,6 @@ spec:
exit 1
fi
# Set ELASTIC_USERNAME to "elastic" if unset
if [ -z "${ELASTIC_USERNAME}" ]; then
export ELASTIC_USERNAME=elastic
fi
# If the node is starting up wait for the cluster to be ready (request params: "{{ .Values.clusterHealthCheckParams }}" )
# Once it has started only check that the node itself is responding
START_FILE=/tmp/.es_start_file
@@ -260,7 +255,7 @@ spec:
set -- "$@" $args
fi
set -- "$@" -u "${ELASTIC_USERNAME}:${ELASTIC_PASSWORD}"
set -- "$@" -u "elastic:${ELASTIC_PASSWORD}"
curl --output /dev/null -k "$@" "{{ .Values.protocol }}://127.0.0.1:{{ .Values.httpPort }}${path}"
}
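Review bot: `set -- "$@" -u "elastic:${ELASTIC_PASSWORD}"` leaves the password on curl's argv, where any process in the pod can read it from `/proc/<pid>/cmdline`; that was already true before this change, but since the probe script is being edited, consider handing the credentials to curl on stdin (`-K -` with a `user = "elastic:${ELASTIC_PASSWORD}"` line) so they never show up in the process list. The `-k` on the loopback request is acceptable for 127.0.0.1 but deserves a one-line comment explaining why verification is skipped.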
@@ -329,11 +324,6 @@ spec:
secretKeyRef:
name: {{ template "elasticsearch.uname" . }}-credentials
key: password
- name: ELASTIC_USERNAME
valueFrom:
secretKeyRef:
name: {{ template "elasticsearch.uname" . }}-credentials
key: username
{{- end }}
{{- if .Values.esJavaOpts }}
- name: ES_JAVA_OPTS
3 changes: 1 addition & 2 deletions elasticsearch/values.yaml
@@ -52,8 +52,7 @@ envFrom: []
# Disable it to use your own elastic-credential Secret.
secret:
enabled: true
username: "elastic"
password: "" # generated randomly id not defined
password: "" # generated randomly if not defined

# A list of secrets and their paths to mount inside the pod
# This is useful for mounting certificates for security and for mounting
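Review bot: with `username` gone, the comment "Disable it to use your own elastic-credential Secret." no longer tells users what shape that Secret must have: statefulset.yaml reads the `password` key from a Secret named `{{ template "elasticsearch.uname" . }}-credentials`, and the account is fixed to `elastic`. Spell that out here (and in the README `secret.enabled` row) so a custom Secret with another name or key does not leave the pods in CreateContainerConfigError.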
