refactor: rewrite xpack config handling

owncloud-ops · Jul 6, 2021 · fb927d7 · fb927d7
1 parent 35fe9b3
commit fb927d7
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 4 deletions.
diff --git a/README.md b/README.md
@@ -27,8 +27,6 @@ ELASTICSEARCH_NODE_NAME=elastic-node1
 ELASTICSEARCH_NODE_MASTER=true
 ELASTICSEARCH_NODE_DATA=true
 ELASTICSEARCH_NODE_INGEST=true
-
-ELASTICSEARCH_CLUSTER_MODE=false
 # Comma-separated list
 ELASTICSEARCH_DISCOVERY_SEED_HOSTS=elastic-node1
 ELASTICSEARCH_NETWORK_HOST=0.0.0.0
@@ -37,7 +35,9 @@ ELASTICSEARCH_BOOTSTRAP_MEMORY_LOCK=true
 ELASTICSEARCH_HTTP_PORT=9200
 ELASTICSEARCH_HTTP_COMPRESSION=true
 
-ELASTICSEARCH_XPACK_SECURITY_ENABLED=true
+ELASTICSEARCH_XPACK_SECURITY_ENABLED=false
+# If you enable xpack on a production mode cluster, transport ssl is mandatory
+# and need to be configured.
 ELASTICSEARCH_XPACK_SECURITY_TRANSPORT_SSL_ENABLED=false
 ELASTICSEARCH_XPACK_SECURITY_TRANSPORT_SSL_KEY=node-key.pem
 ELASTICSEARCH_XPACK_SECURITY_TRANSPORT_SSL_CERTIFICATE=node.pem

diff --git a/overlay/etc/templates/elasticsearch.yml.tmpl b/overlay/etc/templates/elasticsearch.yml.tmpl
@@ -52,21 +52,27 @@ bootstrap:
 http:
   port: {{ getenv "ELASTICSEARCH_HTTP_PORT" "9200" }}
   compression: {{ getenv "ELASTICSEARCH_HTTP_COMPRESSION" "true" | conv.Bool }}
+{{- if (getenv "ELASTICSEARCH_XPACK_SECURITY_ENABLED" "false" | conv.Bool) }}
 
 xpack:
   security:
-    enabled: {{ getenv "ELASTICSEARCH_XPACK_SECURITY_ENABLED" "true" | conv.Bool }}
+    enabled: true
     transport:
       ssl:
         enabled: {{ getenv "ELASTICSEARCH_XPACK_SECURITY_TRANSPORT_SSL_ENABLED" "false" | conv.Bool }}
+        {{- if (getenv "ELASTICSEARCH_XPACK_SECURITY_TRANSPORT_SSL_ENABLED" "false" | conv.Bool) }}
         verification_mode: certificate
         client_authentication: required
         key: {{ getenv "ELASTICSEARCH_XPACK_SECURITY_TRANSPORT_SSL_KEY" "node-key.pem" }}
         certificate: {{ getenv "ELASTICSEARCH_XPACK_SECURITY_TRANSPORT_SSL_CERTIFICATE" "node.pem" }}
         certificate_authorities: {{ getenv "ELASTICSEARCH_XPACK_SECURITY_TRANSPORT_SSL_CERTIFICATE_AUTHORITIES" "root-ca.pem" }}
+        {{- end }}
     http:
       ssl:
         enabled: {{ getenv "ELASTICSEARCH_XPACK_SECURITY_HTTP_SSL_ENABLED" "false" | conv.Bool }}
+        {{- if (getenv "ELASTICSEARCH_XPACK_SECURITY_HTTP_SSL_ENABLED" "false" | conv.Bool) }}
         key: {{ getenv "ELASTICSEARCH_XPACK_SECURITY_HTTP_SSL_KEY" "node-key.pem" }}
         certificate: {{ getenv "ELASTICSEARCH_XPACK_SECURITY_HTTP_SSL_CERTIFICATE" "node.pem" }}
         certificate_authorities: {{ getenv "ELASTICSEARCH_XPACK_SECURITY_HTTP_SSL_CERTIFICATE_AUTHORITIES" "root-ca.pem" }}
+        {{- end }}
+{{- end }}
diff --git a/overlay/usr/bin/entrypoint b/overlay/usr/bin/entrypoint
@@ -21,5 +21,9 @@ if [ -n "$ELASTICSEARCH_S3_CLIENT_DEFAULT_ACCESS_KEY" ] && [ -n "$ELASTICSEARCH_
     /usr/share/elasticsearch/bin/elasticsearch-keystore upgrade
 fi
 
+if [ "$ELASTICSEARCH_XPACK_SECURITY_ENABLED" != "true" ]; then
+    log_warn "XPACK security is disabled, don't use it in production"
+fi
+
 log_info "Start ElasticSearch ...\n"
 exec env ELASTIC_PASSWORD="$ELASTICSEARCH_PASSWORD" /usr/local/bin/docker-entrypoint.sh