From fb927d7193e010da4628c0276a7b877d0f6f9633 Mon Sep 17 00:00:00 2001
From: Robert Kaussow
Date: Tue, 6 Jul 2021 14:11:12 +0200
Subject: [PATCH] refactor: rewrite xpack config handling

---
 README.md                                    | 6 +++---
 overlay/etc/templates/elasticsearch.yml.tmpl | 8 +++++++-
 overlay/usr/bin/entrypoint                   | 4 ++++
 3 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/README.md b/README.md
index d374dd4..6099b4a 100644
--- a/README.md
+++ b/README.md
@@ -27,8 +27,6 @@ ELASTICSEARCH_NODE_NAME=elastic-node1
 ELASTICSEARCH_NODE_MASTER=true
 ELASTICSEARCH_NODE_DATA=true
 ELASTICSEARCH_NODE_INGEST=true
-
-ELASTICSEARCH_CLUSTER_MODE=false
 # Comma-separated list
 ELASTICSEARCH_DISCOVERY_SEED_HOSTS=elastic-node1
 ELASTICSEARCH_NETWORK_HOST=0.0.0.0
@@ -37,7 +35,9 @@ ELASTICSEARCH_BOOTSTRAP_MEMORY_LOCK=true
 ELASTICSEARCH_HTTP_PORT=9200
 ELASTICSEARCH_HTTP_COMPRESSION=true
 
-ELASTICSEARCH_XPACK_SECURITY_ENABLED=true
+ELASTICSEARCH_XPACK_SECURITY_ENABLED=false
+# If you enable xpack on a production mode cluster, transport ssl is mandatory
+# and need to be configured.
 ELASTICSEARCH_XPACK_SECURITY_TRANSPORT_SSL_ENABLED=false
 ELASTICSEARCH_XPACK_SECURITY_TRANSPORT_SSL_KEY=node-key.pem
 ELASTICSEARCH_XPACK_SECURITY_TRANSPORT_SSL_CERTIFICATE=node.pem
diff --git a/overlay/etc/templates/elasticsearch.yml.tmpl b/overlay/etc/templates/elasticsearch.yml.tmpl
index 8bb982f..5a6cfe7 100644
--- a/overlay/etc/templates/elasticsearch.yml.tmpl
+++ b/overlay/etc/templates/elasticsearch.yml.tmpl
@@ -52,21 +52,27 @@ bootstrap:
 http:
   port: {{ getenv "ELASTICSEARCH_HTTP_PORT" "9200" }}
   compression: {{ getenv "ELASTICSEARCH_HTTP_COMPRESSION" "true" | conv.Bool }}
 
+{{- if (getenv "ELASTICSEARCH_XPACK_SECURITY_ENABLED" "false" | conv.Bool) }}
 xpack:
   security:
-    enabled: {{ getenv "ELASTICSEARCH_XPACK_SECURITY_ENABLED" "true" | conv.Bool }}
+    enabled: true
     transport:
       ssl:
         enabled: {{ getenv "ELASTICSEARCH_XPACK_SECURITY_TRANSPORT_SSL_ENABLED" "false" | conv.Bool }}
+        {{- if (getenv "ELASTICSEARCH_XPACK_SECURITY_TRANSPORT_SSL_ENABLED" "false" | conv.Bool) }}
         verification_mode: certificate
         client_authentication: required
         key: {{ getenv "ELASTICSEARCH_XPACK_SECURITY_TRANSPORT_SSL_KEY" "node-key.pem" }}
         certificate: {{ getenv "ELASTICSEARCH_XPACK_SECURITY_TRANSPORT_SSL_CERTIFICATE" "node.pem" }}
         certificate_authorities: {{ getenv "ELASTICSEARCH_XPACK_SECURITY_TRANSPORT_SSL_CERTIFICATE_AUTHORITIES" "root-ca.pem" }}
+        {{- end }}
     http:
       ssl:
         enabled: {{ getenv "ELASTICSEARCH_XPACK_SECURITY_HTTP_SSL_ENABLED" "false" | conv.Bool }}
+        {{- if (getenv "ELASTICSEARCH_XPACK_SECURITY_HTTP_SSL_ENABLED" "false" | conv.Bool) }}
         key: {{ getenv "ELASTICSEARCH_XPACK_SECURITY_HTTP_SSL_KEY" "node-key.pem" }}
         certificate: {{ getenv "ELASTICSEARCH_XPACK_SECURITY_HTTP_SSL_CERTIFICATE" "node.pem" }}
         certificate_authorities: {{ getenv "ELASTICSEARCH_XPACK_SECURITY_HTTP_SSL_CERTIFICATE_AUTHORITIES" "root-ca.pem" }}
+        {{- end }}
+{{- end }}
diff --git a/overlay/usr/bin/entrypoint b/overlay/usr/bin/entrypoint
index 4f68fd2..d2cefde 100755
--- a/overlay/usr/bin/entrypoint
+++ b/overlay/usr/bin/entrypoint
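Review bot: The new outer `{{- if ... ELASTICSEARCH_XPACK_SECURITY_ENABLED ... }}` drops the whole `xpack:` block when the variable is not true-ish, so the rendered elasticsearch.yml no longer states `xpack.security.enabled` at all; before this change the value was always written. The effective setting then depends on the Elasticsearch version's default, which as far as I know is false on a 7.x basic license but true from 8.0, so the same image configuration can silently mean different things. Keep the value explicit in the disabled case by adding `{{- else }}` followed by `xpack.security.enabled: false` immediately before the final `{{- end }}`. Separately, the block still renders `enabled: true` together with `transport.ssl.enabled: false` when only the first variable is set, which the README in this same commit describes as invalid for a production-mode cluster; the template cannot reject that combination itself, so the entrypoint is the place to flag it.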
@@ -21,5 +21,9 @@ if [ -n "$ELASTICSEARCH_S3_CLIENT_DEFAULT_ACCESS_KEY" ] && [ -n "$ELASTICSEARCH_
   /usr/share/elasticsearch/bin/elasticsearch-keystore upgrade
 fi
 
+if [ "$ELASTICSEARCH_XPACK_SECURITY_ENABLED" != "true" ]; then
+  log_warn "XPACK security is disabled, don't use it in production"
+fi
+
 log_info "Start ElasticSearch ...\n"
 exec env ELASTIC_PASSWORD="$ELASTICSEARCH_PASSWORD" /usr/local/bin/docker-entrypoint.sh
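Review bot: The new warning tests `"$ELASTICSEARCH_XPACK_SECURITY_ENABLED" != "true"`, while the template in this same commit decides the rendered `xpack.security.enabled` with gomplate's `conv.Bool`, which (if I recall its semantics correctly) also accepts spellings such as `1`, `t` or `True`; a value like `1` therefore enables security in the config yet still prints "XPACK security is disabled" here, and the two checks should agree on what counts as enabled. The `if`/`fi` above the new block belongs to a conditional that starts outside the hunk. Since the README added in this commit states that transport TLS is mandatory once security is enabled in production mode, the mirror case — security on, `ELASTICSEARCH_XPACK_SECURITY_TRANSPORT_SSL_ENABLED` not true-ish — deserves at least the same `log_warn` so the operator sees the cause before Elasticsearch refuses to start; its exact behaviour depends on the Elasticsearch version and is not visible here.
```shell
case "${ELASTICSEARCH_XPACK_SECURITY_ENABLED:-false}" in
  1|t|T|true|True|TRUE) ;;
  *) log_warn "XPACK security is disabled, don't use it in production" ;;
esac
# … unchanged: log_info and exec …
```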