From cd88fc44fc59acf5b1789e3250bfa4e4b1148f07 Mon Sep 17 00:00:00 2001
From: Steve Wilkerson <wilkers.steve@gmail.com>
Date: Tue, 14 Aug 2018 09:57:17 -0500
Subject: [PATCH] Elasticsearch: Add ingress, remove node ports

This adds an ingress to the Elasticsearch chart, allowing for the
exposure of the Elasticsearch cluster externally if required.

This also removes the node ports from the data and discovery
services, as these ports should not be used beyond service
discovery by the elasticsearch nodes. It moves the node port for
the client service under the network.elasticsearch key to match
the network tree for the other services

Change-Id: Ia989eff87b8c9f112c697ae309bbb971dc699aa5
---
 .../templates/ingress-elasticsearch.yaml      | 20 +++++++++++++
 elasticsearch/templates/service-data.yaml     |  6 ----
 .../templates/service-discovery.yaml          |  6 ----
 .../service-ingress-elasticsearch.yaml        | 20 +++++++++++++
 elasticsearch/templates/service-logging.yaml  |  6 ++--
 elasticsearch/values.yaml                     | 30 +++++++++++++------
 6 files changed, 64 insertions(+), 24 deletions(-)
 create mode 100644 elasticsearch/templates/ingress-elasticsearch.yaml
 create mode 100644 elasticsearch/templates/service-ingress-elasticsearch.yaml

diff --git a/elasticsearch/templates/ingress-elasticsearch.yaml b/elasticsearch/templates/ingress-elasticsearch.yaml
new file mode 100644
index 000000000..209fbfcf5
--- /dev/null
+++ b/elasticsearch/templates/ingress-elasticsearch.yaml
@@ -0,0 +1,20 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.ingress .Values.network.elasticsearch.ingress.public }}
+{{- $ingressOpts := dict "envAll" . "backendService" "elasticsearch" "backendServiceType" "elasticsearch" "backendPort" "http" -}}
+{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
+{{- end }}
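Review bot: Nothing in this template says what authenticates requests that arrive through the ingress, which targets the `"http"` port of the `elasticsearch` backend, the same named port that service-logging.yaml publishes for the client pods. The chart carries a `conf.httpd` block and an `elasticsearch-admin-creds` secret, so there is presumably an authenticating proxy in front of the REST API, but that is not visible in this diff and should be confirmed before the route is enabled. I would add a short template comment above the `if` stating this, for example `{{/* Routes the public endpoint to the client "http" port; access control relies on the httpd proxy in front of Elasticsearch */}}`, once the behaviour is verified.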
diff --git a/elasticsearch/templates/service-data.yaml b/elasticsearch/templates/service-data.yaml
index 0dc7e544b..6ebd632ac 100644
--- a/elasticsearch/templates/service-data.yaml
+++ b/elasticsearch/templates/service-data.yaml
@@ -25,12 +25,6 @@ spec:
   ports:
   - name: transport
     port: {{ tuple "elasticsearch" "internal" "discovery" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
-    {{- if .Values.network.data.node_port.enabled }}
-    nodePort: {{ .Values.network.data.node_port.port }}
-    {{- end }}
   selector:
 {{ tuple $envAll "elasticsearch" "data" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
-  {{- if .Values.network.data.node_port.enabled }}
-  type: NodePort
-  {{- end }}
 {{- end }}
diff --git a/elasticsearch/templates/service-discovery.yaml b/elasticsearch/templates/service-discovery.yaml
index efe2f0c2b..8d30c2719 100644
--- a/elasticsearch/templates/service-discovery.yaml
+++ b/elasticsearch/templates/service-discovery.yaml
@@ -25,12 +25,6 @@ spec:
   ports:
   - name: transport
     port: {{ tuple "elasticsearch" "internal" "discovery" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
-    {{- if .Values.network.discovery.node_port.enabled }}
-    nodePort: {{ .Values.network.discovery.node_port.port }}
-    {{- end }}
   selector:
 {{ tuple $envAll "elasticsearch" "master" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
-  {{- if .Values.network.discovery.node_port.enabled }}
-  type: NodePort
-  {{- end }}
 {{- end }}
diff --git a/elasticsearch/templates/service-ingress-elasticsearch.yaml b/elasticsearch/templates/service-ingress-elasticsearch.yaml
new file mode 100644
index 000000000..1f4ec1eff
--- /dev/null
+++ b/elasticsearch/templates/service-ingress-elasticsearch.yaml
@@ -0,0 +1,20 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.service_ingress .Values.network.elasticsearch.ingress.public }}
+{{- $serviceIngressOpts := dict "envAll" . "backendServiceType" "elasticsearch" -}}
+{{ $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }}
+{{- end }}
diff --git a/elasticsearch/templates/service-logging.yaml b/elasticsearch/templates/service-logging.yaml
index a096617c8..1a31533f7 100644
--- a/elasticsearch/templates/service-logging.yaml
+++ b/elasticsearch/templates/service-logging.yaml
@@ -25,12 +25,12 @@ spec:
   ports:
   - name: http
     port: {{ tuple "elasticsearch" "internal" "http" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
-    {{- if .Values.network.client.node_port.enabled }}
-    nodePort: {{ .Values.network.client.node_port.port }}
+    {{- if .Values.network.elasticsearch.node_port.enabled }}
+    nodePort: {{ .Values.network.elasticsearch.node_port.port }}
     {{- end }}
   selector:
 {{ tuple $envAll "elasticsearch" "client" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
-  {{- if .Values.network.client.node_port.enabled }}
+  {{- if .Values.network.elasticsearch.node_port.enabled }}
   type: NodePort
   {{- end }}
 {{- end }}
diff --git a/elasticsearch/values.yaml b/elasticsearch/values.yaml
index f87a69e9b..78ee47f1d 100644
--- a/elasticsearch/values.yaml
+++ b/elasticsearch/values.yaml
@@ -174,6 +174,10 @@ pod:
 secrets:
   elasticsearch:
     user: elasticsearch-admin-creds
+  tls:
+    elasticsearch:
+      elasticsearch:
+        public: elasticsearch-tls-public
 
 conf:
   httpd: |
@@ -461,6 +465,13 @@ endpoints:
       public: elasticsearch
     host_fqdn_override:
       default: null
+      # NOTE(srwilkers): this chart supports TLS for fqdn over-ridden public
+      # endpoints using the following format:
+      # public:
+      #   host: null
+      #   tls:
+      #     crt: null
+      #     key: null
     path:
       default: null
     scheme:
@@ -509,18 +520,17 @@ monitoring:
       scrape: true
 
 network:
-  client:
+  elasticsearch:
+    ingress:
+      public: true
+      classes:
+        namespace: "nginx"
+        cluster: "nginx-cluster"
+      annotations:
+        nginx.ingress.kubernetes.io/rewrite-target: /
     node_port:
       enabled: false
       port: 30920
-  discovery:
-    node_port:
-      enabled: false
-      port: 30930
-  data:
-    node_port:
-      enabled: false
-      port: 30931
 
 storage:
   elasticsearch:
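Review bot: `public: true` under `network.elasticsearch.ingress` makes the ingress the default, because `manifests.ingress` and `manifests.service_ingress` are also added as `true` in the later hunks of this file, while the commit message describes the exposure as something done "if required". The TLS material described in the `host_fqdn_override` note defaults to `null`, so as far as this diff shows a default install would publish the endpoint without a certificate; whether helm-toolkit supplies TLS some other way is not visible here. Consider shipping `public: false`, or at least add a comment above the key such as `# Set to false to keep Elasticsearch reachable only from inside the cluster`. Operators who override the old `network.client.node_port` key should also be told it moved to `network.elasticsearch.node_port`, since service-logging.yaml no longer reads the old path.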
@@ -547,6 +557,7 @@ manifests:
   cron_curator: true
   deployment_client: true
   deployment_master: true
+  ingress: true
   job_image_repo_sync: true
   job_snapshot_repository: false
   helm_tests: true
@@ -560,5 +571,6 @@ manifests:
   pvc_snapshots: true
   service_data: true
   service_discovery: true
+  service_ingress: true
   service_logging: true
   statefulset_data: true