From fd4bf572111b75f1a73396c6d3b714259b53a024 Mon Sep 17 00:00:00 2001 From: "Lo, Chi (cl566n)" Date: Mon, 26 Apr 2021 11:42:04 -0700 Subject: [PATCH] Enable TLS for Elasticsearch The change enables: (1) TLS for the Elasticsearch transport networking layer. The transport networking layer is used for internal communication between nodes in a cluster. (2) TLS path between Elasticsearch and Ceph-rgw host. Change-Id: Ifb6cb5db19bc5db2c8cb914f6a5887cf3d0f9434 --- elasticsearch/Chart.yaml | 2 +- .../templates/bin/_create_s3_buckets.sh.tpl | 2 +- .../templates/bin/_elasticsearch.sh.tpl | 7 ++++++- elasticsearch/templates/deployment-client.yaml | 10 ++++++++++ .../templates/deployment-gateway.yaml | 11 +++++++++++ elasticsearch/templates/job-s3-bucket.yaml | 4 ++++ elasticsearch/templates/statefulset-data.yaml | 6 ++++-- .../templates/statefulset-master.yaml | 13 +++++++++++-- elasticsearch/values_overrides/tls.yaml | 11 +++++++++++ helm-toolkit/Chart.yaml | 2 +- .../manifests/_job-s3-bucket.yaml.tpl | 18 ++++++++++++++++++ releasenotes/notes/elasticsearch.yaml | 1 + releasenotes/notes/helm-toolkit.yaml | 1 + 13 files changed, 80 insertions(+), 8 deletions(-) diff --git a/elasticsearch/Chart.yaml b/elasticsearch/Chart.yaml index 2baf03ce1..8cb3ff4fd 100644 --- a/elasticsearch/Chart.yaml +++ b/elasticsearch/Chart.yaml @@ -15,7 +15,7 @@ apiVersion: v1 appVersion: v7.6.2 description: OpenStack-Helm ElasticSearch name: elasticsearch -version: 0.2.5 +version: 0.2.6 home: https://www.elastic.co/ sources: - https://github.com/elastic/elasticsearch diff --git a/elasticsearch/templates/bin/_create_s3_buckets.sh.tpl b/elasticsearch/templates/bin/_create_s3_buckets.sh.tpl index 1b09067bd..ed9ed1f07 100644 --- a/elasticsearch/templates/bin/_create_s3_buckets.sh.tpl +++ b/elasticsearch/templates/bin/_create_s3_buckets.sh.tpl 
@@ -54,7 +54,7 @@ CONNECTION_ARGS="--host=$RGW_HOST --host-bucket=$RGW_HOST" if [ "$RGW_PROTO" = "http" ]; then CONNECTION_ARGS+=" --no-ssl" else - CONNECTION_ARGS+=" --no-check-certificate" + CONNECTION_ARGS+=" ${TLS_OPTION}" fi USER_AUTH_ARGS=" --access_key=$S3_ACCESS_KEY --secret_key=$S3_SECRET_KEY" diff --git a/elasticsearch/templates/bin/_elasticsearch.sh.tpl b/elasticsearch/templates/bin/_elasticsearch.sh.tpl index 008e80510..778f27657 100644 --- a/elasticsearch/templates/bin/_elasticsearch.sh.tpl +++ b/elasticsearch/templates/bin/_elasticsearch.sh.tpl @@ -19,7 +19,6 @@ set -e COMMAND="${@:-start}" function initiate_keystore () { - set -ex bin/elasticsearch-keystore create {{- if .Values.conf.elasticsearch.snapshots.enabled }} @@ -30,6 +29,12 @@ function initiate_keystore () { echo ${{$secret_key}} | /usr/share/elasticsearch/bin/elasticsearch-keystore add -xf s3.client.{{ $client }}.secret_key {{- end }} {{- end }} + + {{- if .Values.manifests.certificates }} + {{- $alias := .Values.secrets.tls.elasticsearch.elasticsearch.internal }} + /usr/share/elasticsearch/jdk/bin/keytool -storepasswd -cacerts -new ${ELASTICSEARCH_PASSWORD} -storepass changeit + /usr/share/elasticsearch/jdk/bin/keytool -importcert -alias {{$alias}} -cacerts -trustcacerts -noprompt -file ${JAVA_KEYSTORE_CERT_PATH} -storepass ${ELASTICSEARCH_PASSWORD} + {{- end }} } function start () { diff --git a/elasticsearch/templates/deployment-client.yaml b/elasticsearch/templates/deployment-client.yaml index a87e8e72e..ed66fd926 100644 --- a/elasticsearch/templates/deployment-client.yaml +++ b/elasticsearch/templates/deployment-client.yaml 
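Review bot: Replacing `--no-check-certificate` with `${TLS_OPTION}` in the else branch means an unset TLS_OPTION now appends nothing, so for an https RGW_PROTO without `manifests.certificates` s3cmd quietly switches from skipping verification to verifying the rgw certificate against the image's default CA bundle. That is the safer default, but it is a behaviour change for existing https deployments and nothing in the script says so. A comment on the else branch would make the fallback explicit, e.g. `# TLS_OPTION is set by the bucket job only when a CA secret is wired in; when unset, s3cmd verifies against its default CA bundle`. The enclosing script continues outside the hunk.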
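Review bot: Both keytool calls added to `initiate_keystore` pass `${ELASTICSEARCH_PASSWORD}` as a command-line argument, where it is readable by anything that can list processes in the container; keytool accepts an `:env` modifier on its password options (including `-new`), so `-new:env ELASTICSEARCH_PASSWORD -storepass changeit` and `-storepass:env ELASTICSEARCH_PASSWORD` keep the value out of argv. With `set -e` in effect from the top of the script, `-storepasswd` and `-importcert` also abort the entrypoint if they run a second time against a cacerts that already carries the new password or the alias, so this presumably relies on a fresh container filesystem on every start and deserves a comment saying so. Reusing the Elasticsearch user password as the JVM truststore password ties two unrelated credentials together as well; a comment explaining that choice, or a dedicated value, would help the next reader. `initiate_keystore` begins before this hunk.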
@@ -172,6 +172,15 @@ spec: value: {{ tuple "elasticsearch" "discovery" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }} - name: ES_JAVA_OPTS value: "{{ .Values.conf.elasticsearch.env.java_opts.client }}" +{{- if .Values.manifests.certificates }} + - name: JAVA_KEYSTORE_CERT_PATH + value: "/usr/share/elasticsearch/config/ca.crt" + - name: ELASTICSEARCH_PASSWORD + valueFrom: + secretKeyRef: + name: {{ $esUserSecret }} + key: ELASTICSEARCH_PASSWORD +{{- end }} {{- if .Values.conf.elasticsearch.snapshots.enabled }} {{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" . | indent 12 }} {{- end }} @@ -204,6 +213,7 @@ spec: readOnly: true - name: storage mountPath: {{ .Values.conf.elasticsearch.config.path.data }} +{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.elasticsearch.elasticsearch.internal "path" "/usr/share/elasticsearch/config" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{ if $mounts_elasticsearch.volumeMounts }}{{ toYaml $mounts_elasticsearch.volumeMounts | indent 12 }}{{ end }} volumes: - name: pod-tmp diff --git a/elasticsearch/templates/deployment-gateway.yaml b/elasticsearch/templates/deployment-gateway.yaml index e66a1e2a6..6348509a0 100644 --- a/elasticsearch/templates/deployment-gateway.yaml +++ b/elasticsearch/templates/deployment-gateway.yaml @@ -115,6 +115,15 @@ spec: value: {{ tuple "elasticsearch" "discovery" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }} - name: ES_JAVA_OPTS value: "{{ .Values.conf.elasticsearch.env.java_opts.client }}" +{{- if .Values.manifests.certificates }} + - name: JAVA_KEYSTORE_CERT_PATH + value: "/usr/share/elasticsearch/config/ca.crt" + - name: ELASTICSEARCH_PASSWORD + valueFrom: + secretKeyRef: + name: {{ $esUserSecret }} + key: ELASTICSEARCH_PASSWORD +{{- end }} {{- if .Values.conf.elasticsearch.snapshots.enabled }} {{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" . | indent 12 }} {{- end }} 
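Review bot: The second hunk adds the `tls_volume_mount` entries to the client deployment, but unlike deployment-gateway.yaml and statefulset-master.yaml in this patch no matching `tls_volume` entry is added under `volumes:` here; if the secret volume is not already declared in this template from the earlier "Enable TLS with Kibana" change, the rendered pod spec references an undefined volume and the pod will not be created. Rendering the chart with `values_overrides/tls.yaml` and checking the client pod's `volumes:` list would confirm it. `$esUserSecret`, used by the new `ELASTICSEARCH_PASSWORD` entry, is defined outside the hunk.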
@@ -144,6 +153,7 @@ spec: readOnly: true - name: storage mountPath: {{ .Values.conf.elasticsearch.config.path.data }} +{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.elasticsearch.elasticsearch.internal "path" "/usr/share/elasticsearch/config" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{ if $mounts_elasticsearch.volumeMounts }}{{ toYaml $mounts_elasticsearch.volumeMounts | indent 12 }}{{ end }} volumes: - name: pod-tmp @@ -160,5 +170,6 @@ spec: defaultMode: 0444 - name: storage emptyDir: {} +{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.elasticsearch.elasticsearch.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{ if $mounts_elasticsearch.volumes }}{{ toYaml $mounts_elasticsearch.volumes | indent 8 }}{{ end }} {{- end }} diff --git a/elasticsearch/templates/job-s3-bucket.yaml b/elasticsearch/templates/job-s3-bucket.yaml index cff2133ca..8ea633d8d 100644 --- a/elasticsearch/templates/job-s3-bucket.yaml +++ b/elasticsearch/templates/job-s3-bucket.yaml @@ -15,5 +15,9 @@ limitations under the License. {{- if and (.Values.manifests.job_s3_bucket) (.Values.conf.elasticsearch.snapshots.enabled) }} {{- $esBucket := .Values.conf.elasticsearch.snapshots.bucket }} {{- $s3BucketJob := dict "envAll" . "serviceName" "elasticsearch" "s3Bucket" $esBucket -}} +{{- if .Values.manifests.certificates }} +{{- $_ := set $s3BucketJob "tlsCertificateSecret" .Values.secrets.tls.elasticsearch.elasticsearch.internal -}} +{{- $_ := set $s3BucketJob "tlsCertificatePath" "/etc/elasticsearch/certs/ca.crt" -}} +{{- end }} {{ $s3BucketJob | include "helm-toolkit.manifests.job_s3_bucket" }} {{- end -}} diff --git a/elasticsearch/templates/statefulset-data.yaml b/elasticsearch/templates/statefulset-data.yaml index 2b7bc32a5..b6befc0ac 100644 --- a/elasticsearch/templates/statefulset-data.yaml +++ b/elasticsearch/templates/statefulset-data.yaml 
@@ -117,7 +117,9 @@ spec: value: {{ printf "%s://%s" (tuple "elasticsearch" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup") (tuple "elasticsearch" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup") }} {{- if .Values.manifests.certificates }} - name: CACERT_OPTION - value: "--cacert /etc/elasticsearch/certs/ca.crt" + value: "--cacert /usr/share/elasticsearch/config/ca.crt" + - name: JAVA_KEYSTORE_CERT_PATH + value: "/usr/share/elasticsearch/config/ca.crt" {{- end }} - name: NODE_MASTER value: "false" @@ -162,7 +164,7 @@ spec: readOnly: true - name: storage mountPath: {{ .Values.conf.elasticsearch.config.path.data }} -{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.elasticsearch.elasticsearch.internal "path" "/etc/elasticsearch/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} +{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.elasticsearch.elasticsearch.internal "path" "/usr/share/elasticsearch/config" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{ if $mounts_elasticsearch.volumeMounts }}{{ toYaml $mounts_elasticsearch.volumeMounts | indent 12 }}{{ end }} volumes: - name: pod-tmp diff --git a/elasticsearch/templates/statefulset-master.yaml b/elasticsearch/templates/statefulset-master.yaml index e9f7e541e..fe41e48c2 100644 --- a/elasticsearch/templates/statefulset-master.yaml +++ b/elasticsearch/templates/statefulset-master.yaml @@ -15,8 +15,6 @@ limitations under the License. {{- if .Values.manifests.statefulset_master }} {{- $envAll := . }} -{{- $s3UserSecret := .Values.secrets.rgw.elasticsearch }} - {{- $mounts_elasticsearch := .Values.pod.mounts.elasticsearch.elasticsearch }} {{- $serviceAccountName := "elasticsearch-master" }} 
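Review bot: The first hunk gives data nodes `JAVA_KEYSTORE_CERT_PATH` but not the `ELASTICSEARCH_PASSWORD` entry that the client, gateway and master templates gain in this patch, while the shared `initiate_keystore` in `_elasticsearch.sh.tpl` now runs keytool with `${ELASTICSEARCH_PASSWORD}` whenever `manifests.certificates` is set. Unless the data StatefulSet already exports that variable elsewhere in the template, keytool is invoked with an empty password and, under `set -e`, the data pods exit before Elasticsearch starts. If it is already present, a short comment next to `JAVA_KEYSTORE_CERT_PATH` such as `# ELASTICSEARCH_PASSWORD (consumed by initiate_keystore) is exported above` would save the next reader the search.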
@@ -122,6 +120,15 @@ spec: value: {{ tuple "elasticsearch" "discovery" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }} - name: ES_JAVA_OPTS value: "{{ .Values.conf.elasticsearch.env.java_opts.master }}" +{{- if .Values.manifests.certificates }} + - name: JAVA_KEYSTORE_CERT_PATH + value: "/usr/share/elasticsearch/config/ca.crt" + - name: ELASTICSEARCH_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.secrets.elasticsearch.user }} + key: ELASTICSEARCH_PASSWORD +{{- end }} {{- if .Values.conf.elasticsearch.snapshots.enabled }} {{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" . | indent 12 }} {{- end }} @@ -151,6 +158,7 @@ spec: readOnly: true - name: storage mountPath: {{ .Values.conf.elasticsearch.config.path.data }} +{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.elasticsearch.elasticsearch.internal "path" "/usr/share/elasticsearch/config" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{ if $mounts_elasticsearch.volumeMounts }}{{ toYaml $mounts_elasticsearch.volumeMounts | indent 12 }}{{ end }} volumes: - name: pod-tmp @@ -165,6 +173,7 @@ spec: secret: secretName: elasticsearch-etc defaultMode: 0444 +{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.elasticsearch.elasticsearch.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{ if $mounts_elasticsearch.volumes }}{{ toYaml $mounts_elasticsearch.volumes | indent 8 }}{{ end }} {{- if not .Values.storage.master.enabled }} - name: storage diff --git a/elasticsearch/values_overrides/tls.yaml b/elasticsearch/values_overrides/tls.yaml index 85b99bf01..50f4f5b97 100644 --- a/elasticsearch/values_overrides/tls.yaml +++ b/elasticsearch/values_overrides/tls.yaml 
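Review bot: The `ELASTICSEARCH_PASSWORD` entry in the first hunk reads `.Values.secrets.elasticsearch.user` directly, whereas the identical blocks added to deployment-client.yaml and deployment-gateway.yaml go through `$esUserSecret`; the visible variable block at the top of this template does not appear to define that variable, so the three copies now diverge for no reason. Either add `{{- $esUserSecret := .Values.secrets.elasticsearch.user }}` alongside the other top-level variables, or better, move the repeated `JAVA_KEYSTORE_CERT_PATH`/`ELASTICSEARCH_PASSWORD` block into a chart-local snippet that all the node templates include. The top-level variable block is outside this hunk.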
@@ -133,6 +133,17 @@ conf: SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 SSLHonorCipherOrder on + elasticsearch: + config: + xpack: + security: + transport: + ssl: + enabled: true + verification_mode: certificate + key: /usr/share/elasticsearch/config/tls.key + certificate: /usr/share/elasticsearch/config/tls.crt + certificate_authorities: ["/usr/share/elasticsearch/config/ca.crt"] manifests: certificates: true ... diff --git a/helm-toolkit/Chart.yaml b/helm-toolkit/Chart.yaml index db0e735ae..f9fe2138b 100644 --- a/helm-toolkit/Chart.yaml +++ b/helm-toolkit/Chart.yaml @@ -15,7 +15,7 @@ apiVersion: v1 appVersion: v1.0.0 description: OpenStack-Helm Helm-Toolkit name: helm-toolkit -version: 0.2.12 +version: 0.2.13 home: https://docs.openstack.org/openstack-helm icon: https://www.openstack.org/themes/openstack/images/project-mascots/OpenStack-Helm/OpenStack_Project_OpenStackHelm_vertical.png sources: diff --git a/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl b/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl index a70c6c1b4..b26bdb4f2 100644 --- a/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl +++ b/helm-toolkit/templates/manifests/_job-s3-bucket.yaml.tpl 
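Review bot: The new `xpack.security.transport.ssl` block turns on transport TLS, but in Elasticsearch 7.x those settings are only applied through the security module, which stays off unless `xpack.security.enabled` is true; that key does not appear in this override, and if it is not set elsewhere in the chart's values the block is ignored and node-to-node traffic remains cleartext despite the release note. Rendering the node config and confirming `xpack.security.enabled: true` (or checking the transport startup log line) would settle it. `verification_mode: certificate` also deserves a one-line comment, e.g. `# certificate: the chain is validated but the peer hostname is not; use full once every node name is in the certificate's SANs`, so the weaker mode reads as a choice rather than an oversight.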
@@ -31,6 +31,8 @@ limitations under the License. {{- $serviceNamePretty := $serviceName | replace "_" "-" -}} {{- $s3UserSecret := index $envAll.Values.secrets.rgw $serviceName -}} {{- $s3Bucket := index . "s3Bucket" | default $serviceName }} +{{- $tlsCertificateSecret := index . "tlsCertificateSecret" -}} +{{- $tlsCertificatePath := index . "tlsCertificatePath" -}} {{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "s3-bucket" }} {{ tuple $envAll "s3_bucket" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} @@ -73,6 +75,10 @@ spec: - -c - /tmp/create-s3-bucket.sh env: +{{- if and ($tlsCertificatePath) ($tlsCertificateSecret) }} + - name: TLS_OPTION + value: {{ printf "--ca-certs=%s" $tlsCertificatePath | quote }} +{{- end }} {{- with $env := dict "s3AdminSecret" $envAll.Values.secrets.rgw.admin }} {{- include "helm-toolkit.snippets.rgw_s3_admin_env_vars" $env | indent 12 }} {{- end }} @@ -96,6 +102,12 @@ spec: subPath: key readOnly: true {{ end }} +{{- if and ($tlsCertificatePath) ($tlsCertificateSecret) }} + - name: {{ $tlsCertificateSecret }} + mountPath: {{ $tlsCertificatePath }} + subPath: ca.crt + readOnly: true +{{- end }} volumes: - name: pod-tmp emptyDir: {} @@ -120,4 +132,10 @@ spec: secret: secretName: pvc-ceph-client-key {{ end }} +{{- if and ($tlsCertificatePath) ($tlsCertificateSecret) }} + - name: {{ $tlsCertificateSecret }} + secret: + secretName: {{ $tlsCertificateSecret }} + defaultMode: 292 +{{- end }} {{- end -}} diff --git a/releasenotes/notes/elasticsearch.yaml b/releasenotes/notes/elasticsearch.yaml index daadf34f6..3fd8df180 100644 --- a/releasenotes/notes/elasticsearch.yaml +++ b/releasenotes/notes/elasticsearch.yaml @@ -15,4 +15,5 @@ elasticsearch: - 0.2.3 Add configurable backoffLimit to templates job - 0.2.4 Update helm-test script - 0.2.5 Enable TLS with Kibana + - 0.2.6 Enable TLS path between nodes in cluster and TLS path between ceph-rgw ... 
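Review bot: The three `if and ($tlsCertificatePath) ($tlsCertificateSecret)` guards render nothing when a caller sets only one of the two keys, so a half-configured call yields a bucket job that reaches rgw with no `TLS_OPTION` and no error at render time. A fail-fast check right after the two new lookups in the first hunk would surface that, e.g. `{{- if ne (empty $tlsCertificatePath) (empty $tlsCertificateSecret) }}{{ fail "tlsCertificateSecret and tlsCertificatePath must be set together" }}{{- end }}`. The usage comment at the top of the template, outside the hunk, should also list the two new optional keys and state that `tlsCertificatePath` is the full path of the mounted file rather than a directory, since the mount uses `subPath: ca.crt` and elasticsearch/templates/job-s3-bucket.yaml passes a file path.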
diff --git a/releasenotes/notes/helm-toolkit.yaml b/releasenotes/notes/helm-toolkit.yaml index ab03ff5b8..7e270fcf5 100644 --- a/releasenotes/notes/helm-toolkit.yaml +++ b/releasenotes/notes/helm-toolkit.yaml @@ -19,4 +19,5 @@ helm-toolkit: - 0.2.10 Add more S3 configuration options - 0.2.11 Revert S3 User & Bucket job scripts to v0.2.9 - 0.2.12 Remove hook-delete-policy + - 0.2.13 Modify connection args for s3 bucket creation when TLS is enabled ...