updated elasticsearch

egovernments · Apr 18, 2024 · 8fbe905 · 8fbe905
1 parent 4a7294d
commit 8fbe905
Show file tree

Hide file tree

Showing 43 changed files with 1,996 additions and 818 deletions.
diff --git a/config-as-code/helm/charts/backbone-services/elasticsearch-data/Chart.yaml b/config-as-code/helm/charts/backbone-services/elasticsearch-data/Chart.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+appVersion: "1.0"
+description: A Helm chart for Confluent Kafka on Kubernetes
+name: elasticsearch-data
+version: 0.1.0
diff --git a/...ices/elasticsearch/templates/_helpers.tpl → ...elasticsearch-data/templates/_helpers.tpl b/...ices/elasticsearch/templates/_helpers.tpl → ...elasticsearch-data/templates/_helpers.tpl
@@ -8,6 +8,46 @@
 {{- end }}
 {{- end }}
 
+{{- define "elasticsearch.roles" -}}
+{{- range $.Values.roles -}}
+{{ . }},
+{{- end -}}
+{{- end -}}
+
+{{/*
+Generate certificates when the secret doesn't exist
+*/}}
+{{- define "elasticsearch.gen-certs" -}}
+{{- $certs := lookup "v1" "Secret" "es-cluster-v8" ( printf "%s-certs" (include "name" . ) ) -}}
+{{- if $certs -}}
+tls.crt: {{ index $certs.data "tls.crt" }}
+tls.key: {{ index $certs.data "tls.key" }}
+ca.crt: {{ index $certs.data "ca.crt" }}
+{{- else -}}
+{{- $altNames := list ( include "elasticsearch.masterService" . ) ( printf "%s.es-cluster-v8" (include "elasticsearch.masterService" .) ) ( printf "%s.es-cluster-v8.svc" (include "elasticsearch.masterService" .) ) -}}
+{{- $ca := genCA "elasticsearch-ca" 365 -}}
+{{- $cert := genSignedCert ( include "elasticsearch.masterService" . ) nil $altNames 365 $ca -}}
+tls.crt: {{ $cert.Cert | toString | b64enc }}
+tls.key: {{ $cert.Key | toString | b64enc }}
+ca.crt: {{ $ca.Cert | toString | b64enc }}
+{{- end -}}
+{{- end -}}
+
+{{- define "elasticsearch.masterService" -}}
+{{- if empty .Values.masterService -}}
+{{- if empty .Values.fullnameOverride -}}
+{{- if empty .Values.nameOverride -}}
+{{ .Values.clusterName }}-master
+{{- else -}}
+{{ .Values.nameOverride }}-master
+{{- end -}}
+{{- else -}}
+{{ .Values.fullnameOverride }}
+{{- end -}}
+{{- else -}}
+{{ .Values.masterService }}
+{{- end -}}
+{{- end -}}
 
 {{- define "elasticsearch.endpoints" -}}
 {{- $replicas := int (toString (.Values.replicas)) }}
@@ -25,7 +65,7 @@
  {{- if and (contains "docker.elastic.co/elasticsearch/elasticsearch" .Values.image.repository) (not (eq $version 0)) -}}
 {{ $version }}
  {{- else -}}
-7
+8
  {{- end -}}
 {{- end -}}
 {{- end -}}

diff --git a/...ticsearch/templates/headless-service.yaml → ...arch-data/templates/headless-service.yaml b/...ticsearch/templates/headless-service.yaml → ...arch-data/templates/headless-service.yaml
diff --git a/...search/templates/poddisruptionbudget.yaml → ...h-data/templates/poddisruptionbudget.yaml b/...search/templates/poddisruptionbudget.yaml → ...h-data/templates/poddisruptionbudget.yaml
diff --git a/config-as-code/helm/charts/backbone-services/elasticsearch-data/templates/secret-cert.yaml b/config-as-code/helm/charts/backbone-services/elasticsearch-data/templates/secret-cert.yaml
@@ -0,0 +1,15 @@
+{{- if .Values.createCert }}
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/tls
+metadata:
+ name: {{ template "name" . }}-certs
+ namespace: {{ .Values.namespace }}
+ labels:
+ app: "{{ template "name" . }}"
+ {{- range $key, $value := .Values.labels }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+data:
+{{ ( include "elasticsearch.gen-certs" . ) | indent 2 }}
+{{- end }}
diff --git a/config-as-code/helm/charts/backbone-services/elasticsearch-data/templates/secret.yaml b/config-as-code/helm/charts/backbone-services/elasticsearch-data/templates/secret.yaml
@@ -0,0 +1,21 @@
+{{- if .Values.secret.enabled -}}
+{{- $passwordValue := (randAlphaNum 24) | b64enc | quote }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ template "name" . }}-credentials
+ namespace: {{ .Values.namespace }}
+ labels:
+ app: "{{ template "name" . }}"
+ {{- range $key, $value := .Values.labels }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+type: Opaque
+data:
+ username: {{ "elastic" | b64enc }}
+ {{- if .Values.secret.password }}
+ password: {{ .Values.secret.password | b64enc }}
+ {{- else }}
+ password: {{ $passwordValue }}
+ {{- end }}
+{{- end }}
diff --git a/...ices/elasticsearch/templates/service.yaml → ...elasticsearch-data/templates/service.yaml b/...ices/elasticsearch/templates/service.yaml → ...elasticsearch-data/templates/service.yaml
diff --git a/.../elasticsearch/templates/statefulset.yaml → ...ticsearch-data/templates/statefulset.yaml b/.../elasticsearch/templates/statefulset.yaml → ...ticsearch-data/templates/statefulset.yaml
@@ -114,6 +114,11 @@ spec:
  configMap:
  name: {{ template "name" . }}-config
  {{- end }}
+ {{- if .Values.createCert }}
+ - name: elasticsearch-certs
+ secret:
+ secretName: {{ template "name" . }}-certs
+ {{- end }}
 {{- if .Values.keystore }}
  - name: keystore
  emptyDir: {}
@@ -150,6 +155,8 @@ spec:
  {{- end }}
 {{ if .Values.keystore }}
  - name: keystore
+ securityContext:
+{{ toYaml .Values.securityContext | indent 10 }}
  image: {{ template "common.image" (dict "Values" .Values "repository" .Values.image.repository "tag" .Values.image.tag) }}
  imagePullPolicy: "{{ .Values.image.pullPolicy }}"
  command:
@@ -195,8 +202,6 @@ spec:
 {{ toYaml .Values.extraInitContainers | indent 6 }}
  {{- end }}
  {{- end }}
- imagePullSecrets:
- - name: docker-registry-secret
  containers:
  - name: "elasticsearch"
  securityContext:
@@ -206,26 +211,45 @@ spec:
  readinessProbe:
  exec:
  command:
- - sh
+ - bash
  - -c
  - |
- #!/usr/bin/env bash -e
- # If the node is starting up wait for the cluster to be ready (request params: '{{ .Values.clusterHealthCheckParams }}' )
+ set -e
+
+ # Exit if ELASTIC_PASSWORD in unset
+ if [ -z "${ELASTIC_PASSWORD}" ]; then
+ echo "ELASTIC_PASSWORD variable is missing, exiting"
+ exit 1
+ fi
+
+ # If the node is starting up wait for the cluster to be ready (request params: "{{ .Values.clusterHealthCheckParams }}" )
  # Once it has started only check that the node itself is responding
  START_FILE=/tmp/.es_start_file
 
- if [ -n "${ELASTIC_USERNAME}" ] && [ -n "${ELASTIC_PASSWORD}" ]; then
- BASIC_AUTH="-u ${ELASTIC_USERNAME}:${ELASTIC_PASSWORD}"
- else
- BASIC_AUTH=''
- fi
+ # Disable nss cache to avoid filling dentry cache when calling curl
+ # This is required with Elasticsearch Docker using nss < 3.52
+ export NSS_SDB_USE_CACHE=no
+
+ http () {
+ local path="${1}"
+ local args="${2}"
+ set -- -XGET -s
+
+ if [ "$args" != "" ]; then
+ set -- "$@" $args
+ fi
+
+ set -- "$@" -u "elastic:${ELASTIC_PASSWORD}"
+
+ curl --output /dev/null -k "$@" "{{ .Values.protocol }}://127.0.0.1:{{ .Values.httpPort }}${path}"
+ }
 
  if [ -f "${START_FILE}" ]; then
  echo 'Elasticsearch is already running, lets check the node is healthy'
- HTTP_CODE=$(curl -XGET -s -k ${BASIC_AUTH} -o /dev/null -w '%{http_code}' {{ .Values.protocol }}://127.0.0.1:{{ .Values.httpPort }}/)
+ HTTP_CODE=$(http "/" "-w %{http_code}")
  RC=$?
  if [[ ${RC} -ne 0 ]]; then
- echo "curl -XGET -s -k \${BASIC_AUTH} -o /dev/null -w '%{http_code}' {{ .Values.protocol }}://127.0.0.1:{{ .Values.httpPort }}/ failed with RC ${RC}"
+ echo "curl --output /dev/null -k -XGET -s -w '%{http_code}' \${BASIC_AUTH} {{ .Values.protocol }}://127.0.0.1:{{ .Values.httpPort }}/ failed with RC ${RC}"
  exit ${RC}
  fi
  # ready if HTTP code 200, 503 is tolerable if ES version is 6.x
@@ -234,13 +258,13 @@ spec:
  elif [[ ${HTTP_CODE} == "503" && "{{ include "elasticsearch.esMajorVersion" . }}" == "6" ]]; then
  exit 0
  else
- echo "curl -XGET -s -k \${BASIC_AUTH} -o /dev/null -w '%{http_code}' {{ .Values.protocol }}://127.0.0.1:{{ .Values.httpPort }}/ failed with HTTP code ${HTTP_CODE}"
+ echo "curl --output /dev/null -k -XGET -s -w '%{http_code}' \${BASIC_AUTH} {{ .Values.protocol }}://127.0.0.1:{{ .Values.httpPort }}/ failed with HTTP code ${HTTP_CODE}"
  exit 1
  fi
 
  else
  echo 'Waiting for elasticsearch cluster to become ready (request params: "{{ .Values.clusterHealthCheckParams }}" )'
- if curl -XGET -s -k --fail ${BASIC_AUTH} {{ .Values.protocol }}://127.0.0.1:{{ .Values.httpPort }}/_cluster/health?{{ .Values.clusterHealthCheckParams }} ; then
+ if http "/_cluster/health?{{ .Values.clusterHealthCheckParams }}" "--fail" ; then
  touch ${START_FILE}
  exit 0
  else
@@ -261,31 +285,57 @@ spec:
  valueFrom:
  fieldRef:
  fieldPath: metadata.name
- {{- if eq .Values.roles.master "true" }}
- {{- if ge (int (include "elasticsearch.esMajorVersion" .)) 7 }}
+ {{- if has "master" .Values.roles }}
  - name: cluster.initial_master_nodes
  value: "{{ template "elasticsearch.endpoints" . }}"
- {{- else }}
- - name: discovery.zen.minimum_master_nodes
- value: "{{ .Values.minimumMasterNodes }}"
  {{- end }}
+ {{- if gt (len (include "elasticsearch.roles" .)) 0 }}
+ - name: node.roles
+ value: "{{ template "elasticsearch.roles" . }}"
  {{- end }}
  {{- if lt (int (include "elasticsearch.esMajorVersion" .)) 7 }}
  - name: discovery.zen.ping.unicast.hosts
- value: {{ .Values.masterService | quote }}
+ value: "{{ template "elasticsearch.masterService" . }}-headless"
  {{- else }}
  - name: discovery.seed_hosts
- value: {{ .Values.masterService | quote }}
+ value: "{{ template "elasticsearch.masterService" . }}-headless"
  {{- end }}
  - name: cluster.name
  value: {{ .Values.clusterName | quote }}
  - name: network.host
- value: {{ .Values.networkHost | quote }} 
+ value: {{ .Values.networkHost | quote }}
+ {{- if .Values.secret.enabled }}
+ - name: ELASTIC_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ template "name" . }}-credentials
+ key: password
+ {{- end }}
  - name: ES_JAVA_OPTS
  value: {{ .Values.esJavaOpts | quote }}
- {{- range $role, $enabled := .Values.roles }}
- - name: node.{{ $role }}
- value: {{ $enabled | quote }}
+ {{- if .Values.createCert }}
+ - name: xpack.security.enabled
+ value: "true"
+ - name: xpack.security.transport.ssl.enabled
+ value: "true"
+ - name: xpack.security.enrollment.enabled
+ value: "true"
+ - name: xpack.security.http.ssl.enabled
+ value: "true"
+ - name: xpack.security.transport.ssl.verification_mode
+ value: "certificate"
+ - name: xpack.security.transport.ssl.key
+ value: "/usr/share/elasticsearch/config/certs/tls.key"
+ - name: xpack.security.transport.ssl.certificate
+ value: "/usr/share/elasticsearch/config/certs/tls.crt"
+ - name: xpack.security.transport.ssl.certificate_authorities
+ value: "/usr/share/elasticsearch/config/certs/ca.crt"
+ - name: xpack.security.http.ssl.key
+ value: "/usr/share/elasticsearch/config/certs/tls.key"
+ - name: xpack.security.http.ssl.certificate
+ value: "/usr/share/elasticsearch/config/certs/tls.crt"
+ - name: xpack.security.http.ssl.certificate_authorities
+ value: "/usr/share/elasticsearch/config/certs/ca.crt"
  {{- end }}
 {{- if .Values.extraEnvs }}
 {{ toYaml .Values.extraEnvs | indent 10 }}
@@ -299,6 +349,11 @@ spec:
  - name: "es-storage"
  mountPath: /usr/share/elasticsearch/data
  {{- end }}
+ {{- if .Values.createCert }}
+ - name: elasticsearch-certs
+ mountPath: /usr/share/elasticsearch/config/certs
+ readOnly: true
+ {{- end }}
 {{ if .Values.keystore }}
  - name: keystore
  mountPath: /usr/share/elasticsearch/config/elasticsearch.keystore
@@ -327,7 +382,7 @@ spec:
  {{- end }}
  {{- end }}
  {{- if .Values.masterTerminationFix }}
- {{- if eq .Values.roles.master "true" }}
+ {{- if has "master" .Values.roles }}
  # This sidecar will prevent slow master re-election
  # https://github.com/elastic/helm-charts/issues/63
  - name: elasticsearch-master-graceful-termination-handler