From 5df97616b98efa125591dce58e682ea2386bd24d Mon Sep 17 00:00:00 2001
From: Thibault Richard
Date: Tue, 8 Sep 2020 10:10:23 +0200
Subject: [PATCH 1/5] Support new auth config format starting EnterpriseSearch 8.x
---
 pkg/controller/enterprisesearch/config.go | 32 ++++++++++++++++++-----
 1 file changed, 25 insertions(+), 7 deletions(-)
diff --git a/pkg/controller/enterprisesearch/config.go b/pkg/controller/enterprisesearch/config.go
index 9e242dfb11..9481e3f068 100644
--- a/pkg/controller/enterprisesearch/config.go
+++ b/pkg/controller/enterprisesearch/config.go
@@ -9,6 +9,11 @@ import (
 "net"
 "path/filepath"
+ corev1 "k8s.io/api/core/v1"
+ apierrors "k8s.io/apimachinery/pkg/api/errors"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/types"
+
 commonv1 "github.com/elastic/cloud-on-k8s/pkg/apis/common/v1"
 entv1beta1 "github.com/elastic/cloud-on-k8s/pkg/apis/enterprisesearch/v1beta1"
 "github.com/elastic/cloud-on-k8s/pkg/controller/association"
@@ -17,14 +22,11 @@ import (
 "github.com/elastic/cloud-on-k8s/pkg/controller/common/driver"
 "github.com/elastic/cloud-on-k8s/pkg/controller/common/reconciler"
 "github.com/elastic/cloud-on-k8s/pkg/controller/common/settings"
+ "github.com/elastic/cloud-on-k8s/pkg/controller/common/version"
 "github.com/elastic/cloud-on-k8s/pkg/controller/common/volume"
 "github.com/elastic/cloud-on-k8s/pkg/controller/enterprisesearch/name"
 "github.com/elastic/cloud-on-k8s/pkg/utils/k8s"
 netutil "github.com/elastic/cloud-on-k8s/pkg/utils/net"
- corev1 "k8s.io/api/core/v1"
- apierrors "k8s.io/apimachinery/pkg/api/errors"
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- "k8s.io/apimachinery/pkg/types"
 )
 const (
@@ -251,16 +253,32 @@ func associationConfig(c k8s.Client, ent entv1beta1.EnterpriseSearch) (*settings
 return settings.NewCanonicalConfig(), nil
 }
+ // origin of authenticated ent users setting changed starting 8.x
+ cfg := settings.MustCanonicalConfig(map[string]string{
+ "ent_search.auth.source": "elasticsearch-native",
+ })
+ ver, err := version.Parse(ent.Spec.Version)
+ if err != nil {
+ return nil, err
+ }
+ if ver.IsSameOrAfter(version.From(8, 0, 0)) {
+ cfg = settings.MustCanonicalConfig(map[string]string{
+ "ent_search.auth.native1.source": "elasticsearch-native",
+ "ent_search.auth.native1.order": "-100",
+ })
+ }
+
 username, password, err := association.ElasticsearchAuthSettings(c, &ent)
 if err != nil {
 return nil, err
 }
- cfg := settings.MustCanonicalConfig(map[string]string{
- "ent_search.auth.source": "elasticsearch-native",
+ if err := cfg.MergeWith(settings.MustCanonicalConfig(map[string]string{
 "elasticsearch.host": ent.AssociationConf().URL,
 "elasticsearch.username": username,
 "elasticsearch.password": password,
- })
+ })); err != nil {
+ return nil, err
+ }
 if ent.AssociationConf().CAIsConfigured() {
 if err := cfg.MergeWith(settings.MustCanonicalConfig(map[string]interface{}{
From a1a9717b815f95c88462ec2a70707e6135f9efa4 Mon Sep 17 00:00:00 2001
From: Thibault Richard
Date: Tue, 8 Sep 2020 11:41:20 +0200
Subject: [PATCH 2/5] Move comment
---
 pkg/controller/enterprisesearch/config.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/controller/enterprisesearch/config.go b/pkg/controller/enterprisesearch/config.go
index 9481e3f068..d693dd966a 100644
--- a/pkg/controller/enterprisesearch/config.go
+++ b/pkg/controller/enterprisesearch/config.go
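Review bot: In associationConfig (PATCH 1/5) the error from `version.Parse(ent.Spec.Version)` is returned bare, so a failed reconcile does not say that the Enterprise Search version string was what could not be parsed. Wrapping it, for example `return nil, fmt.Errorf("parsing Enterprise Search version %q: %w", ent.Spec.Version, err)`, would make that visible; this assumes `fmt` is already imported, which the import hunk does not show. The same version check decides which authentication source key is written next to the Elasticsearch credentials, and how `IsSameOrAfter(version.From(8, 0, 0))` treats a pre-release 8.0.0 string depends on the version package, which is outside this patch, so a one-line comment stating the intended behaviour for such versions would help. The function body starts and ends outside the hunk.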
@@ -253,7 +253,6 @@ func associationConfig(c k8s.Client, ent entv1beta1.EnterpriseSearch) (*settings
 return settings.NewCanonicalConfig(), nil
 }
- // origin of authenticated ent users setting changed starting 8.x
 cfg := settings.MustCanonicalConfig(map[string]string{
 "ent_search.auth.source": "elasticsearch-native",
 })
@@ -261,6 +260,7 @@ func associationConfig(c k8s.Client, ent entv1beta1.EnterpriseSearch) (*settings
 if err != nil {
 return nil, err
 }
+ // origin of authenticated ent users setting changed starting 8.x
 if ver.IsSameOrAfter(version.From(8, 0, 0)) {
 cfg = settings.MustCanonicalConfig(map[string]string{
 "ent_search.auth.native1.source": "elasticsearch-native",
From 01308400ea7294afd77cfd31675c1260385a974e Mon Sep 17 00:00:00 2001
From: Thibault Richard
Date: Tue, 8 Sep 2020 11:41:36 +0200
Subject: [PATCH 3/5] Update map type
---
 pkg/controller/enterprisesearch/config.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pkg/controller/enterprisesearch/config.go b/pkg/controller/enterprisesearch/config.go
index d693dd966a..89413f1950 100644
--- a/pkg/controller/enterprisesearch/config.go
+++ b/pkg/controller/enterprisesearch/config.go
@@ -262,9 +262,9 @@ func associationConfig(c k8s.Client, ent entv1beta1.EnterpriseSearch) (*settings
 }
 // origin of authenticated ent users setting changed starting 8.x
 if ver.IsSameOrAfter(version.From(8, 0, 0)) {
- cfg = settings.MustCanonicalConfig(map[string]string{
+ cfg = settings.MustCanonicalConfig(map[string]interface{}{
 "ent_search.auth.native1.source": "elasticsearch-native",
- "ent_search.auth.native1.order": "-100",
+ "ent_search.auth.native1.order": -100,
 })
 }
From 7bda4a3447ca1a67a5d10ff71691ccdc177c7865 Mon Sep 17 00:00:00 2001
From: Thibault Richard
Date: Tue, 8 Sep 2020 11:45:46 +0200
Subject: [PATCH 4/5] Unit test
---
 .../enterprisesearch/config_test.go | 81 ++++++++++++++++++-
 1 file changed, 78 insertions(+), 3 deletions(-)
diff --git a/pkg/controller/enterprisesearch/config_test.go b/pkg/controller/enterprisesearch/config_test.go
index f0590f06c1..ccbda8b151 100644
--- a/pkg/controller/enterprisesearch/config_test.go
+++ b/pkg/controller/enterprisesearch/config_test.go
@@ -46,12 +46,15 @@ func secretWithConfig(name string, cfg []byte) *corev1.Secret {
 }
 }
-func entWithAssociation(name string, associationConf commonv1.AssociationConf) entv1beta1.EnterpriseSearch {
+func entWithAssociation(name string, version string, associationConf commonv1.AssociationConf) entv1beta1.EnterpriseSearch {
 ent := entv1beta1.EnterpriseSearch{
 ObjectMeta: metav1.ObjectMeta{
 Namespace: "ns",
 Name: name,
 },
+ Spec: entv1beta1.EnterpriseSearchSpec{
+ Version: version,
+ },
 }
 ent.SetAssociationConf(&associationConf)
 return ent
@@ -243,6 +246,9 @@ func TestReconcileConfig(t *testing.T) {
 Namespace: "ns",
 Name: "sample",
 },
+ Spec: entv1beta1.EnterpriseSearchSpec{
+ Version: "7.9.1",
+ },
 },
 ipFamily: corev1.IPv4Protocol,
 wantSecretEntries: []string{
@@ -272,6 +278,9 @@ func TestReconcileConfig(t *testing.T) {
 Namespace: "ns",
 Name: "sample",
 },
+ Spec: entv1beta1.EnterpriseSearchSpec{
+ Version: "7.9.1",
+ },
 },
 ipFamily: corev1.IPv6Protocol,
 wantSecretEntries: []string{
@@ -314,6 +323,9 @@ func TestReconcileConfig(t *testing.T) {
 Namespace: "ns",
 Name: "sample",
 },
+ Spec: entv1beta1.EnterpriseSearchSpec{
+ Version: "7.9.1",
+ },
 },
 wantSecretEntries: []string{
 "allow_es_settings_modification: true",
@@ -336,7 +348,56 @@ func TestReconcileConfig(t *testing.T) {
 },
 {
 name: "with Elasticsearch association",
- ent: entWithAssociation("sample", commonv1.AssociationConf{
+ ent: entWithAssociation("sample", "7.9.1", commonv1.AssociationConf{
+ AuthSecretName: "sample-ent-user",
+ AuthSecretKey: "ns-sample-ent-user",
+ CACertProvided: true,
+ CASecretName: "sample-ent-es-ca",
+ URL: "https://elasticsearch-sample-es-http.default.svc:9200",
+ }),
+ runtimeObjs: []runtime.Object{
+ &corev1.Secret{
+ ObjectMeta: metav1.ObjectMeta{
+ Namespace: "ns",
+ Name: "sample-ent-user",
+ },
+ Data: map[string][]byte{
+ "ns-sample-ent-user": []byte("mypassword"),
+ },
+ },
+ },
+ ipFamily: corev1.IPv4Protocol,
+ wantSecretEntries: []string{
+ "allow_es_settings_modification: true",
+ "elasticsearch:",
+ "host: https://elasticsearch-sample-es-http.default.svc:9200",
+ "password: mypassword",
+ "ssl:",
+ "certificate_authority: /mnt/elastic-internal/es-certs/tls.crt",
+ "enabled: true",
+ "username: ns-sample-ent-user",
+ "ent_search:",
+ "auth:",
+ "source: elasticsearch-native",
+ "external_url: https://localhost:3002",
+ "filebeat_log_directory: /var/log/enterprise-search",
+ "listen_host: 0.0.0.0",
+ "log_directory: /var/log/enterprise-search",
+ "ssl:",
+ "certificate: /mnt/elastic-internal/http-certs/tls.crt",
+ "certificate_authorities:",
+ "- /mnt/elastic-internal/http-certs/ca.crt",
+ "enabled: true",
+ "key: /mnt/elastic-internal/http-certs/tls.key",
+ "secret_management:",
+ "encryption_keys:",
+ "-", // don't check the actual encryption key
+ "secret_session_key:", // don't check the actual secret session key
+ },
+ },
+ {
+ name: "with Elasticsearch association, support new auth config starting 8x",
+ ent: entWithAssociation("sample", "8.0.0", commonv1.AssociationConf{
 AuthSecretName: "sample-ent-user",
 AuthSecretKey: "ns-sample-ent-user",
 CACertProvided: true,
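Review bot: The version gate is exercised at only two points, `7.9.1` in the case added here and `8.0.0` in the case that begins at the end of this hunk, so nothing pins how a pre-release version string for 8.0.0 is classified, or that an unparseable `Spec.Version` makes the reconcile fail rather than emit the 7.x key. Since that branch decides which authentication source key ends up in the generated config, one or two extra table entries for those inputs would be worth adding. The two association cases also duplicate the whole `runtimeObjs` fixture; a small helper returning the shared user secret would keep the real difference between the cases visible. The second case continues past the end of the hunk.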
@@ -366,7 +427,9 @@ func TestReconcileConfig(t *testing.T) {
 "username: ns-sample-ent-user",
 "ent_search:",
 "auth:",
+ "native1:",
 "source: elasticsearch-native",
+ "order: -100",
 "external_url: https://localhost:3002",
 "filebeat_log_directory: /var/log/enterprise-search",
 "listen_host: 0.0.0.0",
@@ -392,6 +455,7 @@ func TestReconcileConfig(t *testing.T) {
 Name: "sample",
 },
 Spec: entv1beta1.EnterpriseSearchSpec{
+ Version: "7.9.1",
 Config: &commonv1.Config{Data: map[string]interface{}{
 "foo": "bar", // new setting
 "ent_search.external_url": "https://my.own.dns.com", // override existing setting
@@ -438,6 +502,7 @@ func TestReconcileConfig(t *testing.T) {
 Name: "sample",
 },
 Spec: entv1beta1.EnterpriseSearchSpec{
+ Version: "7.9.1",
 Config: &commonv1.Config{Data: map[string]interface{}{
 "foo": "bar", // new setting
 "ent_search.external_url": "https://my.own.dns.com", // override existing setting
@@ -520,6 +585,9 @@ func TestReconcileConfig_ReadinessProbe(t *testing.T) {
 Namespace: "ns",
 Name: "sample",
 },
+ Spec: entv1beta1.EnterpriseSearchSpec{
+ Version: "7.9.1",
+ },
 },
 ipFamily: corev1.IPv4Protocol,
 wantCmd: `curl -g -o /dev/null -w "%{http_code}" https://127.0.0.1:3002/api/ent/v1/internal/health -k -s --max-time ${READINESS_PROBE_TIMEOUT}`, // no ES basic auth
@@ -532,6 +600,9 @@ func TestReconcileConfig_ReadinessProbe(t *testing.T) {
 Namespace: "ns",
 Name: "sample",
 },
+ Spec: entv1beta1.EnterpriseSearchSpec{
+ Version: "7.9.1",
+ },
 },
 ipFamily: corev1.IPv6Protocol,
 wantCmd: `curl -g -o /dev/null -w "%{http_code}" https://[::1]:3002/api/ent/v1/internal/health -k -s --max-time ${READINESS_PROBE_TIMEOUT}`, // no ES basic auth
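Review bot: In the hunk at `@@ -366,7 +427,9 @@` the 8.x expectation adds `"native1:"` and `"order: -100"` but keeps `"source: elasticsearch-native"`, which is the same string the 7.x case expects. How `wantSecretEntries` is compared is not visible in this patch; if it is a per-line match, the test cannot tell `ent_search.auth.native1.source` from a legacy `ent_search.auth.source` left in the output. Asserting on the rendered `ent_search.auth` subtree as a whole, or adding a comment that the order of entries is significant, would make the intent checkable.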
@@ -554,13 +625,16 @@ func TestReconcileConfig_ReadinessProbe(t *testing.T) {
 Namespace: "ns",
 Name: "sample",
 },
+ Spec: entv1beta1.EnterpriseSearchSpec{
+ Version: "7.9.1",
+ },
 },
 ipFamily: corev1.IPv4Protocol,
 wantCmd: `curl -g -o /dev/null -w "%{http_code}" https://127.0.0.1:3002/api/ent/v1/internal/health -k -s --max-time ${READINESS_PROBE_TIMEOUT}`, // no ES basic auth
 },
 {
 name: "with ES association: use ES user credentials",
- ent: entWithAssociation("sample", commonv1.AssociationConf{
+ ent: entWithAssociation("sample", "7.9.1", commonv1.AssociationConf{
 AuthSecretName: "sample-ent-user",
 AuthSecretKey: "ns-sample-ent-user",
 CACertProvided: true,
@@ -600,6 +674,7 @@ func TestReconcileConfig_ReadinessProbe(t *testing.T) {
 Name: "sample",
 },
 Spec: entv1beta1.EnterpriseSearchSpec{
+ Version: "7.9.0",
 ConfigRef: &commonv1.ConfigSource{
 SecretRef: commonv1.SecretRef{SecretName: "my-config"},
 },
From 9d375761bf23662af1086c48ba55964a8aee6a07 Mon Sep 17 00:00:00 2001
From: Thibault Richard
Date: Tue, 8 Sep 2020 11:51:05 +0200
Subject: [PATCH 5/5] go fmt
---
 pkg/controller/enterprisesearch/config.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/controller/enterprisesearch/config.go b/pkg/controller/enterprisesearch/config.go
index 89413f1950..c82cd03d41 100644
--- a/pkg/controller/enterprisesearch/config.go
+++ b/pkg/controller/enterprisesearch/config.go
@@ -264,7 +264,7 @@ func associationConfig(c k8s.Client, ent entv1beta1.EnterpriseSearch) (*settings
 if ver.IsSameOrAfter(version.From(8, 0, 0)) {
 cfg = settings.MustCanonicalConfig(map[string]interface{}{
 "ent_search.auth.native1.source": "elasticsearch-native",
- "ent_search.auth.native1.order": -100,
+ "ent_search.auth.native1.order": -100,
 })
 }