From 830df06628e4257ddc656a8869f3705e7b148f49 Mon Sep 17 00:00:00 2001
From: "Lo, Chi (cl566n)"
Date: Thu, 5 Aug 2021 14:39:09 -0700
Subject: [PATCH] Enable TLS path between Prometheus-elasticsearch-exporter and Elasticsearch

Elasticsearch is TLS enabled. Prometheus-elasticsearch-exporter needs to be configured to use cacert when communicating with Elasticsearch.
Change-Id: I4a87226fed541777df78733f3650363859ff01b8
---
 elasticsearch/Chart.yaml | 2 +-
 .../prometheus/exporter-deployment.yaml | 15 +++++----------
 elasticsearch/values.yaml | 4 ----
 releasenotes/notes/elasticsearch.yaml | 1 +
 4 files changed, 7 insertions(+), 15 deletions(-)
diff --git a/elasticsearch/Chart.yaml b/elasticsearch/Chart.yaml
index 0037e239d..cf6ac267b 100644
--- a/elasticsearch/Chart.yaml
+++ b/elasticsearch/Chart.yaml
@@ -15,7 +15,7 @@ apiVersion: v1
 appVersion: v7.6.2
 description: OpenStack-Helm ElasticSearch
 name: elasticsearch
-version: 0.2.9
+version: 0.2.10
 home: https://www.elastic.co/
 sources:
 - https://github.com/elastic/elasticsearch
diff --git a/elasticsearch/templates/monitoring/prometheus/exporter-deployment.yaml b/elasticsearch/templates/monitoring/prometheus/exporter-deployment.yaml
index ba5673933..ec8e4db24 100644
--- a/elasticsearch/templates/monitoring/prometheus/exporter-deployment.yaml
+++ b/elasticsearch/templates/monitoring/prometheus/exporter-deployment.yaml
@@ -73,18 +73,11 @@ spec:
 {{- if .Values.conf.prometheus_elasticsearch_exporter.es.snapshots }}
 - '--es.snapshots'
 {{- end }}
- {{- if .Values.conf.prometheus_elasticsearch_exporter.es.ssl_skip_verify }}
+ {{- if .Values.manifests.certificates }}
+ - '--es.ca=/tmp/elasticsearch/certs/ca.crt'
+ {{- else }}
 - '--es.ssl-skip-verify'
 {{- end }}
- {{- if .Values.conf.prometheus_elasticsearch_exporter.es.ca }}
- - '--es.ca={{ .Values.conf.prometheus_elasticsearch_exporter.es.ca }}'
- {{- end }}
- {{- if .Values.conf.prometheus_elasticsearch_exporter.es.client_private_key }}
- - '--es.client-private-key={{ .Values.conf.prometheus_elasticsearch_exporter.es.client_private_key }}'
- {{- end }}
- {{- if .Values.conf.prometheus_elasticsearch_exporter.es.client_cert }}
- - '--es.client-cert={{ .Values.conf.prometheus_elasticsearch_exporter.es.client_cert }}'
- {{- end }}
 env:
 - name: ELASTICSEARCH_URI
 valueFrom:
@@ -102,7 +95,9 @@ spec:
 volumeMounts:
 - name: pod-tmp
 mountPath: /tmp
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.elasticsearch.elasticsearch.internal "path" "/tmp/elasticsearch/certs" "certs" tuple "ca.crt" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
 volumes:
 - name: pod-tmp
 emptyDir: {}
+{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.elasticsearch.elasticsearch.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
 {{- end }}
diff --git a/elasticsearch/values.yaml b/elasticsearch/values.yaml
index 1684f10d0..18bf1533d 100644
--- a/elasticsearch/values.yaml
+++ b/elasticsearch/values.yaml
@@ -743,10 +743,6 @@ conf:
 indices_settings: true
 shards: true
 snapshots: true
- ssl_skip_verify: true
- ca: null
- client_private_key: null
- client_cert: null
 api_objects: {} # Fill this map with API objects to create once Elasticsearch is deployed
diff --git a/releasenotes/notes/elasticsearch.yaml b/releasenotes/notes/elasticsearch.yaml
index 3b7306555..718531aa1 100644
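Review bot: With the new `{{- else }}` branch in the exporter args, `--es.ssl-skip-verify` is passed whenever `.Values.manifests.certificates` is false, and since `ssl_skip_verify`, `ca`, `client_private_key` and `client_cert` are dropped from values.yaml, an operator can no longer enable verification against their own CA or present a client certificate. `ELASTICSEARCH_URI` is injected through `valueFrom` a few lines below, so if that URI embeds credentials (not visible here) they would travel over a TLS session whose peer is never authenticated. I would keep skip-verify as an explicit opt-in, `{{- else if .Values.conf.prometheus_elasticsearch_exporter.es.ssl_skip_verify }}`, with that key retained in values.yaml. The release note should also list the removed options, because existing overrides that set them are now silently ignored. The container spec this list belongs to starts and ends outside the hunk.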
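Review bot: The path `/tmp/elasticsearch/certs` on the added `tls_volume_mount` line is a second copy of the literal in `--es.ca=/tmp/elasticsearch/certs/ca.crt` from the args hunk, and nothing keeps the two in step. The args branch also tests only `.Values.manifests.certificates`, while the mount additionally depends on `.Values.secrets.tls.elasticsearch.elasticsearch.internal`. If the helm-toolkit snippet renders nothing for an empty secret name (its body is not shown here), the exporter would start with an `--es.ca` path that does not exist. A template comment above the mount, `{{/* mount path must match the --es.ca argument in args */}}`, would document the coupling. It would also help to note there that only `ca.crt` is mounted from a secret that presumably also holds the server key.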
--- a/releasenotes/notes/elasticsearch.yaml
+++ b/releasenotes/notes/elasticsearch.yaml
@@ -19,4 +19,5 @@ elasticsearch:
 - 0.2.7 Get connection option from values.yaml
 - 0.2.8 Use full image ref for docker official images
 - 0.2.9 Removed repo verification check from helm-test
+ - 0.2.10 Enable TLS path between Prometheus-elasticsearch-exporter and Elasticsearch
 ...