WPB-6717 brig: Support connecting to Elasticsearch over TLS (#3989)

Co-authored-by: Leif Battermann <[email protected]>
wireapp · Apr 25, 2024 · f5ffe5e · f5ffe5e
1 parent 6a21f27
commit f5ffe5e
Show file tree

Hide file tree

Showing 50 changed files with 1,107 additions and 356 deletions.
diff --git a/Makefile b/Makefile
@@ -273,9 +273,17 @@ db-reset: c
 	./dist/gundeck-schema --keyspace gundeck_test2 --replication-factor 1 --reset
 	./dist/spar-schema --keyspace spar_test2 --replication-factor 1 --reset
 	./integration/scripts/integration-dynamic-backends-db-schemas.sh --replication-factor 1 --reset
-	./dist/brig-index reset --elasticsearch-index-prefix directory --elasticsearch-server http://localhost:9200 --elasticsearch-credentials ./services/brig/test/resources/elasticsearch-credentials.yaml > /dev/null
-	./dist/brig-index reset --elasticsearch-index-prefix directory2 --elasticsearch-server http://localhost:9200 --elasticsearch-credentials ./services/brig/test/resources/elasticsearch-credentials.yaml > /dev/null
-	./integration/scripts/integration-dynamic-backends-brig-index.sh --elasticsearch-server http://localhost:9200 --elasticsearch-credentials ./services/brig/test/resources/elasticsearch-credentials.yaml > /dev/null
+	./dist/brig-index reset \
+		--elasticsearch-index-prefix directory \
+		--elasticsearch-server https://localhost:9200 \
+		--elasticsearch-credentials ./services/brig/test/resources/elasticsearch-credentials.yaml > /dev/null
+	./dist/brig-index reset \
+		--elasticsearch-index-prefix directory2 \
+		--elasticsearch-server https://localhost:9200 \
+		--elasticsearch-credentials ./services/brig/test/resources/elasticsearch-credentials.yaml > /dev/null
+	./integration/scripts/integration-dynamic-backends-brig-index.sh \
+		--elasticsearch-server https://localhost:9200 \
+		--elasticsearch-credentials ./services/brig/test/resources/elasticsearch-credentials.yaml > /dev/null
 
 
 
@@ -291,9 +299,20 @@ db-migrate: c
 	./dist/gundeck-schema --keyspace gundeck_test2 --replication-factor 1 > /dev/null
 	./dist/spar-schema --keyspace spar_test2 --replication-factor 1 > /dev/null
 	./integration/scripts/integration-dynamic-backends-db-schemas.sh --replication-factor 1 > /dev/null
-	./dist/brig-index reset --elasticsearch-index-prefix directory --elasticsearch-server http://localhost:9200 --elasticsearch-credentials ./services/brig/test/resources/elasticsearch-credentials.yaml > /dev/null
-	./dist/brig-index reset --elasticsearch-index-prefix directory2 --elasticsearch-server http://localhost:9200 --elasticsearch-credentials ./services/brig/test/resources/elasticsearch-credentials.yaml > /dev/null
-	./integration/scripts/integration-dynamic-backends-brig-index.sh --elasticsearch-server http://localhost:9200 --elasticsearch-credentials ./services/brig/test/resources/elasticsearch-credentials.yaml > /dev/null
+	./dist/brig-index reset \
+		--elasticsearch-index-prefix directory \
+		--elasticsearch-server https://localhost:9200 \
+	  --elasticsearch-ca-cert ./services/brig/test/resources/elasticsearch-ca.pem \
+		--elasticsearch-credentials ./services/brig/test/resources/elasticsearch-credentials.yaml > /dev/null
+	./dist/brig-index reset \
+		--elasticsearch-index-prefix directory2 \
+		--elasticsearch-server https://localhost:9200 \
+	  --elasticsearch-ca-cert ./services/brig/test/resources/elasticsearch-ca.pem \
+		--elasticsearch-credentials ./services/brig/test/resources/elasticsearch-credentials.yaml > /dev/null
+	./integration/scripts/integration-dynamic-backends-brig-index.sh \
+		--elasticsearch-server https://localhost:9200 \
+	  --elasticsearch-ca-cert ./services/brig/test/resources/elasticsearch-ca.pem \
+		--elasticsearch-credentials ./services/brig/test/resources/elasticsearch-credentials.yaml > /dev/null
 
 #################################
 ## dependencies

diff --git a/changelog.d/2-features/es-tls b/changelog.d/2-features/es-tls
@@ -0,0 +1,32 @@
+Support connecting to Elasticsearch over TLS
+
+It can be enabled by setting these options on the wire-server helm chart:
+
+```yaml
+brig:
+  config:
+    elasticsearch:
+      scheme: https
+
+      # When custom CAs are required, one of these must be set:
+      tlsCa: <PEM encoded CA certificates>
+      tlsCaSecretRef:
+        name: <Name of the secret>
+        key: <Key in the secret containing pem encoded CA Cert>
+
+      # When TLS needs to be used without verification:
+      insecureSkipVerifyTls: true
+
+elasticsearch-index:
+  elasticsearch:
+    scheme: https
+
+    # When custom CAs are required, one of these must be set:
+    tlsCa: <PEM encoded CA certificates>
+    tlsCaSecretRef:
+      name: <Name of the secret>
+      key: <Key in the secret containing pem encoded CA Cert>
+
+    # When TLS needs to be used without verification:
+    insecureSkipVerifyTls: true
+```
diff --git a/charts/brig/templates/_helpers.tpl b/charts/brig/templates/_helpers.tpl
@@ -23,3 +23,44 @@ created one (in case the CA is provided as PEM string.)
 {{- dict "name" "brig-cassandra" "key" "ca.pem" | toYaml -}}
 {{- end -}}
 {{- end -}}
+
+
+{{- define "configureElasticSearchCa" -}}
+{{ or (hasKey .elasticsearch "tlsCa") (hasKey .elasticsearch "tlsCaSecretRef") }}
+{{- end -}}
+
+{{- define "elasticsearchTlsSecretName" -}}
+{{- if .elasticsearch.tlsCaSecretRef -}}
+{{ .elasticsearch.tlsCaSecretRef.name }}
+{{- else }}
+{{- print "brig-elasticsearch-ca" -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "elasticsearchTlsSecretKey" -}}
+{{- if .elasticsearch.tlsCaSecretRef -}}
+{{ .elasticsearch.tlsCaSecretRef.key }}
+{{- else }}
+{{- print "ca.pem" -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "configureAdditionalElasticSearchCa" -}}
+{{ or (hasKey .elasticsearch "additionalTlsCa") (hasKey .elasticsearch "additionalTlsCaSecretRef") }}
+{{- end -}}
+
+{{- define "additionalElasticsearchTlsSecretName" -}}
+{{- if .elasticsearch.additionalTlsCaSecretRef -}}
+{{ .elasticsearch.additionalTlsCaSecretRef.name }}
+{{- else }}
+{{- print "brig-additional-elasticsearch-ca" -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "additionalElasticsearchTlsSecretKey" -}}
+{{- if .elasticsearch.additionalTlsCaSecretRef -}}
+{{ .elasticsearch.additionalTlsCaSecretRef.key }}
+{{- else }}
+{{- print "ca.pem" -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/brig/templates/configmap.yaml b/charts/brig/templates/configmap.yaml
@@ -33,17 +33,28 @@ data:
       {{- end }}
 
     elasticsearch:
-      url: http://{{ .elasticsearch.host }}:{{ .elasticsearch.port }}
+      url: {{ .elasticsearch.scheme }}://{{ .elasticsearch.host }}:{{ .elasticsearch.port }}
       index: {{ .elasticsearch.index }}
+      {{- if .elasticsearch.additionalWriteHost }}
+      additionalWriteIndexUrl: {{ .elasticsearch.additionalWriteScheme }}://{{ .elasticsearch.additionalWriteHost }}:{{ .elasticsearch.additionalWritePort }}
+      {{- end }}
       {{- if .elasticsearch.additionalWriteIndex }}
       additionalWriteIndex: {{ .elasticsearch.additionalWriteIndex }}
       {{- end }}
       {{- if $.Values.secrets.elasticsearch }}
       credentials: /etc/wire/brig/secrets/elasticsearch-credentials.yaml
       {{- end }}
+      {{- if (include "configureElasticSearchCa" .) }}
+      caCert: /etc/wire/brig/elasticsearch-ca/{{ include "elasticsearchTlsSecretKey" .}}
+      {{- end }}
+      {{- if (include "configureAdditionalElasticSearchCa" .) }}
+      additionalCaCert: /etc/wire/brig/additional-elasticsearch-ca/{{ include "additionalElasticsearchTlsSecretKey" .}}
+      {{- end }}
       {{- if $.Values.secrets.elasticsearchAdditional }}
       additionalCredentials: /etc/wire/brig/secrets/elasticsearch-additional-credentials.yaml
       {{- end }}
+      insecureSkipVerifyTls: {{ .elasticsearch.insecureSkipVerifyTls }}
+      additionalInsecureSkipVerifyTls: {{ .elasticsearch.additionalInsecureSkipVerifyTls }}
 
     cargohold:
       host: cargohold

diff --git a/charts/brig/templates/deployment.yaml b/charts/brig/templates/deployment.yaml
@@ -34,19 +34,30 @@ spec:
         - name: "brig-config"
           configMap:
             name: "brig"
+        - name: "brig-secrets"
+          secret:
+            secretName: "brig"
         {{- if eq $.Values.turn.serversSource "files" }}
         - name: "turn-servers"
           configMap:
             name: "turn"
         {{- end }}
-        - name: "brig-secrets"
-          secret:
-            secretName: "brig"
         {{- if eq (include "useCassandraTLS" .Values.config) "true" }}
         - name: "brig-cassandra"
           secret:
             secretName: {{ (include "tlsSecretRef" .Values.config | fromYaml).name }}
         {{- end}}
+        {{- if eq (include "configureElasticSearchCa" .Values.config) "true" }}
+        - name: "elasticsearch-ca"
+          secret:
+            secretName: {{ include "elasticsearchTlsSecretName" .Values.config }}
+        {{- end }}
+        {{- if eq (include "configureAdditionalElasticSearchCa" .Values.config) "true" }}
+        - name: "additional-elasticsearch-ca"
+          secret:
+            secretName: {{ include "additionalElasticsearchTlsSecretName" .Values.config }}
+        {{- end }}
+
       containers:
         - name: brig
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
@@ -68,6 +79,14 @@ spec:
           - name: "brig-cassandra"
             mountPath: "/etc/wire/brig/cassandra"
           {{- end }}
+          {{- if eq (include "configureElasticSearchCa" .Values.config) "true" }}
+          - name: "elasticsearch-ca"
+            mountPath: "/etc/wire/brig/elasticsearch-ca/"
+          {{- end }}
+          {{- if eq (include "configureAdditionalElasticSearchCa" .Values.config) "true" }}
+          - name: "additional-elasticsearch-ca"
+            mountPath: "/etc/wire/brig/additional-elasticsearch-ca/"
+          {{- end }}
           env:
           - name: LOG_LEVEL
             value: {{ .Values.config.logLevel }}

diff --git a/charts/brig/templates/elasticsearch-ca-secret.yaml b/charts/brig/templates/elasticsearch-ca-secret.yaml
@@ -0,0 +1,30 @@
+---
+{{- if not (empty .Values.config.elasticsearch.tlsCa) }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "brig-elasticsearch-ca"
+  labels:
+    app: brig
+    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+type: Opaque
+data:
+  ca.pem: {{ .Values.elasticsearch.tlsCa | b64enc | quote }}
+{{- end }}
+---
+{{- if not (empty .Values.config.elasticsearch.additionalTlsCa) }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "brig-additional-elasticsearch-ca"
+  labels:
+    app: brig
+    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+type: Opaque
+data:
+  ca.pem: {{ .Values.elasticsearch.additionalTlsCa | b64enc | quote }}
+{{- end }}
diff --git a/charts/brig/templates/tests/brig-integration.yaml b/charts/brig/templates/tests/brig-integration.yaml
@@ -44,6 +44,11 @@ spec:
     - name: "brig-integration-secrets"
       secret:
         secretName: "brig-integration"
+    {{- if eq (include "configureElasticSearchCa" .Values.config) "true" }}
+    - name: elasticsearch-ca
+      secret:
+        secretName: {{ include "elasticsearchTlsSecretName" .Values.config }}
+    {{- end}}
     {{- if eq (include "useCassandraTLS" .Values.config) "true" }}
     - name: "brig-cassandra"
       secret:
@@ -106,6 +111,10 @@ spec:
       #       non-default locations
       #       (see corresp. TODO in galley.)
       mountPath: "/etc/wire/integration-secrets"
+    {{- if eq (include "configureElasticSearchCa" .Values.config) "true" }}
+    - name: elasticsearch-ca
+      mountPath: "/etc/wire/brig/elasticsearch-ca"
+    {{- end}}
     {{- if eq (include "useCassandraTLS" .Values.config) "true" }}
     - name: "brig-cassandra"
       mountPath: "/etc/wire/brig/cassandra"

diff --git a/charts/brig/values.yaml b/charts/brig/values.yaml
@@ -29,9 +29,30 @@ config:
 #     key: <ca-attribute>
 
   elasticsearch:
+    scheme: http
     host: elasticsearch-client
     port: 9200
     index: directory
+    insecureSkipVerifyTls: false
+#   To configure custom TLS CA, please provide one of these:
+#   tlsCa: <CA in PEM format (can be self-signed)>
+#
+#   Or refer to an existing secret (containing the CA):
+#   tlsCaSecretRef:
+#     name: <secret-name>
+#     key: <ca-attribute>
+    additionalWriteScheme: http
+    # additionalWriteHost: <host>
+    additionalWritePort: 9200
+    # additionalWriteIndex: <index>
+    additionalInsecureSkipVerifyTls: false
+#   To configure custom TLS CA, please provide one of these:
+#   additionalTlsCa: <CA in PEM format (can be self-signed)>
+#
+#   Or refer to an existing secret (containing the CA):
+#   additionalTlsCaSecretRef:
+#     name: <secret-name>
+#     key: <ca-attribute>
   aws:
     region: "eu-west-1"
     sesEndpoint: https://email.eu-west-1.amazonaws.com

diff --git a/charts/elasticsearch-ephemeral/templates/_helpers.tpl b/charts/elasticsearch-ephemeral/templates/_helpers.tpl
@@ -14,4 +14,3 @@ We truncate at 53 chars (63 - len("-discovery")) because some Kubernetes name fi
 {{- $name := default .Chart.Name .Values.nameOverride -}}
 {{- printf "%s" $name | trunc 53 | trimSuffix "-" -}}
 {{- end -}}
-
diff --git a/charts/elasticsearch-ephemeral/templates/cert.yaml b/charts/elasticsearch-ephemeral/templates/cert.yaml
@@ -0,0 +1,30 @@
+
+{{- if .Values.tls.enabled -}}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ template "fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+spec:
+  issuerRef: {{ required "Please specify .Values.tls.issuerRef when .Values.tls.enabled is true" .Values.tls.issuerRef | toJson }}
+  usages:
+    - server auth
+  duration: 2160h     # 90d
+  renewBefore: 360h   # 15d
+  isCA: false
+  secretName: {{ template "fullname" . }}-certificate
+
+  privateKey:
+    algorithm: ECDSA
+    size: 384
+    encoding: PKCS1
+    rotationPolicy: Always
+
+  dnsNames:
+  - {{ template "fullname" . }}
+  - {{ template "fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local
+{{- end -}}
diff --git a/charts/elasticsearch-ephemeral/templates/es.yaml b/charts/elasticsearch-ephemeral/templates/es.yaml
@@ -36,6 +36,14 @@ spec:
           value: "true"
         - name: "ELASTIC_PASSWORD"
           value: {{ .Values.secrets.password }}
+        {{- if .Values.tls.enabled }}
+        - name: "xpack.security.http.ssl.enabled"
+          value: "true"
+        - name: "xpack.security.http.ssl.certificate"
+          value: "certs/tls.crt"
+        - name: "xpack.security.http.ssl.key"
+          value: "certs/tls.key"
+        {{- end }}
         ports:
         - containerPort: 9200
           name: http
@@ -46,9 +54,18 @@ spec:
         volumeMounts:
         - name: storage
           mountPath: /data
+        {{- if .Values.tls.enabled }}
+        - name: certificate
+          mountPath: /usr/share/elasticsearch/config/certs
+        {{- end }}
         resources:
 {{ toYaml .Values.resources | indent 12 }}
       volumes:
         - emptyDir:
             medium: ""
           name: "storage"
+        {{- if .Values.tls.enabled }}
+        - name: certificate
+          secret:
+            secretName: {{ template "fullname" . }}-certificate
+        {{- end }}
diff --git a/charts/elasticsearch-ephemeral/values.yaml b/charts/elasticsearch-ephemeral/values.yaml
@@ -15,5 +15,9 @@ resources:
     cpu: "250m"
     memory: "500Mi"
 
+tls:
+  enabled: false
+  # issuerRef: ..
+
 secrets:
   password: "changeme"
Original file line number	Diff line number	Diff line change
Expand Up		@@ -14,4 +14,3 @@ We truncate at 53 chars (63 - len("-discovery")) because some Kubernetes name fi
		{{- $name := default .Chart.Name .Values.nameOverride -}}
		{{- printf "%s" $name \| trunc 53 \| trimSuffix "-" -}}
		{{- end -}}