diff --git a/Makefile b/Makefile
index 598fc6355a1..3d83ba04244 100644
--- a/Makefile
+++ b/Makefile
@@ -273,9 +273,17 @@ db-reset: c
 ./dist/gundeck-schema --keyspace gundeck_test2 --replication-factor 1 --reset
 ./dist/spar-schema --keyspace spar_test2 --replication-factor 1 --reset
 ./integration/scripts/integration-dynamic-backends-db-schemas.sh --replication-factor 1 --reset
- ./dist/brig-index reset --elasticsearch-index-prefix directory --elasticsearch-server http://localhost:9200 --elasticsearch-credentials ./services/brig/test/resources/elasticsearch-credentials.yaml > /dev/null
- ./dist/brig-index reset --elasticsearch-index-prefix directory2 --elasticsearch-server http://localhost:9200 --elasticsearch-credentials ./services/brig/test/resources/elasticsearch-credentials.yaml > /dev/null
- ./integration/scripts/integration-dynamic-backends-brig-index.sh --elasticsearch-server http://localhost:9200 --elasticsearch-credentials ./services/brig/test/resources/elasticsearch-credentials.yaml > /dev/null
+ ./dist/brig-index reset \
+ --elasticsearch-index-prefix directory \
+ --elasticsearch-server https://localhost:9200 \
+ --elasticsearch-credentials ./services/brig/test/resources/elasticsearch-credentials.yaml > /dev/null
+ ./dist/brig-index reset \
+ --elasticsearch-index-prefix directory2 \
+ --elasticsearch-server https://localhost:9200 \
+ --elasticsearch-credentials ./services/brig/test/resources/elasticsearch-credentials.yaml > /dev/null
+ ./integration/scripts/integration-dynamic-backends-brig-index.sh \
+ --elasticsearch-server https://localhost:9200 \
+ --elasticsearch-credentials ./services/brig/test/resources/elasticsearch-credentials.yaml > /dev/null
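Review bot: The three `db-reset` invocations now target `https://localhost:9200` but, unlike the parallel `db-migrate` hunk that follows, none of them passes `--elasticsearch-ca-cert ./services/brig/test/resources/elasticsearch-ca.pem`; the development server certificate added further down in this diff is issued by a private CA, so unless brig-index also consults a system trust store that contains it, these commands will fail certificate verification. Add `--elasticsearch-ca-cert ./services/brig/test/resources/elasticsearch-ca.pem \` as a continuation line to each of the three commands, exactly as `db-migrate` does. That keeps both targets verifying the server rather than tempting a later change to skip verification in one of them.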
@@ -291,9 +299,20 @@ db-migrate: c
 ./dist/gundeck-schema --keyspace gundeck_test2 --replication-factor 1 > /dev/null
 ./dist/spar-schema --keyspace spar_test2 --replication-factor 1 > /dev/null
 ./integration/scripts/integration-dynamic-backends-db-schemas.sh --replication-factor 1 > /dev/null
- ./dist/brig-index reset --elasticsearch-index-prefix directory --elasticsearch-server http://localhost:9200 --elasticsearch-credentials ./services/brig/test/resources/elasticsearch-credentials.yaml > /dev/null
- ./dist/brig-index reset --elasticsearch-index-prefix directory2 --elasticsearch-server http://localhost:9200 --elasticsearch-credentials ./services/brig/test/resources/elasticsearch-credentials.yaml > /dev/null
- ./integration/scripts/integration-dynamic-backends-brig-index.sh --elasticsearch-server http://localhost:9200 --elasticsearch-credentials ./services/brig/test/resources/elasticsearch-credentials.yaml > /dev/null
+ ./dist/brig-index reset \
+ --elasticsearch-index-prefix directory \
+ --elasticsearch-server https://localhost:9200 \
+ --elasticsearch-ca-cert ./services/brig/test/resources/elasticsearch-ca.pem \
+ --elasticsearch-credentials ./services/brig/test/resources/elasticsearch-credentials.yaml > /dev/null
+ ./dist/brig-index reset \
+ --elasticsearch-index-prefix directory2 \
+ --elasticsearch-server https://localhost:9200 \
+ --elasticsearch-ca-cert ./services/brig/test/resources/elasticsearch-ca.pem \
+ --elasticsearch-credentials ./services/brig/test/resources/elasticsearch-credentials.yaml > /dev/null
+ ./integration/scripts/integration-dynamic-backends-brig-index.sh \
+ --elasticsearch-server https://localhost:9200 \
+ --elasticsearch-ca-cert ./services/brig/test/resources/elasticsearch-ca.pem \
+ --elasticsearch-credentials ./services/brig/test/resources/elasticsearch-credentials.yaml > /dev/null
 #################################
 ## dependencies
diff --git a/changelog.d/2-features/es-tls b/changelog.d/2-features/es-tls new file mode 100644 index 00000000000..326a2be53e6 --- /dev/null +++ b/changelog.d/2-features/es-tls @@ -0,0 +1,32 @@ +Support connecting to Elasticsearch over TLS + +It can be enabled by setting these options on the wire-server helm chart: + +```yaml +brig: + config: + elasticsearch: + scheme: https + + # When custom CAs are required, one of these must be set: + tlsCa: + tlsCaSecretRef: + name: + key: + + # When TLS needs to be used without verification: + insecureSkipVerifyTls: true + +elasticsearch-index: + elasticsearch: + scheme: https + + # When custom CAs are required, one of these must be set: + tlsCa: + tlsCaSecretRef: + name: + key: + + # When TLS needs to be used without verification: + insecureSkipVerifyTls: true +``` diff --git a/charts/brig/templates/_helpers.tpl b/charts/brig/templates/_helpers.tpl index 857c0203de8..2c3b801d674 100644 --- a/charts/brig/templates/_helpers.tpl +++ b/charts/brig/templates/_helpers.tpl 
@@ -23,3 +23,44 @@ created one (in case the CA is provided as PEM string.) {{- dict "name" "brig-cassandra" "key" "ca.pem" | toYaml -}} {{- end -}} {{- end -}} + + +{{- define "configureElasticSearchCa" -}} +{{ or (hasKey .elasticsearch "tlsCa") (hasKey .elasticsearch "tlsCaSecretRef") }} +{{- end -}} + +{{- define "elasticsearchTlsSecretName" -}} +{{- if .elasticsearch.tlsCaSecretRef -}} +{{ .elasticsearch.tlsCaSecretRef.name }} +{{- else }} +{{- print "brig-elasticsearch-ca" -}} +{{- end -}} +{{- end -}} + +{{- define "elasticsearchTlsSecretKey" -}} +{{- if .elasticsearch.tlsCaSecretRef -}} +{{ .elasticsearch.tlsCaSecretRef.key }} +{{- else }} +{{- print "ca.pem" -}} +{{- end -}} +{{- end -}} + +{{- define "configureAdditionalElasticSearchCa" -}} +{{ or (hasKey .elasticsearch "additionalTlsCa") (hasKey .elasticsearch "additionalTlsCaSecretRef") }} +{{- end -}} + +{{- define "additionalElasticsearchTlsSecretName" -}} +{{- if .elasticsearch.additionalTlsCaSecretRef -}} +{{ .elasticsearch.additionalTlsCaSecretRef.name }} +{{- else }} +{{- print "brig-additional-elasticsearch-ca" -}} +{{- end -}} +{{- end -}} + +{{- define "additionalElasticsearchTlsSecretKey" -}} +{{- if .elasticsearch.additionalTlsCaSecretRef -}} +{{ .elasticsearch.additionalTlsCaSecretRef.key }} +{{- else }} +{{- print "ca.pem" -}} +{{- end -}} +{{- end -}} diff --git a/charts/brig/templates/configmap.yaml b/charts/brig/templates/configmap.yaml index 839b7d6cbf5..7bcc86a1901 100644 --- a/charts/brig/templates/configmap.yaml +++ b/charts/brig/templates/configmap.yaml 
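Review bot: `configureElasticSearchCa` reports a CA as configured as soon as the `tlsCa` key exists, while the secret template added in `charts/brig/templates/elasticsearch-ca-secret.yaml` only creates `brig-elasticsearch-ca` when the value is non-empty; a values file that uncomments `tlsCa:` without a value (the shape the values.yaml comments invite) therefore renders a volume referencing a secret that never exists, and the pod typically sits in ContainerCreating with a "secret not found" event. Using the same predicate on both sides keeps them in step, e.g. `{{ or (not (empty .elasticsearch.tlsCa)) (not (empty .elasticsearch.tlsCaSecretRef)) }}`. `configureAdditionalElasticSearchCa` here and `configureElasticsearchCa` in `charts/elasticsearch-index/templates/_helpers.tpl` have the same mismatch with their secret templates.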
@@ -33,17 +33,28 @@ data: {{- end }} elasticsearch: - url: http://{{ .elasticsearch.host }}:{{ .elasticsearch.port }} + url: {{ .elasticsearch.scheme }}://{{ .elasticsearch.host }}:{{ .elasticsearch.port }} index: {{ .elasticsearch.index }} + {{- if .elasticsearch.additionalWriteHost }} + additionalWriteIndexUrl: {{ .elasticsearch.additionalWriteScheme }}://{{ .elasticsearch.additionalWriteHost }}:{{ .elasticsearch.additionalWritePort }} + {{- end }} {{- if .elasticsearch.additionalWriteIndex }} additionalWriteIndex: {{ .elasticsearch.additionalWriteIndex }} {{- end }} {{- if $.Values.secrets.elasticsearch }} credentials: /etc/wire/brig/secrets/elasticsearch-credentials.yaml {{- end }} + {{- if (include "configureElasticSearchCa" .) }} + caCert: /etc/wire/brig/elasticsearch-ca/{{ include "elasticsearchTlsSecretKey" .}} + {{- end }} + {{- if (include "configureAdditionalElasticSearchCa" .) }} + additionalCaCert: /etc/wire/brig/additional-elasticsearch-ca/{{ include "additionalElasticsearchTlsSecretKey" .}} + {{- end }} {{- if $.Values.secrets.elasticsearchAdditional }} additionalCredentials: /etc/wire/brig/secrets/elasticsearch-additional-credentials.yaml {{- end }} + insecureSkipVerifyTls: {{ .elasticsearch.insecureSkipVerifyTls }} + additionalInsecureSkipVerifyTls: {{ .elasticsearch.additionalInsecureSkipVerifyTls }} cargohold: host: cargohold diff --git a/charts/brig/templates/deployment.yaml b/charts/brig/templates/deployment.yaml index e37c4142af6..dea3c0dacba 100644 --- a/charts/brig/templates/deployment.yaml +++ b/charts/brig/templates/deployment.yaml 
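Review bot: `{{- if (include "configureElasticSearchCa" .) }}` tests the helper's output for non-emptiness, and the helper renders the literal string `false` when no CA is configured, so `caCert:` (and likewise `additionalCaCert:`) is written into brig's config on every install; `deployment.yaml` guards the matching volume with `eq (include ...) "true"`, so the configured path `/etc/wire/brig/elasticsearch-ca/ca.pem` then points at nothing. Use the same comparison here: `{{- if eq (include "configureElasticSearchCa" .) "true" }}` and `{{- if eq (include "configureAdditionalElasticSearchCa" .) "true" }}`. Whether brig refuses to start on a missing CA file or silently falls back to the system trust store is not visible in this diff; either way the rendered config should not claim a CA that is not mounted.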
@@ -34,19 +34,30 @@ spec: - name: "brig-config" configMap: name: "brig" + - name: "brig-secrets" + secret: + secretName: "brig" {{- if eq $.Values.turn.serversSource "files" }} - name: "turn-servers" configMap: name: "turn" {{- end }} - - name: "brig-secrets" - secret: - secretName: "brig" {{- if eq (include "useCassandraTLS" .Values.config) "true" }} - name: "brig-cassandra" secret: secretName: {{ (include "tlsSecretRef" .Values.config | fromYaml).name }} {{- end}} + {{- if eq (include "configureElasticSearchCa" .Values.config) "true" }} + - name: "elasticsearch-ca" + secret: + secretName: {{ include "elasticsearchTlsSecretName" .Values.config }} + {{- end }} + {{- if eq (include "configureAdditionalElasticSearchCa" .Values.config) "true" }} + - name: "additional-elasticsearch-ca" + secret: + secretName: {{ include "additionalElasticsearchTlsSecretName" .Values.config }} + {{- end }} + containers: - name: brig image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" @@ -68,6 +79,14 @@ spec: - name: "brig-cassandra" mountPath: "/etc/wire/brig/cassandra" {{- end }} + {{- if eq (include "configureElasticSearchCa" .Values.config) "true" }} + - name: "elasticsearch-ca" + mountPath: "/etc/wire/brig/elasticsearch-ca/" + {{- end }} + {{- if eq (include "configureAdditionalElasticSearchCa" .Values.config) "true" }} + - name: "additional-elasticsearch-ca" + mountPath: "/etc/wire/brig/additional-elasticsearch-ca/" + {{- end }} env: - name: LOG_LEVEL value: {{ .Values.config.logLevel }} diff --git a/charts/brig/templates/elasticsearch-ca-secret.yaml b/charts/brig/templates/elasticsearch-ca-secret.yaml new file mode 100644 index 00000000000..3c64b0e92d8 --- /dev/null +++ b/charts/brig/templates/elasticsearch-ca-secret.yaml 
@@ -0,0 +1,30 @@ +--- +{{- if not (empty .Values.config.elasticsearch.tlsCa) }} +apiVersion: v1 +kind: Secret +metadata: + name: "brig-elasticsearch-ca" + labels: + app: brig + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" +type: Opaque +data: + ca.pem: {{ .Values.elasticsearch.tlsCa | b64enc | quote }} +{{- end }} +--- +{{- if not (empty .Values.config.elasticsearch.additionalTlsCa) }} +apiVersion: v1 +kind: Secret +metadata: + name: "brig-additional-elasticsearch-ca" + labels: + app: brig + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" +type: Opaque +data: + ca.pem: {{ .Values.elasticsearch.additionalTlsCa | b64enc | quote }} +{{- end }} diff --git a/charts/brig/templates/tests/brig-integration.yaml b/charts/brig/templates/tests/brig-integration.yaml index aff0f6d525a..62bea731895 100644 --- a/charts/brig/templates/tests/brig-integration.yaml +++ b/charts/brig/templates/tests/brig-integration.yaml @@ -44,6 +44,11 @@ spec: - name: "brig-integration-secrets" secret: secretName: "brig-integration" + {{- if eq (include "configureElasticSearchCa" .Values.config) "true" }} + - name: elasticsearch-ca + secret: + secretName: {{ include "elasticsearchTlsSecretName" .Values.config }} + {{- end}} {{- if eq (include "useCassandraTLS" .Values.config) "true" }} - name: "brig-cassandra" secret: @@ -106,6 +111,10 @@ spec: # non-default locations # (see corresp. TODO in galley.) mountPath: "/etc/wire/integration-secrets" + {{- if eq (include "configureElasticSearchCa" .Values.config) "true" }} + - name: elasticsearch-ca + mountPath: "/etc/wire/brig/elasticsearch-ca" + {{- end}} {{- if eq (include "useCassandraTLS" .Values.config) "true" }} - name: "brig-cassandra" mountPath: "/etc/wire/brig/cassandra" diff --git a/charts/brig/values.yaml b/charts/brig/values.yaml index a500b9e9cc7..e11aa931a5a 100644 
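Review bot: The guard reads `.Values.config.elasticsearch.tlsCa` but the data line reads `.Values.elasticsearch.tlsCa`; in this chart `elasticsearch` lives under `config:` (see the values.yaml hunk below), so the second path is nil and `b64enc` either fails at render time or yields an empty `ca.pem` — in both cases supplying the CA as a PEM string cannot work. Both data lines should use the `config.` path: `ca.pem: {{ .Values.config.elasticsearch.tlsCa | b64enc | quote }}` and `ca.pem: {{ .Values.config.elasticsearch.additionalTlsCa | b64enc | quote }}`. The equivalent template in `charts/elasticsearch-index` uses one consistent path and is unaffected.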
--- a/charts/brig/values.yaml +++ b/charts/brig/values.yaml @@ -29,9 +29,30 @@ config: # key: elasticsearch: + scheme: http host: elasticsearch-client port: 9200 index: directory + insecureSkipVerifyTls: false +# To configure custom TLS CA, please provide one of these: +# tlsCa: +# +# Or refer to an existing secret (containing the CA): +# tlsCaSecretRef: +# name: +# key: + additionalWriteScheme: http + # additionalWriteHost: + additionalWritePort: 9200 + # additionalWriteIndex: + additionalInsecureSkipVerifyTls: false +# To configure custom TLS CA, please provide one of these: +# additionalTlsCa: +# +# Or refer to an existing secret (containing the CA): +# additionalTlsCaSecretRef: +# name: +# key: aws: region: "eu-west-1" sesEndpoint: https://email.eu-west-1.amazonaws.com diff --git a/charts/elasticsearch-ephemeral/templates/_helpers.tpl b/charts/elasticsearch-ephemeral/templates/_helpers.tpl index 2aa4295dc81..6ecbd30d5a9 100644 --- a/charts/elasticsearch-ephemeral/templates/_helpers.tpl +++ b/charts/elasticsearch-ephemeral/templates/_helpers.tpl @@ -14,4 +14,3 @@ We truncate at 53 chars (63 - len("-discovery")) because some Kubernetes name fi {{- $name := default .Chart.Name .Values.nameOverride -}} {{- printf "%s" $name | trunc 53 | trimSuffix "-" -}} {{- end -}} - diff --git a/charts/elasticsearch-ephemeral/templates/cert.yaml b/charts/elasticsearch-ephemeral/templates/cert.yaml new file mode 100644 index 00000000000..bae69529d25 --- /dev/null +++ b/charts/elasticsearch-ephemeral/templates/cert.yaml 
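Review bot: `insecureSkipVerifyTls: false` and `additionalInsecureSkipVerifyTls: false` are the only knobs in this block that weaken a security property, yet they arrive without a comment; a line such as `# Disables verification of the Elasticsearch server certificate; intended for test setups only` above each would make that explicit to operators. The same option is spelled `insecureSkipTlsVerify` in `charts/elasticsearch-index/values.yaml` in this diff — Helm does not reject unknown keys, so an operator carrying one spelling over to the other chart gets no error, only a different TLS behaviour than intended; aligning the two names is worth doing before the release ships them. The `# tlsCa:` / `# tlsCaSecretRef:` hints are written at column 0 while the keys they describe sit under `elasticsearch:`; indenting them like the neighbouring `# additionalWriteHost:` line shows where they belong.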
@@ -0,0 +1,30 @@ + +{{- if .Values.tls.enabled -}} +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: {{ template "fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" +spec: + issuerRef: {{ required "Please specify .Values.tls.issuerRef when .Values.tls.enabled is true" .Values.tls.issuerRef | toJson }} + usages: + - server auth + duration: 2160h # 90d + renewBefore: 360h # 15d + isCA: false + secretName: {{ template "fullname" . }}-certificate + + privateKey: + algorithm: ECDSA + size: 384 + encoding: PKCS1 + rotationPolicy: Always + + dnsNames: + - {{ template "fullname" . }} + - {{ template "fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local +{{- end -}} diff --git a/charts/elasticsearch-ephemeral/templates/es.yaml b/charts/elasticsearch-ephemeral/templates/es.yaml index 873b50b1693..81832c6783b 100644 --- a/charts/elasticsearch-ephemeral/templates/es.yaml +++ b/charts/elasticsearch-ephemeral/templates/es.yaml @@ -36,6 +36,14 @@ spec: value: "true" - name: "ELASTIC_PASSWORD" value: {{ .Values.secrets.password }} + {{- if .Values.tls.enabled }} + - name: "xpack.security.http.ssl.enabled" + value: "true" + - name: "xpack.security.http.ssl.certificate" + value: "certs/tls.crt" + - name: "xpack.security.http.ssl.key" + value: "certs/tls.key" + {{- end }} ports: - containerPort: 9200 name: http @@ -46,9 +54,18 @@ spec: volumeMounts: - name: storage mountPath: /data + {{- if .Values.tls.enabled }} + - name: certificate + mountPath: /usr/share/elasticsearch/config/certs + {{- end }} resources: {{ toYaml .Values.resources | indent 12 }} volumes: - emptyDir: medium: "" name: "storage" + {{- if .Values.tls.enabled }} + - name: certificate + secret: + secretName: {{ template "fullname" . }}-certificate + {{- end }} 
diff --git a/charts/elasticsearch-ephemeral/values.yaml b/charts/elasticsearch-ephemeral/values.yaml index a09d05caeb4..1543bd897fa 100644 --- a/charts/elasticsearch-ephemeral/values.yaml +++ b/charts/elasticsearch-ephemeral/values.yaml @@ -15,5 +15,9 @@ resources: cpu: "250m" memory: "500Mi" +tls: + enabled: false + # issuerRef: .. + secrets: password: "changeme" diff --git a/charts/elasticsearch-index/templates/_helpers.tpl b/charts/elasticsearch-index/templates/_helpers.tpl index 47bf703112c..a3581b09d50 100644 --- a/charts/elasticsearch-index/templates/_helpers.tpl +++ b/charts/elasticsearch-index/templates/_helpers.tpl @@ -16,10 +16,39 @@ This is used to switch between provided secret (e.g. by cert-manager) and created one (in case the CA is provided as PEM string.) */}} -{{- define "tlsSecretRef" -}} + +{{- define "cassandraTlsSecretName" -}} +{{- if .cassandra.tlsCaSecretRef -}} +{{ .cassandra.tlsCaSecretRef.name }} +{{- else }} +{{- print "elasticsearch-index-migrate-cassandra-client-ca" -}} +{{- end -}} +{{- end -}} + +{{- define "cassandraTlsSecretKey" -}} {{- if .cassandra.tlsCaSecretRef -}} -{{ .cassandra.tlsCaSecretRef | toYaml }} +{{ .cassandra.tlsCaSecretRef.key }} +{{- else }} +{{- print "ca.pem" -}} +{{- end -}} +{{- end -}} + +{{- define "configureElasticsearchCa" -}} +{{ or (hasKey .elasticsearch "tlsCa") (hasKey .elasticsearch "tlsCaSecretRef") }} +{{- end -}} + +{{- define "elasticsearchTlsSecretName" -}} +{{- if .elasticsearch.tlsCaSecretRef -}} +{{ .elasticsearch.tlsCaSecretRef.name }} +{{- else }} +{{- printf "%s-ca" (include "fullname" .) -}} +{{- end -}} +{{- end -}} + +{{- define "elasticsearchTlsSecretKey" -}} +{{- if .elasticsearch.tlsCaSecretRef -}} +{{ .elasticsearch.tlsCaSecretRef.key }} {{- else }} -{{- dict "name" "elasticsearch-index-migrate-cassandra-client-ca" "key" "ca.pem" | toYaml -}} +{{- print "ca.pem" -}} {{- end -}} {{- end -}} 
diff --git a/charts/elasticsearch-index/templates/create-index.yaml b/charts/elasticsearch-index/templates/create-index.yaml index 19ddd6854e0..225ecf82c9b 100644 --- a/charts/elasticsearch-index/templates/create-index.yaml +++ b/charts/elasticsearch-index/templates/create-index.yaml @@ -21,21 +21,35 @@ spec: chart: "{{.Chart.Name}}-{{.Chart.Version}}" spec: restartPolicy: OnFailure - {{- if hasKey .Values.secrets "elasticsearch" }} + {{- if or (eq (include "configureElasticsearchCa" .Values) "true") (hasKey .Values.secrets "elasticsearch") }} volumes: + {{- if hasKey .Values.secrets "elasticsearch" }} - name: elasticsearch-index-secrets secret: secretName: elasticsearch-index + {{- end }} + {{- if eq (include "configureElasticsearchCa" .Values) "true" }} + - name: elasticsearch-ca + secret: + secretName: {{ include "elasticsearchTlsSecretName" .Values }} + {{- end }} {{- end }} initContainers: # Creates index in elasticsearch only when it doesn't exist. # Does nothing if the index exists. - name: brig-index-create image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" - {{- if hasKey .Values.secrets "elasticsearch" }} + {{- if or (eq (include "configureElasticsearchCa" .Values) "true") (hasKey .Values.secrets "elasticsearch") }} volumeMounts: + {{- if hasKey .Values.secrets "elasticsearch" }} - name: "elasticsearch-index-secrets" mountPath: "/etc/wire/elasticsearch-index/secrets" + {{- end }} + + {{- if eq (include "configureElasticsearchCa" .Values) "true" }} + - name: elasticsearch-ca + mountPath: "/certs/elasticsearch" + {{- end }} {{- end }} {{- if eq (include "includeSecurityContext" .) "true" }} securityContext: 
@@ -44,7 +58,7 @@ spec: args: - create - --elasticsearch-server - - "http://{{ required "missing elasticsearch-index.elasticsearch.host!" .Values.elasticsearch.host }}:{{ .Values.elasticsearch.port }}" + - "{{ .Values.elasticsearch.scheme }}://{{ required "missing elasticsearch-index.elasticsearch.host!" .Values.elasticsearch.host }}:{{ .Values.elasticsearch.port }}" {{- if hasKey .Values.secrets "elasticsearch" }} - --elasticsearch-credentials - "/etc/wire/elasticsearch-index/secrets/elasticsearch-credentials.yaml" @@ -57,15 +71,29 @@ spec: {{- if .Values.elasticsearch.delete_template }} - --delete-template - "{{ .Values.elasticsearch.delete_template }}" - {{- end}} + {{- end }} + {{- if eq (include "configureElasticsearchCa" .Values) "true" }} + - --elasticsearch-ca-cert + - /certs/elasticsearch/{{- include "elasticsearchTlsSecretKey" .Values}} + {{- end }} + {{- if .Values.elasticsearch.insecureSkipTlsVerify }} + - --elasticsearch-insecure-skip-tls-verify + {{- end }} containers: - name: brig-index-update-mapping image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" imagePullPolicy: {{ default "" .Values.imagePullPolicy | quote }} - {{- if hasKey .Values.secrets "elasticsearch" }} + {{- if or (eq (include "configureElasticsearchCa" .Values) "true") (hasKey .Values.secrets "elasticsearch") }} volumeMounts: + {{- if hasKey .Values.secrets "elasticsearch" }} - name: "elasticsearch-index-secrets" mountPath: "/etc/wire/elasticsearch-index/secrets" + {{- end }} + + {{- if eq (include "configureElasticsearchCa" .Values) "true" }} + - name: elasticsearch-ca + mountPath: "/certs/elasticsearch" + {{- end }} {{- end }} {{- if eq (include "includeSecurityContext" .) "true" }} securityContext: 
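Review bot: In the `args` hunk, `--elasticsearch-insecure-skip-tls-verify` is appended whenever `.Values.elasticsearch.insecureSkipTlsVerify` is set, independently of whether a custom CA is also configured; when both are present the CA is presumably ignored and the misconfiguration passes silently. A render-time guard at the top of the args, `{{- if and .Values.elasticsearch.insecureSkipTlsVerify (eq (include "configureElasticsearchCa" .Values) "true") }}{{ fail "elasticsearch.insecureSkipTlsVerify and a custom CA are mutually exclusive" }}{{- end }}`, surfaces the conflict at install time. The same flag pair is emitted for the update-mapping and migrate-data containers in the following hunks, so the check belongs in a shared helper rather than being repeated three times.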
@@ -74,10 +102,17 @@ spec: args: - update-mapping - --elasticsearch-server - - "http://{{ required "missing elasticsearch-index.elasticsearch.host!" .Values.elasticsearch.host }}:{{ .Values.elasticsearch.port }}" + - "{{ .Values.elasticsearch.scheme }}://{{ required "missing elasticsearch-index.elasticsearch.host!" .Values.elasticsearch.host }}:{{ .Values.elasticsearch.port }}" {{- if hasKey .Values.secrets "elasticsearch" }} - --elasticsearch-credentials - "/etc/wire/elasticsearch-index/secrets/elasticsearch-credentials.yaml" {{- end }} - --elasticsearch-index - "{{ or (.Values.elasticsearch.additionalWriteIndex) (.Values.elasticsearch.index) }}" + {{- if eq (include "configureElasticsearchCa" .Values) "true" }} + - --elasticsearch-ca-cert + - /certs/elasticsearch/{{- include "elasticsearchTlsSecretKey" .Values}} + {{- end }} + {{- if .Values.elasticsearch.insecureSkipTlsVerify }} + - --elasticsearch-insecure-skip-tls-verify + {{- end }} diff --git a/charts/elasticsearch-index/templates/elasticsearch-ca-secret.yaml b/charts/elasticsearch-index/templates/elasticsearch-ca-secret.yaml new file mode 100644 index 00000000000..060d84e56a1 --- /dev/null +++ b/charts/elasticsearch-index/templates/elasticsearch-ca-secret.yaml @@ -0,0 +1,14 @@ +{{- if not (empty .Values.elasticsearch.tlsCa) }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ include "fullname" .}}-ca" + labels: + app: elasticsearch-index + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" +type: Opaque +data: + ca.pem: {{ .Values.elasticsearch.tlsCa | b64enc | quote }} +{{- end }} diff --git a/charts/elasticsearch-index/templates/migrate-data.yaml b/charts/elasticsearch-index/templates/migrate-data.yaml index b92a9721142..3bf41e02a61 100644 --- a/charts/elasticsearch-index/templates/migrate-data.yaml +++ b/charts/elasticsearch-index/templates/migrate-data.yaml 
@@ -29,7 +29,7 @@ spec: args: - migrate-data - --elasticsearch-server - - "http://{{ required "missing elasticsearch-index.elasticsearch.host!" .Values.elasticsearch.host }}:{{ .Values.elasticsearch.port }}" + - "{{ .Values.elasticsearch.scheme }}://{{ required "missing elasticsearch-index.elasticsearch.host!" .Values.elasticsearch.host }}:{{ .Values.elasticsearch.port }}" {{- if hasKey .Values.secrets "elasticsearch" }} - --elasticsearch-credentials - "/etc/wire/elasticsearch-index/secrets/elasticsearch-credentials.yaml" @@ -47,8 +47,15 @@ spec: - --galley-port - "{{ required "missing elasticsearch-index.galley.port!" .Values.galley.port }}" {{- if eq (include "useCassandraTLS" .Values) "true" }} - - --tls-ca-certificate-file - - /certs/{{- (include "tlsSecretRef" .Values | fromYaml).key }} + - --cassandra-ca-cert + - /certs/cassandra/{{- include "cassandraTlsSecretKey" .Values }} + {{- end }} + {{- if eq (include "configureElasticsearchCa" .Values) "true" }} + - --elasticsearch-ca-cert + - /certs/elasticsearch/{{- include "elasticsearchTlsSecretKey" .Values}} + {{- end }} + {{- if .Values.elasticsearch.insecureSkipTlsVerify }} + - --elasticsearch-insecure-skip-tls-verify {{- end }} volumeMounts: {{- if hasKey .Values.secrets "elasticsearch" }} @@ -57,7 +64,11 @@ spec: {{- end }} {{- if eq (include "useCassandraTLS" .Values) "true" }} - name: elasticsearch-index-migrate-cassandra-client-ca - mountPath: "/certs" + mountPath: "/certs/cassandra" + {{- end }} + {{- if eq (include "configureElasticsearchCa" .Values) "true" }} + - name: elasticsearch-ca + mountPath: "/certs/elasticsearch" {{- end }} volumes: {{- if hasKey .Values.secrets "elasticsearch" }} 
@@ -68,5 +79,10 @@ spec: {{- if eq (include "useCassandraTLS" .Values) "true" }} - name: elasticsearch-index-migrate-cassandra-client-ca secret: - secretName: {{ (include "tlsSecretRef" .Values | fromYaml).name }} - {{- end}} + secretName: {{ include "cassandraTlsSecretName" .Values }} + {{- end }} + {{- if eq (include "configureElasticsearchCa" .Values) "true" }} + - name: elasticsearch-ca + secret: + secretName: {{ include "elasticsearchTlsSecretName" .Values }} + {{- end }} diff --git a/charts/elasticsearch-index/values.yaml b/charts/elasticsearch-index/values.yaml index 876edd92e4a..a7c136f233f 100644 --- a/charts/elasticsearch-index/values.yaml +++ b/charts/elasticsearch-index/values.yaml @@ -1,9 +1,18 @@ # Default values for elasticsearch-index elasticsearch: + scheme: http #host: # elasticsearch-client|elasticsearch-ephemeral port: 9200 index: directory delete_template: directory +# To enable TLS verification with a custom CA: +# tlsCa: +# +# Or refer to an existing secret (containing the CA): +# tlsCaSecretRef: +# name: +# key: + insecureSkipTlsVerify: false cassandra: # host: port: 9042 diff --git a/charts/integration/templates/_helpers.tpl b/charts/integration/templates/_helpers.tpl index e278f287d1f..68e9c251380 100644 --- a/charts/integration/templates/_helpers.tpl +++ b/charts/integration/templates/_helpers.tpl 
@@ -42,14 +42,18 @@ {{ or (hasKey .cassandra "tlsCa") (hasKey .cassandra "tlsCaSecretRef") }} {{- end -}} -{{/* Return a Dict of TLS CA secret name and key -This is used to switch between provided secret (e.g. by cert-manager) and -created one (in case the CA is provided as PEM string.) -*/}} -{{- define "tlsSecretRef" -}} +{{- define "cassandraTlsSecretName" -}} {{- if .cassandra.tlsCaSecretRef -}} -{{ .cassandra.tlsCaSecretRef | toYaml }} +{{ .cassandra.tlsCaSecretRef.name }} {{- else }} -{{- dict "name" "integration-cassandra" "key" "ca.pem" | toYaml -}} +{{- print "integration-cassandra" -}} +{{- end -}} +{{- end -}} + +{{- define "cassandraTlsSecretKey" -}} +{{- if .cassandra.tlsCaSecretRef -}} +{{ .cassandra.tlsCaSecretRef.key }} +{{- else }} +{{- print "ca.pem" -}} {{- end -}} {{- end -}} diff --git a/charts/integration/templates/integration-integration.yaml b/charts/integration/templates/integration-integration.yaml index e0d72e62a87..fa5e32bb604 100644 --- a/charts/integration/templates/integration-integration.yaml +++ b/charts/integration/templates/integration-integration.yaml @@ -75,10 +75,15 @@ spec: - name: "nginz-secrets" secret: secretName: "nginz" + + - name: elasticsearch-ca + secret: + secretName: {{ .Values.config.elasticsearch.tlsCaSecretRef.name }} + {{- if eq (include "useCassandraTLS" .Values.config) "true" }} - name: integration-cassandra secret: - secretName: {{ (include "tlsSecretRef" .Values.config | fromYaml).name }} + secretName: {{ include "cassandraTlsSecretName" .Values.config }} {{- end }} restartPolicy: Never @@ -90,9 +95,11 @@ spec: {{- toYaml .Values.podSecurityContext | nindent 6 }} {{- end }} volumeMounts: + - name: elasticsearch-ca + mountPath: "/certs/elasticsearch" {{- if eq (include "useCassandraTLS" .Values.config) "true" }} - name: "integration-cassandra" - mountPath: "/certs" + mountPath: "/certs/cassandra" {{- end }} env: - name: INTEGRATION_DYNAMIC_BACKENDS_POOLSIZE 
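Review bot: The new `elasticsearch-ca` volume in `integration-integration.yaml` dereferences `.Values.config.elasticsearch.tlsCaSecretRef.name` unconditionally, so a render without `tlsCaSecretRef` fails with a nil-pointer template error instead of a readable message, and the chart now silently requires an Elasticsearch CA secret. Either wrap the value as `secretName: {{ required "config.elasticsearch.tlsCaSecretRef.name must be set" .Values.config.elasticsearch.tlsCaSecretRef.name }}` or guard the volume and both `/certs/elasticsearch` and `/etc/wire/brig/elasticsearch-ca` mounts with an `if`, the way the brig chart does through its `configureElasticSearchCa` helper. The same unguarded `.key` dereference appears in the brig-index command in the next hunk.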
@@ -124,10 +131,12 @@ spec: --port {{ .Values.config.cassandra.port }} \ --replication-factor {{ .Values.config.cassandra.replicationFactor }} \ {{- if eq (include "useCassandraTLS" .Values.config) "true" }} - --tls-ca-certificate-file /certs/{{- (include "tlsSecretRef" .Values.config | fromYaml).key }} + --tls-ca-certificate-file /certs/cassandra/{{- include "cassandraTlsSecretKey" .Values.config }} {{ end }} - integration-dynamic-backends-brig-index.sh --elasticsearch-server http://elastic:changeme@{{ .Values.config.elasticsearch.host }}:9200 + integration-dynamic-backends-brig-index.sh \ + --elasticsearch-server https://elastic:changeme@{{ .Values.config.elasticsearch.host }}:9200 \ + --elasticsearch-ca-cert /certs/elasticsearch/{{ .Values.config.elasticsearch.tlsCaSecretRef.key }} integration-dynamic-backends-ses.sh {{ .Values.config.sesEndpointUrl }} integration-dynamic-backends-s3.sh {{ .Values.config.s3EndpointUrl }} {{- range $name, $dynamicBackend := .Values.config.dynamicBackends }} @@ -227,6 +236,9 @@ spec: - name: nginz-secrets mountPath: /etc/wire/nginz/secrets + - name: elasticsearch-ca + mountPath: /etc/wire/brig/elasticsearch-ca + {{- if eq (include "useCassandraTLS" .Values.config) "true" }} - name: "integration-cassandra" mountPath: "/certs" diff --git a/deploy/dockerephemeral/docker-compose.yaml b/deploy/dockerephemeral/docker-compose.yaml index d49e141dfb1..b44ad1932d0 100644 --- a/deploy/dockerephemeral/docker-compose.yaml +++ b/deploy/dockerephemeral/docker-compose.yaml 
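Review bot: `--elasticsearch-server https://elastic:changeme@{{ .Values.config.elasticsearch.host }}:9200` keeps the Elasticsearch password in the command line, where it lands in the rendered pod spec and in the process list; moving to TLS protects it on the wire but not there. The script accepts a credentials file (`--elasticsearch-credentials` is used with it in the Makefile hunks at the top of this diff), so the URL could drop the userinfo and the password be read from a mounted secret: `--elasticsearch-server https://{{ .Values.config.elasticsearch.host }}:9200 \` followed by `--elasticsearch-credentials <path of the mounted credentials file> \` (placeholder, to be filled from the secret mount). The enclosing shell script starts outside this hunk.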
@@ -187,9 +187,15 @@ services: environment: - "xpack.ml.enabled=false" - "xpack.security.enabled=true" + - "xpack.security.http.ssl.enabled=true" + - "xpack.ssl.certificate=certs/elasticsearch-cert.pem" + - "xpack.ssl.key=certs/elasticsearch-key.pem" - "bootstrap.system_call_filter=false" - "JVM_OPTIONS_ES=-Xmx512m -Xms512m" - "discovery.type=single-node" + volumes: + - ./docker/elasticsearch-cert.pem:/usr/share/elasticsearch/config/certs/elasticsearch-cert.pem + - ./docker/elasticsearch-key.pem:/usr/share/elasticsearch/config/certs/elasticsearch-key.pem networks: - demo_wire diff --git a/deploy/dockerephemeral/docker/elasticsearch-ca.pem b/deploy/dockerephemeral/docker/elasticsearch-ca.pem new file mode 100644 index 00000000000..d4ef94d4d2a --- /dev/null +++ b/deploy/dockerephemeral/docker/elasticsearch-ca.pem 
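Review bot: HTTP TLS is enabled with `xpack.security.http.ssl.enabled=true`, but the certificate and key are supplied through the generic `xpack.ssl.certificate` / `xpack.ssl.key` settings, whereas `charts/elasticsearch-ephemeral/templates/es.yaml` in this same diff uses `xpack.security.http.ssl.certificate` / `xpack.security.http.ssl.key` for the identical purpose. Whether the generic `xpack.ssl.*` form is still honoured depends on the Elasticsearch version of the image, which this hunk does not show. Using `- "xpack.security.http.ssl.certificate=certs/elasticsearch-cert.pem"` and `- "xpack.security.http.ssl.key=certs/elasticsearch-key.pem"` here keeps the two test stacks consistent and avoids relying on a fallback.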
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDHjCCAgagAwIBAgIUXd/KjPrGXSmRyZ4Q/9O3LPGB70owDQYJKoZIhvcNAQEL +BQAwJzElMCMGA1UEAxMcZWxhc3RpY3NlYXJjaC5jYS5leGFtcGxlLmNvbTAeFw0y +NDA0MjIxMjA0MDBaFw0yOTA0MjExMjA0MDBaMCcxJTAjBgNVBAMTHGVsYXN0aWNz +ZWFyY2guY2EuZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQC0R+Ptk46Hd8SrR+S/dM7nGvhYA2ErWUFhpyUDWi7VpUpTgtlyTzmNgxAl +h9QWn8GuqvwqCFBnbiLL+OV6EsT1/fKt/3iYVv+myg5gBTPHt/QNaHZ5E7wMdwDR +HRuAKQI9kCdZZZ7/prVPTQDx0E12yxMWbE+NgvYfNmkJXSG3Y5S5ihE8RO+JZYec +AWfc3iwEZeD7d9WnVsb0sM+iJwMOOTlxKSI8Cw+ukcXdTh9pmxyQNZVd1tSGX/NH +281EKroIPLqIAxgy1d2cUqiCKIf4pGEbijb8m/OkoFez+7vjmD57A8uSuwyXz7+x +E2uRJFAisug5zdb8KWAJBlEkggWbAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAP +BgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQ1/LWQ/Ckxpc7HdBp6mNBfZNQssDAN +BgkqhkiG9w0BAQsFAAOCAQEAfGo1ONgSfTwRtT/ZsZgAnseqZSQCuvUQ4nrg2dDe +cFZtC05EczfmPx7G7Q2VeF9ZU56m/Ep57gE4W2wwVIwoG3Zam0kG4HirkgLNPagf +j3RkDrCvrjeESYFj7qwdnmgFNxotlC0KjHkGrfdT7gTDSWoNE3tobxyFaT1YQyBB +L6oRVlKa6O0ivgADUw/VMIARqFgCni/PhaHd4UlR9bgLVQ4MEVb463MMpGAdK4ZZ +l1bYVRf0pTeYnEiUG2HXt/1JFzSowFoZD8wVOXa0kcxy9SK/UCX8PVzMx06G4Ion +NNkzz9uSme9hAQlVsW6gxzl0NhwOtClpPIlvEqHwgF54KQ== +-----END CERTIFICATE----- diff --git a/deploy/dockerephemeral/docker/elasticsearch-cert.pem b/deploy/dockerephemeral/docker/elasticsearch-cert.pem new file mode 100755 index 00000000000..5de2ffadd23 --- /dev/null +++ b/deploy/dockerephemeral/docker/elasticsearch-cert.pem 
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDTzCCAjegAwIBAgIUZg82eQUqHA61XD0suiu4Gp5C0rswDQYJKoZIhvcNAQEL +BQAwJzElMCMGA1UEAxMcZWxhc3RpY3NlYXJjaC5jYS5leGFtcGxlLmNvbTAeFw0y +NDA0MjIxMjA0MDBaFw0yNTA0MjIxMjA0MDBaMAAwggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQC4I8zWkyQGetTaVB7GuDi8dDqEabCHis6TVaA8hORbCSs/ +swlPM5e8gJuyuQIOiyC07Ai4sl/C5lyjbMK4eaBz+jB3tGA1YEgZzruZiKJV0JlN +kzTWFly5960quj7XuD2vlJ+0+ozT3GDsykh675mBx6LRF+/eWd9VFcexxqXvj0GC +M+01ffT8Ue0CvhxtGhg89m1NY4Lo3n/22PCPHnSqMJGbTx7gVpUs1eDQ6rgMIoES +kstFLgq5JiTr4ojLq1q2iGjAbxR+DCle/6abUMCcegBHBN6n5hAPO4X++T/moOta +3FIjwJN68SGRG3V4BNOE1x1nunKxQjKzsOqU0SvbAgMBAAGjgZkwgZYwDgYDVR0P +AQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMB +Af8EAjAAMB0GA1UdDgQWBBTsbRvngQ1YdeLmiHuDEHTWlTufXjAfBgNVHSMEGDAW +gBQ1/LWQ/Ckxpc7HdBp6mNBfZNQssDAXBgNVHREBAf8EDTALgglsb2NhbGhvc3Qw +DQYJKoZIhvcNAQELBQADggEBAElA1AylS20xyMtFlFda/f3neLapwRf9beVLbzR3 +4N+VaN6ZeUeO62E5t1nFWayguapPkAPW5YkQtW72KlthcIKKwu+WOMUxUJmiVfJJ +hNtBSx5RpEoiJ7qi0gQCUshYoU/B5tlRTgy+vstXCbP9ME/B2Oqn2RN5PsrRmiYU +/hJ6WqQiRaX7ysrn1cCyDMjCpBv2s4QZVBD/08l8sZfeOpxxgWj6cy4ucHn3Vbvi +4MQvwWPuAGpJy7w77v1na8DRjEnMlYoMyoDVjKAFBwwTo+8rWfLsnDSWtAHDQJsI +eluO9vR0JNNEp3f/mV4lqeFwdgN6cJzYDfePdWpqGrTSL4U= +-----END CERTIFICATE----- diff --git a/deploy/dockerephemeral/docker/elasticsearch-key.pem b/deploy/dockerephemeral/docker/elasticsearch-key.pem new file mode 100755 index 00000000000..ee573176b4d --- /dev/null +++ b/deploy/dockerephemeral/docker/elasticsearch-key.pem 
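Review bot: Decoding the validity field of this certificate (`Fw0yNDA0MjIxMjA0MDBaFw0yNTA0MjIxMjA0MDBa`) gives notBefore 2024-04-22 and notAfter 2025-04-22, a one-year lifetime, while the CA added alongside it appears to run to 2029; once it lapses, every consumer that verifies against `elasticsearch-ca.pem` (the `db-migrate` target and the docker-compose Elasticsearch service) stops working with a TLS error. Worth confirming with `openssl x509 -noout -dates`, and worth either re-issuing it with a lifetime matching the CA (the SAN appears to be just `localhost`, so a long-lived dev cert carries little extra risk) or adding a short note in `deploy/dockerephemeral` describing how the pair is regenerated. The file is also added with mode 100755; a PEM file does not need the executable bit.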
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAuCPM1pMkBnrU2lQexrg4vHQ6hGmwh4rOk1WgPITkWwkrP7MJ +TzOXvICbsrkCDosgtOwIuLJfwuZco2zCuHmgc/owd7RgNWBIGc67mYiiVdCZTZM0 +1hZcufetKro+17g9r5SftPqM09xg7MpIeu+Zgcei0Rfv3lnfVRXHscal749BgjPt +NX30/FHtAr4cbRoYPPZtTWOC6N5/9tjwjx50qjCRm08e4FaVLNXg0Oq4DCKBEpLL +RS4KuSYk6+KIy6tatohowG8UfgwpXv+mm1DAnHoARwTep+YQDzuF/vk/5qDrWtxS +I8CTevEhkRt1eATThNcdZ7pysUIys7DqlNEr2wIDAQABAoIBABR7lvt/XpCB9U9b +8Bh2wYjk/OVhxEsve48UBUD2H1ipCnCJf82ZlZVYUPlubvYjL74wS0AQR2qsqT1c +icRvcxOzjtSh8dm+HgcQ4flQI46cJ5FjgIsX7bSaAl8wXHEug14WkDVXcXbXmsh8 +L9fM8yxmgovzt7DqGleilpYF3Mtq2bNYMm7q74SKSaiz/FplgYpFJJ+jWG4ExELN +mzmMFjQQ77n0ORsnyXAzIHy4XE5loj2oHlLene5XUbNv02Bi4kY5GRADVaxEphKK +YD6m2ktLHJXzfqpsdmzup3nKi7j+m0sOcMr3SC+JBqjwwG6cyhENmPxi6fKK4XhS +bPo2JyECgYEA3ovs9f5jUMV0uZ/4jGI9rNGXgQo1DPpY2zz8UvYBN/erk8+PLxK1 +mNns5Lt5UFeduRwwbNSIUR817dLLeRnNClxOjS3aaT6jCciHVGiXkWFzCbnaV9Xl +Ozv4V+s9Duwu7sqAnZrW47ykjU9G9UrsmlidoLDKXHwAshwDXkN7wiMCgYEA09Hm +ZyC4ypR94yUMmgCKq57T5mfYJEXZoe6KlQ8zTJCOjOZesl767vrjV4hijML9I25U +dqLCxf+7ifJWhgfBJNbXfHAVEPWVkazJ1ZF/6UXvKIUoHfcL9/aNQv2uX1kto7sR +wUSSxIDxaNqtnRB3gYS67PKju0ZvFU3d0qtDPukCgYAeLK7Gc+WXcA5xlMUok7F1 +Gz4FmxKyXcdqgoxb20szAXvcIMpzQYAp53J9WQYL5LVYAgB24SJSjX7MbkZ0dxEc +FIP6FHuGxZ1pmCzxPvU+Gw50BSUbv77DF1CG6zhuK4v5iK+Drxjv7AYLuvIOFEic +bOOChDYL8CxP+ghi4ZeILQKBgQCfeFt6MMxu17SfGfmOx/Gem4j04iF7zYq3uxti +dXstnXd05MtOhutsmD4oXGm1h+eEkT/NwWPaJVpP1L8HUTc8QPMioE974Sil7+xU +eaJPQXN4kidNx/yexmQ7lzl8V2tg5SnM04+bmWgmhNxIb2lJfWAtm89g4vomk+T5 +Ai8yYQKBgQDAEtH13565FJnd0qxYI+o1ooNbAhVQx/bR6tWaMF3/h4fQi5vTn1/6 +Z6f9Y8koJSoxNxkN1hpg0h2SqzAFtvUfpSyRMaYunm4VXNRsGOJALzgOwGlZ/3C9 +v6tnxXBASSfwOeFr3ToYlTTJg6b612cTHb6w4VyDA+Sy96YLbnd9Cg== +-----END RSA PRIVATE KEY----- diff --git a/deploy/dockerephemeral/federation-v0/integration-ca.pem b/deploy/dockerephemeral/federation-v0/integration-ca.pem index 2315c7c7404..10a906c111b 100644 --- a/deploy/dockerephemeral/federation-v0/integration-ca.pem 
+++ b/deploy/dockerephemeral/federation-v0/integration-ca.pem 
@@ -1,19 +1,19 @@ -----BEGIN CERTIFICATE----- -MIIDAjCCAeqgAwIBAgIULBRPt7tLLvsw7kciIdjbXB8tddQwDQYJKoZIhvcNAQEL -BQAwGTEXMBUGA1UEAxMOY2EuZXhhbXBsZS5jb20wHhcNMjMxMTIxMTM1ODAwWhcN -MjgxMTE5MTM1ODAwWjAZMRcwFQYDVQQDEw5jYS5leGFtcGxlLmNvbTCCASIwDQYJ -KoZIhvcNAQEBBQADggEPADCCAQoCggEBAMcUoMS1MjHMEB4RN84hGz4J/pvS/BJF -7HL7FgOjGuJ+aMCtpmO2ht59mUWJVvt1TAYtEraz4fpZl2Vs4MsPm8R5GjWBU6Su -9MVBk8d5R38ruhKSgTtBJdUjRMZ68fDjVGy8mPy8J45QuXVjgfZeDzcpVH+A1K+3 -gJRazCD9r9vxVlc/W335uX1q8uH1u4kXCxkESjWK7/we/fHVcRI/caIdjoluqfP7 -bhDQ+jTJCYhrLR0yWLZocJhe+FgMaOxEBw+ojYKa+Xq6wEMK2YXkhmDZW49O/JQP -ZqROwXD8BHQ2IJyOES25adL3F7yN7sODXuPhDAg8SYV1/kr2nALQTzECAwEAAaNC -MEAwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFJO6 -JJpzdazNjXtum3zX8UYWaQIJMA0GCSqGSIb3DQEBCwUAA4IBAQCoV7sw9CgICo9O -JacaB+P0Uk0dnISjsrKpcAKnuVdh1rN94+beXyttSBgQtDgVBehlESN+/B9fefLb -lhVxgCYq8inx4wZs22h8ZkjpJiOmBDjvHwgkCQOoh/Kog9gkmDr4qbFahU5GpaTp -x1rlNF3qaNRvZSVoxIVwYYiexKS5/KYMedII2EoBMHcFj0qKMhdDIT1Uw2PJZwiA -qjGDsSnLS+VeA8Zluc3m/os0ynjR6BEFQF1sn/OGO0eFaSMxXz0+Z4vT3J+c08Be -z2uZWQBgCiV/bL8F5xgokbHx+Vl0lz+1PEoFre8IJihmcnT8ZPWv/8eWPAr0gavH -+R0lNAyw +MIIDAjCCAeqgAwIBAgIUdsGG4S0KMPKYzS6UNoDuNpvkRFcwDQYJKoZIhvcNAQEL +BQAwGTEXMBUGA1UEAxMOY2EuZXhhbXBsZS5jb20wHhcNMjQwNDIyMTIwNDAwWhcN +MjkwNDIxMTIwNDAwWjAZMRcwFQYDVQQDEw5jYS5leGFtcGxlLmNvbTCCASIwDQYJ +KoZIhvcNAQEBBQADggEPADCCAQoCggEBAJatmwqb8Fabb7JQ916v7QI5ufMEBxhK +VUsnn5frxkAA99LpFRYqs4ycPWQk20tbaNpO2E7pGm0ALuKR5YR5OP69iR6+6JZl +H+c48iryVAXpBZe/PGV1vZRDsOce5YAS0mCNtLEh21FV+6QtnQdgEGbdebBhdQ5l +VN/f8hdkSCPdm56j2K/LUuwOibJYRy5zwJwjmhwuFSurTFN2Y4f6f7AYCgam2q1w +D5dk3JF8RRByvJdJQ8lNmuZbStGLgMTr+Il8Cu+huFUCcGxdDQjM4wKLwS3DgOwV +UXfMsFYxac0I4Z/oMsgE3WVDpTqTFyBGux5nOUzAeCo4iWMKHIypeukCAwEAAaNC +MEAwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFDnH +CL3yIYkqK51ynDHRQcc6Xc/rMA0GCSqGSIb3DQEBCwUAA4IBAQCUzI4edToGsBTp +qnV2MtXwhoBFnmAa4O8RMsbRZqE+DCzBhPSIl9UMaeIEMoIvXL2KOO+rEw2M1uQc +D4r+dAdUhLbIFEyMNIA5EZfJfimEE0qaLGJqI5X1FFVeCvlvI1UDoSj0KQD9GEsg 
+VidDnhzg712cGdBY2K4U/BmpLMn8+WZ7+TSVIX8fGylzDCRtCQ36vrD5pkQzblqU +sjO8Apwej/t+BI/Y+T1MFvZhstbJ3mSQpHhnmARXLOrwjcOmLzWVlQa1IJxtxaf9 +gRxVchzH7fQxNlR6/zWtd2av07pFR9k2o9WUn/A5lpoUcVrokvCsOooqqG3UwALU +fZm6IO1I -----END CERTIFICATE----- diff --git a/deploy/dockerephemeral/federation-v0/integration-leaf-key.pem b/deploy/dockerephemeral/federation-v0/integration-leaf-key.pem index 8ed90523cd3..1a45ba1ea46 100644 --- a/deploy/dockerephemeral/federation-v0/integration-leaf-key.pem +++ b/deploy/dockerephemeral/federation-v0/integration-leaf-key.pem 
@@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEA1ueRV5jCjz+AWOmFzKkkjqPrCj1GGz8VDm5HLm4e7EO/LGXk -+RAYeKupGF9eqGBkiYfw9eZrjbf+uf5mpe7qKGrP67iCEzyjkbMMB8I89dcLwp7Y -uXYWfHw4NdFkSZoE0gmZ6Jh7EK+G2n+PZUaS9T43QoqMv0pFQ1roZpVMKkjnkW5J -4cU3JfXQQzdNCMiXlpGAIL0cKee6cwkPpGC1X3/6XQDyW7Q9nOjSw0mPmiZuK4iR -qwdy4edjKhcvJxuxHw215hVi0QVqbUcNzffS0mO+VIXz2IEbdzUwhSZJISsHQEOa -27UrBdRSg+Wb3FDQ+J8IeS6PR5JwjBcwt+DAjQIDAQABAoIBAHXZSS/TOqZZeWXI -sbH4824xX7weu+pHHqHqQaiphNWllRmgyv72H6VU5YbTDdKiAaAV50LB2CtAQjT2 -2I2YRdpiMKEgblxkPYKxwCAlGU7rXayddVXG9y/O4vhIWomuJ4SS9U7DB4Gv7/C0 -UQuFtyM7ugwIdISWEwOLv7Q5nSn2DYYXapNSmCUYv2FJEd57MJFtZ+CTHPu+ALxY -/qCGga8WBQ9Io/4A6UWN76m5IREeGh/pBwwhestpvUB9hXXe037Z11G3j/mNjqmz -SoUdEXnXpqJMA4c73hrryZR7TRPjRQx2P7YTyMwwOaJenhCS2F7ohJrwXNEtfbXt -Tb4mAQECgYEA8Qc4YqbF+xDmav1Mw7tpQ34EW7U1BF6RW+zpaRVVYXc+hZq8Rscl -yhzvYI2F4b9qOXw73Vdj3Hbd3f3BRC2ayMUk82pmbFEhZjQR9cGaLH1JfNXBdgz+ -wenmdczUAhmDiIseXTYdXL0FFgc9F/UFzmAYmD/kkMHTO2wnfeAci00CgYEA5EDv -UJzW/hWUtawWfg0Bw+H5RR2W/28dGG+680zazZwVHtDF7sEiThmR8AlLu74tWUMg -PBREdxOui5qRhmZO3y3JLJ8mjmEUQqC4x1NWReZCAcWGTNXn/PHsWPlK82qp/Q98 -lYJLShtbOOgo1hUPYeQ3hFnDi8HM3QssEeYB6kECgYA0kdSUf7dyuQ7oivKxRjEB -TXz5254Co/WkTRnjl4mVxoJWdZdXAJyXZpQ3RObMhAlRHG2aKzNWpH5jqrL6gc/e -tlEG3lAUk+Vq+zRnm6Baz8C1f5HAg7kU5kUjsFcVVidAIseuoNzqmzd+xHlovkJT -7tWub1EU2ZGOxloetEDFiQKBgQCfPrp4OGQ6cp4EvaIXoUV4/0Aku0cswL3A3brF -ofoJdvq5PBjLwQ0JBgfuOt4OhtkmrJFhuRYnKaEeHuGmrdwbEtuG+SYyMYKsFWu1 -DOxk6gdlKwTOuHIY5EPrs0laWDFur45Q1M1oT3uuUTKkYZ8QweMFwIaQC8687N17 -Q0hUwQKBgQDu55deAXAAS9FCqT4qidyxmvjdpkn8BKZhetss+t0m7Rum9OJCiMI5 -90exbnlRtUP4soNOccS3w3ie2HPspdlIsllYnd4/KaHQbdEoGtvrF5rM77X+81N1 -xPgNsMJM167VEWWJJCE+rkeWiF+irrjiHj7QlLmKkK4bmEzp5XuLyg== +MIIEowIBAAKCAQEAukRPdjUjKs7P2TgP4VDpb77Rb7KjMMBtcRP525qEnUQzFHPk +Va4cqh6xacgh2NJCyFyDEWDI9pQ03i0HISIldoBngDVvM6kwvbs+kjZ+/t/Jx3aH +zC9dmsLqmCqU+OmofpD1pt8hZWwOtYj58pfqdhrP+M6qQ92/tgmkk9njLFwsAjxY +gMXZCo0IiSIE9BE9NGvR9bp6hvEekCqREPdHi44iFca/5V4A8fSZwBlTHod5Z83r 
+MpHLnR1ReVVOQgzbIBGcLdmtH8IA9ZgUHy1/HOmf9e0MYOYOKbKvH3cry7WSscPL +47x+JQyFLimidfsJQCY+022rdPg9CdrCWFGxgQIDAQABAoIBAGjeBqK1fewe7XQN +FRu0cwh/tOge+bN70uHj7jrN/rWP7PYp3TbDxM2eZCH7E9s/XWvycbQ5+kqg3Dbt +wOLNl6vk1OCgtM+wBIn9PlgRKGSUV8Tdncy+KgP0kyFCcAbHfh5rvHHLk8DHGmzo +BlinYNBHfilFKST2VnXFbgvzkuuorS1BRAzlVpyJnaen04emBJ+KPIwNyguPQrlv +5duBIO1bzlEjFVufrLkI0IumWqBAPOvHcRy1geSz/MG7LssB9r25k5LA5OEDxqwx +ykSzuniaLL6BGMSCAMpTM3/hF1ijrkTd74cI4cp7k2ufcYT74ZU2lyDKEjBukG/p +H0/1Q8ECgYEAwL7VWIpySGtrJEPZH1FxtpJYg8SE0F4lUxIbIQcc6rzLJfLOLQO5 +ruTVONPTlue6PHrRO8pQTbW9AnjZvHMIiwxidY/RwUVKFuxzfrYZ9ZbKXyVOh48a +WXe5OnpuVodPEHQrKzkl93YWMgMCXNPri1h0jr0fMGXy9jZzoKK5f1kCgYEA92Uw +P4WyBL2hm/5BNUoxCiLyd1dDdQt1h6VByxYM7OXDhXq1iHnhX+NbjMT0QfOFyXBP +uQQCB9IQElmMmWsoEv6uEQCeuCvOxq+Evoz+3fP2te89HjZ1C5SXUMfG7qKfFzbt +WP6e/CqAeQPnnqI89ghw/IerQkeVMoVvHbSXZmkCgYBZPgJ6JGAVt+a7u85j+cm0 +xr3FBNCZyX1uoQt+l1SEOzW0NF/R58+pcrpmvW1SiahpKFSIYnwb/vGsm1f1MS3b +c7iCxjxQSEytoH05Rgdu9ops01Ew4slIc26H7Pf5iFzLOX5jXOp/UWWlck89u8Fr +m2EcVeSC/DEqXrvavH02wQKBgBzVKDhfBo5S44DgswzY5ro9tHCANRZxDXOPqQlY +Oo1pgc4OrRWIzuF0B/lyAt2k2hTOCBySAQKUUtcwpJhEytjb4cGNhvID+Qdi8V+b +4yBPDJPLnB3nTuDYooIBpoetYEk+V48lrbXJ5ks0T0xHsD8kYLatwSHqYdMPhhG6 +OGLxAoGBALZQSuO4fHew4ksMcBy891ZSOFUV9xAtR490EdEQdOiPrQj5vmnSpxEx +QsSVbn+49OYwzjBP+sHtpiTMF4ZlafHvjcNZ5dFIImqyuEugEdnD5UnFd92AQ9Gv +ufa7BMs99BRdkkolCXBZC+Dq4t4Z/+MDSMtjO5mh9V0boDakdJPb -----END RSA PRIVATE KEY----- diff --git a/deploy/dockerephemeral/federation-v0/integration-leaf.pem b/deploy/dockerephemeral/federation-v0/integration-leaf.pem index d8e7ee0955c..2247758aafd 100644 --- a/deploy/dockerephemeral/federation-v0/integration-leaf.pem +++ b/deploy/dockerephemeral/federation-v0/integration-leaf.pem 
@@ -1,21 +1,21 @@ -----BEGIN CERTIFICATE----- -MIIDcjCCAlqgAwIBAgIUXlJ06fjgHbzEvIRscFvEwxpsioMwDQYJKoZIhvcNAQEL -BQAwGTEXMBUGA1UEAxMOY2EuZXhhbXBsZS5jb20wHhcNMjMxMTIxMTM1ODAwWhcN -MjQxMTIwMTM1ODAwWjAAMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA -1ueRV5jCjz+AWOmFzKkkjqPrCj1GGz8VDm5HLm4e7EO/LGXk+RAYeKupGF9eqGBk -iYfw9eZrjbf+uf5mpe7qKGrP67iCEzyjkbMMB8I89dcLwp7YuXYWfHw4NdFkSZoE -0gmZ6Jh7EK+G2n+PZUaS9T43QoqMv0pFQ1roZpVMKkjnkW5J4cU3JfXQQzdNCMiX -lpGAIL0cKee6cwkPpGC1X3/6XQDyW7Q9nOjSw0mPmiZuK4iRqwdy4edjKhcvJxux -Hw215hVi0QVqbUcNzffS0mO+VIXz2IEbdzUwhSZJISsHQEOa27UrBdRSg+Wb3FDQ -+J8IeS6PR5JwjBcwt+DAjQIDAQABo4HKMIHHMA4GA1UdDwEB/wQEAwIFoDAdBgNV +MIIDcjCCAlqgAwIBAgIUK9Dix5VZpBYOby63cdmjtfg6RpwwDQYJKoZIhvcNAQEL +BQAwGTEXMBUGA1UEAxMOY2EuZXhhbXBsZS5jb20wHhcNMjQwNDIyMTIwNDAwWhcN +MjUwNDIyMTIwNDAwWjAAMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA +ukRPdjUjKs7P2TgP4VDpb77Rb7KjMMBtcRP525qEnUQzFHPkVa4cqh6xacgh2NJC +yFyDEWDI9pQ03i0HISIldoBngDVvM6kwvbs+kjZ+/t/Jx3aHzC9dmsLqmCqU+Omo +fpD1pt8hZWwOtYj58pfqdhrP+M6qQ92/tgmkk9njLFwsAjxYgMXZCo0IiSIE9BE9 +NGvR9bp6hvEekCqREPdHi44iFca/5V4A8fSZwBlTHod5Z83rMpHLnR1ReVVOQgzb +IBGcLdmtH8IA9ZgUHy1/HOmf9e0MYOYOKbKvH3cry7WSscPL47x+JQyFLimidfsJ +QCY+022rdPg9CdrCWFGxgQIDAQABo4HKMIHHMA4GA1UdDwEB/wQEAwIFoDAdBgNV HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4E -FgQUWm43ORCCQGlDu3JaPIm15lsr5swwHwYDVR0jBBgwFoAUk7okmnN1rM2Ne26b -fNfxRhZpAgkwSAYDVR0RAQH/BD4wPIIZKi5pbnRlZ3JhdGlvbi5leGFtcGxlLmNv +FgQUaJdzHC5JsdIEKTYxqAWoSHvFCNgwHwYDVR0jBBgwFoAUOccIvfIhiSornXKc +MdFBxzpdz+swSAYDVR0RAQH/BD4wPIIZKi5pbnRlZ3JhdGlvbi5leGFtcGxlLmNv bYIUaG9zdC5kb2NrZXIuaW50ZXJuYWyCCWxvY2FsaG9zdDANBgkqhkiG9w0BAQsF -AAOCAQEAfrlC1maUJMg5n61YEpBwIS9O0LLhNidZ6dBEPwDiBwskzkTKoWksSR+n -7OytNFQvrdclejxIyvoOvBhLqNY4pFYdNRUu42GESUpCA6cQlW3a9QchTEuNASWR -AdrmGmjXYwPFGjnVUVPR+Abs9lG7/8eDYoq1B1AdBkW1EJ7+0/DrLOLDtloxYmBF -bydmLcesdPvgBLkHfBlOG54jH/ILXHAHxskWmGqixY6L1svhrcnwsindxRcfT4QB -fAtNDfAfiftUdb96QJfpwN1/N1oEHFl2D0ynE8sFOuVFm0gQ6mblH+Vahune6cSK -7SDUwM9Ia1OAO/r2cdEAvCrQqaeDZQ== 
+AAOCAQEAcoUcdwgoAiFJcoS/t1IU2axEJeWncctYyVHt/ZfoZ8y/23XDA+kIfgSt +DZEqteGyVDSBbI/B45IzrKQuJzdT8B+9iDcOzLrA2R1432ASlMhHC5l3STBru0jl +oL9M8fJU6BwciCqY0Y2wFcCfVthN1rC8vNNSpwSwF74q87MMLZ/65Mi3hAB4177s +uNL6MXGta9fBK9MQxM3S/Kr7fmxOTQBlQtcA2Ha3Yog2+dkMXosoapjoMwWj36DS +j9v25/dFmS3dnCfhRHBSh9iUSnbOVZ/M+5Bv5hBPYbeSw24DXD1w9soEYL941D+c +enXV719UPw5bpBxhXjl9Hu0TQ2uoIw== -----END CERTIFICATE----- diff --git a/docs/src/developer/reference/config-options.md b/docs/src/developer/reference/config-options.md index 7b910b21e15..e6536ad8a81 100644 --- a/docs/src/developer/reference/config-options.md +++ b/docs/src/developer/reference/config-options.md @@ -863,7 +863,8 @@ client), a **C**ertificate **A**uthority in PEM format needs to be configured. The ways differ regarding the kind of program: - *Services* expect a `cassandra.tlsCa: ` attribute in their config file. -- *CLI commands* (e.g. migrations) accept a `--tls-ca-certificate-file ` parameter. +- *\*-schema CLI commands* accept a `--tls-ca-certificate-file ` parameter. +- *brig-index migrate-data* accepts a `--cassandra-ca-cert ` parameter. When a CA PEM file is configured, all Cassandra connections are opened with TLS encryption i.e. there is no fallback to unencrypted connections. This ensures 
@@ -923,6 +924,81 @@ brig: password: changeme ``` +## Configure TLS for Elasticsearch + +If the elasticsearch instance requires TLS, it can be configured like this: + +```yaml +brig: + config: + elasticsearch: + scheme: https + +elasticsearch-index: + elasticsearch: + scheme: https +``` + +In case a custom CA certificate is required it can be provided like this: + +```yaml +brig: + config: + elasticsearch: + tlsCa: +elasticsearch-index: + elasticsearch: + tlsCa: +``` + +There is another way to provide this, in case there already exists a kubernetes +secret containing the CA certificate(s): + +```yaml +brig: + config: + elasticsearch: + tlsCaSecretRef: + name: + key: +elasticsearch-index: + elasticsearch: + tlsCaSecretRef: + name: + key: +``` + +For configuring `addtionalWriteIndex` in brig (this is required during a +migration from one index to another or one ES instance to another), the settings +need to be like this: + +```yaml +brig: + config: + elasticsearch: + additionalWriteScheme: https + # One or none of these: + # addtionalTlsCa: + # addtionalTlsCaSecretRef: +``` + + +**WARNING:** Please do this only if you know what you're doing. + +In case it is not possible to verify TLS certificate of the elasticsearch +server, it can be turned off without tuning off TLS like this: + +```yaml +brig: + config: + elasticsearch: + insecureSkipVerifyTls: true + addtionalInsecureSkipVerifyTls: true # only required when addtional index is being used. +elasticsearch-index: + elasticsearch: + insecureSkipVerifyTls: true +``` + ## Configure Redis authentication If the redis used needs authentication with either username and password or just diff --git a/hack/bin/integration-setup-federation.sh b/hack/bin/integration-setup-federation.sh index b0abffc8184..939f1d4f56d 100755 --- a/hack/bin/integration-setup-federation.sh +++ b/hack/bin/integration-setup-federation.sh 
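Review bot: The `additionalWriteIndex` example and the insecure example use misspelled keys — `addtionalTlsCa`, `addtionalTlsCaSecretRef` and `addtionalInsecureSkipVerifyTls` — while the chart values in this same change use `additionalTlsCaSecretRef` (hack/helm_vars/wire-server/values.yaml.gotmpl). An operator copying these snippets gets the typo'd key silently ignored: for the CA keys that is a failed connection, for the skip-verify key it means believing verification is off for the additional index while the real key is untouched. Change them to `additionalTlsCa:`, `additionalTlsCaSecretRef:` and `additionalInsecureSkipVerifyTls: true`, and fix `addtionalWriteIndex` / `tuning off TLS` in the prose to `additionalWriteIndex` / `turning off TLS`. The WARNING should also say what the flag does — in brig it maps to `VerifyNone`, i.e. no certificate or chain validation at all — so it is clearly a throwaway-test-only setting.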
@@ -50,6 +50,9 @@ export FEDERATION_CA_CERTIFICATE echo "Installing charts..." set +e +# This exists because we need to run `helmfile` with `--skip-deps`, without that it doesn't work. +helm repo add bedag https://bedag.github.io/helm-charts/ + helmfile --environment "$HELMFILE_ENV" --file "${TOP_LEVEL}/hack/helmfile.yaml" sync --skip-deps --concurrency 0 EXIT_CODE=$? diff --git a/hack/bin/selfsigned.sh b/hack/bin/selfsigned.sh index a7107c436ad..73e507358fc 100755 --- a/hack/bin/selfsigned.sh +++ b/hack/bin/selfsigned.sh @@ -9,10 +9,15 @@ set -euo pipefail SCRIPT_DIR=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) ROOT_DIR=$(cd -- "$SCRIPT_DIR/../../" &> /dev/null && pwd) -TEMP=$(mktemp -d wire-server-self-signed-XXXXXX) -CSR="$TEMP/csr.json" -OUTPUTNAME_CA="$TEMP/integration-ca" -OUTPUTNAME_LEAF_CERT="$TEMP/integration-leaf" +TEMP=$(mktemp -d wire-server-self-signed-XXXXXX --tmpdir) +CSR_FEDERATION="$TEMP/csr-federation.json" +CSR_FEDERATION_CA="$TEMP/csr-federation-ca.json" +CSR_ELASTICSEARCH="$TEMP/csr-elasitcsearch.json" +CSR_ELASTICSEARCH_CA="$TEMP/csr-elasticsearch-ca.json" +FEDERATION_CA="$TEMP/integration-ca" +FEDERATION_LEAF_CERT="$TEMP/integration-leaf" +ELASTICSEARCH_CA="$TEMP/elasticsearch-ca" +ELASTICSEARCH_LEAF_CERT="$TEMP/elasticsearch-leaf" command -v cfssl >/dev/null 2>&1 || { echo >&2 "cfssl is not installed, aborting. See https://github.com/cloudflare/cfssl"; exit 1; } command -v cfssljson >/dev/null 2>&1 || { echo >&2 "cfssljson is not installed, aborting. See https://github.com/cloudflare/cfssl"; exit 1; } 
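Review bot: The new `helm repo add bedag …` runs after `set +e`, so if it fails (no network, index URL moved) the script carries on and `helmfile … --skip-deps` then dies with a much less obvious "chart not found" error. Move the two added lines above `set +e`, or make the failure explicit: `helm repo add bedag https://bedag.github.io/helm-charts/ || { echo >&2 "failed to add bedag helm repo"; exit 1; }`. Since this adds a third-party chart source to the integration setup, the matching `bedag/raw` release in hack/helmfile.yaml should carry a pinned `version:` so a new upstream chart release cannot silently change what the test cluster deploys.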
@@ -23,28 +28,66 @@ echo '{ "algo": "rsa", "size": 2048 } -}' > "$CSR" +}' > "$CSR_FEDERATION_CA" # generate CA key and cert -cfssl gencert -initca "$CSR" | cfssljson -bare "$OUTPUTNAME_CA" +cfssl gencert -initca "$CSR_FEDERATION_CA" | cfssljson -bare "$FEDERATION_CA" echo '{ "key": { "algo": "rsa", "size": 2048 } -}' > "$CSR" +}' > "$CSR_FEDERATION" # generate cert and key based on CA given comma-separated hostnames as SANs -cfssl gencert -ca "$OUTPUTNAME_CA.pem" -ca-key "$OUTPUTNAME_CA-key.pem" -hostname=*.integration.example.com,host.docker.internal,localhost "$CSR" | cfssljson -bare "$OUTPUTNAME_LEAF_CERT" +cfssl gencert \ + -ca "$FEDERATION_CA.pem" \ + -ca-key "$FEDERATION_CA-key.pem" \ + -hostname=*.integration.example.com,host.docker.internal,localhost \ + "$CSR_FEDERATION" \ + | cfssljson -bare "$FEDERATION_LEAF_CERT" -cp "$OUTPUTNAME_CA.pem" "$ROOT_DIR/services/nginz/integration-test/conf/nginz/" -cp "$OUTPUTNAME_CA-key.pem" "$ROOT_DIR/services/nginz/integration-test/conf/nginz/" -cp "$OUTPUTNAME_LEAF_CERT.pem" "$ROOT_DIR/services/nginz/integration-test/conf/nginz/" -cp "$OUTPUTNAME_LEAF_CERT-key.pem" "$ROOT_DIR/services/nginz/integration-test/conf/nginz/" +cp "$FEDERATION_CA.pem" "$ROOT_DIR/services/nginz/integration-test/conf/nginz/" +cp "$FEDERATION_CA-key.pem" "$ROOT_DIR/services/nginz/integration-test/conf/nginz/" +cp "$FEDERATION_LEAF_CERT.pem" "$ROOT_DIR/services/nginz/integration-test/conf/nginz/" +cp "$FEDERATION_LEAF_CERT-key.pem" "$ROOT_DIR/services/nginz/integration-test/conf/nginz/" -cp "$OUTPUTNAME_CA.pem" "$ROOT_DIR/deploy/dockerephemeral/federation-v0/" -cp "$OUTPUTNAME_LEAF_CERT.pem" "$ROOT_DIR/deploy/dockerephemeral/federation-v0/" -cp "$OUTPUTNAME_LEAF_CERT-key.pem" "$ROOT_DIR/deploy/dockerephemeral/federation-v0/" +cp "$FEDERATION_CA.pem" "$ROOT_DIR/deploy/dockerephemeral/federation-v0/" +cp "$FEDERATION_LEAF_CERT.pem" "$ROOT_DIR/deploy/dockerephemeral/federation-v0/" +cp "$FEDERATION_LEAF_CERT-key.pem" 
"$ROOT_DIR/deploy/dockerephemeral/federation-v0/" + +echo '{ + "CN": "elasticsearch.ca.example.com", + "key": { + "algo": "rsa", + "size": 2048 + } +}' > "$CSR_ELASTICSEARCH_CA" + +# generate CA key and cert +cfssl gencert -initca "$CSR_ELASTICSEARCH_CA" | cfssljson -bare "$ELASTICSEARCH_CA" + +echo '{ + "key": { + "algo": "rsa", + "size": 2048 + } +}' > "$CSR_ELASTICSEARCH" + +# generate cert and key based on CA given comma-separated hostnames as SANs +cfssl gencert \ + -ca "$ELASTICSEARCH_CA.pem" \ + -ca-key "$ELASTICSEARCH_CA-key.pem" \ + -hostname=localhost \ + "$CSR_ELASTICSEARCH" \ + | cfssljson -bare "$ELASTICSEARCH_LEAF_CERT" + +cp "$ELASTICSEARCH_CA.pem" "$ROOT_DIR/deploy/dockerephemeral/docker/elasticsearch-ca.pem" +cp "$ELASTICSEARCH_LEAF_CERT.pem" "$ROOT_DIR/deploy/dockerephemeral/docker/elasticsearch-cert.pem" +cp "$ELASTICSEARCH_LEAF_CERT-key.pem" "$ROOT_DIR/deploy/dockerephemeral/docker/elasticsearch-key.pem" + +cp "$ELASTICSEARCH_CA.pem" "$ROOT_DIR/hack/helm_vars/elasticsearch-certs/elasticsearch-ca.pem" +cp "$ELASTICSEARCH_CA-key.pem" "$ROOT_DIR/hack/helm_vars/elasticsearch-certs/elasticsearch-ca-key.pem" rm -rf "$TEMP" diff --git a/hack/helm_vars/elasticsearch-certs/elasticsearch-ca-key.pem b/hack/helm_vars/elasticsearch-certs/elasticsearch-ca-key.pem new file mode 100644 index 00000000000..0b9246b7ecb --- /dev/null +++ b/hack/helm_vars/elasticsearch-certs/elasticsearch-ca-key.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAtEfj7ZOOh3fEq0fkv3TO5xr4WANhK1lBYaclA1ou1aVKU4LZ +ck85jYMQJYfUFp/Brqr8KghQZ24iy/jlehLE9f3yrf94mFb/psoOYAUzx7f0DWh2 +eRO8DHcA0R0bgCkCPZAnWWWe/6a1T00A8dBNdssTFmxPjYL2HzZpCV0ht2OUuYoR +PETviWWHnAFn3N4sBGXg+3fVp1bG9LDPoicDDjk5cSkiPAsPrpHF3U4faZsckDWV +XdbUhl/zR9vNRCq6CDy6iAMYMtXdnFKogiiH+KRhG4o2/JvzpKBXs/u745g+ewPL +krsMl8+/sRNrkSRQIrLoOc3W/ClgCQZRJIIFmwIDAQABAoIBAQCtn7L/IqYZB5rs +ToAad5ewcYQN16tkgUB7mOsHsHn8noTXquRat7w48qnBS3BSHaf93YSfwoQVKLfw +c5QmHh98vgdT1f/Bz7/FVUHE7h2xUhOEOkAnWX85Df9GZd8Pbe9PdR7AdSNNGbPy +XLn1KWUBbJDEfqmbIy6AXvmH4B7Rq0K/8nRdTJsZiGBwR3TZINWkVv43b4LMlqdn +QavTm2cO7wylN6QWtWbutFs2YrbG7LCdn1qOyMQgNAwzHbzatQjWl8M7K9xoNaec +pjIS7/Oobs4OVlMxLn/QWF2wCWt+r3i+USqoAw7qgPXMQ1b6h4vaKHJw8UCTeI42 +Xi5vvfC5AoGBAOIfQ8kNHFI+7/5aPa7SQC0tqwBT+HkAZY4DZsFeCe7aKIrvqwCj +/6ioGrfLhtjQTUnxN5D9DyJnbNAKSGwbuylVcJiARPv5NxXS9ES3QmgK/mqz+Ds3 +8SVM48tI4jAfeSuDW/qztVOXpzZYJmnjVO1Qu0pNnmTMAB3WE2vqZlRvAoGBAMwa +AxkI4O2CUeaOug+eG/+ztlpX79lU+DDLYtM8CH8MVBfqQtLg5UxUGE7eVkSZyOYN +STz6eKIh5tvPc91l9xSrL5wwGmSl48f3xxycJVF2UfD7LmlcvRHthLCQPWHcCAne +6RWinCiS4ATPU6p9DzR6XYyALB0vODr84qTb9a+VAoGASPP9UqhAMujLVSyYKgb7 +XZgWS4zL5X4TRbYjOM+2NLF90xVv/kzq9ucFd7baUqkhxnFklAqRD3B+0r/+jaKE +x9kg8pKvrvvAofHljSXy7s5dNt/JfpGV44rjE3r4Pr5owXkn+8JvBgEvmYDnI9KM +W+RoCJjyOWL3xqiCq5Z8XVECgYB3vD7a/fFuhIhlmI+gv+GvFY/B2lrUBdwATCDy +yQI2/lWLHhwLuHHsYF1OT3MOlaVdCKhRhKMmgnr7su1HEh1sW6z3lOS27Pb/BeYi +a5wc+SvDEqg8mXI1xUCVkFjiQwHYQJQ+5AF2cAvJ5pMvrmQwJiUhWsQGbwAu4tJX +Ys70LQKBgQC3jOZpW5MrBdyGRJwkGYrJ3oGvgM5HGqD/9088b42i7EoDroh43e1r +rX+6mkocXd1LU2+zRaCqxA58dNuqXvU1dESW0gLgUoe3ubIlfoaD9MBwlE0trBDw +iO3tSUQ3zzYh+Uu7xBywvDEGnRhJTBs1AuwdxsdSte2WrQ7KLHwncQ== +-----END RSA PRIVATE KEY----- diff --git a/hack/helm_vars/elasticsearch-certs/elasticsearch-ca.pem b/hack/helm_vars/elasticsearch-certs/elasticsearch-ca.pem new file mode 100644 index 00000000000..d4ef94d4d2a --- /dev/null +++ b/hack/helm_vars/elasticsearch-certs/elasticsearch-ca.pem 
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDHjCCAgagAwIBAgIUXd/KjPrGXSmRyZ4Q/9O3LPGB70owDQYJKoZIhvcNAQEL +BQAwJzElMCMGA1UEAxMcZWxhc3RpY3NlYXJjaC5jYS5leGFtcGxlLmNvbTAeFw0y +NDA0MjIxMjA0MDBaFw0yOTA0MjExMjA0MDBaMCcxJTAjBgNVBAMTHGVsYXN0aWNz +ZWFyY2guY2EuZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQC0R+Ptk46Hd8SrR+S/dM7nGvhYA2ErWUFhpyUDWi7VpUpTgtlyTzmNgxAl +h9QWn8GuqvwqCFBnbiLL+OV6EsT1/fKt/3iYVv+myg5gBTPHt/QNaHZ5E7wMdwDR +HRuAKQI9kCdZZZ7/prVPTQDx0E12yxMWbE+NgvYfNmkJXSG3Y5S5ihE8RO+JZYec +AWfc3iwEZeD7d9WnVsb0sM+iJwMOOTlxKSI8Cw+ukcXdTh9pmxyQNZVd1tSGX/NH +281EKroIPLqIAxgy1d2cUqiCKIf4pGEbijb8m/OkoFez+7vjmD57A8uSuwyXz7+x +E2uRJFAisug5zdb8KWAJBlEkggWbAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAP +BgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQ1/LWQ/Ckxpc7HdBp6mNBfZNQssDAN +BgkqhkiG9w0BAQsFAAOCAQEAfGo1ONgSfTwRtT/ZsZgAnseqZSQCuvUQ4nrg2dDe +cFZtC05EczfmPx7G7Q2VeF9ZU56m/Ep57gE4W2wwVIwoG3Zam0kG4HirkgLNPagf +j3RkDrCvrjeESYFj7qwdnmgFNxotlC0KjHkGrfdT7gTDSWoNE3tobxyFaT1YQyBB +L6oRVlKa6O0ivgADUw/VMIARqFgCni/PhaHd4UlR9bgLVQ4MEVb463MMpGAdK4ZZ +l1bYVRf0pTeYnEiUG2HXt/1JFzSowFoZD8wVOXa0kcxy9SK/UCX8PVzMx06G4Ion +NNkzz9uSme9hAQlVsW6gxzl0NhwOtClpPIlvEqHwgF54KQ== +-----END CERTIFICATE----- diff --git a/hack/helm_vars/elasticsearch-certs/es-cert-issuer.yaml.gotmpl b/hack/helm_vars/elasticsearch-certs/es-cert-issuer.yaml.gotmpl new file mode 100644 index 00000000000..a9ef90fd0e8 --- /dev/null +++ b/hack/helm_vars/elasticsearch-certs/es-cert-issuer.yaml.gotmpl @@ -0,0 +1,17 @@ +resources: + - apiVersion: v1 + kind: Secret + metadata: + name: elasticsearch-ca + namespace: '{{ .Release.Namespace }}' + data: + tls.crt: {{ readFile "./elasticsearch-ca.pem" | b64enc | quote }} + tls.key: {{ readFile "./elasticsearch-ca-key.pem" | b64enc | quote }} + - apiVersion: cert-manager.io/v1 + kind: Issuer + metadata: + name: elasticsearch + namespace: '{{ .Release.Namespace }}' + spec: + ca: + secretName: elasticsearch-ca 
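Review bot: This manifest embeds the committed CA private key (`elasticsearch-ca-key.pem`) into a Secret and hands it to a cert-manager `Issuer` in every namespace, with nothing in the file saying the material is test-only. Anyone adapting this template for a real deployment would ship a CA key that is public in the repository, so the file should open with a comment such as `# Test-only CA: the key is checked into the repo and regenerated by hack/bin/selfsigned.sh. Never reuse it outside the ephemeral integration cluster.`. Consider also setting `type: kubernetes.io/tls` on the Secret so its purpose is explicit to tooling and reviewers, provided the cert-manager CA issuer accepts that type (I believe it only reads `tls.crt`/`tls.key` — confirm).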
diff --git a/hack/helm_vars/wire-server/values.yaml.gotmpl b/hack/helm_vars/wire-server/values.yaml.gotmpl index 9030d83b678..614b83441be 100644 --- a/hack/helm_vars/wire-server/values.yaml.gotmpl +++ b/hack/helm_vars/wire-server/values.yaml.gotmpl @@ -27,8 +27,12 @@ cassandra-migrations: elasticsearch-index: imagePullPolicy: {{ .Values.imagePullPolicy }} elasticsearch: + scheme: https host: elasticsearch-ephemeral index: directory_test + tlsCaSecretRef: + name: "elasticsearch-ephemeral-certificate" + key: "ca.crt" cassandra: host: {{ .Values.cassandraHost }} {{- if .Values.useK8ssandraSSL.enabled }} @@ -62,8 +66,15 @@ brig: key: "ca.crt" {{- end }} elasticsearch: + scheme: https host: elasticsearch-ephemeral index: directory_test + tlsCaSecretRef: + name: "elasticsearch-ephemeral-certificate" + key: "ca.crt" + additionalTlsCaSecretRef: + name: "elasticsearch-ephemeral-certificate" + key: "ca.crt" authSettings: userTokenTimeout: 120 sessionTokenTimeout: 20 @@ -475,6 +486,10 @@ integration: name: cassandra-jks-keystore key: ca.crt {{- end }} + elasticsearch: + tlsCaSecretRef: + name: "elasticsearch-ephemeral-certificate" + key: "ca.crt" {{- if .Values.uploadXml }} uploadXml: baseUrl: {{ .Values.uploadXml.baseUrl }} diff --git a/hack/helmfile.yaml b/hack/helmfile.yaml index 0d34c252954..c8a9824ec8b 100644 --- a/hack/helmfile.yaml +++ b/hack/helmfile.yaml @@ -55,6 +55,9 @@ repositories: - name: ingress url: 'https://kubernetes.github.io/ingress-nginx' + - name: bedag + url: 'https://bedag.github.io/helm-charts/' + releases: - name: 'fake-aws' namespace: '{{ .Values.namespace1 }}' @@ -68,6 +71,12 @@ releases: values: - './helm_vars/fake-aws/values.yaml' + - name: 'elasticsearch-certs' + namespace: '{{ .Values.namespace1 }}' + chart: bedag/raw + values: + - './helm_vars/elasticsearch-certs/es-cert-issuer.yaml.gotmpl' + - name: 'databases-ephemeral' namespace: '{{ .Values.namespace1 }}' chart: '../.local/charts/databases-ephemeral' 
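Review bot: The new `elasticsearch-certs` release pulls `bedag/raw` from a third-party chart repository with no `version:` pin, so every integration run resolves whatever the repo index currently serves; a changed or compromised upstream chart would then execute in the test cluster with the CA private key in its values. Add `version: <the chart version you tested with>` under `chart: bedag/raw` for both namespaces, and consider vendoring the small raw chart under `.local/charts` like the other local charts referenced here so the supply chain stays inside the repo.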
@@ -76,6 +85,14 @@ releases: redis-ephemeral: usePassword: true password: very-secure-redis-master-password + elasticsearch-ephemeral: + tls: + enabled: true + issuerRef: + name: elasticsearch + kind: Issuer + needs: + - elasticsearch-certs # Required for testing redis migration - name: 'redis-ephemeral-2' @@ -87,6 +104,12 @@ releases: usePassword: true password: very-secure-redis-master-password-2 + - name: 'elasticsearch-certs' + namespace: '{{ .Values.namespace2 }}' + chart: bedag/raw + values: + - './helm_vars/elasticsearch-certs/es-cert-issuer.yaml.gotmpl' + - name: 'databases-ephemeral' namespace: '{{ .Values.namespace2 }}' chart: '../.local/charts/databases-ephemeral' @@ -95,6 +118,14 @@ releases: redis-ephemeral: usePassword: true password: very-secure-redis-master-password + elasticsearch-ephemeral: + tls: + enabled: true + issuerRef: + name: elasticsearch + kind: Issuer + needs: + - elasticsearch-certs - name: k8ssandra-test-cluster chart: '../.local/charts/k8ssandra-test-cluster' diff --git a/services/brig/brig.integration.yaml b/services/brig/brig.integration.yaml index 451e753ccac..38f0208b31c 100644 --- a/services/brig/brig.integration.yaml +++ b/services/brig/brig.integration.yaml @@ -10,10 +10,14 @@ cassandra: # filterNodesByDatacentre: datacenter1 elasticsearch: - url: http://127.0.0.1:9200 + url: https://localhost:9200 index: directory_test credentials: test/resources/elasticsearch-credentials.yaml + caCert: test/resources/elasticsearch-ca.pem + insecureSkipVerifyTls: false additionalCredentials: test/resources/elasticsearch-credentials.yaml + additionalCaCert: test/resources/elasticsearch-ca.pem + additionalInsecureSkipVerifyTls: false rabbitmq: host: 127.0.0.1 diff --git a/services/brig/src/Brig/App.hs b/services/brig/src/Brig/App.hs index 195f69f2d12..4a25928751a 100644 --- a/services/brig/src/Brig/App.hs +++ b/services/brig/src/Brig/App.hs 
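Review bot: The switch from `http://127.0.0.1:9200` to `https://localhost:9200` in brig.integration.yaml is load-bearing and deserves a comment: the test certificate generated by hack/bin/selfsigned.sh is issued with `-hostname=localhost`, so its SAN covers only the DNS name and a client connecting to `127.0.0.1` would fail hostname verification (assuming the brig manager checks hostnames — see initHttpManagerWithTLSConfig). Add above `url:` something like `# must be the DNS name, not 127.0.0.1: the test cert's SAN (hack/bin/selfsigned.sh) only covers "localhost"`. Keep `insecureSkipVerifyTls: false` and `additionalInsecureSkipVerifyTls: false` spelled out as they are here, so the integration config never silently inherits a permissive default.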
@@ -67,6 +67,7 @@ module Brig.App fsWatcher, disabledVersions, enableSFTFederation, + mkIndexEnv, -- * App Monad AppT (..), @@ -74,9 +75,7 @@ module Brig.App qualifyLocal, qualifyLocal', - -- * Crutches that should be removed once Brig has been completely - - -- * transitioned to Polysemy + -- * Crutches that should be removed once Brig has been completely transitioned to Polysemy wrapClient, wrapClientE, wrapClientM, @@ -88,6 +87,7 @@ module Brig.App liftSem, lowerAppT, temporaryGetEnv, + initHttpManagerWithTLSConfig, ) where @@ -97,7 +97,7 @@ import Bilge.IO import Bilge.RPC (HasRequestId (..)) import Brig.AWS qualified as AWS import Brig.Calling qualified as Calling -import Brig.Options (Opts, Settings (..)) +import Brig.Options (ElasticSearchOpts, Opts, Settings (..)) import Brig.Options qualified as Opt import Brig.Provider.Template import Brig.Queue.Stomp qualified as Stomp @@ -261,9 +261,7 @@ newEnv o = do kpLock <- newMVar () rabbitChan <- traverse (Q.mkRabbitMqChannelMVar lgr) o.rabbitmq let allDisabledVersions = foldMap expandVersionExp (Opt.setDisabledAPIVersions sett) - mEsCreds <- for (Opt.credentials (Opt.elasticsearch o)) initCredentials - mEsAddCreds <- for (Opt.additionalCredentials (Opt.elasticsearch o)) initCredentials - + idxEnv <- mkIndexEnv o.elasticsearch lgr mtr (Opt.galley o) mgr pure $! Env { _cargohold = mkEndpoint $ Opt.cargohold o, @@ -298,7 +296,7 @@ newEnv o = do _zauthEnv = zau, _digestMD5 = md5, _digestSHA256 = sha256, - _indexEnv = mkIndexEnv o lgr mgr mtr mEsCreds mEsAddCreds (Opt.galley o), + _indexEnv = idxEnv, _randomPrekeyLocalLock = prekeyLocalLock, _keyPackageLocalLock = kpLock, _rabbitmqChannel = rabbitChan, 
@@ -318,16 +316,33 @@ newEnv o = do pure (Nothing, Just smtp) mkEndpoint service = RPC.host (encodeUtf8 (service ^. host)) . RPC.port (service ^. port) $ RPC.empty -mkIndexEnv :: Opts -> Logger -> Manager -> Metrics -> Maybe Credentials -> Maybe Credentials -> Endpoint -> IndexEnv -mkIndexEnv o lgr mgr mtr mCreds mAddCreds galleyEp = - let mkBhe url mcs = - let bhe = ES.mkBHEnv (ES.Server url) mgr - in maybe bhe (\creds -> bhe {ES.bhRequestHook = ES.basicAuthHook (ES.EsUsername creds.username) (ES.EsPassword creds.password)}) mcs - lgr' = Log.clone (Just "index.brig") lgr - mainIndex = ES.IndexName $ Opt.index (Opt.elasticsearch o) - additionalIndex = ES.IndexName <$> Opt.additionalWriteIndex (Opt.elasticsearch o) - additionalBhe = flip mkBhe mAddCreds <$> Opt.additionalWriteIndexUrl (Opt.elasticsearch o) - in IndexEnv mtr lgr' (mkBhe (Opt.url (Opt.elasticsearch o)) mCreds) Nothing mainIndex additionalIndex additionalBhe galleyEp mgr mCreds +mkIndexEnv :: ElasticSearchOpts -> Logger -> Metrics -> Endpoint -> Manager -> IO IndexEnv +mkIndexEnv esOpts logger metricsStorage galleyEp rpcHttpManager = do + mEsCreds :: Maybe Credentials <- for esOpts.credentials initCredentials + mEsAddCreds :: Maybe Credentials <- for esOpts.additionalCredentials initCredentials + + let mkBhEnv skipVerifyTls mCustomCa mCreds url = do + mgr <- initHttpManagerWithTLSConfig skipVerifyTls mCustomCa + let bhe = ES.mkBHEnv url mgr + pure $ maybe bhe (\creds -> bhe {ES.bhRequestHook = ES.basicAuthHook (ES.EsUsername creds.username) (ES.EsPassword creds.password)}) mCreds + esLogger = Log.clone (Just "index.brig") logger + bhEnv <- mkBhEnv esOpts.insecureSkipVerifyTls esOpts.caCert mEsCreds esOpts.url + additionalBhEnv <- + for esOpts.additionalWriteIndexUrl $ + mkBhEnv esOpts.additionalInsecureSkipVerifyTls esOpts.additionalCaCert mEsAddCreds + pure $ + IndexEnv + { idxMetrics = metricsStorage, + idxLogger = esLogger, + idxElastic = bhEnv, + idxRequest = Nothing, + idxName = esOpts.index, + 
idxAdditionalName = esOpts.additionalWriteIndex, + idxAdditionalElastic = additionalBhEnv, + idxGalley = galleyEp, + idxRpcHttpManager = rpcHttpManager, + idxCredentials = mEsCreds + } initZAuth :: Opts -> IO ZAuth.Env initZAuth o = do @@ -343,14 +358,25 @@ initZAuth o = do initHttpManager :: IO Manager initHttpManager = do + initHttpManagerWithTLSConfig False Nothing + +initHttpManagerWithTLSConfig :: Bool -> Maybe FilePath -> IO Manager +initHttpManagerWithTLSConfig skipTlsVerify mCustomCa = do -- See Note [SSL context] ctx <- SSL.context SSL.contextAddOption ctx SSL_OP_NO_SSLv2 SSL.contextAddOption ctx SSL_OP_NO_SSLv3 SSL.contextSetCiphers ctx "HIGH" - SSL.contextSetVerificationMode ctx $ - SSL.VerifyPeer True True Nothing - SSL.contextSetDefaultVerifyPaths ctx + if skipTlsVerify + then SSL.contextSetVerificationMode ctx SSL.VerifyNone + else + SSL.contextSetVerificationMode ctx $ + SSL.VerifyPeer True True Nothing + case mCustomCa of + Nothing -> SSL.contextSetDefaultVerifyPaths ctx + Just customCa -> do + filePath <- canonicalizePath customCa + SSL.contextSetCAFile ctx filePath -- Unfortunately, there are quite some AWS services we talk to -- (e.g. SES, Dynamo) that still only support TLSv1. -- Ideally: SSL.contextAddOption ctx SSL_OP_NO_TLSv1 diff --git a/services/brig/src/Brig/Index/Eval.hs b/services/brig/src/Brig/Index/Eval.hs index 4d8f163dfdb..05c5e688882 100644 --- a/services/brig/src/Brig/Index/Eval.hs +++ b/services/brig/src/Brig/Index/Eval.hs @@ -22,10 +22,13 @@ module Brig.Index.Eval ) where +import Brig.App (initHttpManagerWithTLSConfig, mkIndexEnv) import Brig.Index.Migrations import Brig.Index.Options +import Brig.Options import Brig.User.Search.Index import Cassandra qualified as C +import Cassandra.Options import Cassandra.Util (defInitCassandra) import Control.Lens import Control.Monad.Catch 
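Review bot: When `esOpts.insecureSkipVerifyTls` or `esOpts.additionalInsecureSkipVerifyTls` is set, `mkBhEnv` builds a manager that accepts any certificate and nothing is logged, so a production deployment that inherited the flag from a test values file would run with verification off and nobody would notice. Emit a warning at startup, e.g. just before `bhEnv <- …`: `when (esOpts.insecureSkipVerifyTls || esOpts.additionalInsecureSkipVerifyTls) $ Log.warn esLogger (Log.msg ("Elasticsearch TLS certificate verification is DISABLED (insecureSkipVerifyTls)" :: ByteString))` (tinylog's `Log.warn`, assuming it is reachable through the qualified `Log` import). A short haddock on `mkIndexEnv` would also help, saying that it builds one dedicated TLS-configured manager per Elasticsearch endpoint and that `rpcHttpManager` is only stored as `idxRpcHttpManager` for galley RPC.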
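Review bot: When `mCustomCa` is `Just`, the context only gets `contextSetCAFile`, so the system trust store is no longer consulted for that manager — right for pinning the Elasticsearch CA, but a silent difference from the old `initHttpManager` path that the function's documentation should state. Suggested haddock: `-- | Build an OpenSSL-backed 'Manager'.` followed by a sentence that `skipTlsVerify = True` selects `VerifyNone` (no chain or peer checks at all; test use only) and that a custom CA *replaces* the default verify paths rather than extending them. In the `VerifyNone` branch the CA file is still loaded, which is harmless but worth a one-line comment so nobody "fixes" it later. What I cannot see here is whether hostname verification against the SAN happens in the manager settings below this hunk; with a CA-file pin, chain validation alone accepts any certificate that CA issued for any name, so confirm the existing Note [SSL context] covers it. The body of initHttpManagerWithTLSConfig continues past the end of the hunk.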
@@ -37,7 +40,6 @@ import Data.Credentials (Credentials (..)) import Data.Metrics qualified as Metrics import Database.Bloodhound qualified as ES import Imports -import Network.HTTP.Client as HTTP import System.Logger qualified as Log import System.Logger.Class (Logger, MonadLogger (..)) import Util.Options (initCredentials) 
@@ -45,36 +47,33 @@ import Util.Options (initCredentials) runCommand :: Logger -> Command -> IO () runCommand l = \case Create es galley -> do - mCreds <- for (es ^. esCredentials) initCredentials - e <- initIndex es mCreds galley + e <- initIndex (es ^. esConnection) galley runIndexIO e $ createIndexIfNotPresent (mkCreateIndexSettings es) Reset es galley -> do - mCreds <- for (es ^. esCredentials) initCredentials - e <- initIndex es mCreds galley + e <- initIndex (es ^. esConnection) galley runIndexIO e $ resetIndex (mkCreateIndexSettings es) Reindex es cas galley -> do - mCreds <- for (es ^. esCredentials) initCredentials - e <- initIndex es mCreds galley + e <- initIndex (es ^. esConnection) galley c <- initDb cas runReindexIO e c reindexAll ReindexSameOrNewer es cas galley -> do - mCreds <- for (es ^. esCredentials) initCredentials - e <- initIndex es mCreds galley + e <- initIndex (es ^. esConnection) galley c <- initDb cas runReindexIO e c reindexAllIfSameOrNewer - UpdateMapping esURI indexName mSecretPath galley -> do - mCreds <- for mSecretPath initCredentials - e <- initIndex' esURI indexName mCreds galley + UpdateMapping esConn galley -> do + e <- initIndex esConn galley runIndexIO e updateMapping Migrate es cas galley -> do - mCreds <- for (es ^. esCredentials) initCredentials - migrate l mCreds es cas galley + migrate l es cas galley ReindexFromAnotherIndex reindexSettings -> do - mgr <- newManager defaultManagerSettings - mCreds <- for (view reindexCredentials reindexSettings) initCredentials - let bhEnv = initES (view reindexEsServer reindexSettings) mgr mCreds + mgr <- + initHttpManagerWithTLSConfig + (reindexSettings ^. reindexEsConnection . to esInsecureSkipVerifyTls) + (reindexSettings ^. reindexEsConnection . to esCaCert) + mCreds <- for (reindexSettings ^. reindexEsConnection . to esCredentials) initCredentials + let bhEnv = initES (reindexSettings ^. reindexEsConnection . 
to esServer) mgr mCreds ES.runBH bhEnv $ do - let src = view reindexSrcIndex reindexSettings + let src = reindexSettings ^. reindexEsConnection . to esIndex dest = view reindexDestIndex reindexSettings timeoutSeconds = view reindexTimeoutSeconds reindexSettings @@ -95,22 +94,25 @@ runCommand l = \case waitForTaskToComplete @ES.ReindexResponse timeoutSeconds taskNodeId Log.info l $ Log.msg ("Finished reindexing" :: ByteString) where - initIndex es mCreds gly = - initIndex' (es ^. esServer) (es ^. esIndex) mCreds gly - - initIndex' esURI indexName mCreds galleyEndpoint = do - mgr <- newManager defaultManagerSettings - IndexEnv - <$> Metrics.metrics - <*> pure l - <*> pure (initES esURI mgr mCreds) - <*> pure Nothing - <*> pure indexName - <*> pure Nothing - <*> pure Nothing - <*> pure galleyEndpoint - <*> pure mgr - <*> pure mCreds + initIndex :: ESConnectionSettings -> Endpoint -> IO IndexEnv + initIndex esConn gly = do + mgr <- initHttpManagerWithTLSConfig esConn.esInsecureSkipVerifyTls esConn.esCaCert + let esOpts = + ElasticSearchOpts + { url = toESServer esConn.esServer, + index = esConn.esIndex, + credentials = esConn.esCredentials, + insecureSkipVerifyTls = esConn.esInsecureSkipVerifyTls, + caCert = esConn.esCaCert, + additionalWriteIndex = Nothing, + additionalWriteIndexUrl = Nothing, + additionalCredentials = Nothing, + additionalInsecureSkipVerifyTls = False, + additionalCaCert = Nothing + } + + metricsStorage <- Metrics.metrics + mkIndexEnv esOpts l metricsStorage gly mgr initES esURI mgr mCreds = let env = ES.mkBHEnv (toESServer esURI) mgr diff --git a/services/brig/src/Brig/Index/Migrations.hs b/services/brig/src/Brig/Index/Migrations.hs index 0a8aacb1b60..f743f62c157 100644 --- a/services/brig/src/Brig/Index/Migrations.hs +++ b/services/brig/src/Brig/Index/Migrations.hs 
@@ -20,11 +20,12 @@ module Brig.Index.Migrations ) where +import Brig.App (initHttpManagerWithTLSConfig) import Brig.Index.Migrations.Types import Brig.Index.Options qualified as Opts import Brig.User.Search.Index qualified as Search import Cassandra.Util (defInitCassandra) -import Control.Lens (view, (^.)) +import Control.Lens (to, view, (^.)) import Control.Monad.Catch (MonadThrow, catchAll, finally, throwM) import Data.Aeson (Value, object, (.=)) import Data.Credentials (Credentials (..)) @@ -38,15 +39,15 @@ import System.Logger.Class qualified as Log import System.Logger.Extended (runWithLogger) import Util.Options qualified as Options -migrate :: Logger -> Maybe Credentials -> Opts.ElasticSettings -> Opts.CassandraSettings -> Options.Endpoint -> IO () -migrate l mCreds es cas galleyEndpoint = do - env <- mkEnv l mCreds es cas galleyEndpoint +migrate :: Logger -> Opts.ElasticSettings -> Opts.CassandraSettings -> Options.Endpoint -> IO () +migrate l es cas galleyEndpoint = do + env <- mkEnv l es cas galleyEndpoint finally (go env `catchAll` logAndThrowAgain) (cleanup env) where go :: Env -> IO () go env = runMigrationAction env $ do - failIfIndexAbsent (es ^. Opts.esIndex) + failIfIndexAbsent (es ^. Opts.esConnection . to Opts.esIndex) createMigrationsIndexIfNotPresent runMigration expectedMigrationVersion 
@@ -75,18 +76,21 @@ indexMapping = ["migration_version" .= object ["index" .= True, "type" .= ("integer" :: Text)]] ] -mkEnv :: Logger -> Maybe Credentials -> Opts.ElasticSettings -> Opts.CassandraSettings -> Options.Endpoint -> IO Env -mkEnv l mCreds es cas galleyEndpoint = do - mgr <- HTTP.newManager HTTP.defaultManagerSettings - let env = ES.mkBHEnv (Opts.toESServer (es ^. Opts.esServer)) mgr +mkEnv :: Logger -> Opts.ElasticSettings -> Opts.CassandraSettings -> Options.Endpoint -> IO Env +mkEnv l es cas galleyEndpoint = do + env <- do + esMgr <- initHttpManagerWithTLSConfig (es ^. Opts.esConnection . to Opts.esInsecureSkipVerifyTls) (es ^. Opts.esConnection . to Opts.esCaCert) + pure $ ES.mkBHEnv (Opts.toESServer (es ^. Opts.esConnection . to Opts.esServer)) esMgr + mCreds <- for (es ^. Opts.esConnection . to Opts.esCredentials) Options.initCredentials let envWithAuth = maybe env (\(creds :: Credentials) -> env {ES.bhRequestHook = ES.basicAuthHook (ES.EsUsername creds.username) (ES.EsPassword creds.password)}) mCreds + rpcMgr <- HTTP.newManager HTTP.defaultManagerSettings Env envWithAuth <$> initCassandra <*> initLogger <*> Metrics.metrics - <*> pure (view Opts.esIndex es) + <*> pure (view (Opts.esConnection . to Opts.esIndex) es) <*> pure mCreds - <*> pure mgr + <*> pure rpcMgr <*> pure galleyEndpoint where initCassandra = defInitCassandra (Opts.toCassandraOpts cas) l diff --git a/services/brig/src/Brig/Index/Options.hs b/services/brig/src/Brig/Index/Options.hs index c40dbb571a5..c0fe469f0ff 100644 --- a/services/brig/src/Brig/Index/Options.hs +++ b/services/brig/src/Brig/Index/Options.hs @@ -22,13 +22,12 @@ module Brig.Index.Options ( Command (..), ElasticSettings, - esServer, - esIndex, + ESConnectionSettings (..), + esConnection, esIndexShardCount, esIndexReplicas, esIndexRefreshInterval, esDeleteTemplate, - esCredentials, CassandraSettings, toCassandraOpts, cHost, 
@@ -42,10 +41,8 @@ module Brig.Index.Options toESServer, ReindexFromAnotherIndexSettings, reindexDestIndex, - reindexSrcIndex, - reindexEsServer, reindexTimeoutSeconds, - reindexCredentials, + reindexEsConnection, ) where @@ -69,19 +66,26 @@ data Command | Reindex ElasticSettings CassandraSettings Endpoint | ReindexSameOrNewer ElasticSettings CassandraSettings Endpoint | -- | 'ElasticSettings' has shards and other settings that are not needed here. - UpdateMapping (URIRef Absolute) ES.IndexName (Maybe FilePathSecrets) Endpoint + UpdateMapping ESConnectionSettings Endpoint | Migrate ElasticSettings CassandraSettings Endpoint | ReindexFromAnotherIndex ReindexFromAnotherIndexSettings deriving (Show) +data ESConnectionSettings = ESConnectionSettings + { esServer :: URIRef Absolute, + esIndex :: ES.IndexName, + esCaCert :: Maybe FilePath, + esInsecureSkipVerifyTls :: Bool, + esCredentials :: Maybe FilePathSecrets + } + deriving (Show) + data ElasticSettings = ElasticSettings - { _esServer :: URIRef Absolute, - _esIndex :: ES.IndexName, + { _esConnection :: ESConnectionSettings, _esIndexShardCount :: Int, _esIndexReplicas :: ES.ReplicaCount, _esIndexRefreshInterval :: NominalDiffTime, - _esDeleteTemplate :: Maybe ES.TemplateName, - _esCredentials :: Maybe FilePathSecrets + _esDeleteTemplate :: Maybe ES.TemplateName } deriving (Show) @@ -94,11 +98,9 @@ data CassandraSettings = CassandraSettings deriving (Show) data ReindexFromAnotherIndexSettings = ReindexFromAnotherIndexSettings - { _reindexEsServer :: URIRef Absolute, - _reindexSrcIndex :: ES.IndexName, + { _reindexEsConnection :: ESConnectionSettings, _reindexDestIndex :: ES.IndexName, - _reindexTimeoutSeconds :: Int, - _reindexCredentials :: Maybe FilePathSecrets + _reindexTimeoutSeconds :: Int } deriving (Show) 
@@ -129,13 +131,18 @@ mkCreateIndexSettings es = localElasticSettings :: ElasticSettings localElasticSettings = ElasticSettings - { _esServer = [uri|http://localhost:9200|], - _esIndex = ES.IndexName "directory_test", + { _esConnection = + ESConnectionSettings + { esServer = [uri|https://localhost:9200|], + esIndex = ES.IndexName "directory_test", + esCaCert = Just "test/resources/elasticsearch-ca.pem", + esInsecureSkipVerifyTls = False, + esCredentials = Just "test/resources/elasticsearch-credentials.yaml" + }, _esIndexShardCount = 1, _esIndexReplicas = ES.ReplicaCount 1, _esIndexRefreshInterval = 1, - _esDeleteTemplate = Nothing, - _esCredentials = Nothing + _esDeleteTemplate = Nothing } localCassandraSettings :: CassandraSettings @@ -154,7 +161,7 @@ elasticServerParser = ( long "elasticsearch-server" <> metavar "URL" <> help "Base URL of the Elasticsearch Server." - <> value (view esServer localElasticSettings) + <> value localElasticSettings._esConnection.esServer <> showDefaultWith (view unpackedChars . serializeURIRef') ) where @@ -174,11 +181,19 @@ restrictedElasticSettingsParser = do <> showDefault ) mCreds <- credentialsPathParser + mCaCert <- caCertParser + verifyCa <- verifyCaParser pure $ localElasticSettings - & esServer .~ server - & esIndex .~ ES.IndexName (prefix <> "_test") - & esCredentials .~ mCreds + { _esConnection = + localElasticSettings._esConnection + { esServer = server, + esIndex = ES.IndexName (prefix <> "_test"), + esCredentials = mCreds, + esCaCert = mCaCert, + esInsecureSkipVerifyTls = verifyCa + } + } indexNameParser :: Parser ES.IndexName indexNameParser = 
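Review bot: In restrictedElasticSettingsParser the binding `verifyCa <- verifyCaParser` is stored as `esInsecureSkipVerifyTls = verifyCa`, so a variable named `verifyCa` is `True` exactly when verification is skipped; the inverted name is the kind of thing a later "fix" turns into a real bug. Name the binding after the field it fills: `skipTlsVerify <- verifyCaParser` and `esInsecureSkipVerifyTls = skipTlsVerify`. Separately, localElasticSettings now defaults to `https://localhost:9200` with a relative `esCaCert = Just "test/resources/elasticsearch-ca.pem"`, which only resolves when brig-index is run from the brig service directory; the help text for the CA option could say so, since the previous `http://` default needed no file.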
@@ -187,20 +202,47 @@ indexNameParser = ( long "elasticsearch-index" <> metavar "STRING" <> help "Elasticsearch Index Name." - <> value (view (esIndex . _IndexName . unpacked) localElasticSettings) + <> value (view (_IndexName . unpacked) localElasticSettings._esConnection.esIndex) <> showDefault ) +connectionSettingsParser :: Parser ESConnectionSettings +connectionSettingsParser = + ESConnectionSettings + <$> elasticServerParser + <*> indexNameParser + <*> caCertParser + <*> verifyCaParser + <*> credentialsPathParser + +caCertParser :: Parser (Maybe FilePath) +caCertParser = + optional + ( option + str + ( long "elasticsearch-ca-cert" + <> metavar "FILE" + <> help "Path to CA Certitificate for TLS validation, system CA bundle is used when unspecified" + ) + ) + +verifyCaParser :: Parser Bool +verifyCaParser = + flag + False -- the default is False + True + ( long "elasticsearch-insecure-skip-tls-verify" + <> help "Skip TLS verification when connecting to Elasticsearch (not recommended)" + ) + elasticSettingsParser :: Parser ElasticSettings elasticSettingsParser = ElasticSettings - <$> elasticServerParser - <*> indexNameParser + <$> connectionSettingsParser <*> indexShardCountParser <*> indexReplicaCountParser <*> indexRefreshIntervalParser <*> templateParser - <*> credentialsPathParser where indexShardCountParser = option @@ -280,7 +322,8 @@ cassandraSettingsParser = ) ) <*> ( (optional . strOption) - ( long "tls-ca-certificate-file" + ( long "cassandra-ca-cert" + <> metavar "FILE" <> help "Location of a PEM encoded list of CA certificates to be used when verifying the Cassandra server's certificate" ) ) 
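Review bot: verifyCaParser returns `True` for `--elasticsearch-insecure-skip-tls-verify`, i.e. the opposite of what its name says, and the inline `-- the default is False` restates the code rather than the intent; renaming it `insecureSkipTlsVerifyParser` with a doc comment like `-- | Off by default; when set, certificate verification is disabled entirely (dev/test only).` removes the ambiguity at every call site (connectionSettingsParser, restrictedElasticSettingsParser). The caCertParser help string also has a typo, `Certitificate` → `Certificate`, and could state the behaviour that matters to operators: `"Path to PEM CA certificate used to verify the Elasticsearch server; replaces the system CA bundle when given"`.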
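Review bot: Renaming the Cassandra option from `--tls-ca-certificate-file` to `--cassandra-ca-cert` without an alias breaks every existing invocation of brig-index (scripts, charts, runbooks) that passed the old flag, and the failure is a parse error at startup rather than a warning. optparse-applicative accepts several `long` modifiers on one option, so the old spelling can be kept as a hidden alias: `long "cassandra-ca-cert" <> long "tls-ca-certificate-file" -- deprecated alias, remove after one release`. The cassandraSettingsParser definition starts and ends outside this hunk.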
@@ -288,14 +331,7 @@ cassandraSettingsParser = reindexToAnotherIndexSettingsParser :: Parser ReindexFromAnotherIndexSettings reindexToAnotherIndexSettingsParser = ReindexFromAnotherIndexSettings - <$> elasticServerParser - <*> ( ES.IndexName . view packed - <$> strOption - ( long "source-index" - <> metavar "STRING" - <> help "Elasticsearch index name to reindex from" - ) - ) + <$> connectionSettingsParser <*> ( ES.IndexName . view packed <$> strOption ( long "destination-index" @@ -311,7 +347,6 @@ reindexToAnotherIndexSettingsParser = <> value 600 <> showDefault ) - <*> credentialsPathParser galleyEndpointParser :: Parser Endpoint galleyEndpointParser = @@ -344,7 +379,7 @@ commandParser = <> command "update-mapping" ( info - (UpdateMapping <$> elasticServerParser <*> indexNameParser <*> credentialsPathParser <*> galleyEndpointParser) + (UpdateMapping <$> connectionSettingsParser <*> galleyEndpointParser) (progDesc "Update mapping of the user index.") ) <> command diff --git a/services/brig/src/Brig/Options.hs b/services/brig/src/Brig/Options.hs index dca9d2b3a18..c27fd4cd821 100644 --- a/services/brig/src/Brig/Options.hs +++ b/services/brig/src/Brig/Options.hs @@ -49,6 +49,7 @@ import Data.Text.Encoding qualified as Text import Data.Time.Clock (DiffTime, NominalDiffTime, secondsToDiffTime) import Data.Yaml (FromJSON (..), ToJSON (..), (.:), (.:?)) import Data.Yaml qualified as Y +import Database.Bloodhound.Types qualified as ES import Galley.Types.Teams (unImplicitLockStatus) import Imports import Network.AMQP.Extended @@ -74,9 +75,9 @@ instance Read Timeout where data ElasticSearchOpts = ElasticSearchOpts { -- | ElasticSearch URL - url :: !Text, + url :: !ES.Server, -- | The name of the ElasticSearch user index - index :: !Text, + index :: !ES.IndexName, -- | An additional index to write user data, useful while migrating to a new -- index. -- There is a bug hidden when using this option. Sometimes a user won't get 
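Review bot: Replacing the mandatory `--source-index` option with connectionSettingsParser makes the reindex source `--elasticsearch-index`, which (per indexNameParser) carries a default of `directory_test` and `showDefault`; an operator who omits the flag no longer gets a parse error but silently reindexes from the default index into `--destination-index`. For a command that copies user data between indices that is a surprising default, so either keep an explicit required source option in reindexToAnotherIndexSettingsParser or at least make the semantics visible in the command's `progDesc`, e.g. `"Reindex from --elasticsearch-index (source, defaults to directory_test) into --destination-index"`. The `--timeout` option and the `progDesc` for this command are outside the hunk.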
@@ -85,16 +86,20 @@ data ElasticSearchOpts = ElasticSearchOpts -- tools/db/find-undead which can be used to find the undead users right -- after the migration, if they exist, we can run the reindexing to get data -- in elasticsearch in a consistent state. - additionalWriteIndex :: !(Maybe Text), + additionalWriteIndex :: !(Maybe ES.IndexName), -- | An additional ES URL to write user data, useful while migrating to a - -- new instace of ES. It is necessary to provide 'additionalWriteIndex' for + -- new instance of ES. It is necessary to provide 'additionalWriteIndex' for -- this to be used. If this is 'Nothing' and 'additionalWriteIndex' is -- configured, the 'url' field will be used. - additionalWriteIndexUrl :: !(Maybe Text), + additionalWriteIndexUrl :: !(Maybe ES.Server), -- | Elasticsearch credentials credentials :: !(Maybe FilePathSecrets), -- | Credentials for additional ES index (maily used for migrations) - additionalCredentials :: !(Maybe FilePathSecrets) + additionalCredentials :: !(Maybe FilePathSecrets), + insecureSkipVerifyTls :: Bool, + caCert :: Maybe FilePath, + additionalInsecureSkipVerifyTls :: Bool, + additionalCaCert :: Maybe FilePath } deriving (Show, Generic) @@ -933,8 +938,12 @@ Lens.makeLensesFor Lens.makeLensesFor [ ("url", "urlL"), ("index", "indexL"), + ("caCert", "caCertL"), + ("insecureSkipVerifyTls", "insecureSkipVerifyTlsL"), ("additionalWriteIndex", "additionalWriteIndexL"), - ("additionalWriteIndexUrl", "additionalWriteIndexUrlL") + ("additionalWriteIndexUrl", "additionalWriteIndexUrlL"), + ("additionalCaCert", "additionalCaCertL"), + ("additionalInsecureSkipVerifyTls", "additionalInsecureSkipVerifyTlsL") ] ''ElasticSearchOpts diff --git a/services/brig/src/Brig/User/Search/Index.hs b/services/brig/src/Brig/User/Search/Index.hs index fb0ba23c78a..9df5255ce84 100644 --- a/services/brig/src/Brig/User/Search/Index.hs +++ b/services/brig/src/Brig/User/Search/Index.hs 
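Review bot: `insecureSkipVerifyTls :: Bool` and `additionalInsecureSkipVerifyTls :: Bool` are added as plain `Bool` fields with no documentation and no default; the record derives `Generic`, and if its `FromJSON` instance is generically derived (the instance is not in the hunk) every existing brig config that omits these keys stops parsing on upgrade. If that is the case, either make them `Maybe Bool` and treat `Nothing` as `False`, or give the instance explicit `.:? "insecureSkipVerifyTls" .!= False` defaults. Each new field also deserves the same kind of comment the neighbouring fields have, e.g. `-- | Disable certificate verification for the Elasticsearch connection. Insecure; intended for local/test setups only.` and `-- | PEM CA certificate used to verify the ES server certificate; when set it replaces the system CA bundle (see initHttpManagerWithTLSConfig).`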
@@ -114,7 +114,8 @@ data IndexEnv = IndexEnv idxAdditionalName :: Maybe ES.IndexName, idxAdditionalElastic :: Maybe ES.BHEnv, idxGalley :: Endpoint, - idxHttpManager :: Manager, + -- | Used to make RPC calls to other wire-server services + idxRpcHttpManager :: Manager, -- credentials for reindexing have to be passed via the env because bulk API requests are not supported by bloodhound idxCredentials :: Maybe Credentials } @@ -154,7 +155,7 @@ instance ES.MonadBH IndexIO where instance MonadHttp IndexIO where handleRequestWithCont req handler = do - manager <- asks idxHttpManager + manager <- asks idxRpcHttpManager liftIO $ withResponse req manager handler withDefaultESUrl :: (MonadIndexIO m) => ES.BH m a -> m a diff --git a/services/brig/test/integration/API/Search.hs b/services/brig/test/integration/API/Search.hs index 43216781b57..6ffe569c113 100644 --- a/services/brig/test/integration/API/Search.hs +++ b/services/brig/test/integration/API/Search.hs @@ -3,6 +3,7 @@ {-# LANGUAGE QuasiQuotes #-} {-# OPTIONS_GHC -Wno-incomplete-uni-patterns #-} {-# OPTIONS_GHC -Wno-partial-type-signatures #-} +{-# OPTIONS_GHC -Wno-redundant-constraints #-} -- This file is part of the Wire Server implementation. -- @@ -31,6 +32,7 @@ import API.Team.Util import API.User.Util import Bilge import Bilge.Assert +import Brig.App (initHttpManagerWithTLSConfig) import Brig.Options qualified as Opt import Brig.Options qualified as Opts import Control.Lens ((.~), (?~), (^.)) @@ -49,7 +51,6 @@ import Data.Text.Encoding qualified as Text import Database.Bloodhound qualified as ES import Federation.Util import Imports -import Network.HTTP.Client qualified as HTTP import Network.HTTP.ReverseProxy (waiProxyTo) import Network.HTTP.ReverseProxy qualified as Wai import Network.HTTP.Types qualified as HTTP 
@@ -89,7 +90,7 @@ tests opts mgr galley brig = do testWithBothIndices opts mgr "Non ascii names" $ testSearchNonAsciiNames brig, testWithBothIndices opts mgr "user with umlaut" $ testSearchWithUmlaut brig, testWithBothIndices opts mgr "user with japanese name" $ testSearchCJK brig, - test mgr "migration to new index" $ testMigrationToNewIndex mgr opts brig, + test mgr "migration to new index" $ testMigrationToNewIndex opts brig, testGroup "team A: SearchVisibilityStandard (= unrestricted outbound search)" $ [ testGroup "team A: SearchableByOwnTeam (= restricted inbound search)" $ [ testWithBothIndices opts mgr " I. non-team user cannot find team A member by display name" $ testSearchTeamMemberAsNonMemberDisplayName mgr brig galley FeatureStatusDisabled, @@ -607,14 +608,13 @@ testSearchOtherDomain opts brig = do -- cluster. This test spins up a proxy server to pass requests to our only ES -- server. The proxy server ensures that only requests to the 'old' index go -- through. -testMigrationToNewIndex :: (TestConstraints m, MonadUnliftIO m) => Manager -> Opt.Opts -> Brig -> m () -testMigrationToNewIndex mgr opts brig = do - -- (optsOldIndex, ES.IndexName -> oldIndexName) <- optsForOldIndex opts - withOldESProxy opts mgr $ \oldESUrl oldESIndex -> do +testMigrationToNewIndex :: (TestConstraints m, MonadUnliftIO m) => Opt.Opts -> Brig -> m () +testMigrationToNewIndex opts brig = do + withOldESProxy opts $ \oldESUrl oldESIndex -> do let optsOldIndex = opts - & Opt.elasticsearchL . Opt.indexL .~ oldESIndex - & Opt.elasticsearchL . Opt.urlL .~ oldESUrl + & Opt.elasticsearchL . Opt.indexL .~ (ES.IndexName oldESIndex) + & Opt.elasticsearchL . Opt.urlL .~ (ES.Server oldESUrl) -- Phase 1: Using old index only (phase1NonTeamUser, teamOwner, phase1TeamUser1, phase1TeamUser2, tid) <- withSettingsOverrides optsOldIndex $ do nonTeamUser <- randomUser brig 
@@ -626,6 +626,8 @@ testMigrationToNewIndex mgr opts brig = do optsOldIndex & Opt.elasticsearchL . Opt.additionalWriteIndexL ?~ (opts ^. Opt.elasticsearchL . Opt.indexL) & Opt.elasticsearchL . Opt.additionalWriteIndexUrlL ?~ (opts ^. Opt.elasticsearchL . Opt.urlL) + & Opt.elasticsearchL . Opt.additionalCaCertL .~ (opts ^. Opt.elasticsearchL . Opt.caCertL) + & Opt.elasticsearchL . Opt.additionalInsecureSkipVerifyTlsL .~ (opts ^. Opt.elasticsearchL . Opt.insecureSkipVerifyTlsL) (phase2NonTeamUser, phase2TeamUser) <- withSettingsOverrides phase2OptsWhile $ do phase2NonTeamUser <- randomUser brig phase2TeamUser <- inviteAndRegisterUser teamOwner tid brig @@ -650,7 +652,7 @@ testMigrationToNewIndex mgr opts brig = do assertCanFindByName brig phase1TeamUser1 phase2TeamUser -- Run Migrations - let newIndexName = ES.IndexName $ opts ^. Opt.elasticsearchL . Opt.indexL + let newIndexName = opts ^. Opt.elasticsearchL . Opt.indexL taskNodeId <- assertRight =<< runBH opts (ES.reindexAsync $ ES.mkReindexRequest (ES.IndexName oldESIndex) newIndexName) runBH opts $ waitForTaskToComplete @ES.ReindexResponse taskNodeId @@ -686,10 +688,11 @@ testMigrationToNewIndex mgr opts brig = do assertCanFindByName brig phase1TeamUser1 phase3NonTeamUser assertCanFindByName brig phase1TeamUser1 phase3TeamUser -withOldESProxy :: (TestConstraints m, MonadUnliftIO m) => Opt.Opts -> Manager -> (Text -> Text -> m a) -> m a -withOldESProxy opts mgr f = do +withOldESProxy :: (TestConstraints m, MonadUnliftIO m, HasCallStack) => Opt.Opts -> (Text -> Text -> m a) -> m a +withOldESProxy opts f = do indexName <- randomHandle createIndexWithMapping opts indexName oldMapping + mgr <- liftIO $ initHttpManagerWithTLSConfig opts.elasticsearch.insecureSkipVerifyTls opts.elasticsearch.caCert (proxyPort, sock) <- liftIO Warp.openFreePort bracket (async $ liftIO $ Warp.runSettingsSocket Warp.defaultSettings sock $ indexProxyServer indexName opts mgr) 
@@ -698,13 +701,14 @@ withOldESProxy opts mgr f = do indexProxyServer :: Text -> Opt.Opts -> Manager -> Wai.Application indexProxyServer idx opts mgr = - let proxyURI = either (error . show) id $ URI.parseURI URI.strictURIParserOptions (Text.encodeUtf8 (Opts.url (Opts.elasticsearch opts))) + let toUri (ES.Server url) = either (error . show) id $ URI.parseURI URI.strictURIParserOptions (Text.encodeUtf8 url) + proxyURI = toUri (Opts.url (Opts.elasticsearch opts)) proxyToHost = URI.hostBS . URI.authorityHost . fromMaybe (error "No Host") . URI.uriAuthority $ proxyURI proxyToPort = URI.portNumber . fromMaybe (URI.Port 9200) . URI.authorityPort . fromMaybe (error "No Host") . URI.uriAuthority $ proxyURI proxyApp req = pure $ if headMay (Wai.pathInfo req) == Just idx - then Wai.WPRProxyDest (Wai.ProxyDest proxyToHost proxyToPort) + then Wai.WPRProxyDestSecure (Wai.ProxyDest proxyToHost proxyToPort) else Wai.WPRResponse (Wai.responseLBS HTTP.status400 [] $ "Refusing to proxy to path=" <> cs (Wai.rawPathInfo req)) in waiProxyTo proxyApp Wai.defaultOnExc mgr @@ -728,7 +732,7 @@ testWithBothIndices opts mgr name f = do test mgr "old-index" $ withOldIndex opts f ] -testWithBothIndicesAndOpts :: Opt.Opts -> Manager -> TestName -> (Opt.Opts -> Http ()) -> TestTree +testWithBothIndicesAndOpts :: Opt.Opts -> Manager -> TestName -> (HasCallStack => Opt.Opts -> Http ()) -> TestTree testWithBothIndicesAndOpts opts mgr name f = testGroup name 
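Review bot: `Wai.WPRProxyDestSecure` is now unconditional in indexProxyServer, yet the scheme of `proxyURI` is parsed and then ignored, so the test proxy breaks as soon as the configured ES URL is `http://` (the default before this change) even though the manager built from `caCert`/`insecureSkipVerifyTls` would handle either. Pick the destination from the URL instead: `dest = if URI.schemeBS (URI.uriScheme proxyURI) == "https" then Wai.WPRProxyDestSecure else Wai.WPRProxyDest` and `then dest (Wai.ProxyDest proxyToHost proxyToPort)`. The same scheme could drive the `URI.Port 9200` fallback, but the integration default is 9200 for both, so that is cosmetic.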
@@ -738,20 +742,20 @@ testWithBothIndicesAndOpts opts mgr name f = f newOpts <* deleteIndex opts indexName ] -withOldIndex :: MonadIO m => Opt.Opts -> WaiTest.Session a -> m a +withOldIndex :: (MonadIO m, HasCallStack) => Opt.Opts -> WaiTest.Session a -> m a withOldIndex opts f = do indexName <- randomHandle createIndexWithMapping opts indexName oldMapping - let newOpts = opts & Opt.elasticsearchL . Opt.indexL .~ indexName + let newOpts = opts & Opt.elasticsearchL . Opt.indexL .~ (ES.IndexName indexName) withSettingsOverrides newOpts f <* deleteIndex opts indexName -optsForOldIndex :: MonadIO m => Opt.Opts -> m (Opt.Opts, Text) +optsForOldIndex :: (MonadIO m, HasCallStack) => Opt.Opts -> m (Opt.Opts, Text) optsForOldIndex opts = do indexName <- randomHandle createIndexWithMapping opts indexName oldMapping - pure (opts & Opt.elasticsearchL . Opt.indexL .~ indexName, indexName) + pure (opts & Opt.elasticsearchL . Opt.indexL .~ (ES.IndexName indexName), indexName) -createIndexWithMapping :: MonadIO m => Opt.Opts -> Text -> Value -> m () +createIndexWithMapping :: (MonadIO m, HasCallStack) => Opt.Opts -> Text -> Value -> m () createIndexWithMapping opts name val = do let indexName = ES.IndexName name createReply <- runBH opts $ ES.createIndexWith [ES.AnalysisSetting analysisSettings] 1 indexName 
@@ -762,15 +766,15 @@ createIndexWithMapping opts name val = do liftIO $ assertFailure $ "failed to create mapping: " <> show name -- | This doesn't fail if ES returns error because we don't really want to fail the tests for this -deleteIndex :: MonadIO m => Opt.Opts -> Text -> m () +deleteIndex :: (MonadIO m, HasCallStack) => Opt.Opts -> Text -> m () deleteIndex opts name = do let indexName = ES.IndexName name void $ runBH opts $ ES.deleteIndex indexName -runBH :: MonadIO m => Opt.Opts -> ES.BH m a -> m a +runBH :: (MonadIO m, HasCallStack) => Opt.Opts -> ES.BH m a -> m a runBH opts action = do - let esURL = opts ^. Opt.elasticsearchL . Opt.urlL - mgr <- liftIO $ HTTP.newManager HTTP.defaultManagerSettings + let (ES.Server esURL) = opts ^. Opt.elasticsearchL . Opt.urlL + mgr <- liftIO $ initHttpManagerWithTLSConfig opts.elasticsearch.insecureSkipVerifyTls opts.elasticsearch.caCert let bEnv = mkBHEnv esURL mgr ES.runBH bEnv action diff --git a/services/brig/test/integration/Index/Create.hs b/services/brig/test/integration/Index/Create.hs index 398e2126806..51961e9533d 100644 --- a/services/brig/test/integration/Index/Create.hs +++ b/services/brig/test/integration/Index/Create.hs @@ -18,7 +18,9 @@ module Index.Create where import API.Search.Util (mkBHEnv) +import Brig.App (initHttpManagerWithTLSConfig) import Brig.Index.Eval qualified as IndexEval +import Brig.Index.Options import Brig.Index.Options qualified as IndexOpts import Brig.Options (Opts (galley)) import Brig.Options qualified as BrigOpts @@ -27,7 +29,6 @@ import Data.Text qualified as Text import Data.Text.Encoding qualified as Text import Database.Bloodhound qualified as ES import Imports -import Network.HTTP.Client qualified as HTTP import System.Logger.Class qualified as Log import System.Random as Random import Test.Tasty 
@@ -48,8 +49,7 @@ spec brigOpts = testCreateIndexWhenNotPresent :: BrigOpts.Opts -> Assertion testCreateIndexWhenNotPresent brigOpts = do - let esURL = brigOpts ^. BrigOpts.elasticsearchL . BrigOpts.urlL - let mCreds = BrigOpts.credentials . BrigOpts.elasticsearch $ brigOpts + let (ES.Server esURL) = brigOpts ^. BrigOpts.elasticsearchL . BrigOpts.urlL case parseURI strictURIParserOptions (Text.encodeUtf8 esURL) of Left e -> fail $ "Invalid ES URL: " <> show esURL <> "\nerror: " <> show e Right esURI -> do @@ -57,17 +57,23 @@ testCreateIndexWhenNotPresent brigOpts = do let replicas = 2 shards = 2 refreshInterval = 5 + let connSettings = + ESConnectionSettings + { esServer = esURI, + esIndex = indexName, + esCaCert = brigOpts.elasticsearch.caCert, + esInsecureSkipVerifyTls = brigOpts.elasticsearch.insecureSkipVerifyTls, + esCredentials = brigOpts.elasticsearch.credentials + } let esSettings = IndexOpts.localElasticSettings - & IndexOpts.esServer .~ esURI - & IndexOpts.esIndex .~ indexName + & IndexOpts.esConnection .~ connSettings & IndexOpts.esIndexReplicas .~ ES.ReplicaCount replicas & IndexOpts.esIndexShardCount .~ shards & IndexOpts.esIndexRefreshInterval .~ refreshInterval - & IndexOpts.esCredentials .~ mCreds devNullLogger <- Log.create (Log.Path "/dev/null") IndexEval.runCommand devNullLogger (IndexOpts.Create esSettings (galley brigOpts)) - mgr <- liftIO $ HTTP.newManager HTTP.defaultManagerSettings + mgr <- liftIO $ initHttpManagerWithTLSConfig connSettings.esInsecureSkipVerifyTls connSettings.esCaCert let bEnv = (mkBHEnv esURL mgr) {ES.bhRequestHook = ES.basicAuthHook (ES.EsUsername "elastic") (ES.EsPassword "changeme")} ES.runBH bEnv $ do indexExists <- ES.indexExists indexName 
@@ -84,30 +90,35 @@ testCreateIndexWhenNotPresent brigOpts = do testCreateIndexWhenPresent :: BrigOpts.Opts -> Assertion testCreateIndexWhenPresent brigOpts = do - let esURL = brigOpts ^. BrigOpts.elasticsearchL . BrigOpts.urlL - let mCreds = BrigOpts.credentials . BrigOpts.elasticsearch $ brigOpts + let (ES.Server esURL) = brigOpts ^. BrigOpts.elasticsearchL . BrigOpts.urlL case parseURI strictURIParserOptions (Text.encodeUtf8 esURL) of Left e -> fail $ "Invalid ES URL: " <> show esURL <> "\nerror: " <> show e Right esURI -> do indexName <- ES.IndexName . Text.pack <$> replicateM 20 (Random.randomRIO ('a', 'z')) - mgr <- liftIO $ HTTP.newManager HTTP.defaultManagerSettings - let bEnv = (mkBHEnv esURL mgr) {ES.bhRequestHook = ES.basicAuthHook (ES.EsUsername "elastic") (ES.EsPassword "changeme")} - ES.runBH bEnv $ do - _ <- ES.createIndex (ES.IndexSettings (ES.ShardCount 1) (ES.ReplicaCount 1)) indexName - indexExists <- ES.indexExists indexName - lift $ - assertBool "Index should exist" indexExists let replicas = 2 shards = 2 refreshInterval = 5 - let esSettings = + connSettings = + ESConnectionSettings + { esServer = esURI, + esIndex = indexName, + esCaCert = brigOpts.elasticsearch.caCert, + esInsecureSkipVerifyTls = brigOpts.elasticsearch.insecureSkipVerifyTls, + esCredentials = brigOpts.elasticsearch.credentials + } + esSettings = IndexOpts.localElasticSettings - & IndexOpts.esServer .~ esURI - & IndexOpts.esIndex .~ indexName + & IndexOpts.esConnection .~ connSettings & IndexOpts.esIndexReplicas .~ ES.ReplicaCount replicas & IndexOpts.esIndexShardCount .~ shards & IndexOpts.esIndexRefreshInterval .~ refreshInterval - & IndexOpts.esCredentials .~ mCreds + mgr <- liftIO $ initHttpManagerWithTLSConfig connSettings.esInsecureSkipVerifyTls connSettings.esCaCert + let bEnv = (mkBHEnv esURL mgr) {ES.bhRequestHook = ES.basicAuthHook (ES.EsUsername "elastic") (ES.EsPassword "changeme")} + ES.runBH bEnv $ do + _ <- ES.createIndex (ES.IndexSettings (ES.ShardCount 1) 
(ES.ReplicaCount 1)) indexName + indexExists <- ES.indexExists indexName + lift $ + assertBool "Index should exist" indexExists devNullLogger <- Log.create (Log.Path "/dev/null") IndexEval.runCommand devNullLogger (IndexOpts.Create esSettings (galley brigOpts)) ES.runBH bEnv $ do diff --git a/services/brig/test/integration/Run.hs b/services/brig/test/integration/Run.hs index ebd91122302..1b3e0cd563d 100644 --- a/services/brig/test/integration/Run.hs +++ b/services/brig/test/integration/Run.hs @@ -36,6 +36,7 @@ import API.UserPendingActivation qualified as UserPendingActivation import Bilge hiding (header, host, port) import Bilge qualified import Brig.AWS qualified as AWS +import Brig.App (initHttpManagerWithTLSConfig) import Brig.Options qualified as Opts import Cassandra.Util (defInitCassandra) import Control.Lens @@ -47,7 +48,6 @@ import Federation.End2end qualified import Imports hiding (local) import Index.Create qualified import Network.HTTP.Client qualified as HTTP -import Network.HTTP.Client.TLS (tlsManagerSettings) import Network.URI (pathSegments) import OpenSSL (withOpenSSL) import Options.Applicative hiding (action) @@ -127,7 +127,7 @@ runTests iConf brigOpts otherArgs = do awsOpts = Opts.aws brigOpts lg <- Logger.new Logger.defSettings -- TODO: use mkLogger'? db <- defInitCassandra (brigOpts.cassandra) lg - mg <- newManager tlsManagerSettings + mg <- initHttpManagerWithTLSConfig False Nothing let fedBrigClient = FedClient @'Brig mg (brig iConf) emailAWSOpts <- parseEmailAWSOpts awsEnv <- AWS.mkEnv lg awsOpts emailAWSOpts mg diff --git a/services/brig/test/integration/Util.hs b/services/brig/test/integration/Util.hs index c75d25fe2c1..e39db21d288 100644 --- a/services/brig/test/integration/Util.hs +++ b/services/brig/test/integration/Util.hs 
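Review bot: The moved `bEnv` line in testCreateIndexWhenPresent still hard-codes `EsUsername "elastic"` / `EsPassword "changeme"` immediately after `connSettings` has been populated with `esCredentials = brigOpts.elasticsearch.credentials`, so the assertion only holds while the configured credentials file happens to contain exactly those values, and the literal password is now duplicated across both tests in this file. Load them the way the tool under test does — `mCreds <- for connSettings.esCredentials initCredentials` (initCredentials from Util.Options) and build the `basicAuthHook` from `mCreds`, keeping the literals only as the `Nothing` fallback — so the test follows the test resources. Test-only code, but it is the one place the ES password appears inline in the diff.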
@@ -1080,7 +1080,7 @@ circumventSettingsOverride = runHttpT -- -- Beware: (1) Not all async parts of brig are running in this. (2) other services will -- see the old, unaltered brig. -withSettingsOverrides :: MonadIO m => Opt.Opts -> WaiTest.Session a -> m a +withSettingsOverrides :: (MonadIO m, HasCallStack) => Opt.Opts -> WaiTest.Session a -> m a withSettingsOverrides opts action = liftIO $ do (brigApp, env) <- Run.mkApp opts sftDiscovery <- diff --git a/services/brig/test/resources/elasticsearch-ca.pem b/services/brig/test/resources/elasticsearch-ca.pem new file mode 120000 index 00000000000..ed6d4718bf2 --- /dev/null +++ b/services/brig/test/resources/elasticsearch-ca.pem @@ -0,0 +1 @@ +../../../../deploy/dockerephemeral/docker/elasticsearch-ca.pem \ No newline at end of file diff --git a/services/nginz/integration-test/conf/nginz/integration-ca-key.pem b/services/nginz/integration-test/conf/nginz/integration-ca-key.pem index c92a5f13598..0bd38214cc7 100644 --- a/services/nginz/integration-test/conf/nginz/integration-ca-key.pem +++ b/services/nginz/integration-test/conf/nginz/integration-ca-key.pem 
@@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEAxxSgxLUyMcwQHhE3ziEbPgn+m9L8EkXscvsWA6Ma4n5owK2m -Y7aG3n2ZRYlW+3VMBi0StrPh+lmXZWzgyw+bxHkaNYFTpK70xUGTx3lHfyu6EpKB -O0El1SNExnrx8ONUbLyY/LwnjlC5dWOB9l4PNylUf4DUr7eAlFrMIP2v2/FWVz9b -ffm5fWry4fW7iRcLGQRKNYrv/B798dVxEj9xoh2OiW6p8/tuEND6NMkJiGstHTJY -tmhwmF74WAxo7EQHD6iNgpr5errAQwrZheSGYNlbj078lA9mpE7BcPwEdDYgnI4R -Lblp0vcXvI3uw4Ne4+EMCDxJhXX+SvacAtBPMQIDAQABAoIBAQCCfuwPZTLc34Wl -H+YzsRHZbdW+sONY2wruJ9Y7VhwWYYQq4OkTrZ7kkvH4WdlxhWbrGXqN1oYHg9iw -vFjx4m5ZsIRUlEyOw7xg3OaQt9f87V3QNMaPX9n7x12auRaEr480o7+o03EeYZ3f -6/VR2EAjCW2BEqLX9/JJzObHrWMsSPMaXIV60V8K7kou1Ol3gdERG/+vAKhqzjFv -xdGQ0J6UHuYsZ5GP+xc1VLmE4WFQBAxcGbm+KWIHPeR/cq40JSsv5iRY5wBYRERK -szqDtwYAObf6DK4qSe8KKHMCfXP1RjWm5cvSebwyIjIqCnFXXUXpE0UNBkiUTVx6 -9xFpaJSRAoGBANuF2ucn0QwPNlyWdkAy9ItVmtwO+Rq8nlFai8KOt/Dauw5IqNye -xy6I8oEHCVrl7rHU6XRXqo3rJHrskcSJhYbiV+dYwusUnkqB27X/qv+CYJ/MQRC6 -v++ceNu/ybAF4UXxbIkEKR5BYaUAjXIN8kGp6Y1hF/wkUmjHQMQiwJP1AoGBAOgp -MOukoVDUQpu8Izzt9ff++S2531LUL66BCmxPQR3vhdxnYLFqs216uTevDrGTgLRS -mXwddVHLKW+zJiGZ0QssnCHmPzzg+USLQzCqJLUKCOoT9s3sDq/TsJwVuZy6sPcr -qWJ/sC9Ge+ZB6CRDrvZGdMSFvRkGT0cpT/mW4gTNAoGAX8ZxsCJmCV3luNWIeBAD -M3tA2jvKIQkkBZh8m4DK7dFwhRXcXo0Dl+D19KdORJNG5d1fkXviFJL/0oW+P0JE -uImuEmheelP/j8BCTJBkWZ/XakCiLptbvD3HWRC+/QZDt9FSKiFfkyyxXlz0WUuO -Y2mvVRiEb2Slc8NjFW+YF7UCgYAG2Pgtaxyq8qfISiNL78TafLXCyIGywrlpTzsM -eMX16ROsrYvnj7sdFoqR/uLTEAOyzeDjDUdhkzl0pvcP9KZ6yuUMBuuEkyonAGiJ -7erJQDOFG/OinTzNqNPDtsxTuBnyIGKNmjCLJGwRHY6IS0rEzs0w4rTyIQKDmc9X -EEE4XQKBgQDWr+hrUDfMa0JeiiB+mFCebNZptDMe0WN5oh+l1FkNlhSauaIb19Fu -qNtrC/F7ZihJW7i4xzEeakaZLpTEMjhdDLD4aQ+RiqW8iR7qmLKDYKWd8g2sanL1 -Tspko3Sj2Oq00BAU5tlNvVvxIaGraQ+HfNRi7p1HEPm7CeLg4ucmTg== +MIIEogIBAAKCAQEAlq2bCpvwVptvslD3Xq/tAjm58wQHGEpVSyefl+vGQAD30ukV +FiqzjJw9ZCTbS1to2k7YTukabQAu4pHlhHk4/r2JHr7olmUf5zjyKvJUBekFl788 +ZXW9lEOw5x7lgBLSYI20sSHbUVX7pC2dB2AQZt15sGF1DmVU39/yF2RII92bnqPY +r8tS7A6JslhHLnPAnCOaHC4VK6tMU3Zjh/p/sBgKBqbarXAPl2TckXxFEHK8l0lD 
+yU2a5ltK0YuAxOv4iXwK76G4VQJwbF0NCMzjAovBLcOA7BVRd8ywVjFpzQjhn+gy +yATdZUOlOpMXIEa7Hmc5TMB4KjiJYwocjKl66QIDAQABAoIBAFYPolZU6tkMvqdi +h2eVpBF5VzPuQP8mtcDPSOBE0l8MLoBQkLKwgQz20Dm6s2Y/N4w5LGMl0OohCKZw +Hl+jvWICb6cX81CzQZ2XcPoGnuchSQh7OcvZjAZ7Azd+9iZImdB8H5Bsfg/exHPp +eZ8Ux0l5hl+vymQGjIuyJVwm8u1IbZbW3+yTJ/oFqa/j91Yw7Llsa7VaLs+NiJkY +Ng7AtAd/zz6BN4x93AMCbs6KgLQcKK1WyIkCqoUsZG5orzIKlpmBnmv4EeQwvem9 +/rt3LlKFzHXBPG47BECQsyPYli1Z3Gnp/XTNMteeqDicj4CI9icU1QRxTyUmIMFB +Wd81qAECgYEAxClEt4tteo1kPuiiajHSR1PApPG40Zlc9GovQl/JQnr+MSaexD/M +gMtZlhQYrdThmGYcdzmpWaS5YCKesB82ca3QwaJK3+q3/MclvNt7hoIQoWm53eAK +J4CabtUiyzmG1iaYulEkqFtlg8nK0SwFNr8UEGHyerSHFtTiUXw47mECgYEAxKRy +1Z16pcesupUXzdET6ZdwN70oJT+3D+s98ZBtn2pBW7RQKEe9pvlbTrClTkFxUhXu +jPyNama8KvON57ekgb3nanlyp2sX8AtydEb+BZtRDp3PMF+J6nl828Mt2LHtivul +iacBM4dCM3IsEXMvlJElxm0ILgAUb9LqKl6giYkCgYAbqNoIq39XbYJ6IGFuafIF +nrimSXNPErn5uNNLH6iIWEFpetGeSIS0kHfkYpcMQ90/mP5gjV/kxQZimN8ZZH1P +0DuEYjb+leE1onsewzAKymI/8GGF+KZV5ZthD2qlj0oE/lJAy1pI5wJMb/LKRdPC +YXUZzkXbqYL25DO5W7PHYQKBgFz/9XuHziCnjc50gtyJPGSmhaEm6dysBJUXyaT8 +jIvvgdewMJTMUSquFfviWVvoYYLT8o1lSDCBRA8APyXO2ZOuz8qwg4QghyK1Fz1c +8fiO20gRZJLZLG3jZSS+a2lnxRONLl4qyMuo9atFHQhntKIL/5SXrl2rFf9I/gxp +0n0ZAoGAf3Om0O1td3EfemGzJs3YJOKiwltDZNtwF5G4VG9c9YjlevaLJoNhgBw9 +u16e/mQNU/yr/qqRp+aE6HGcXXBp0ckJcKqKFQ2pUVhMb/T8OfPpT2n7RF1k0Xss +5vrEUSfif9VPCEnjMI7AtZcXQT1yqMQuTW+IhP15dGuofWdDsHQ= -----END RSA PRIVATE KEY----- diff --git a/services/nginz/integration-test/conf/nginz/integration-ca.pem b/services/nginz/integration-test/conf/nginz/integration-ca.pem index 2315c7c7404..10a906c111b 100644 --- a/services/nginz/integration-test/conf/nginz/integration-ca.pem +++ b/services/nginz/integration-test/conf/nginz/integration-ca.pem 
@@ -1,19 +1,19 @@ -----BEGIN CERTIFICATE----- -MIIDAjCCAeqgAwIBAgIULBRPt7tLLvsw7kciIdjbXB8tddQwDQYJKoZIhvcNAQEL -BQAwGTEXMBUGA1UEAxMOY2EuZXhhbXBsZS5jb20wHhcNMjMxMTIxMTM1ODAwWhcN -MjgxMTE5MTM1ODAwWjAZMRcwFQYDVQQDEw5jYS5leGFtcGxlLmNvbTCCASIwDQYJ -KoZIhvcNAQEBBQADggEPADCCAQoCggEBAMcUoMS1MjHMEB4RN84hGz4J/pvS/BJF -7HL7FgOjGuJ+aMCtpmO2ht59mUWJVvt1TAYtEraz4fpZl2Vs4MsPm8R5GjWBU6Su -9MVBk8d5R38ruhKSgTtBJdUjRMZ68fDjVGy8mPy8J45QuXVjgfZeDzcpVH+A1K+3 -gJRazCD9r9vxVlc/W335uX1q8uH1u4kXCxkESjWK7/we/fHVcRI/caIdjoluqfP7 -bhDQ+jTJCYhrLR0yWLZocJhe+FgMaOxEBw+ojYKa+Xq6wEMK2YXkhmDZW49O/JQP -ZqROwXD8BHQ2IJyOES25adL3F7yN7sODXuPhDAg8SYV1/kr2nALQTzECAwEAAaNC -MEAwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFJO6 -JJpzdazNjXtum3zX8UYWaQIJMA0GCSqGSIb3DQEBCwUAA4IBAQCoV7sw9CgICo9O -JacaB+P0Uk0dnISjsrKpcAKnuVdh1rN94+beXyttSBgQtDgVBehlESN+/B9fefLb -lhVxgCYq8inx4wZs22h8ZkjpJiOmBDjvHwgkCQOoh/Kog9gkmDr4qbFahU5GpaTp -x1rlNF3qaNRvZSVoxIVwYYiexKS5/KYMedII2EoBMHcFj0qKMhdDIT1Uw2PJZwiA -qjGDsSnLS+VeA8Zluc3m/os0ynjR6BEFQF1sn/OGO0eFaSMxXz0+Z4vT3J+c08Be -z2uZWQBgCiV/bL8F5xgokbHx+Vl0lz+1PEoFre8IJihmcnT8ZPWv/8eWPAr0gavH -+R0lNAyw +MIIDAjCCAeqgAwIBAgIUdsGG4S0KMPKYzS6UNoDuNpvkRFcwDQYJKoZIhvcNAQEL +BQAwGTEXMBUGA1UEAxMOY2EuZXhhbXBsZS5jb20wHhcNMjQwNDIyMTIwNDAwWhcN +MjkwNDIxMTIwNDAwWjAZMRcwFQYDVQQDEw5jYS5leGFtcGxlLmNvbTCCASIwDQYJ +KoZIhvcNAQEBBQADggEPADCCAQoCggEBAJatmwqb8Fabb7JQ916v7QI5ufMEBxhK +VUsnn5frxkAA99LpFRYqs4ycPWQk20tbaNpO2E7pGm0ALuKR5YR5OP69iR6+6JZl +H+c48iryVAXpBZe/PGV1vZRDsOce5YAS0mCNtLEh21FV+6QtnQdgEGbdebBhdQ5l +VN/f8hdkSCPdm56j2K/LUuwOibJYRy5zwJwjmhwuFSurTFN2Y4f6f7AYCgam2q1w +D5dk3JF8RRByvJdJQ8lNmuZbStGLgMTr+Il8Cu+huFUCcGxdDQjM4wKLwS3DgOwV +UXfMsFYxac0I4Z/oMsgE3WVDpTqTFyBGux5nOUzAeCo4iWMKHIypeukCAwEAAaNC +MEAwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFDnH +CL3yIYkqK51ynDHRQcc6Xc/rMA0GCSqGSIb3DQEBCwUAA4IBAQCUzI4edToGsBTp +qnV2MtXwhoBFnmAa4O8RMsbRZqE+DCzBhPSIl9UMaeIEMoIvXL2KOO+rEw2M1uQc +D4r+dAdUhLbIFEyMNIA5EZfJfimEE0qaLGJqI5X1FFVeCvlvI1UDoSj0KQD9GEsg 
+VidDnhzg712cGdBY2K4U/BmpLMn8+WZ7+TSVIX8fGylzDCRtCQ36vrD5pkQzblqU +sjO8Apwej/t+BI/Y+T1MFvZhstbJ3mSQpHhnmARXLOrwjcOmLzWVlQa1IJxtxaf9 +gRxVchzH7fQxNlR6/zWtd2av07pFR9k2o9WUn/A5lpoUcVrokvCsOooqqG3UwALU +fZm6IO1I -----END CERTIFICATE----- diff --git a/services/nginz/integration-test/conf/nginz/integration-leaf-key.pem b/services/nginz/integration-test/conf/nginz/integration-leaf-key.pem index 8ed90523cd3..1a45ba1ea46 100644 --- a/services/nginz/integration-test/conf/nginz/integration-leaf-key.pem +++ b/services/nginz/integration-test/conf/nginz/integration-leaf-key.pem 
@@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEA1ueRV5jCjz+AWOmFzKkkjqPrCj1GGz8VDm5HLm4e7EO/LGXk -+RAYeKupGF9eqGBkiYfw9eZrjbf+uf5mpe7qKGrP67iCEzyjkbMMB8I89dcLwp7Y -uXYWfHw4NdFkSZoE0gmZ6Jh7EK+G2n+PZUaS9T43QoqMv0pFQ1roZpVMKkjnkW5J -4cU3JfXQQzdNCMiXlpGAIL0cKee6cwkPpGC1X3/6XQDyW7Q9nOjSw0mPmiZuK4iR -qwdy4edjKhcvJxuxHw215hVi0QVqbUcNzffS0mO+VIXz2IEbdzUwhSZJISsHQEOa -27UrBdRSg+Wb3FDQ+J8IeS6PR5JwjBcwt+DAjQIDAQABAoIBAHXZSS/TOqZZeWXI -sbH4824xX7weu+pHHqHqQaiphNWllRmgyv72H6VU5YbTDdKiAaAV50LB2CtAQjT2 -2I2YRdpiMKEgblxkPYKxwCAlGU7rXayddVXG9y/O4vhIWomuJ4SS9U7DB4Gv7/C0 -UQuFtyM7ugwIdISWEwOLv7Q5nSn2DYYXapNSmCUYv2FJEd57MJFtZ+CTHPu+ALxY -/qCGga8WBQ9Io/4A6UWN76m5IREeGh/pBwwhestpvUB9hXXe037Z11G3j/mNjqmz -SoUdEXnXpqJMA4c73hrryZR7TRPjRQx2P7YTyMwwOaJenhCS2F7ohJrwXNEtfbXt -Tb4mAQECgYEA8Qc4YqbF+xDmav1Mw7tpQ34EW7U1BF6RW+zpaRVVYXc+hZq8Rscl -yhzvYI2F4b9qOXw73Vdj3Hbd3f3BRC2ayMUk82pmbFEhZjQR9cGaLH1JfNXBdgz+ -wenmdczUAhmDiIseXTYdXL0FFgc9F/UFzmAYmD/kkMHTO2wnfeAci00CgYEA5EDv -UJzW/hWUtawWfg0Bw+H5RR2W/28dGG+680zazZwVHtDF7sEiThmR8AlLu74tWUMg -PBREdxOui5qRhmZO3y3JLJ8mjmEUQqC4x1NWReZCAcWGTNXn/PHsWPlK82qp/Q98 -lYJLShtbOOgo1hUPYeQ3hFnDi8HM3QssEeYB6kECgYA0kdSUf7dyuQ7oivKxRjEB -TXz5254Co/WkTRnjl4mVxoJWdZdXAJyXZpQ3RObMhAlRHG2aKzNWpH5jqrL6gc/e -tlEG3lAUk+Vq+zRnm6Baz8C1f5HAg7kU5kUjsFcVVidAIseuoNzqmzd+xHlovkJT -7tWub1EU2ZGOxloetEDFiQKBgQCfPrp4OGQ6cp4EvaIXoUV4/0Aku0cswL3A3brF -ofoJdvq5PBjLwQ0JBgfuOt4OhtkmrJFhuRYnKaEeHuGmrdwbEtuG+SYyMYKsFWu1 -DOxk6gdlKwTOuHIY5EPrs0laWDFur45Q1M1oT3uuUTKkYZ8QweMFwIaQC8687N17 -Q0hUwQKBgQDu55deAXAAS9FCqT4qidyxmvjdpkn8BKZhetss+t0m7Rum9OJCiMI5 -90exbnlRtUP4soNOccS3w3ie2HPspdlIsllYnd4/KaHQbdEoGtvrF5rM77X+81N1 -xPgNsMJM167VEWWJJCE+rkeWiF+irrjiHj7QlLmKkK4bmEzp5XuLyg== +MIIEowIBAAKCAQEAukRPdjUjKs7P2TgP4VDpb77Rb7KjMMBtcRP525qEnUQzFHPk +Va4cqh6xacgh2NJCyFyDEWDI9pQ03i0HISIldoBngDVvM6kwvbs+kjZ+/t/Jx3aH +zC9dmsLqmCqU+OmofpD1pt8hZWwOtYj58pfqdhrP+M6qQ92/tgmkk9njLFwsAjxY +gMXZCo0IiSIE9BE9NGvR9bp6hvEekCqREPdHi44iFca/5V4A8fSZwBlTHod5Z83r 
+MpHLnR1ReVVOQgzbIBGcLdmtH8IA9ZgUHy1/HOmf9e0MYOYOKbKvH3cry7WSscPL +47x+JQyFLimidfsJQCY+022rdPg9CdrCWFGxgQIDAQABAoIBAGjeBqK1fewe7XQN +FRu0cwh/tOge+bN70uHj7jrN/rWP7PYp3TbDxM2eZCH7E9s/XWvycbQ5+kqg3Dbt +wOLNl6vk1OCgtM+wBIn9PlgRKGSUV8Tdncy+KgP0kyFCcAbHfh5rvHHLk8DHGmzo +BlinYNBHfilFKST2VnXFbgvzkuuorS1BRAzlVpyJnaen04emBJ+KPIwNyguPQrlv +5duBIO1bzlEjFVufrLkI0IumWqBAPOvHcRy1geSz/MG7LssB9r25k5LA5OEDxqwx +ykSzuniaLL6BGMSCAMpTM3/hF1ijrkTd74cI4cp7k2ufcYT74ZU2lyDKEjBukG/p +H0/1Q8ECgYEAwL7VWIpySGtrJEPZH1FxtpJYg8SE0F4lUxIbIQcc6rzLJfLOLQO5 +ruTVONPTlue6PHrRO8pQTbW9AnjZvHMIiwxidY/RwUVKFuxzfrYZ9ZbKXyVOh48a +WXe5OnpuVodPEHQrKzkl93YWMgMCXNPri1h0jr0fMGXy9jZzoKK5f1kCgYEA92Uw +P4WyBL2hm/5BNUoxCiLyd1dDdQt1h6VByxYM7OXDhXq1iHnhX+NbjMT0QfOFyXBP +uQQCB9IQElmMmWsoEv6uEQCeuCvOxq+Evoz+3fP2te89HjZ1C5SXUMfG7qKfFzbt +WP6e/CqAeQPnnqI89ghw/IerQkeVMoVvHbSXZmkCgYBZPgJ6JGAVt+a7u85j+cm0 +xr3FBNCZyX1uoQt+l1SEOzW0NF/R58+pcrpmvW1SiahpKFSIYnwb/vGsm1f1MS3b +c7iCxjxQSEytoH05Rgdu9ops01Ew4slIc26H7Pf5iFzLOX5jXOp/UWWlck89u8Fr +m2EcVeSC/DEqXrvavH02wQKBgBzVKDhfBo5S44DgswzY5ro9tHCANRZxDXOPqQlY +Oo1pgc4OrRWIzuF0B/lyAt2k2hTOCBySAQKUUtcwpJhEytjb4cGNhvID+Qdi8V+b +4yBPDJPLnB3nTuDYooIBpoetYEk+V48lrbXJ5ks0T0xHsD8kYLatwSHqYdMPhhG6 +OGLxAoGBALZQSuO4fHew4ksMcBy891ZSOFUV9xAtR490EdEQdOiPrQj5vmnSpxEx +QsSVbn+49OYwzjBP+sHtpiTMF4ZlafHvjcNZ5dFIImqyuEugEdnD5UnFd92AQ9Gv +ufa7BMs99BRdkkolCXBZC+Dq4t4Z/+MDSMtjO5mh9V0boDakdJPb -----END RSA PRIVATE KEY----- diff --git a/services/nginz/integration-test/conf/nginz/integration-leaf.pem b/services/nginz/integration-test/conf/nginz/integration-leaf.pem index d8e7ee0955c..2247758aafd 100644 --- a/services/nginz/integration-test/conf/nginz/integration-leaf.pem +++ b/services/nginz/integration-test/conf/nginz/integration-leaf.pem 
@@ -1,21 +1,21 @@ -----BEGIN CERTIFICATE----- -MIIDcjCCAlqgAwIBAgIUXlJ06fjgHbzEvIRscFvEwxpsioMwDQYJKoZIhvcNAQEL -BQAwGTEXMBUGA1UEAxMOY2EuZXhhbXBsZS5jb20wHhcNMjMxMTIxMTM1ODAwWhcN -MjQxMTIwMTM1ODAwWjAAMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA -1ueRV5jCjz+AWOmFzKkkjqPrCj1GGz8VDm5HLm4e7EO/LGXk+RAYeKupGF9eqGBk -iYfw9eZrjbf+uf5mpe7qKGrP67iCEzyjkbMMB8I89dcLwp7YuXYWfHw4NdFkSZoE -0gmZ6Jh7EK+G2n+PZUaS9T43QoqMv0pFQ1roZpVMKkjnkW5J4cU3JfXQQzdNCMiX -lpGAIL0cKee6cwkPpGC1X3/6XQDyW7Q9nOjSw0mPmiZuK4iRqwdy4edjKhcvJxux -Hw215hVi0QVqbUcNzffS0mO+VIXz2IEbdzUwhSZJISsHQEOa27UrBdRSg+Wb3FDQ -+J8IeS6PR5JwjBcwt+DAjQIDAQABo4HKMIHHMA4GA1UdDwEB/wQEAwIFoDAdBgNV +MIIDcjCCAlqgAwIBAgIUK9Dix5VZpBYOby63cdmjtfg6RpwwDQYJKoZIhvcNAQEL +BQAwGTEXMBUGA1UEAxMOY2EuZXhhbXBsZS5jb20wHhcNMjQwNDIyMTIwNDAwWhcN +MjUwNDIyMTIwNDAwWjAAMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA +ukRPdjUjKs7P2TgP4VDpb77Rb7KjMMBtcRP525qEnUQzFHPkVa4cqh6xacgh2NJC +yFyDEWDI9pQ03i0HISIldoBngDVvM6kwvbs+kjZ+/t/Jx3aHzC9dmsLqmCqU+Omo +fpD1pt8hZWwOtYj58pfqdhrP+M6qQ92/tgmkk9njLFwsAjxYgMXZCo0IiSIE9BE9 +NGvR9bp6hvEekCqREPdHi44iFca/5V4A8fSZwBlTHod5Z83rMpHLnR1ReVVOQgzb +IBGcLdmtH8IA9ZgUHy1/HOmf9e0MYOYOKbKvH3cry7WSscPL47x+JQyFLimidfsJ +QCY+022rdPg9CdrCWFGxgQIDAQABo4HKMIHHMA4GA1UdDwEB/wQEAwIFoDAdBgNV HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4E -FgQUWm43ORCCQGlDu3JaPIm15lsr5swwHwYDVR0jBBgwFoAUk7okmnN1rM2Ne26b -fNfxRhZpAgkwSAYDVR0RAQH/BD4wPIIZKi5pbnRlZ3JhdGlvbi5leGFtcGxlLmNv +FgQUaJdzHC5JsdIEKTYxqAWoSHvFCNgwHwYDVR0jBBgwFoAUOccIvfIhiSornXKc +MdFBxzpdz+swSAYDVR0RAQH/BD4wPIIZKi5pbnRlZ3JhdGlvbi5leGFtcGxlLmNv bYIUaG9zdC5kb2NrZXIuaW50ZXJuYWyCCWxvY2FsaG9zdDANBgkqhkiG9w0BAQsF -AAOCAQEAfrlC1maUJMg5n61YEpBwIS9O0LLhNidZ6dBEPwDiBwskzkTKoWksSR+n -7OytNFQvrdclejxIyvoOvBhLqNY4pFYdNRUu42GESUpCA6cQlW3a9QchTEuNASWR -AdrmGmjXYwPFGjnVUVPR+Abs9lG7/8eDYoq1B1AdBkW1EJ7+0/DrLOLDtloxYmBF -bydmLcesdPvgBLkHfBlOG54jH/ILXHAHxskWmGqixY6L1svhrcnwsindxRcfT4QB -fAtNDfAfiftUdb96QJfpwN1/N1oEHFl2D0ynE8sFOuVFm0gQ6mblH+Vahune6cSK -7SDUwM9Ia1OAO/r2cdEAvCrQqaeDZQ== 
+AAOCAQEAcoUcdwgoAiFJcoS/t1IU2axEJeWncctYyVHt/ZfoZ8y/23XDA+kIfgSt +DZEqteGyVDSBbI/B45IzrKQuJzdT8B+9iDcOzLrA2R1432ASlMhHC5l3STBru0jl +oL9M8fJU6BwciCqY0Y2wFcCfVthN1rC8vNNSpwSwF74q87MMLZ/65Mi3hAB4177s +uNL6MXGta9fBK9MQxM3S/Kr7fmxOTQBlQtcA2Ha3Yog2+dkMXosoapjoMwWj36DS +j9v25/dFmS3dnCfhRHBSh9iUSnbOVZ/M+5Bv5hBPYbeSw24DXD1w9soEYL941D+c +enXV719UPw5bpBxhXjl9Hu0TQ2uoIw== -----END CERTIFICATE-----
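Review bot: The regenerated leaf certificate in integration-leaf.pem appears to carry a one-year validity window (decoding the UTCTime fields in the new TBSCertificate gives roughly 2024-04-22 to 2025-04-22, the same length as the window of the cert it replaces), so the nginz integration tests will start failing with a certificate-expired error about a year after this commit unless the pair is regenerated again. Nothing in this hunk or in the accompanying key and CA rotations records how the files were produced; if there is no script or README next to them already, adding one that names the generation command, the validity period and the SANs the unchanged context lines appear to encode (`*.integration.example.com`, `host.docker.internal`, `localhost`) would make the next rotation routine. Alternatively, since these are test-only credentials, the leaf could be issued for the same multi-year span the regenerated CA appears to have (its notAfter decodes to 2029), removing the yearly failure entirely.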