[elasticsearch] use security by default

This commit update Elasticsearch chart to use security by default.

- Adds a new Secret templates for Elasticsearch credentials with a
  randomized password if password value isn't defined.

- Adds instructions to retrieve credentials in Elasticsearch chart
  deployment notes.

The other charts will be updated in follow-up PRs to use the proper
credentials

Relates to #1375

elasticsearch/README.md

@@ -157,6 +157,9 @@ support multiple versions with minimal changes.
 | `resources`                        | Allows you to set the [resources][] for the StatefulSet                                                                                                                                                                                                                                                           | see [values.yaml][]                              |
 | `roles`                            | A list with the specific [roles][] for the `nodeGroup`                                                                                                                                                                                                                                                            | see [values.yaml][]                              |
 | `schedulerName`                    | Name of the [alternate scheduler][]                                                                                                                                                                                                                                                                               | `""`                                             |
+| `secret.enabled`                   | Enable Secret creation for Elasticsearch credentials                                                                                                                                                                                                                                                              | `true`                                           |
+| `secret.username`                  | Name of the Elasticsearch user defined in Elasticsearch credentials                                                                                                                                                                                                                                               | `elastic`                                        |
+| `secret.password`                  | Password of the Elasticsearch user defined in Elasticsearch credentials                                                                                                                                                                                                                                           | `""` (generated randomly)                        |
 | `secretMounts`                     | Allows you easily mount a secret as a file inside the StatefulSet. Useful for mounting certificates and other secrets. See [values.yaml][] for an example                                                                                                                                                         | `[]`                                             |
 | `securityContext`                  | Allows you to set the [securityContext][] for the container                                                                                                                                                                                                                                                       | see [values.yaml][]                              |
 | `service.annotations`              | [LoadBalancer annotations][] that Kubernetes will use for the service. This will configure load balancer if `service.type` is `LoadBalancer`                                                                                                                                                                      | `{}`                                             |
@@ -260,9 +263,12 @@ sufficient.
 
 ### How to deploy clusters with security (authentication and TLS) enabled?
 
-This Helm chart can use existing [Kubernetes secrets][] to setup
-credentials or certificates for examples. These secrets should be created
-outside of this chart and accessed using [environment variables][] and volumes.
+This Helm chart can generate a [Kubernetes Secret][] or use an existing one to
+setup Elastic credentials.
+
+This Helm chart can use existing [Kubernetes Secret][] to setup Elastic
+certificates for example. These secrets should be created outside of this chart
+and accessed using [environment variables][] and volumes.
 
 An example of Elasticsearch cluster using security can be found in
 [examples/security][].
@@ -438,7 +444,7 @@ about our development and testing process.
 [jvm heap size]: https://www.elastic.co/guide/en/elasticsearch/reference/current/heap-size.html
 [hostAliases]: https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
 [kind]: https://github.com/elastic/helm-charts/tree/master/elasticsearch/examples/kubernetes-kind
-[kubernetes secrets]: https://kubernetes.io/docs/concepts/configuration/secret/
+[kubernetes secret]: https://kubernetes.io/docs/concepts/configuration/secret/
 [labels]: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
 [lifecycle hooks]: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/
 [loadBalancer annotations]: https://kubernetes.io/docs/concepts/services-networking/service/#ssl-support-on-aws

elasticsearch/examples/config/values.yaml

@@ -1,5 +1,4 @@
 ---
-
 clusterName: "config"
 replicas: 1
 
@@ -28,5 +27,8 @@ keystore:
   - secretName: elastic-config-slack
   - secretName: elastic-config-custom-path
     items:
-    - key: slack_url
-      path: xpack.notification.slack.account.otheraccount.secure_url
+      - key: slack_url
+        path: xpack.notification.slack.account.otheraccount.secure_url
+
+secret:
+  enabled: false

elasticsearch/examples/default/test/goss.yaml

@@ -6,6 +6,8 @@ http:
   http://elasticsearch-master:9200/_cluster/health:
     status: 200
     timeout: 2000
+    username: "{{ .Env.ELASTIC_USERNAME }}"
+    password: "{{ .Env.ELASTIC_PASSWORD }}"
     body:
       - "green"
       - '"number_of_nodes":3'
@@ -14,6 +16,8 @@ http:
   http://localhost:9200:
     status: 200
     timeout: 2000
+    username: "{{ .Env.ELASTIC_USERNAME }}"
+    password: "{{ .Env.ELASTIC_PASSWORD }}"
     body:
       - '"number" : "8.0.0-SNAPSHOT"'
       - '"cluster_name" : "elasticsearch"'

elasticsearch/examples/multi/client.yaml

@@ -2,6 +2,18 @@
 clusterName: "multi"
 nodeGroup: "client"
 
+extraEnvs:
+  - name: ELASTIC_PASSWORD
+    valueFrom:
+      secretKeyRef:
+        name: multi-master-credentials
+        key: password
+  - name: ELASTIC_USERNAME
+    valueFrom:
+      secretKeyRef:
+        name: multi-master-credentials
+        key: username
+
 roles: []
 
 persistence:
@@ -12,3 +24,6 @@ persistence:
 esConfig:
   elasticsearch.yml: |
     node.roles: []
+
+secret:
+  enabled: false

elasticsearch/examples/multi/data.yaml

@@ -2,6 +2,18 @@
 clusterName: "multi"
 nodeGroup: "data"
 
+extraEnvs:
+  - name: ELASTIC_PASSWORD
+    valueFrom:
+      secretKeyRef:
+        name: multi-master-credentials
+        key: password
+  - name: ELASTIC_USERNAME
+    valueFrom:
+      secretKeyRef:
+        name: multi-master-credentials
+        key: username
+
 roles:
   - data
   - data_content
@@ -10,3 +22,6 @@ roles:
   - data_cold
   - data_frozen
   - ingest
+
+secret:
+  enabled: false

elasticsearch/examples/multi/test/goss.yaml

@@ -2,8 +2,10 @@ http:
   http://localhost:9200/_cluster/health:
     status: 200
     timeout: 2000
+    username: "{{ .Env.ELASTIC_USERNAME }}"
+    password: "{{ .Env.ELASTIC_PASSWORD }}"
     body:
-      - 'green'
+      - "green"
       - '"cluster_name":"multi"'
       - '"number_of_nodes":9'
       - '"number_of_data_nodes":3'

elasticsearch/examples/openshift/test/goss.yaml

@@ -2,6 +2,8 @@ http:
   http://localhost:9200/_cluster/health:
     status: 200
     timeout: 2000
+    username: "{{ .Env.ELASTIC_USERNAME }}"
+    password: "{{ .Env.ELASTIC_PASSWORD }}"
     body:
       - "green"
       - '"number_of_nodes":3'
@@ -10,6 +12,8 @@ http:
   http://localhost:9200:
     status: 200
     timeout: 2000
+    username: "{{ .Env.ELASTIC_USERNAME }}"
+    password: "{{ .Env.ELASTIC_PASSWORD }}"
     body:
       - '"number" : "8.0.0-SNAPSHOT"'
       - '"cluster_name" : "elasticsearch"'

elasticsearch/examples/security/Makefile

@@ -12,7 +12,7 @@ install:
 test: secrets install goss
 
 purge:
-	kubectl delete secrets elastic-credentials elastic-certificates elastic-certificate-pem elastic-certificate-crt|| true
+	kubectl delete secrets elastic-certificates elastic-certificate-pem elastic-certificate-crt|| true
 	helm del $(RELEASE)
 
 pull-elasticsearch-image:
@@ -21,7 +21,6 @@ pull-elasticsearch-image:
 secrets:
 	docker rm -f elastic-helm-charts-certs || true
 	rm -f elastic-certificates.p12 elastic-certificate.pem elastic-certificate.crt elastic-stack-ca.p12 || true
-	password=$$([ ! -z "$$ELASTIC_PASSWORD" ] && echo $$ELASTIC_PASSWORD || echo $$(docker run --rm busybox:1.31.1 /bin/sh -c "< /dev/urandom tr -cd '[:alnum:]' | head -c20")) && \
 	docker run --name elastic-helm-charts-certs -i -w /tmp \
 		$(ELASTICSEARCH_IMAGE) \
 		/bin/sh -c " \
@@ -34,5 +33,4 @@ secrets:
 	kubectl create secret generic elastic-certificates --from-file=elastic-certificates.p12 && \
 	kubectl create secret generic elastic-certificate-pem --from-file=elastic-certificate.pem && \
 	kubectl create secret generic elastic-certificate-crt --from-file=elastic-certificate.crt && \
-	kubectl create secret generic elastic-credentials --from-literal=password=$$password --from-literal=username=elastic && \
 	rm -f elastic-certificates.p12 elastic-certificate.pem elastic-certificate.crt elastic-stack-ca.p12

elasticsearch/examples/security/values.yaml

@@ -20,18 +20,6 @@ esConfig:
     xpack.security.http.ssl.truststore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
     xpack.security.http.ssl.keystore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
 
-extraEnvs:
-  - name: ELASTIC_PASSWORD
-    valueFrom:
-      secretKeyRef:
-        name: elastic-credentials
-        key: password
-  - name: ELASTIC_USERNAME
-    valueFrom:
-      secretKeyRef:
-        name: elastic-credentials
-        key: username
-
 secretMounts:
   - name: elastic-certificates
     secretName: elastic-certificates

elasticsearch/templates/NOTES.txt

@@ -1,6 +1,9 @@
 1. Watch all cluster members come up.
   $ kubectl get pods --namespace={{ .Release.Namespace }} -l app={{ template "elasticsearch.uname" . }} -w
-{{- if .Values.tests.enabled -}}
-2. Test cluster health using Helm test.
+2. Retrieve credentials.
+  $ kubectl get secrets --namespace={{ .Release.Namespace }} {{ template "elasticsearch.uname" . }}-credentials -ojsonpath='{.data.username}' | base64 -d
+  $ kubectl get secrets --namespace={{ .Release.Namespace }} {{ template "elasticsearch.uname" . }}-credentials -ojsonpath='{.data.password}' | base64 -d
+{{- if .Values.tests.enabled }}
+3. Test cluster health using Helm test.
   $ helm --namespace={{ .Release.Namespace }} test {{ .Release.Name }}
 {{- end -}}

elasticsearch/templates/secret.yaml

@@ -0,0 +1,23 @@
+{{- if .Values.secret.enabled -}}
+{{- $passwordValue := (randAlphaNum 16) | b64enc | quote }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ template "elasticsearch.uname" . }}-credentials
+  labels:
+    heritage: {{ .Release.Service | quote }}
+    release: {{ .Release.Name | quote }}
+    chart: "{{ .Chart.Name }}"
+    app: "{{ template "elasticsearch.uname" . }}"
+    {{- range $key, $value := .Values.labels }}
+    {{ $key }}: {{ $value | quote }}
+    {{- end }}
+type: Opaque
+data:
+  username: {{ .Values.secret.username | b64enc}}
+  {{- if .Values.secret.password }}
+  password: {{ .Values.secret.password | b64enc }}
+  {{- else }}
+  password: {{ $passwordValue }}
+  {{- end }}
+{{- end }}

elasticsearch/templates/statefulset.yaml

@@ -231,6 +231,18 @@ spec:
               - -c
               - |
                 #!/usr/bin/env bash -e
+
+                # Exit if ELASTIC_PASSWORD in unset
+                if [ -z "${ELASTIC_PASSWORD}" ]; then
+                  echo "ELASTIC_PASSWORD variable is missing, exiting"
+                  exit 1
+                fi
+
+                # Set ELASTIC_USERNAME to "elastic" if unset
+                if [ -z "${ELASTIC_USERNAME}" ]; then
+                  export ELASTIC_USERNAME=elastic
+                fi
+
                 # If the node is starting up wait for the cluster to be ready (request params: "{{ .Values.clusterHealthCheckParams }}" )
                 # Once it has started only check that the node itself is responding
                 START_FILE=/tmp/.es_start_file
@@ -248,9 +260,7 @@ spec:
                     set -- "$@" $args
                   fi
 
-                  if [ -n "${ELASTIC_USERNAME}" ] && [ -n "${ELASTIC_PASSWORD}" ]; then
-                    set -- "$@" -u "${ELASTIC_USERNAME}:${ELASTIC_PASSWORD}"
-                  fi
+                  set -- "$@" -u "${ELASTIC_USERNAME}:${ELASTIC_PASSWORD}"
 
                   curl --output /dev/null -k "$@" "{{ .Values.protocol }}://127.0.0.1:{{ .Values.httpPort }}${path}"
                 }
@@ -313,6 +323,18 @@ spec:
             value: "{{ .Values.clusterName }}"
           - name: network.host
             value: "{{ .Values.networkHost }}"
+          {{- if .Values.secret.enabled }}
+          - name: ELASTIC_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: {{ template "elasticsearch.uname" . }}-credentials
+                key: password
+          - name: ELASTIC_USERNAME
+            valueFrom:
+              secretKeyRef:
+                name: {{ template "elasticsearch.uname" . }}-credentials
+                key: username
+          {{- end }}
           {{- if .Values.esJavaOpts  }}
           - name: ES_JAVA_OPTS
             value: "{{ .Values.esJavaOpts }}"