[elasticsearch] SSL by default

elasticsearch/templates/_helpers.tpl

@@ -27,6 +27,18 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 {{- end -}}
 {{- end -}}
 
+{{/*
+Generate certificates 
+*/}}
+{{- define "elasticsearch.gen-certs" -}}
+{{- $altNames := list ( printf "%s.%s" (include "elasticsearch.name" .) .Release.Namespace ) ( printf "%s.%s.svc" (include "elasticsearch.name" .) .Release.Namespace ) -}}
+{{- $ca := genCA "elasticsearch-ca" 365 -}}
+{{- $cert := genSignedCert ( include "elasticsearch.name" . ) nil $altNames 365 $ca -}}
+tls.crt: {{ $cert.Cert | toString | b64enc }}
+tls.key: {{ $cert.Key | toString | b64enc }}
+ca.crt: {{ $ca.Cert | toString | b64enc }}
+{{- end -}}
+
 {{- define "elasticsearch.masterService" -}}
 {{- if empty .Values.masterService -}}
 {{- if empty .Values.fullnameOverride -}}

elasticsearch/templates/secret-cert.yaml

@@ -0,0 +1,16 @@
+
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/tls
+metadata:
+  name: {{ template "elasticsearch.name" . }}-certs
+  labels:
+    app: {{ template "elasticsearch.name" . }}
+    chart: "{{ .Chart.Name }}"
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+  annotations:
+    "helm.sh/hook": "pre-install"
+    "helm.sh/hook-delete-policy": "before-hook-creation"
+data:
+{{ ( include "elasticsearch.gen-certs" . ) | indent 2 }}

elasticsearch/templates/statefulset.yaml

@@ -136,6 +136,9 @@ spec:
           configMap:
             name: {{ template "elasticsearch.uname" . }}-jvm-options
         {{- end }}
+        - name: elasticsearch-certs
+          secret:
+           secretName: {{ template "elasticsearch.name" . }}-certs
 {{- if .Values.keystore }}
         - name: keystore
           emptyDir: {}
@@ -333,6 +336,28 @@ spec:
           - name: ES_JAVA_OPTS
             value: "{{ .Values.esJavaOpts }}"
           {{- end }}
+          {{- if .Values.createCert }}
+          - name: xpack.security.enabled
+            value: "true"
+          - name: xpack.security.transport.ssl.enabled
+            value: "true"
+          - name: xpack.security.http.ssl.enabled
+            value: "true"
+          - name: xpack.security.transport.ssl.verification_mode
+            value: "certificate"
+          - name: xpack.security.transport.ssl.key
+            value: "/usr/share/elasticsearch/config/certs/tls.key"
+          - name: xpack.security.transport.ssl.certificate
+            value: "/usr/share/elasticsearch/config/certs/tls.crt"
+          - name: xpack.security.transport.ssl.certificate_authorities
+            value: "/usr/share/elasticsearch/config/certs/ca.crt"
+          - name: xpack.security.http.ssl.key
+            value: "/usr/share/elasticsearch/config/certs/tls.key"
+          - name: xpack.security.http.ssl.certificate
+            value: "/usr/share/elasticsearch/config/certs/tls.crt"
+          - name: xpack.security.http.ssl.certificate_authorities
+            value: "/usr/share/elasticsearch/config/certs/ca.crt"
+          {{- end }}
 {{- if .Values.extraEnvs }}
 {{ toYaml .Values.extraEnvs | indent 10 }}
 {{- end }}
@@ -345,6 +370,9 @@ spec:
           - name: "{{ template "elasticsearch.uname" . }}"
             mountPath: /usr/share/elasticsearch/data
           {{- end }}
+          - name: elasticsearch-certs
+            mountPath: /usr/share/elasticsearch/config/certs
+            readOnly: true
 {{ if .Values.keystore }}
           - name: keystore
             mountPath: /usr/share/elasticsearch/config/elasticsearch.keystore

elasticsearch/tests/elasticsearch_test.py

@@ -72,7 +72,7 @@ def test_defaults():
     assert c["readinessProbe"]["timeoutSeconds"] == 5
 
     assert "curl" in c["readinessProbe"]["exec"]["command"][-1]
-    assert "http://127.0.0.1:9200" in c["readinessProbe"]["exec"]["command"][-1]
+    assert "https://127.0.0.1:9200" in c["readinessProbe"]["exec"]["command"][-1]
 
     # Resources
     assert c["resources"] == {

elasticsearch/values.yaml

@@ -28,13 +28,25 @@ esMajorVersion: ""
 
 # Allows you to add any config files in /usr/share/elasticsearch/config/
 # such as elasticsearch.yml and log4j2.properties
-esConfig: {}
+esConfig:  {}
 #  elasticsearch.yml: |
+#    xpack.security.enabled: true
+#    xpack.security.transport.ssl.enabled: true
+#    xpack.security.transport.ssl.verification_mode: certificate
+#    xpack.security.transport.ssl.key: /usr/share/elasticsearch/config/certs/tls.key
+#    xpack.security.transport.ssl.certificate: /usr/share/elasticsearch/config/certs/tls.crt
+#    xpack.security.transport.ssl.certificate_authorities: /usr/share/elasticsearch/config/certs/ca.crt
+#    xpack.security.http.ssl.enabled: true
+#    xpack.security.http.ssl.key: /usr/share/elasticsearch/config/certs/tls.key
+#    xpack.security.http.ssl.certificate: /usr/share/elasticsearch/config/certs/tls.crt
+#    xpack.security.http.ssl.certificate_authorities: /usr/share/elasticsearch/config/certs/ca.crt
 #    key:
 #      nestedkey: value
 #  log4j2.properties: |
 #    key = value
 
+createCert: true
+
 esJvmOptions: {}
 #  processors.options: |
 #    -XX:ActiveProcessorCount=3
@@ -185,7 +197,7 @@ podManagementPolicy: "Parallel"
 # If you experience slow pod startups you probably want to set this to `false`.
 enableServiceLinks: true
 
-protocol: http
+protocol: https
 httpPort: 9200
 transportPort: 9300