Added the option to skip ES-Server-Cert when using Helm

Chris Wiechmann · Chris Wiechmann · commit 024a78bc0efd · 2022-01-14T09:12:56.000+01:00
#156
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -18,6 +18,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
   - `APM_ELASTICSEARCH_SSL_VERIFICATIONMODE` to configure APM-Server to Elasticsearch certificate validation [#156](https://github.com/Axway-API-Management-Plus/apigateway-openlogging-elk/issues/156)
   - `LOGSTASH_ELASTICSEARCH_SSL_VERIFICATIONMODE` to configure Logstash to Elasticsearch certificate validation [#156](https://github.com/Axway-API-Management-Plus/apigateway-openlogging-elk/issues/156)
   - `FILEBEAT_ELASTICSEARCH_SSL_VERIFICATIONMODE` to configure Filebeat to Elasticsearch certificate validation [#156](https://github.com/Axway-API-Management-Plus/apigateway-openlogging-elk/issues/156)
+  - Helm chart supports this by the new new parameter: `validateElasticsearchCertificate` per component [#156](https://github.com/Axway-API-Management-Plus/apigateway-openlogging-elk/issues/156)
 
 ### Fixed
 - APIBuilder4Elastic - The Swagger for this service is invalid - Duplicate operationId renamed [#158](https://github.com/Axway-API-Management-Plus/apigateway-openlogging-elk/issues/158)
diff --git a/helm/templates/apibuilder4elastic/apibuilder4elastic-config.yaml b/helm/templates/apibuilder4elastic/apibuilder4elastic-config.yaml
@@ -8,7 +8,7 @@ metadata:
 data:
   ELASTICSEARCH_HOSTS: {{ required "The value global.elasticsearchHosts is missing." .Values.global.elasticsearchHosts | quote }}
   ELASTICSEARCH_CA: {{ required "The path to the CA for API-Builder to Elasticsearch communication is missing" .Values.global.elasticsearchCa | quote }}
-  ELASTICSEARCH_SSL_VERIFICATIONMODE: {{ .Values.apibuilder4elastic.ssl.validateElasticsearchCertificate | quote }}
+  ELASTICSEARCH_SSL_VERIFICATIONMODE: {{ default true .Values.apibuilder4elastic.validateElasticsearchCertificate | quote }}
   ADMIN_NODE_MANAGER: {{ required "The Admin-Node-Manager URL (apibuilder4elastic.anmUrl) is required." .Values.apibuilder4elastic.anmUrl | quote }}
   API_MANAGER: {{ default "" .Values.apibuilder4elastic.apimgrUrl | quote }}
   API_BUILDER_SSL_CERT: {{ default "config/certificates/apibuilder4elastic.crt" .Values.apibuilder4elastic.ssl.cert | quote }}
diff --git a/helm/templates/elasticApimApmServer/apm-server-config.yaml b/helm/templates/elasticApimApmServer/apm-server-config.yaml
@@ -12,7 +12,7 @@ data:
   ELASTICSEARCH_HOSTS: {{ required "The value global.elasticsearchHosts is missing." .Values.global.elasticsearchHosts | quote }}
   ELASTICSEARCH_CLUSTER_UUID: {{ index .Values "apm-server" "elasticsearchClusterUUID" | quote }}
   ELASTICSEARCH_CA: {{ required "The path to the CA for APM-Server to Elasticsearch communication is missing" .Values.global.elasticsearchCa | quote }}
-  ELASTICSEARCH_SSL_VERIFICATIONMODE: {{ .Values.apm-server.ssl.validateElasticsearchCertificate | quote }}
+  ELASTICSEARCH_SSL_VERIFICATIONMODE: {{ index .Values "apm-server" "validateElasticsearchCertificate"  }}
   APM_SERVER_CRT: {{ index .Values "apm-server" "ssl" "cert"  }}
   APM_SERVER_KEY: {{ index .Values "apm-server" "ssl" "key"  }}
 {{- end }}
diff --git a/helm/templates/elasticApimFilebeat/filebeat-config.yaml b/helm/templates/elasticApimFilebeat/filebeat-config.yaml
@@ -13,7 +13,7 @@ data:
   ELASTICSEARCH_HOSTS: {{ required "The value global.elasticsearchHosts is missing." .Values.global.elasticsearchHosts | quote }}
   ELASTICSEARCH_CLUSTER_UUID: {{ .Values.filebeat.elasticsearchClusterUUID | quote }}
   ELASTICSEARCH_CRT: {{ required "The path to the CA for Logstash to Elasticsearch communication is missing" .Values.global.elasticsearchCa | quote }}
-  ELASTICSEARCH_SSL_VERIFICATIONMODE: {{ .Values.filebeat.ssl.validateElasticsearchCertificate | quote }}
+  ELASTICSEARCH_SSL_VERIFICATIONMODE: {{ default "full" .Values.filebeat.validateElasticsearchCertificate | quote }}
   FILEBEAT_WORKER: {{ .Values.filebeat.filebeatWorker | quote }}
   FILEBEAT_COMPRESSION_LEVEL: {{ .Values.filebeat.compressionLevel | quote }}
   SELF_MONITORING_ENABLED: {{ .Values.global.selfMonitoringEnabled | quote }}
diff --git a/helm/templates/elasticApimKibana/kibana-env-config.yaml b/helm/templates/elasticApimKibana/kibana-env-config.yaml
@@ -26,5 +26,5 @@ data:
   SERVER_SSL_CERTIFICATE: {{ default "config/certificates/kibana.crt" .Values.kibana.ssl.cert | quote }}
   SERVER_SSL_KEYPASSPHRASE: {{ default "" .Values.kibana.ssl.password | quote }}
   ELASTICSEARCH_SSL_CERTIFICATEAUTHORITIES: {{ required "The path to the CA for Kibana to Elasticsearch communication is missing" .Values.global.elasticsearchCa | quote }}
-  ELASTICSEARCH_SSL_VERIFICATIONMODE: {{ .Values.kibana.ssl.validateElasticsearchCertificate | quote }}
+  ELASTICSEARCH_SSL_VERIFICATIONMODE: {{ default "full" .Values.kibana.validateElasticsearchCertificate | quote }}
 {{- end }}
diff --git a/helm/templates/elasticApimLogstash/logstash-config.yaml b/helm/templates/elasticApimLogstash/logstash-config.yaml
@@ -20,10 +20,15 @@ data:
   xpack.monitoring.enabled: "true"
   xpack.monitoring.elasticsearch.hosts: {{ required "The value global.elasticsearchHosts is missing." .Values.global.elasticsearchHosts | quote }}
   xpack.monitoring.elasticsearch.ssl.certificate_authority: {{ required "The path to the CA for Logstash to Elasticsearch communication is missing" .Values.global.elasticsearchCa | quote }}
+  xpack.monitoring.elasticsearch.ssl.verification_mode: {{ default "certificate" .Values.logstash.validateElasticsearchCertificate | quote }}
   LS_JAVA_OPTS: {{ .Values.logstash.logstashJavaOpts | quote }}
   ELASTICSEARCH_HOSTS: {{ required "The value global.elasticsearchHosts is missing." .Values.global.elasticsearchHosts | quote }}
   ELASTICSEARCH_CERT: {{ required "The path to the CA for Logstash to Elasticsearch communication is missing" .Values.global.elasticsearchCa | quote }}
-  ELASTICSEARCH_SSL_VERIFICATIONMODE: {{ .Values.logstash.ssl.validateElasticsearchCertificate | quote }}
+  {{- if eq .Values.logstash.validateElasticsearchCertificate "none" }}
+  ELASTICSEARCH_SSL_VERIFICATIONMODE: "false"
+  {{- else }}
+  ELASTICSEARCH_SSL_VERIFICATIONMODE: "true"
+  {{- end }}
   API_BUILDER_URL: "https://{{ include "apim4elastic.fullname" . }}-apibuilder4elastic:{{ .Values.apibuilder4elastic.port }}"
   DROP_TRACE_MESSAGE_LEVELS: {{ .Values.logstash.dropTraceMessageLevels | quote }}
   API_BUILDER_SSL_CERT: {{ required "The path to the CA for Logstash to Elasticsearch communication is missing" .Values.global.elasticsearchCa | quote }}
diff --git a/helm/values.yaml b/helm/values.yaml
@@ -120,9 +120,6 @@ apibuilder4elastic:
   #  cert: "config/certificates/apibuilder4elastic.crt"
   #  password: ""
 
-  # Here you may disable the Elasticsearch server certificate validation for APIBuilder4Elastic
-  # validateElasticsearchCertificate: false
-
   # localAPILookup enables the Local API-Lookup feature
   # Use extraVolumes & extraVolumeMounts to mount your custom configuration into 
   # the API-Builder4Elastic container.
@@ -152,6 +149,9 @@ apibuilder4elastic:
   # if you want to raise an issue.
   #logLevel: "debug"
 
+  # Configure the Elasticsearch server certificate validation for APIBuilder4Elastic. Is enabled by default.
+  # validateElasticsearchCertificate: false
+
   # Resource requests for API-Builder
   resources:
     requests:
@@ -226,6 +226,19 @@ logstash:
   dropTraceMessageLevels: "DEBUG,DATA"
   # Number of replicas for Logstash
   replicas: 2
+
+  # Controls the Logstash to Elasticsearch certificate validation mode for pipelines and monitoring
+  # Value certificate is translated into true for pipelines certificate validation. none into false
+  # Possible values: (certificate|none)
+  # Defaults to: certificate
+  # For more information please read 
+  # https://www.elastic.co/guide/en/logstash/current/plugins-outputs-elasticsearch.html#plugins-outputs-elasticsearch-ssl_certificate_verification
+
+  # Controls Logstash to Elasticsearch certificate validation mode for pipelines and monitoring
+  # Value certificate is translated into true for pipelines certificate validation. none into false
+  # Possible values: (certificate|none) - Defaults to: certificate
+  validateElasticsearchCertificate: "certificate"
+
   # Injects the environment variables from the ConfigMaps and Secrets into the 
   # Logstash container. Specify your own ConfigMaps or Secrets if you don't
   # provide Configuration and Secrets as part of this values.yaml.
@@ -453,7 +466,7 @@ kibana:
   #  cert: "certificates/kibana.crt"
   #  password: ""
 
-  # Here you can configure the Elasticsearch server certificate validation for Kibana
+  # Can configure the Elasticsearch server certificate validation for Kibana
   # Possible values: (full|certificate|none) - Defaults to: full
   # validateElasticsearchCertificate: none
 
@@ -552,7 +565,7 @@ filebeat:
 
   # Here you can configure the Elasticsearch server certificate validation for Filebeat (for monitoring only)
   # Possible values: (full|strict|certificate|none) - Defaults to: full
-  # ssl.validateElasticsearchCertificate: none
+  # validateElasticsearchCertificate: none
   
   # extraVolumes is used to provide Filebeat access to the necessary log files from the API-Gateways.
   # The API-Gateways write to the same volumes accordingly.
@@ -740,7 +753,7 @@ apm-server:
 
   # Here you can configure the Elasticsearch server certificate validation for the APM-Server
   # Possible values: (full|strict|certificate|none) - Defaults to: full
-  # validateElasticsearchCertificate: none
+  validateElasticsearchCertificate: full
 
   livenessProbe:
     httpGet:
