Added required parameter to control ES-CA validation

Chris Wiechmann · Chris Wiechmann · commit 4bb756f15141 · 2022-01-13T18:35:12.000+01:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -11,7 +11,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
 - Updated API-Builder custom flow node libraries
 
 ### Added
-- APIBuilder4Elastic should use configured ELASTICSEARCH_CA [#157](https://github.com/Axway-API-Management-Plus/apigateway-openlogging-elk/issues/157)
+- APIBuilder4Elastic now using configured ELASTICSEARCH_CA [#157](https://github.com/Axway-API-Management-Plus/apigateway-openlogging-elk/issues/157)
 - New optional parameters
   - `KIBANA_ELASTICSEARCH_SSL_VERIFICATIONMODE` to configure Kibana to Elasticsearch certificate validation [#156](https://github.com/Axway-API-Management-Plus/apigateway-openlogging-elk/issues/156)
   - `APIBUILDER_ELASTICSEARCH_SSL_VERIFICATIONMODE` to configure API-Builder to Elasticsearch certificate validation [#156](https://github.com/Axway-API-Management-Plus/apigateway-openlogging-elk/issues/156)
diff --git a/helm/templates/apibuilder4elastic/apibuilder4elastic-config.yaml b/helm/templates/apibuilder4elastic/apibuilder4elastic-config.yaml
@@ -7,6 +7,8 @@ metadata:
     {{- include "apibuilder4elastic.labels" . | nindent 4 }}
 data:
   ELASTICSEARCH_HOSTS: {{ required "The value global.elasticsearchHosts is missing." .Values.global.elasticsearchHosts | quote }}
+  ELASTICSEARCH_CA: {{ required "The path to the CA for API-Builder to Elasticsearch communication is missing" .Values.global.elasticsearchCa | quote }}
+  ELASTICSEARCH_SSL_VERIFICATIONMODE: {{ .Values.apibuilder4elastic.ssl.validateElasticsearchCertificate | quote }}
   ADMIN_NODE_MANAGER: {{ required "The Admin-Node-Manager URL (apibuilder4elastic.anmUrl) is required." .Values.apibuilder4elastic.anmUrl | quote }}
   API_MANAGER: {{ default "" .Values.apibuilder4elastic.apimgrUrl | quote }}
   API_BUILDER_SSL_CERT: {{ default "config/certificates/apibuilder4elastic.crt" .Values.apibuilder4elastic.ssl.cert | quote }}
diff --git a/helm/templates/elasticApimApmServer/apm-server-config.yaml b/helm/templates/elasticApimApmServer/apm-server-config.yaml
@@ -12,6 +12,7 @@ data:
   ELASTICSEARCH_HOSTS: {{ required "The value global.elasticsearchHosts is missing." .Values.global.elasticsearchHosts | quote }}
   ELASTICSEARCH_CLUSTER_UUID: {{ index .Values "apm-server" "elasticsearchClusterUUID" | quote }}
   ELASTICSEARCH_CA: {{ required "The path to the CA for APM-Server to Elasticsearch communication is missing" .Values.global.elasticsearchCa | quote }}
+  ELASTICSEARCH_SSL_VERIFICATIONMODE: {{ .Values.apm-server.ssl.validateElasticsearchCertificate | quote }}
   APM_SERVER_CRT: {{ index .Values "apm-server" "ssl" "cert"  }}
   APM_SERVER_KEY: {{ index .Values "apm-server" "ssl" "key"  }}
 {{- end }}
diff --git a/helm/templates/elasticApimFilebeat/filebeat-config.yaml b/helm/templates/elasticApimFilebeat/filebeat-config.yaml
@@ -13,6 +13,7 @@ data:
   ELASTICSEARCH_HOSTS: {{ required "The value global.elasticsearchHosts is missing." .Values.global.elasticsearchHosts | quote }}
   ELASTICSEARCH_CLUSTER_UUID: {{ .Values.filebeat.elasticsearchClusterUUID | quote }}
   ELASTICSEARCH_CRT: {{ required "The path to the CA for Logstash to Elasticsearch communication is missing" .Values.global.elasticsearchCa | quote }}
+  ELASTICSEARCH_SSL_VERIFICATIONMODE: {{ .Values.filebeat.ssl.validateElasticsearchCertificate | quote }}
   FILEBEAT_WORKER: {{ .Values.filebeat.filebeatWorker | quote }}
   FILEBEAT_COMPRESSION_LEVEL: {{ .Values.filebeat.compressionLevel | quote }}
   SELF_MONITORING_ENABLED: {{ .Values.global.selfMonitoringEnabled | quote }}
diff --git a/helm/templates/elasticApimKibana/kibana-env-config.yaml b/helm/templates/elasticApimKibana/kibana-env-config.yaml
@@ -26,4 +26,5 @@ data:
   SERVER_SSL_CERTIFICATE: {{ default "config/certificates/kibana.crt" .Values.kibana.ssl.cert | quote }}
   SERVER_SSL_KEYPASSPHRASE: {{ default "" .Values.kibana.ssl.password | quote }}
   ELASTICSEARCH_SSL_CERTIFICATEAUTHORITIES: {{ required "The path to the CA for Kibana to Elasticsearch communication is missing" .Values.global.elasticsearchCa | quote }}
+  ELASTICSEARCH_SSL_VERIFICATIONMODE: {{ .Values.kibana.ssl.validateElasticsearchCertificate | quote }}
 {{- end }}
diff --git a/helm/templates/elasticApimLogstash/logstash-config.yaml b/helm/templates/elasticApimLogstash/logstash-config.yaml
@@ -23,6 +23,7 @@ data:
   LS_JAVA_OPTS: {{ .Values.logstash.logstashJavaOpts | quote }}
   ELASTICSEARCH_HOSTS: {{ required "The value global.elasticsearchHosts is missing." .Values.global.elasticsearchHosts | quote }}
   ELASTICSEARCH_CERT: {{ required "The path to the CA for Logstash to Elasticsearch communication is missing" .Values.global.elasticsearchCa | quote }}
+  ELASTICSEARCH_SSL_VERIFICATIONMODE: {{ .Values.logstash.ssl.validateElasticsearchCertificate | quote }}
   API_BUILDER_URL: "https://{{ include "apim4elastic.fullname" . }}-apibuilder4elastic:{{ .Values.apibuilder4elastic.port }}"
   DROP_TRACE_MESSAGE_LEVELS: {{ .Values.logstash.dropTraceMessageLevels | quote }}
   API_BUILDER_SSL_CERT: {{ required "The path to the CA for Logstash to Elasticsearch communication is missing" .Values.global.elasticsearchCa | quote }}
diff --git a/helm/values.yaml b/helm/values.yaml
@@ -112,14 +112,17 @@ apibuilder4elastic:
   #    configMap:
   #      name: custom-configuration
 
-  # Setup the SSL-Configuration for API-Builder for Elastic
+  # Setup the SSL-Configuration for API-Builder4Elastic
   # Use secretMounts to mount your keys & certificates into pod 
   # and configure them here.
   ssl: {}
   #  key: "config/certificates/apibuilder4elastic.key"
   #  cert: "config/certificates/apibuilder4elastic.crt"
   #  password: ""
 
+  # Here you may disable the Elasticsearch server certificate validation for APIBuilder4Elastic
+  # validateElasticsearchCertificate: false
+
   # localAPILookup enables the Local API-Lookup feature
   # Use extraVolumes & extraVolumeMounts to mount your custom configuration into 
   # the API-Builder4Elastic container.
@@ -449,6 +452,11 @@ kibana:
   #  key: "certificates/kibana.key"
   #  cert: "certificates/kibana.crt"
   #  password: ""
+
+  # Here you can configure the Elasticsearch server certificate validation for Kibana
+  # Possible values: (full|certificate|none) - Defaults to: full
+  # validateElasticsearchCertificate: none
+
   secretMounts: 
     - name: certificates
       secretName: axway-elk-apim4elastic-certificates
@@ -541,6 +549,10 @@ filebeat:
   #  - name: custom-certificate
   #    secretName: custom-certificate
   #    path: /usr/share/filebeat/config/certificates
+
+  # Here you can configure the Elasticsearch server certificate validation for Filebeat (for monitoring only)
+  # Possible values: (full|strict|certificate|none) - Defaults to: full
+  # ssl.validateElasticsearchCertificate: none
   
   # extraVolumes is used to provide Filebeat access to the necessary log files from the API-Gateways.
   # The API-Gateways write to the same volumes accordingly.
@@ -726,6 +738,10 @@ apm-server:
     key: "config/certificates/apmserver.key"
     #  password: ""
 
+  # Here you can configure the Elasticsearch server certificate validation for the APM-Server
+  # Possible values: (full|strict|certificate|none) - Defaults to: full
+  # validateElasticsearchCertificate: none
+
   livenessProbe:
     httpGet:
       path: /
