From 15f4526ce3bd81e8e6741bef96dfb26671e0f67a Mon Sep 17 00:00:00 2001 From: rajeevme Date: Sat, 28 Sep 2019 00:05:44 +0530 Subject: [AAI-2617] Search guard is no longer available Change-Id: I5cc786073ac27d3d36d05f0aa89ac5b7f1aadc02 Signed-off-by: rajeevme Change-Id: I6b8ce9867d8b1d8108fcd7002e84f798a5b4e8e2 (cherry picked from commit 360d63a7609c566a6b8043a7de70ae35bd1f258a) --- .../aai-elasticsearch/resources/bin/init_sg.sh | 11 - components/aai-elasticsearch/resources/bin/run.sh | 8 - .../resources/bin/wait_until_started.sh | 9 - .../resources/config/elasticsearch.yml | 25 -- .../resources/config/sg/auth/esaai-keystore.jks | Bin 3979 -> 0 bytes .../resources/config/sg/auth/sgadmin-keystore.p12 | Bin 4575 -> 0 bytes .../resources/config/sg/auth/truststore.jks | Bin 930 -> 0 bytes .../resources/config/sg/sg_action_groups.yml | 137 ----------- .../resources/config/sg/sg_config.yml | 123 ---------- .../resources/config/sg/sg_internal_users.yml | 45 ---- .../resources/config/sg/sg_roles.yml | 262 --------------------- .../resources/config/sg/sg_roles_mapping.yml | 38 --- .../aai-elasticsearch/templates/configmap.yaml | 26 -- .../aai-elasticsearch/templates/deployment.yaml | 27 +-- .../aai-elasticsearch/templates/secrets.yaml | 22 -- components/aai-elasticsearch/values.yaml | 2 +- .../resources/config/elastic-search.properties | 2 +- 17 files changed, 4 insertions(+), 733 deletions(-) delete mode 100644 components/aai-elasticsearch/resources/bin/init_sg.sh delete mode 100644 components/aai-elasticsearch/resources/bin/run.sh delete mode 100644 components/aai-elasticsearch/resources/bin/wait_until_started.sh delete mode 100644 components/aai-elasticsearch/resources/config/sg/auth/esaai-keystore.jks delete mode 100644 components/aai-elasticsearch/resources/config/sg/auth/sgadmin-keystore.p12 delete mode 100644 components/aai-elasticsearch/resources/config/sg/auth/truststore.jks delete mode 100644 components/aai-elasticsearch/resources/config/sg/sg_action_groups.yml delete mode 100644 components/aai-elasticsearch/resources/config/sg/sg_config.yml delete mode 100644 components/aai-elasticsearch/resources/config/sg/sg_internal_users.yml delete mode 100644 components/aai-elasticsearch/resources/config/sg/sg_roles.yml delete mode 100644 components/aai-elasticsearch/resources/config/sg/sg_roles_mapping.yml delete mode 100644 components/aai-elasticsearch/templates/secrets.yaml diff --git a/components/aai-elasticsearch/resources/bin/init_sg.sh b/components/aai-elasticsearch/resources/bin/init_sg.sh deleted file mode 100644 index e859365..0000000 --- a/components/aai-elasticsearch/resources/bin/init_sg.sh +++ /dev/null @@ -1,11 +0,0 @@ -#!/bin/sh - -/usr/share/elasticsearch/plugins/search-guard-6/tools/sgadmin.sh \ - -cd /usr/share/elasticsearch/config/sg \ - -ks /usr/share/elasticsearch/config/sg/auth/{{ .Values.config.adminKeyStore }} \ - -ts /usr/share/elasticsearch/config/sg/auth/{{ .Values.config.trustStore }} \ - -kspass {{ .Values.config.adminKeyStorePassword }} \ - -tspass {{ .Values.config.trustStorePassword}} \ - -nhnv \ - -icl \ - -p {{ .Values.service.internalPort2 }} \ No newline at end of file diff --git a/components/aai-elasticsearch/resources/bin/run.sh b/components/aai-elasticsearch/resources/bin/run.sh deleted file mode 100644 index a612c74..0000000 --- a/components/aai-elasticsearch/resources/bin/run.sh +++ /dev/null @@ -1,8 +0,0 @@ -#!/bin/sh - -# Wait for ES to start then initialize SearchGuard -/usr/local/bin/docker-entrypoint.sh eswrapper & -/usr/share/elasticsearch/bin/wait_until_started.sh -/usr/share/elasticsearch/bin/init_sg.sh - -wait \ No newline at end of file diff --git a/components/aai-elasticsearch/resources/bin/wait_until_started.sh b/components/aai-elasticsearch/resources/bin/wait_until_started.sh deleted file mode 100644 index 279253b..0000000 --- a/components/aai-elasticsearch/resources/bin/wait_until_started.sh +++ /dev/null @@ -1,9 +0,0 @@ -#!/bin/sh -RET=1 - -while [[ RET -ne 0 ]]; do - echo "Waiting for Elasticsearch to become ready before running sgadmin..." - curl -XGET -k "https://localhost:{{ .Values.service.internalPort }}/" >/dev/null 2>&1 - RET=$? - sleep 5 -done \ No newline at end of file diff --git a/components/aai-elasticsearch/resources/config/elasticsearch.yml b/components/aai-elasticsearch/resources/config/elasticsearch.yml index 87536e3..ae12344 100644 --- a/components/aai-elasticsearch/resources/config/elasticsearch.yml +++ b/components/aai-elasticsearch/resources/config/elasticsearch.yml @@ -364,31 +364,6 @@ discovery.zen.ping.unicast.hosts: ["0.0.0.0"] #monitor.jvm.gc.old.info: 5s #monitor.jvm.gc.old.debug: 2s -############################################################################################# -### SEARCH GUARD SSL # -### Configuration # -############################################################################################### -######## Start Search Guard Demo Configuration ######## - -searchguard.enterprise_modules_enabled: false - -searchguard.ssl.transport.keystore_filepath: sg/auth/{{ .Values.config.nodeKeyStore }} -searchguard.ssl.transport.keystore_password: {{ .Values.config.nodeKeyStorePassword }} -searchguard.ssl.transport.truststore_filepath: sg/auth/{{ .Values.config.trustStore }} -searchguard.ssl.transport.truststore_password: {{ .Values.config.trustStorePassword }} -searchguard.ssl.transport.enforce_hostname_verification: false - -searchguard.ssl.http.enabled: true -searchguard.ssl.http.keystore_filepath: sg/auth/{{ .Values.config.nodeKeyStore }} -searchguard.ssl.http.keystore_password: {{ .Values.config.nodeKeyStorePassword }} -searchguard.ssl.http.truststore_filepath: sg/auth/{{ .Values.config.trustStore }} -searchguard.ssl.http.truststore_password: {{ .Values.config.trustStorePassword }} - -searchguard.nodes_dn: - - CN=esaai - -searchguard.authcz.admin_dn: - - CN=sgadmin # x-pack security conflicts with searchguard xpack.security.enabled: false diff --git a/components/aai-elasticsearch/resources/config/sg/auth/esaai-keystore.jks b/components/aai-elasticsearch/resources/config/sg/auth/esaai-keystore.jks deleted file mode 100644 index 21ec9bb..0000000 Binary files a/components/aai-elasticsearch/resources/config/sg/auth/esaai-keystore.jks and /dev/null differ diff --git a/components/aai-elasticsearch/resources/config/sg/auth/sgadmin-keystore.p12 b/components/aai-elasticsearch/resources/config/sg/auth/sgadmin-keystore.p12 deleted file mode 100644 index db7cbf4..0000000 Binary files a/components/aai-elasticsearch/resources/config/sg/auth/sgadmin-keystore.p12 and /dev/null differ diff --git a/components/aai-elasticsearch/resources/config/sg/auth/truststore.jks b/components/aai-elasticsearch/resources/config/sg/auth/truststore.jks deleted file mode 100644 index b3bd666..0000000 Binary files a/components/aai-elasticsearch/resources/config/sg/auth/truststore.jks and /dev/null differ diff --git a/components/aai-elasticsearch/resources/config/sg/sg_action_groups.yml b/components/aai-elasticsearch/resources/config/sg/sg_action_groups.yml deleted file mode 100644 index be5901a..0000000 --- a/components/aai-elasticsearch/resources/config/sg/sg_action_groups.yml +++ /dev/null @@ -1,137 +0,0 @@ -UNLIMITED: - readonly: true - permissions: - - "*" - -###### INDEX LEVEL ###### - -INDICES_ALL: - readonly: true - permissions: - - "indices:*" - -# for backward compatibility -ALL: - readonly: true - permissions: - - INDICES_ALL - -MANAGE: - readonly: true - permissions: - - "indices:monitor/*" - - "indices:admin/*" - -CREATE_INDEX: - readonly: true - permissions: - - "indices:admin/create" - - "indices:admin/mapping/put" - -MANAGE_ALIASES: - readonly: true - permissions: - - "indices:admin/aliases*" - -# for backward compatibility -MONITOR: - readonly: true - permissions: - - INDICES_MONITOR - -INDICES_MONITOR: - readonly: true - permissions: - - "indices:monitor/*" - -DATA_ACCESS: - readonly: true - permissions: - - "indices:data/*" - - CRUD - -WRITE: - readonly: true - permissions: - - "indices:data/write*" - - "indices:admin/mapping/put" - -READ: - readonly: true - permissions: - - "indices:data/read*" - - "indices:admin/mappings/fields/get*" - -DELETE: - readonly: true - permissions: - - "indices:data/write/delete*" - -CRUD: - readonly: true - permissions: - - READ - - WRITE - -SEARCH: - readonly: true - permissions: - - "indices:data/read/search*" - - "indices:data/read/msearch*" - - SUGGEST - -SUGGEST: - readonly: true - permissions: - - "indices:data/read/suggest*" - -INDEX: - readonly: true - permissions: - - "indices:data/write/index*" - - "indices:data/write/update*" - - "indices:admin/mapping/put" - - "indices:data/write/bulk*" - -GET: - readonly: true - permissions: - - "indices:data/read/get*" - - "indices:data/read/mget*" - -###### CLUSTER LEVEL ###### - -CLUSTER_ALL: - readonly: true - permissions: - - "cluster:*" - -CLUSTER_MONITOR: - readonly: true - permissions: - - "cluster:monitor/*" - -CLUSTER_COMPOSITE_OPS_RO: - readonly: true - permissions: - - "indices:data/read/mget" - - "indices:data/read/msearch" - - "indices:data/read/mtv" - - "indices:data/read/coordinate-msearch*" - - "indices:admin/aliases/exists*" - - "indices:admin/aliases/get*" - - "indices:data/read/scroll" - -CLUSTER_COMPOSITE_OPS: - readonly: true - permissions: - - "indices:data/write/bulk" - - "indices:admin/aliases*" - - "indices:data/write/reindex" - - CLUSTER_COMPOSITE_OPS_RO - -MANAGE_SNAPSHOTS: - readonly: true - permissions: - - "cluster:admin/snapshot/*" - - "cluster:admin/repository/*" \ No newline at end of file diff --git a/components/aai-elasticsearch/resources/config/sg/sg_config.yml b/components/aai-elasticsearch/resources/config/sg/sg_config.yml deleted file mode 100644 index d0050e0..0000000 --- a/components/aai-elasticsearch/resources/config/sg/sg_config.yml +++ /dev/null @@ -1,123 +0,0 @@ -# This is the main Search Guard configuration file where authentication -# and authorization is defined. -# -# You need to configure at least one authentication domain in the authc of this file. -# An authentication domain is responsible for extracting the user credentials from -# the request and for validating them against an authentication backend like Active Directory for example. -# -# If more than one authentication domain is configured the first one which succeeds wins. -# If all authentication domains fail then the request is unauthenticated. -# In this case an exception is thrown and/or the HTTP status is set to 401. -# -# After authentication authorization (authz) will be applied. There can be zero or more authorizers which collect -# the roles from a given backend for the authenticated user. -# -# Both, authc and auth can be enabled/disabled separately for REST and TRANSPORT layer. Default is true for both. -# http_enabled: true -# transport_enabled: true -# -# 5.x Migration: "enabled: true/false" will also be respected currently but only to provide backward compatibility. -# -# For HTTP it is possible to allow anonymous authentication. If that is the case then the HTTP authenticators try to -# find user credentials in the HTTP request. If credentials are found then the user gets regularly authenticated. -# If none can be found the user will be authenticated as an "anonymous" user. This user has always the username "sg_anonymous" -# and one role named "sg_anonymous_backendrole". -# If you enable anonymous authentication all HTTP authenticators will not challenge. -# -# -# Note: If you define more than one HTTP authenticators make sure to put non-challenging authenticators like "proxy" or "clientcert" -# first and the challenging one last. -# Because it's not possible to challenge a client with two different authentication methods (for example -# Kerberos and Basic) only one can have the challenge flag set to true. You can cope with this situation -# by using pre-authentication, e.g. sending a HTTP Basic authentication header in the request. -# -# Default value of the challenge flag is true. -# -# -# HTTP -# basic (challenging) -# proxy (not challenging, needs xff) -# clientcert (not challenging, needs https) -# host (not challenging) #DEPRECATED, will be removed in a future version. -# host based authentication is configurable in sg_roles_mapping - -# Authc -# internal -# noop - -# Authz -# noop - -# Some SearchGuard functionality is licensed under Apache-2.0, while other functionality is non-free; -# see https://github.com/floragunncom/search-guard. The functionality enabled in this configuration -# file only include those that are licensed under Apache-2.0. Please use care and review SearchGuard's -# license details before enabling any additional features here. - -searchguard: - dynamic: - # Set filtered_alias_mode to 'disallow' to forbid more than 2 filtered aliases per index - # Set filtered_alias_mode to 'warn' to allow more than 2 filtered aliases per index but warns about it (default) - # Set filtered_alias_mode to 'nowarn' to allow more than 2 filtered aliases per index silently - #filtered_alias_mode: warn - http: - anonymous_auth_enabled: false - xff: - enabled: false - internalProxies: '192\.168\.0\.10|192\.168\.0\.11' # regex pattern - #internalProxies: '.*' # trust all internal proxies, regex pattern - remoteIpHeader: 'x-forwarded-for' - proxiesHeader: 'x-forwarded-by' - #trustedProxies: '.*' # trust all external proxies, regex pattern - ###### see https://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html for regex help - ###### more information about XFF https://en.wikipedia.org/wiki/X-Forwarded-For - ###### and here https://tools.ietf.org/html/rfc7239 - ###### and https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Remote_IP_Valve - authc: - basic_internal_auth_domain: - http_enabled: true - transport_enabled: true - order: 2 - http_authenticator: - type: basic - challenge: true - authentication_backend: - type: intern - proxy_auth_domain: - http_enabled: false - transport_enabled: false - order: 3 - http_authenticator: - type: proxy - challenge: false - config: - user_header: "x-proxy-user" - roles_header: "x-proxy-roles" - authentication_backend: - type: noop - jwt_auth_domain: - http_enabled: false - transport_enabled: false - order: 0 - http_authenticator: - type: jwt - challenge: false - config: - signing_key: "base64 encoded HMAC key or public RSA/ECDSA pem key" - jwt_header: "Authorization" - jwt_url_parameter: null - roles_key: null - subject_key: null - authentication_backend: - type: noop - clientcert_auth_domain: - http_enabled: true - transport_enabled: true - order: 1 - http_authenticator: - type: clientcert - config: - username_attribute: cn #optional, if omitted DN becomes username - challenge: false - authentication_backend: - type: noop - authz: \ No newline at end of file diff --git a/components/aai-elasticsearch/resources/config/sg/sg_internal_users.yml b/components/aai-elasticsearch/resources/config/sg/sg_internal_users.yml deleted file mode 100644 index 942a716..0000000 --- a/components/aai-elasticsearch/resources/config/sg/sg_internal_users.yml +++ /dev/null @@ -1,45 +0,0 @@ -# This is the internal user database -# The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh - -#password is: admin -admin: - readonly: true - hash: $2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv..TOG - roles: - - admin - attributes: - #no dots allowed in attribute names - attribute1: value1 - attribute2: value2 - attribute3: value3 - -#password is: logstash -logstash: - hash: $2a$12$u1ShR4l4uBS3Uv59Pa2y5.1uQuZBrZtmNfqB3iM/.jL0XoV9sghS2 - roles: - - logstash - -#password is: kibanaserver -kibanaserver: - readonly: true - hash: $2a$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H. - -#password is: kibanaro -kibanaro: - hash: $2a$12$JJSXNfTowz7Uu5ttXfeYpeYE0arACvcwlPBStB1F.MI7f0U9Z4DGC - roles: - - kibanauser - - readall - -#password is: readall -readall: - hash: $2a$12$ae4ycwzwvLtZxwZ82RmiEunBbIPiAmGZduBAjKN0TXdwQFtCwARz2 - #password is: readall - roles: - - readall - -#password is: snapshotrestore -snapshotrestore: - hash: $2y$12$DpwmetHKwgYnorbgdvORCenv4NAK8cPUg8AI6pxLCuWf/ALc0.v7W - roles: - - snapshotrestore \ No newline at end of file diff --git a/components/aai-elasticsearch/resources/config/sg/sg_roles.yml b/components/aai-elasticsearch/resources/config/sg/sg_roles.yml deleted file mode 100644 index c918e85..0000000 --- a/components/aai-elasticsearch/resources/config/sg/sg_roles.yml +++ /dev/null @@ -1,262 +0,0 @@ -# Allows everything, but no changes to searchguard configuration index -sg_all_access: - readonly: true - cluster: - - UNLIMITED - indices: - '*': - '*': - - UNLIMITED - tenants: - admin_tenant: RW - -# Read all, but no write permissions -sg_readall: - readonly: true - cluster: - - CLUSTER_COMPOSITE_OPS_RO - indices: - '*': - '*': - - READ - -# Read all and monitor, but no write permissions -sg_readall_and_monitor: - cluster: - - CLUSTER_MONITOR - - CLUSTER_COMPOSITE_OPS_RO - indices: - '*': - '*': - - READ - -# For users which use kibana, access to indices must be granted separately -sg_kibana_user: - readonly: true - cluster: - - INDICES_MONITOR - - CLUSTER_COMPOSITE_OPS - indices: - '?kibana': - '*': - - MANAGE - - INDEX - - READ - - DELETE - '?kibana-6': - '*': - - MANAGE - - INDEX - - READ - - DELETE - '?kibana_*': - '*': - - MANAGE - - INDEX - - READ - - DELETE - '?tasks': - '*': - - INDICES_ALL - '?management-beats': - '*': - - INDICES_ALL - '*': - '*': - - indices:data/read/field_caps* - - indices:data/read/xpack/rollup* - - indices:admin/mappings/get* - - indices:admin/get - -# For the kibana server -sg_kibana_server: - readonly: true - cluster: - - CLUSTER_MONITOR - - CLUSTER_COMPOSITE_OPS - - cluster:admin/xpack/monitoring* - - indices:admin/template* - - indices:data/read/scroll* - indices: - '?kibana': - '*': - - INDICES_ALL - '?kibana-6': - '*': - - INDICES_ALL - '?kibana_*': - '*': - - INDICES_ALL - '?reporting*': - '*': - - INDICES_ALL - '?monitoring*': - '*': - - INDICES_ALL - '?tasks': - '*': - - INDICES_ALL - '?management-beats*': - '*': - - INDICES_ALL - '*': - '*': - - "indices:admin/aliases*" - -# For logstash and beats -sg_logstash: - cluster: - - CLUSTER_MONITOR - - CLUSTER_COMPOSITE_OPS - - indices:admin/template/get - - indices:admin/template/put - indices: - 'logstash-*': - '*': - - CRUD - - CREATE_INDEX - '*beat*': - '*': - - CRUD - - CREATE_INDEX - -# Allows adding and modifying repositories and creating and restoring snapshots -sg_manage_snapshots: - cluster: - - MANAGE_SNAPSHOTS - indices: - '*': - '*': - - "indices:data/write/index" - - "indices:admin/create" - -# Allows each user to access own named index -sg_own_index: - cluster: - - CLUSTER_COMPOSITE_OPS - indices: - '${user_name}': - '*': - - INDICES_ALL - -### X-Pack COMPATIBILITY -sg_xp_monitoring: - readonly: true - cluster: - - cluster:monitor/xpack/info - - cluster:monitor/main - - cluster:admin/xpack/monitoring/bulk - indices: - '?monitor*': - '*': - - INDICES_ALL - -sg_xp_alerting: - readonly: true - cluster: - - indices:data/read/scroll - - cluster:admin/xpack/watcher* - - cluster:monitor/xpack/watcher* - indices: - '?watches*': - '*': - - INDICES_ALL - '?watcher-history-*': - '*': - - INDICES_ALL - '?triggered_watches': - '*': - - INDICES_ALL - '*': - '*': - - READ - - indices:admin/aliases/get - -sg_xp_machine_learning: - readonly: true - cluster: - - cluster:admin/persistent* - - cluster:internal/xpack/ml* - - indices:data/read/scroll* - - cluster:admin/xpack/ml* - - cluster:monitor/xpack/ml* - indices: - '*': - '*': - - READ - - indices:admin/get* - '?ml-*': - '*': - - "*" - -### LEGACY ROLES, FOR COMPATIBILITY ONLY -### WILL BE REMOVED IN SG7, DO NOT USE ANYMORE - -sg_readonly_and_monitor: - cluster: - - CLUSTER_MONITOR - - CLUSTER_COMPOSITE_OPS_RO - indices: - '*': - '*': - - READ - -# Make xpack monitoring work -sg_monitor: - cluster: - - cluster:admin/xpack/monitoring/* - - cluster:admin/ingest/pipeline/put - - cluster:admin/ingest/pipeline/get - - indices:admin/template/get - - indices:admin/template/put - - CLUSTER_MONITOR - - CLUSTER_COMPOSITE_OPS - indices: - '?monitor*': - '*': - - INDICES_ALL - '?marvel*': - '*': - - INDICES_ALL - '?kibana*': - '*': - - READ - '*': - '*': - - indices:data/read/field_caps - -# Make xpack alerting work -sg_alerting: - cluster: - - indices:data/read/scroll - - cluster:admin/xpack/watcher/watch/put - - cluster:admin/xpack/watcher* - - CLUSTER_MONITOR - - CLUSTER_COMPOSITE_OPS - indices: - '?kibana*': - '*': - - READ - '?watches*': - '*': - - INDICES_ALL - '?watcher-history-*': - '*': - - INDICES_ALL - '?triggered_watches': - '*': - - INDICES_ALL - '*': - '*': - - READ - - -sg_role_test: - cluster: - - indices:admin/template/get - - indices:admin/template/put - - CLUSTER_COMPOSITE_OPS - indices: - '*': - '*': - - UNLIMITED diff --git a/components/aai-elasticsearch/resources/config/sg/sg_roles_mapping.yml b/components/aai-elasticsearch/resources/config/sg/sg_roles_mapping.yml deleted file mode 100644 index 970e027..0000000 --- a/components/aai-elasticsearch/resources/config/sg/sg_roles_mapping.yml +++ /dev/null @@ -1,38 +0,0 @@ -# In this file users, backendroles and hosts can be mapped to Search Guard roles. -# Permissions for Search Guard roles are configured in sg_roles.yml - -sg_all_access: - readonly: true - backendroles: - - admin - -sg_logstash: - backendroles: - - logstash - -sg_kibana_server: - readonly: true - users: - - kibanaserver - -sg_kibana_user: - backendroles: - - kibanauser - -sg_readall: - readonly: true - backendroles: - - readall - -sg_manage_snapshots: - readonly: true - backendroles: - - snapshotrestore - -sg_own_index: - users: - - '*' - -sg_role_test: - users: - - test diff --git a/components/aai-elasticsearch/templates/configmap.yaml b/components/aai-elasticsearch/templates/configmap.yaml index 4be124f..5067c83 100644 --- a/components/aai-elasticsearch/templates/configmap.yaml +++ b/components/aai-elasticsearch/templates/configmap.yaml @@ -24,29 +24,3 @@ metadata: heritage: {{ .Release.Service }} data: {{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-sg-scripts - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/bin/*").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-sg-config - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/sg/*").AsConfig . | indent 2 }} diff --git a/components/aai-elasticsearch/templates/deployment.yaml b/components/aai-elasticsearch/templates/deployment.yaml index 785693a..0c54738 100644 --- a/components/aai-elasticsearch/templates/deployment.yaml +++ b/components/aai-elasticsearch/templates/deployment.yaml @@ -60,8 +60,8 @@ spec: - name: elasticsearch-data mountPath: /logroot/ containers: - - name: {{ include "common.name" . }} - image: "{{ include "common.repository" . }}/{{ .Values.image }}" + - name: {{ include "common.name" . }} + image: "{{ .Values.global.loggingRepository }}/{{ .Values.image }}" imagePullPolicy: {{ .Values.pullPolicy | default .Values.global.pullPolicy }} ports: - containerPort: {{ .Values.service.internalPort }} @@ -93,19 +93,6 @@ spec: - name: elasticsearch-config subPath: log4j2.properties mountPath: /usr/share/elasticsearch/config/log4j2.properties - - name: searchguard-scripts - subPath: run.sh - mountPath: /usr/share/elasticsearch/bin/run.sh - - name: searchguard-scripts - subPath: wait_until_started.sh - mountPath: /usr/share/elasticsearch/bin/wait_until_started.sh - - name: searchguard-scripts - subPath: init_sg.sh - mountPath: /usr/share/elasticsearch/bin/init_sg.sh - - name: searchguard-config - mountPath: /usr/share/elasticsearch/config/sg - - name: searchguard-auth-config - mountPath: /usr/share/elasticsearch/config/sg/auth - name: elasticsearch-data mountPath: /usr/share/elasticsearch/data resources: @@ -126,16 +113,6 @@ spec: - name: elasticsearch-config configMap: name: {{ include "common.fullname" . }}-es-config - - name: searchguard-scripts - configMap: - name: {{ include "common.fullname" . }}-sg-scripts - defaultMode: 0754 - - name: searchguard-config - configMap: - name: {{ include "common.fullname" . }}-sg-config - - name: searchguard-auth-config - secret: - secretName: {{ include "common.fullname" . }}-sg-auth - name: elasticsearch-data hostPath: path: {{ .Values.persistence.mountPath }}/{{ .Release.Name }}/{{ .Values.persistence.mountSubPath }} diff --git a/components/aai-elasticsearch/templates/secrets.yaml b/components/aai-elasticsearch/templates/secrets.yaml deleted file mode 100644 index 34b272f..0000000 --- a/components/aai-elasticsearch/templates/secrets.yaml +++ /dev/null @@ -1,22 +0,0 @@ -# Copyright © 2018 Amdocs, Bell Canada, AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "common.fullname" . }}-sg-auth - namespace: {{ include "common.namespace" . }} -type: Opaque -data: -{{ tpl (.Files.Glob "resources/config/sg/auth/*").AsSecrets . | indent 2 }} \ No newline at end of file diff --git a/components/aai-elasticsearch/values.yaml b/components/aai-elasticsearch/values.yaml index 2cd835f..dff0703 100644 --- a/components/aai-elasticsearch/values.yaml +++ b/components/aai-elasticsearch/values.yaml @@ -19,7 +19,7 @@ global: # global defaults nodePortPrefix: 302 # application image -image: onap/elasticsearch-sg:1.5.1 +image: elasticsearch/elasticsearch:6.1.2 pullPolicy: Always restartPolicy: Always diff --git a/components/aai-search-data/resources/config/elastic-search.properties b/components/aai-search-data/resources/config/elastic-search.properties index 6232c14..65de20d 100644 --- a/components/aai-search-data/resources/config/elastic-search.properties +++ b/components/aai-search-data/resources/config/elastic-search.properties @@ -17,7 +17,7 @@ es.cluster-name=ES_AAI es.ip-address=aai-elasticsearch.{{.Release.Namespace}} es.http-port={{ .Values.config.elasticsearchHttpPort }} -es.uri-scheme=https +es.uri-scheme=http es.auth-user=admin es.auth-password=OBF:1u2a1toa1w8v1tok1u30 es.trust-store=auth/tomcat_keystore -- cgit 1.2.3-korg