
Commit cab5a46

committed
Disabled security for ES free configuration
1 parent 98e0cc7 commit cab5a46


2 files changed

+43
-20
lines changed


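--- a/.ci/functions/imports.sh
+++ b/.ci/functions/imports.sh
@@ -26,7 +26,11 @@ if [[ -z $es_node_name ]]; then
 export es_node_name=instance
 export elastic_password=changeme
 export elasticsearch_image=elasticsearch
-export elasticsearch_url=https://elastic:${elastic_password}@${es_node_name}:9200
+export elasticsearch_scheme="https"
+if [[ $TEST_SUITE != "platinum" ]]; then
+export elasticsearch_scheme="http"
+fi
+export elasticsearch_url=${elasticsearch_scheme}://elastic:${elastic_password}@${es_node_name}:9200
 export external_elasticsearch_url=${elasticsearch_url/$es_node_name/localhost}
 export elasticsearch_container="${elasticsearch_image}:${STACK_VERSION}"
 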
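Review bot: Any TEST_SUITE value other than the exact string `platinum`, including a misspelling or different casing, silently selects `http` in the added `if [[ $TEST_SUITE != "platinum" ]]` test, so a job meant to run over TLS can downgrade to plaintext without any error. I would validate the variable before choosing the scheme, for example `case "${TEST_SUITE:-free}" in free|platinum) ;; *) echo "unknown TEST_SUITE: ${TEST_SUITE}" >&2; return 1 ;; esac`, assuming no such check already exists elsewhere in the sourced files. The URL also keeps `elastic:${elastic_password}` when the scheme is `http`, so the password travels and gets logged in cleartext wherever the URL is used; a comment above the export such as `# free suite: plain http, credentials in this URL are not protected in transit` would make that explicit. The enclosing `if [[ -z $es_node_name ]]` block starts and ends outside the hunk.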

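--- a/.ci/run-elasticsearch.sh
+++ b/.ci/run-elasticsearch.sh
@@ -7,7 +7,7 @@
 # Export the TEST_SUITE variable, eg. 'free' or 'platinum' defaults to 'free'.
 # Export the NUMBER_OF_NODES variable to start more than 1 node
 
-# Version 1.3.0
+# Version 1.6.0
 # - Initial version of the run-elasticsearch.sh script
 # - Deleting the volume should not dependent on the container still running
 # - Fixed `ES_JAVA_OPTS` config
@@ -17,6 +17,9 @@
 # - Added 5 retries on docker pull for fixing transient network errors
 # - Added flags to make local CCR configurations work
 # - Added action.destructive_requires_name=false as the default will be true in v8
+# - Added ingest.geoip.downloader.enabled=false as it causes false positives in testing
+# - Moved ELASTIC_PASSWORD and xpack.security.enabled to the base arguments for "Security On by default"
+# - Use https only when TEST_SUITE is "platinum", when "free" use http
 
 script_path=$(dirname $(realpath -s $0))
 source $script_path/functions/imports.sh
@@ -30,6 +33,8 @@ cluster_name=${moniker}${suffix}
 
 declare -a volumes
 environment=($(cat <<-END
+--env ELASTIC_PASSWORD=$elastic_password
+--env xpack.security.enabled=false
 --env node.name=$es_node_name
 --env cluster.name=$cluster_name
 --env cluster.initial_master_nodes=$master_node_name
@@ -40,29 +45,43 @@ environment=($(cat <<-END
 --env path.repo=/tmp
 --env repositories.url.allowed_urls=http://snapshot.test*
 --env action.destructive_requires_name=false
---env ELASTIC_PASSWORD=$elastic_password
---env xpack.license.self_generated.type=trial
---env xpack.security.enabled=true
---env xpack.security.http.ssl.enabled=true
---env xpack.security.http.ssl.verification_mode=certificate
---env xpack.security.http.ssl.key=certs/testnode.key
---env xpack.security.http.ssl.certificate=certs/testnode.crt
---env xpack.security.http.ssl.certificate_authorities=certs/ca.crt
---env xpack.security.transport.ssl.enabled=true
---env xpack.security.transport.ssl.verification_mode=certificate
---env xpack.security.transport.ssl.key=certs/testnode.key
---env xpack.security.transport.ssl.certificate=certs/testnode.crt
---env xpack.security.transport.ssl.certificate_authorities=certs/ca.crt
+--env ingest.geoip.downloader.enabled=false
+--env cluster.deprecation_indexing.enabled=false
+END
+))
+if [[ "$TEST_SUITE" == "platinum" ]]; then
+environment+=($(cat <<-END
+--env xpack.security.enabled=true
+--env xpack.license.self_generated.type=trial
+--env xpack.security.http.ssl.enabled=true
+--env xpack.security.http.ssl.verification_mode=certificate
+--env xpack.security.http.ssl.key=certs/testnode.key
+--env xpack.security.http.ssl.certificate=certs/testnode.crt
+--env xpack.security.http.ssl.certificate_authorities=certs/ca.crt
+--env xpack.security.transport.ssl.enabled=true
+--env xpack.security.transport.ssl.verification_mode=certificate
+--env xpack.security.transport.ssl.key=certs/testnode.key
+--env xpack.security.transport.ssl.certificate=certs/testnode.crt
+--env xpack.security.transport.ssl.certificate_authorities=certs/ca.crt
 END
 ))
-volumes+=($(cat <<-END
---volume $ssl_cert:/usr/share/elasticsearch/config/certs/testnode.crt
---volume $ssl_key:/usr/share/elasticsearch/config/certs/testnode.key
---volume $ssl_ca:/usr/share/elasticsearch/config/certs/ca.crt
+volumes+=($(cat <<-END
+--volume $ssl_cert:/usr/share/elasticsearch/config/certs/testnode.crt
+--volume $ssl_key:/usr/share/elasticsearch/config/certs/testnode.key
+--volume $ssl_ca:/usr/share/elasticsearch/config/certs/ca.crt
+END
+))
+else
+environment+=($(cat <<-END
+--env xpack.security.http.ssl.enabled=false
 END
 ))
+fi
 
-cert_validation_flags="--insecure --cacert /usr/share/elasticsearch/config/certs/ca.crt --resolve ${es_node_name}:443:127.0.0.1"
+cert_validation_flags=""
+if [[ "$TEST_SUITE" == "platinum" ]]; then
+cert_validation_flags="--insecure --cacert /usr/share/elasticsearch/config/certs/ca.crt --resolve ${es_node_name}:443:127.0.0.1"
+fi
 
 # Pull the container, retry on failures up to 5 times with
 # short delays between each attempt. Fixes most transient network errors.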
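Review bot: The base heredoc sets `--env xpack.security.enabled=false` and the platinum branch later appends `--env xpack.security.enabled=true`, so whether the platinum node runs with security on depends on which duplicate `--env` the container runtime honours; setting the `false` value only in the `else` branch, next to `--env xpack.security.http.ssl.enabled=false`, leaves exactly one value per suite. The new changelog line says the setting moved to the base arguments for "Security On by default", yet the base value is `false`, so that comment should state plainly that the free suite runs without authentication or TLS. In the platinum `cert_validation_flags`, `--insecure` turns off certificate verification and makes `--cacert` ineffective; dropping `--insecure` would have the check actually verify against the test CA, provided the certificate's names cover the host being contacted. The `docker run` call that consumes these arrays is outside the visible hunks, so how the port of the unauthenticated free node is published should be confirmed there.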
