Skip to content

Add authentication to Elasticsearch via client cert #191

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Nov 23, 2022
Merged

Add authentication to Elasticsearch via client cert #191

merged 2 commits into from
Nov 23, 2022

Conversation

andreaskapfer
Copy link
Contributor

This PR adds the ability to authenticate to Elasticsearch via client certificate.

It also fixes some bugs related to the options ca_file and ca_data.

@elasticmachine
Copy link

Since this is a community submitted pull request, a Jenkins build has not been kicked off automatically. Can an Elastic organization member please verify the contents of this patch and then kick off a build manually?

@tobio tobio force-pushed the feature/client-auth branch from d466ade to c2ecc3f Compare November 21, 2022 23:38
@tobio tobio mentioned this pull request Nov 21, 2022
Closed
tobio
tobio reviewed Nov 22, 2022
View reviewed changes
Copy link
Member

@tobio tobio left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry for the delay here, took a little longer to spin up a cluster with PKI auth to test this.

Couple of nits on the code.

internal/clients/api_client.go Outdated
Comment on lines 130 to 131
ensureTLSClientConfig(&config)
config.Transport.(*http.Transport).TLSClientConfig.Certificates = []tls.Certificate{cert}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IMO these blocks would likely read more nicely if ensureTLSClientConfig returned a *http.Transport so the subsequent code could avoid the casts. WDYT?

To be clear: "You're wrong because..." is totally fine.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good idea! I would even go one step further. What about returning *tls.Config?
I guess everyone calling ensureTLSClientConfig wants to customize TLSClientConfig afterwards.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sounds great, thanks!

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

internal/clients/api_client.go
@@ -116,6 +115,37 @@ func NewApiClientFunc(version string, p *schema.Provider) func(context.Context,
if caData, ok := esConfig["ca_data"]; ok && caData.(string) != "" {
config.CACert = []byte(caData.(string))
}

if certFile, ok := esConfig["cert_file"]; ok && certFile.(string) != "" {
if keyFile, ok := esConfig["key_file"]; ok && keyFile.(string) != "" {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I know this is enforced in the schema, but IMO we should return an error if cert_file is ok but key_file is not ok.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

internal/clients/api_client.go
}
}
if certData, ok := esConfig["cert_data"]; ok && certData.(string) != "" {
if keyData, ok := esConfig["key_data"]; ok && keyData.(string) != "" {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Similarly, I think this code should error out if cert_data is specified without key_data

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

internal/clients/api_client.go
}

if certFile, ok := conn["cert_file"]; ok && certFile.(string) != "" {
if keyFile, ok := conn["key_file"]; ok && keyFile.(string) != "" {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Similarly

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

internal/clients/api_client.go
}
}
if certData, ok := conn["cert_data"]; ok && certData.(string) != "" {
if keyData, ok := conn["key_data"]; ok && keyData.(string) != "" {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Similarly

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

@andreaskapfer andreaskapfer requested a review from tobio November 22, 2022 12:04
@tobio tobio merged commit 5adb0f6 into elastic:main Nov 23, 2022
@tobio
Copy link
Member

tobio commented Nov 23, 2022

Thanks for this @andreaskapfer we'll have a new version of the provider out with this change in the next few weeks.

@andreaskapfer
Copy link
Contributor Author

Great! Many thanks for the review @tobio

@tobio
Copy link
Member

tobio commented Dec 7, 2022

This has been released with 0.5.0

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tobio tobio tobio approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@andreaskapfer @elasticmachine @tobio