Add support for AWS Elasticsearch Service (#4664)

* Initial changes to pass role_arn to backup

Signed-off-by: Kallol Roy <[email protected]>

* WIP

* Add test and fix bug for esgateway config

Signed-off-by: Jay Mundrawala <[email protected]>

* Use optional parameters

Signed-off-by: Jay Mundrawala <[email protected]>

* Fix unit tests

Signed-off-by: Jay Mundrawala <[email protected]>

* fixup go.mod

Signed-off-by: Jay Mundrawala <[email protected]>

Co-authored-by: Jay Mundrawala <[email protected]>

Author: kalroy

api/config/es_sidecar/config_request.go

@@ -3,6 +3,7 @@ package es_sidecar
 import (
 	ac "github.com/chef/automate/api/config/shared"
 	w "github.com/chef/automate/api/config/shared/wrappers"
+	"google.golang.org/protobuf/types/known/wrapperspb"
 )
 
 // NewConfigRequest returns a new instance of ConfigRequest with zero values.
@@ -91,7 +92,8 @@ func (c *ConfigRequest) SetGlobalConfig(g *ac.GlobalConfig) {
 	c.applyGlobalBackupConfig(backupsCfg, g.GetV1().GetBackups())
 
 	if externalCfg.GetEnable().GetValue() {
-		c.applyExternalConfig(backupsCfg, g.GetV1().GetBackups(), externalCfg.GetBackup())
+		c.applyExternalConfig(backupsCfg, g.GetV1().GetBackups(), externalCfg.GetBackup(),
+			externalCfg.GetAuth(), externalCfg.GetNodes())
 		// Early return as we don't need to migrate to the backup-gateway with
 		// external es
 		return
@@ -107,7 +109,9 @@ func (c *ConfigRequest) SetGlobalConfig(g *ac.GlobalConfig) {
 func (c *ConfigRequest) applyExternalConfig(
 	cfg *ConfigRequest_V1_System_Backups,
 	global *ac.Backups,
-	override *ac.External_Elasticsearch_Backup) {
+	override *ac.External_Elasticsearch_Backup,
+	auth *ac.External_Elasticsearch_Authentication,
+	nodes []*wrapperspb.StringValue) {
 
 	// If backups are disabled we don't need to worry about applying any other
 	// config.
@@ -148,6 +152,14 @@ func (c *ConfigRequest) applyExternalConfig(
 		if s := extS3cfg.GetSettings(); s != nil {
 			cfg.S3.Es = s
 		}
+
+		if auth.GetScheme().GetValue() == "aws_es" {
+			cfg.S3.EnableAwsAuth = w.Bool(true)
+			cfg.S3.AwsAuth = auth.GetAwsEs()
+			if len(nodes) > 0 {
+				cfg.S3.EsUrl = nodes[0]
+			}
+		}
 	case "gcs":
 		cfg.Backend = w.String(backend)
 		if cfg.Gcs == nil {

api/config/es_sidecar/config_request.pb.go

@@ -51,6 +51,9 @@ message ConfigRequest {
 					google.protobuf.StringValue client = 2;
 					google.protobuf.StringValue base_path = 3;
 					chef.automate.infra.config.Backups.S3.Elasticsearch es = 4;
+					google.protobuf.BoolValue enable_aws_auth = 5;
+					chef.automate.infra.config.External.Elasticsearch.Authentication.AwsElasticsearchAuth aws_auth = 6;
+					google.protobuf.StringValue es_url = 7;
 				}
 				message GCSSettings {
 					google.protobuf.StringValue bucket = 1;

api/config/es_sidecar/config_request.proto

@@ -122,10 +122,10 @@ func (c *ConfigRequest) SetGlobalConfig(g *ac.GlobalConfig) {
 		c.V1.Sys.External = &ConfigRequest_V1_System_External{
 			Enable: w.Bool(true),
 		}
+		endpoints := make([]*ConfigRequest_V1_System_Endpoint, 0, len(nodes))
 		if len(nodes) > 0 {
 			isSSL := false
 
-			endpoints := make([]*ConfigRequest_V1_System_Endpoint, 0, len(nodes))
 			for _, n := range nodes {
 				endpoint, ssl := uriToEndpoint(n.GetValue())
 				endpoints = append(endpoints, endpoint)
@@ -144,14 +144,29 @@ func (c *ConfigRequest) SetGlobalConfig(g *ac.GlobalConfig) {
 			}
 		}
 
-		if auth := g.GetV1().GetExternal().GetElasticsearch().GetAuth(); auth.GetScheme().GetValue() == "basic_auth" {
+		switch auth := g.GetV1().GetExternal().GetElasticsearch().GetAuth(); auth.GetScheme().GetValue() {
+		case "basic_auth":
 			c.V1.Sys.External.BasicAuthCredentials = w.String(base64.StdEncoding.EncodeToString([]byte(
 				fmt.Sprintf(
 					"%s:%s",
 					auth.GetBasicAuth().GetUsername().GetValue(),
 					auth.GetBasicAuth().GetPassword().GetValue(),
 				),
 			)))
+		case "aws_es":
+			// If we only have 1 AWS Elasticsearch Service endpoint specified, we can assume that
+			// the host header should be the name of that endpoint.
+			if c.V1.Sys.Ngx.Http.ProxySetHeaderHost.Value == "$http_host" && len(endpoints) == 1 {
+				c.V1.Sys.Ngx.Http.ProxySetHeaderHost = endpoints[0].Address
+			}
+			c.V1.Sys.External.BasicAuthCredentials = w.String(base64.StdEncoding.EncodeToString([]byte(
+				fmt.Sprintf(
+					"%s:%s",
+					auth.GetAwsEs().GetUsername().GetValue(),
+					auth.GetAwsEs().GetPassword().GetValue(),
+				),
+			)))
+		default:
 		}
 
 		c.V1.Sys.External.RootCert = g.GetV1().GetExternal().GetElasticsearch().GetSsl().GetRootCert()

api/config/esgateway/config_request.go

@@ -154,7 +154,6 @@ func TestExternalElasticsearch(t *testing.T) {
 
 		assert.Equal(t, "server1", c.GetV1().GetSys().GetExternal().GetParsedEndpoints()[0].GetAddress().GetValue())
 		assert.Equal(t, "443", c.GetV1().GetSys().GetExternal().GetParsedEndpoints()[0].GetPort().GetValue())
-
 	})
 
 	t.Run("single http endpoint with IP", func(t *testing.T) {
@@ -276,4 +275,36 @@ func TestExternalElasticsearch(t *testing.T) {
 
 		require.Equal(t, c.V1.Sys.Ngx.Main.Resolvers.NameserversString.GetValue(), "111.11.11.11:50", "does not match with the nameserver passed")
 	})
+
+	t.Run("aws elasticsearch", func(t *testing.T) {
+		c := DefaultConfigRequest()
+		c.SetGlobalConfig(&ac.GlobalConfig{
+			V1: &ac.V1{
+				External: &ac.External{
+					Elasticsearch: &ac.External_Elasticsearch{
+						Enable: w.Bool(true),
+						Nodes: []*wrappers.StringValue{
+							w.String("https://server1"),
+						},
+						Auth: &ac.External_Elasticsearch_Authentication{
+							Scheme: w.String("aws_es"),
+							AwsEs: &ac.External_Elasticsearch_Authentication_AwsElasticsearchAuth{
+								Username: w.String("testuser"),
+								Password: w.String("testpassword"),
+							},
+						},
+					},
+				},
+			},
+		})
+
+		require.True(t,
+			c.GetV1().GetSys().GetExternal().GetEnable().GetValue(),
+			"expected external ES to be enabled")
+
+		require.Equal(t, "server1", c.GetV1().GetSys().GetExternal().GetParsedEndpoints()[0].GetAddress().GetValue())
+		require.Equal(t, "443", c.GetV1().GetSys().GetExternal().GetParsedEndpoints()[0].GetPort().GetValue())
+		require.Equal(t, "server1", c.GetV1().GetSys().GetNgx().GetHttp().GetProxySetHeaderHost().GetValue())
+
+	})
 }

api/config/esgateway/config_request_test.go

@@ -215,23 +215,29 @@ func (c *GlobalConfig) Validate() error { // nolint gocyclo
 
 		auth := c.GetV1().GetExternal().GetElasticsearch().GetAuth()
 		scheme := auth.GetScheme().GetValue()
-		if scheme != "" {
-			// External ES uses a supported auth scheme
-			if scheme != "basic_auth" {
-				cfgErr.AddInvalidValue("global.v1.external.elasticsearch.auth.scheme", "Scheme should be 'basic_auth'.")
+		switch scheme {
+		case "basic_auth":
+			u := auth.GetBasicAuth().GetUsername().GetValue()
+			p := auth.GetBasicAuth().GetPassword().GetValue()
+			if u == "" {
+				cfgErr.AddMissingKey("global.v1.external.elasticsearch.auth.basic_auth.username")
 			}
-
-			// Username and password specified in config if using basic auth
-			if scheme == "basic_auth" {
-				u := auth.GetBasicAuth().GetUsername().GetValue()
-				p := auth.GetBasicAuth().GetPassword().GetValue()
-				if u == "" {
-					cfgErr.AddMissingKey("global.v1.external.elasticsearch.basic_auth.username")
-				}
-				if p == "" {
-					cfgErr.AddMissingKey("global.v1.external.elasticsearch.basic_auth.password")
-				}
+			if p == "" {
+				cfgErr.AddMissingKey("global.v1.external.elasticsearch.auth.basic_auth.password")
+			}
+		case "aws_es":
+			u := auth.GetAwsEs().GetUsername().GetValue()
+			p := auth.GetAwsEs().GetPassword().GetValue()
+			if u == "" {
+				cfgErr.AddMissingKey("global.v1.external.elasticsearch.auth.aws_es.username")
+			}
+			if p == "" {
+				cfgErr.AddMissingKey("global.v1.external.elasticsearch.auth.aws_es.password")
 			}
+		case "":
+		default:
+			cfgErr.AddInvalidValue("global.v1.external.elasticsearch.auth.scheme",
+				"Scheme should be one of 'basic_auth', 'aws_es'.")
 		}
 	}