
Commit 7457be7

Elasticsearch TLS support (cadence-workflow#4154)
1 parent 70031de commit 7457be7

6 files changed

+88
-2
lines changed

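--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -118,7 +118,8 @@ This will run all the tests excluding end-to-end integration test in host/ packa
 ```bash
 make test
 ```
-> Note that you will see some test failures because of errors connecting to MySQL/Postgres if only Cassandra is up. This is okay if you don't write any code related to persistence layer.
+:warning: Note:
+> You will see some test failures because of errors connecting to MySQL/Postgres if only Cassandra is up. This is okay if you don't write any code related to persistence layer.
 
 To run all end-to-end integration tests in **host/** package:
 ```bash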

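--- a/common/config/elasticsearch.go
+++ b/common/config/elasticsearch.go
@@ -48,6 +48,8 @@ type (
 		// optional to use AWS signing client
 		// See more info https://github.com/olivere/elastic/wiki/Using-with-AWS-Elasticsearch-Service
 		AWSSigning AWSSigning `yaml:"awsSigning"`
+		// optional to use Signed Certificates over https
+		TLS TLS `yaml:"tls"`
 	}
 
 	// AWSSigning contains config to enable signing,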
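Review bot: The comment on the new TLS field at 51+ does not tell a reader what the field controls or when it takes effect, which matters because the YAML example in docs/visibility-on-elasticsearch.md lists several sub-keys. I would replace it with `// TLS optionally configures the HTTPS client used to reach Elasticsearch (CA file, client cert/key, server name, host verification); it is only consulted when TLS.Enabled is true.` The enclosing `type (` block starts and ends outside this hunk.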

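--- a/common/elasticsearch/client_v6.go
+++ b/common/elasticsearch/client_v6.go
@@ -120,6 +120,16 @@ func NewV6Client(
 		}
 		clientOptFuncs = append(clientOptFuncs, elastic.SetHttpClient(signingClient))
 	}
+	if connectConfig.TLS.Enabled {
+		var tlsClient *http.Client
+		var err error
+		tlsClient, err = buildTLSHTTPClient(connectConfig.TLS)
+		if err != nil {
+			return nil, err
+		}
+		clientOptFuncs = append(clientOptFuncs, elastic.SetHttpClient(tlsClient))
+	}
+
 	client, err := elastic.NewClient(clientOptFuncs...)
 	if err != nil {
 		return nil, err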
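Review bot: When AWS signing and TLS are both configured, the new block at 130+ appends a second `elastic.SetHttpClient` option after the one appended for `signingClient` at line 121, so one HTTP client silently replaces the other (presumably the later option wins, as options are applied in order) and either request signing or the custom TLS settings is dropped without any error. Either reject that combination with an explicit error before the options are assembled, or document which client takes precedence. As a point of style, the three lines `var tlsClient *http.Client`, `var err error`, `tlsClient, err = buildTLSHTTPClient(connectConfig.TLS)` collapse to `tlsClient, err := buildTLSHTTPClient(connectConfig.TLS)`. The identical block in common/elasticsearch/client_v7.go has both issues. NewV6Client starts before this hunk and continues after it.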

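--- a/common/elasticsearch/client_v7.go
+++ b/common/elasticsearch/client_v7.go
@@ -113,6 +113,15 @@ func NewV7Client(
 		}
 		clientOptFuncs = append(clientOptFuncs, elastic.SetHttpClient(signingClient))
 	}
+	if connectConfig.TLS.Enabled {
+		var tlsClient *http.Client
+		var err error
+		tlsClient, err = buildTLSHTTPClient(connectConfig.TLS)
+		if err != nil {
+			return nil, err
+		}
+		clientOptFuncs = append(clientOptFuncs, elastic.SetHttpClient(tlsClient))
+	}
 	client, err := elastic.NewClient(clientOptFuncs...)
 	if err != nil {
 		return nil, err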

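--- a/common/elasticsearch/common.go
+++ b/common/elasticsearch/common.go
@@ -21,10 +21,56 @@
 package elasticsearch
 
 import (
+	"crypto/tls"
+	"crypto/x509"
+	"io/ioutil"
+	"net/http"
 	"time"
+
+	"github.com/uber/cadence/common/config"
 )
 
 const unknownStatusCode = -1
 
 // TODO https://github.com/uber/cadence/issues/3686
 const oneMicroSecondInNano = int64(time.Microsecond / time.Nanosecond)
+
+// Build Http Client with TLS
+func buildTLSHTTPClient(config config.TLS) (*http.Client, error) {
+	// Setup base TLS config
+	// EnableHostVerification is a secure flag vs insecureSkipVerify is insecure so inverse the valu
+	tlsConfig := &tls.Config{
+		InsecureSkipVerify: !config.EnableHostVerification,
+	}
+
+	// Setup server name
+	if config.ServerName != "" {
+		tlsConfig.ServerName = config.ServerName
+	}
+
+	// Load client cert
+	if config.CertFile != "" && config.KeyFile != "" {
+		cert, err := tls.LoadX509KeyPair(config.CertFile, config.KeyFile)
+		if err != nil {
+			return nil, err
+		}
+		tlsConfig.Certificates = []tls.Certificate{cert}
+	}
+
+	// Load CA cert
+	if config.CaFile != "" {
+		caCert, err := ioutil.ReadFile(config.CaFile)
+		if err != nil {
+			return nil, err
+		}
+		caCertPool := x509.NewCertPool()
+		caCertPool.AppendCertsFromPEM(caCert)
+		tlsConfig.RootCAs = caCertPool
+	}
+
+	// Setup HTTPS client
+	transport := &http.Transport{TLSClientConfig: tlsConfig}
+	tlsClient := &http.Client{Transport: transport}
+
+	return tlsClient, nil
+}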
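Review bot: The boolean returned by `caCertPool.AppendCertsFromPEM(caCert)` at 67+ is ignored, so a caFile that contains no parsable PEM certificate (wrong file, wrong encoding, empty secret mount) produces an empty RootCAs pool: every connection then fails later with a verification error that points nowhere near the config, or, when enableHostVerification is left unset, verification is off and the bad CA file is never noticed at all. Check it at the point of loading: `if !caCertPool.AppendCertsFromPEM(caCert) {`, `return nil, fmt.Errorf("no certificates found in CA file %q", config.CaFile)`, `}` (needs `fmt` in the import block). Two smaller points: the parameter `config config.TLS` shadows the imported `config` package for the whole function body, and the comment at 41+ is cut off ("valu"); I would write it as `// EnableHostVerification is the secure flag and InsecureSkipVerify its inverse, so verification is off unless the config opts in.` `ioutil.ReadFile` is deprecated in favour of `os.ReadFile` since Go 1.16, if the module's Go version permits.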

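--- a/docs/visibility-on-elasticsearch.md
+++ b/docs/visibility-on-elasticsearch.md
@@ -75,6 +75,25 @@ This part is used to config advanced visibility store to ElasticSearch.
 - `url` is for Cadence to discover ES
 - `indices/visibility` is ElasticSearch index name for the deployment.
 
+Optional TLS Support can be enabled by setting the TLS config as follows:
+```yaml
+elasticsearch:
+  url:
+    scheme: "https"
+    host: "127.0.0.1:9200"
+  indices:
+    visibility: cadence-visibility-dev
+  tls:
+    enabled: true
+    caFile: /secrets/cadence/elasticsearch_cert.pem
+    enableHostVerification: true
+    serverName: myServerName
+    certFile: /secrets/cadence/certfile.crt
+    keyFile: /secrets/cadence/keyfile.key
+    sslmode: false
+```
+
+Also need to add a kafka topic to visibility, as shown below.
 ```
 kafka:
 ...
@@ -84,7 +103,6 @@ kafka:
     dlq-topic: cadence-visibility-dev-dlq
 ...
 ```
-Also need to add a kafka topic to visibility, see above for example.
 
 There are dynamic configs to control ElasticSearch visibility features:
 - `system.advancedVisibilityWritingMode` is an int property to control how to write visibility to data store.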
