File tree 6 files changed +88
-2
lines changed
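--- a/PATH_NOT_ON_PAGE_1
+++ b/PATH_NOT_ON_PAGE_1
@@ -118,7 +118,8 @@ This will run all the tests excluding end-to-end integration test in host/ packa
 ``` bash
 make test
 ```
-> Note that you will see some test failures because of errors connecting to MySQL/Postgres if only Cassandra is up. This is okay if you don't write any code related to persistence layer.
+:warning : Note:
+> You will see some test failures because of errors connecting to MySQL/Postgres if only Cassandra is up. This is okay if you don't write any code related to persistence layer.
 
 To run all end-to-end integration tests in ** host/** package:
 ``` bash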
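--- a/PATH_NOT_ON_PAGE_2
+++ b/PATH_NOT_ON_PAGE_2
@@ -48,6 +48,8 @@
 // optional to use AWS signing client
 // See more info https://github.com/olivere/elastic/wiki/Using-with-AWS-Elasticsearch-Service
 AWSSigning AWSSigning `yaml:"awsSigning"`
+// optional to use Signed Certificates over https
+TLS TLS `yaml:"tls"`
 }
 
 // AWSSigning contains config to enable signing,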
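--- a/PATH_NOT_ON_PAGE_3
+++ b/PATH_NOT_ON_PAGE_3
@@ -120,6 +120,16 @@ func NewV6Client(
 }
 clientOptFuncs = append (clientOptFuncs , elastic .SetHttpClient (signingClient ))
 }
+if connectConfig .TLS .Enabled {
+var tlsClient * http.Client
+var err error
+tlsClient , err = buildTLSHTTPClient (connectConfig .TLS )
+if err != nil {
+return nil , err
+}
+clientOptFuncs = append (clientOptFuncs , elastic .SetHttpClient (tlsClient ))
+}
+
 client , err := elastic .NewClient (clientOptFuncs ... )
 if err != nil {
 return nil , err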
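Review bot: If the AWS signing branch just above (its condition is outside the hunk) and `connectConfig.TLS.Enabled` are both active, the added block appends a second `elastic.SetHttpClient` option after the signing one, so the TLS client silently replaces the signing client and requests leave unsigned; nothing rejects or documents that combination. NewV7Client receives the identical block and has the same gap. Either return an error when both are enabled, or build the TLS client first and feed it to the signing client if that wrapper accepts a custom base client (not visible here). As a point of style, the three declaration lines collapse to `tlsClient, err := buildTLSHTTPClient(connectConfig.TLS)`. Both enclosing functions start before and end after their hunks.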
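--- a/PATH_NOT_ON_PAGE_4
+++ b/PATH_NOT_ON_PAGE_4
@@ -113,6 +113,15 @@ func NewV7Client(
 }
 clientOptFuncs = append (clientOptFuncs , elastic .SetHttpClient (signingClient ))
 }
+if connectConfig .TLS .Enabled {
+var tlsClient * http.Client
+var err error
+tlsClient , err = buildTLSHTTPClient (connectConfig .TLS )
+if err != nil {
+return nil , err
+}
+clientOptFuncs = append (clientOptFuncs , elastic .SetHttpClient (tlsClient ))
+}
 client , err := elastic .NewClient (clientOptFuncs ... )
 if err != nil {
 return nil , err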
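--- a/PATH_NOT_ON_PAGE_5
+++ b/PATH_NOT_ON_PAGE_5
@@ -21,10 +21,56 @@
 package elasticsearch
 
 import (
+"crypto/tls"
+"crypto/x509"
+"io/ioutil"
+"net/http"
 "time"
+
+"github.com/uber/cadence/common/config"
 )
 
 const unknownStatusCode = - 1
 
 // TODO https://github.com/uber/cadence/issues/3686
 const oneMicroSecondInNano = int64 (time .Microsecond / time .Nanosecond )
+
+// Build Http Client with TLS
+func buildTLSHTTPClient (config config.TLS ) (* http.Client , error ) {
+// Setup base TLS config
+// EnableHostVerification is a secure flag vs insecureSkipVerify is insecure so inverse the valu
+tlsConfig := & tls.Config {
+InsecureSkipVerify : ! config .EnableHostVerification ,
+}
+
+// Setup server name
+if config .ServerName != "" {
+tlsConfig .ServerName = config .ServerName
+}
+
+// Load client cert
+if config .CertFile != "" && config .KeyFile != "" {
+cert , err := tls .LoadX509KeyPair (config .CertFile , config .KeyFile )
+if err != nil {
+return nil , err
+}
+tlsConfig .Certificates = []tls.Certificate {cert }
+}
+
+// Load CA cert
+if config .CaFile != "" {
+caCert , err := ioutil .ReadFile (config .CaFile )
+if err != nil {
+return nil , err
+}
+caCertPool := x509 .NewCertPool ()
+caCertPool .AppendCertsFromPEM (caCert )
+tlsConfig .RootCAs = caCertPool
+}
+
+// Setup HTTPS client
+transport := & http.Transport {TLSClientConfig : tlsConfig }
+tlsClient := & http.Client {Transport : transport }
+
+return tlsClient , nil
+}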
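Review bot: The `caCertPool.AppendCertsFromPEM(caCert)` line discards its boolean result, so a CA file with no parsable PEM certificate leaves `RootCAs` empty and the problem only surfaces later as an opaque handshake failure on every request; check it with `if !caCertPool.AppendCertsFromPEM(caCert) { return nil, errors.New("no certificates parsed from " + config.CaFile) }` (`errors` would need importing). The comment above `tlsConfig` also understates `InsecureSkipVerify`: it disables chain validation as well as host-name matching, so `enableHostVerification: false` makes `caFile` irrelevant, which is worth stating in that comment, e.g. `// InsecureSkipVerify skips chain AND host-name verification; RootCAs only matters when EnableHostVerification is true`. The `http.Transport` is constructed with only `TLSClientConfig`, so the proxy, TLS-handshake and idle-connection timeouts of `http.DefaultTransport` are lost; `http.DefaultTransport.(*http.Transport).Clone()` with `TLSClientConfig` assigned keeps them. The truncated comment `inverse the valu` and the header `// Build Http Client with TLS` (Go doc style is `// buildTLSHTTPClient returns an *http.Client whose transport uses the TLS settings in config.`) should be fixed while here.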
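--- a/PATH_NOT_ON_PAGE_6
+++ b/PATH_NOT_ON_PAGE_6
@@ -75,6 +75,25 @@ This part is used to config advanced visibility store to ElasticSearch.
 - ` url ` is for Cadence to discover ES
 - ` indices/visibility ` is ElasticSearch index name for the deployment.
 
+Optional TLS Support can be enabled by setting the TLS config as follows:
+``` yaml
+elasticsearch :
+url :
+scheme : " https"
+host : " 127.0.0.1:9200"
+indices :
+visibility : cadence-visibility-dev
+tls :
+enabled : true
+caFile : /secrets/cadence/elasticsearch_cert.pem
+enableHostVerification : true
+serverName : myServerName
+certFile : /secrets/cadence/certfile.crt
+keyFile : /secrets/cadence/keyfile.key
+sslmode : false
+` ` `
+
+Also need to add a kafka topic to visibility, as shown below.
 ` ` `
 kafka :
 ...
@@ -84,7 +103,6 @@ kafka:
 dlq-topic : cadence-visibility-dev-dlq
 ...
 ```
-Also need to add a kafka topic to visibility, see above for example.
 
 There are dynamic configs to control ElasticSearch visibility features:
 - ` system.advancedVisibilityWritingMode ` is an int property to control how to write visibility to data store.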