This commit adds keystore support to the Logstash operator. The key values in the keystore are available to Logstash pipelines as environment variables and can be resolved with ${KEY} notation. The keystore can be password protected by setting an environment variable called LOGSTASH_KEYSTORE_PASS; the password is expected to be declared in the env of the main container. A known issue is that the logstash-keystore command is very slow, in proportion to the number of key values to add: on my local machine, adding 10 keys takes 6 minutes before Logstash starts. Adding or updating key values in the keystore triggers pod rotation, while deleting a key does not. This commit adds e2e tests TestLogstashKeystoreWithoutPassword and TestLogstashKeystoreWithPassword. Co-authored-by: Rob Bavey <rob.bavey@elastic.co> Co-authored-by: Peter Brachwitz <peter.brachwitz@elastic.co>
1 parent
d22d0a0
commit cce77a3
Showing
6 changed files
with
351 additions
and
19 deletions.
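--- /dev/null
+++ b/(unknown)
@@ -0,0 +1,78 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License 2.0;
+// you may not use this file except in compliance with the Elastic License 2.0.
+
+package logstash
+
+import (
+"hash"
+
+corev1 "k8s.io/api/core/v1"
+"k8s.io/apimachinery/pkg/api/resource"
+
+logstashv1alpha1 "github.com/elastic/cloud-on-k8s/v2/pkg/apis/logstash/v1alpha1"
+"github.com/elastic/cloud-on-k8s/v2/pkg/controller/common/keystore"
+"github.com/elastic/cloud-on-k8s/v2/pkg/controller/logstash/volume"
+)
+
+const (
+KeystorePassKey = "LOGSTASH_KEYSTORE_PASS" // #nosec G101
+)
+
+var (
+keystoreCommand = "echo 'y' | /usr/share/logstash/bin/logstash-keystore"
+initContainersParameters = keystore.InitContainerParameters{
+KeystoreCreateCommand: keystoreCommand + " create",
+KeystoreAddCommand: keystoreCommand + ` add "$key" --stdin < "$filename"`,
+SecureSettingsVolumeMountPath: keystore.SecureSettingsVolumeMountPath,
+KeystoreVolumePath: volume.ConfigMountPath,
+Resources: corev1.ResourceRequirements{
+Requests: map[corev1.ResourceName]resource.Quantity{
+corev1.ResourceMemory: resource.MustParse("1Gi"),
+corev1.ResourceCPU: resource.MustParse("1000m"),
+},
+Limits: map[corev1.ResourceName]resource.Quantity{
+corev1.ResourceMemory: resource.MustParse("1Gi"),
+corev1.ResourceCPU: resource.MustParse("1000m"),
+},
+},
+}
+)
+
+func reconcileKeystore(params Params, configHash hash.Hash) (*keystore.Resources, error) {
+if keystoreResources, err := keystore.ReconcileResources(
+params.Context,
+params,
+¶ms.Logstash,
+logstashv1alpha1.Namer,
+NewLabels(params.Logstash),
+initContainersParameters,
+); err != nil {
+return nil, err
+} else if keystoreResources != nil {
+_, _ = configHash.Write([]byte(keystoreResources.Version))
+// set keystore password in init container
+if env := getKeystorePass(params.Logstash); env != nil {
+keystoreResources.InitContainer.Env = append(keystoreResources.InitContainer.Env, *env)
+}
+
+return keystoreResources, nil
+}
+
+return nil, nil
+}
+
+// getKeystorePass return env LOGSTASH_KEYSTORE_PASS from main container if set
+func getKeystorePass(logstash logstashv1alpha1.Logstash) *corev1.EnvVar {
+for _, c := range logstash.Spec.PodTemplate.Spec.Containers {
+if c.Name == logstashv1alpha1.LogstashContainerName {
+for _, env := range c.Env {
+if env.Name == KeystorePassKey {
+return &env
+}
+}
+}
+}
+
+return nil
+}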