in pkg/controller/elasticsearch/settings/merged_config.go [101:175]
// xpackConfig builds the x-pack security settings for an Elasticsearch node of
// the given version: TLS on the HTTP and transport layers, the file and native
// authentication realms, and, when requested, the remote cluster server/client
// TLS settings. On 7.8.1 and later the accepted license upload types are also
// restricted to trial and enterprise.
//
// All key, certificate and CA paths point at the secret volume mounts declared
// in the volume package. Transport material is per pod: the file name is
// prefixed with ${POD_NAME}, which Elasticsearch expands from its environment.
func xpackConfig(ver version.Version, httpCfg commonv1.HTTPConfig, remoteClusterServerEnabled, remoteClusterClientEnabled bool) *CanonicalConfig {
	httpCertsDir := volume.HTTPCertificatesSecretVolumeMountPath
	transportCertsDir := volume.TransportCertificatesSecretVolumeMountPath

	// Per-pod transport key and certificate, selected via ${POD_NAME}.
	transportKey := path.Join(transportCertsDir, "${POD_NAME}."+certificates.KeyFileName)
	transportCert := path.Join(transportCertsDir, "${POD_NAME}."+certificates.CertFileName)

	// Trusted CAs for the transport layer: the operator-managed transport CA plus
	// any additional CA supplied through transport.tls.certificateAuthorities
	// (mounted under RemoteCertificateAuthoritiesSecretVolumeMountPath). A fresh
	// slice is returned on every call so that no two settings share a backing array.
	newTransportCAs := func() []string {
		return []string{
			path.Join(transportCertsDir, certificates.CAFileName),
			path.Join(volume.RemoteCertificateAuthoritiesSecretVolumeMountPath, certificates.CAFileName),
		}
	}

	cfg := map[string]interface{}{
		// General security settings. The reserved realm is switched off; the file
		// and native realms configured further down are presumably the intended
		// user stores.
		esv1.XPackSecurityEnabled:                   "true",
		esv1.XPackSecurityAuthcReservedRealmEnabled: "false",
		// "certificate" validates the peer chain against the trusted CAs but does
		// not perform hostname verification.
		esv1.XPackSecurityTransportSslVerificationMode: "certificate",

		// HTTP layer: whether TLS is on comes from the user-facing HTTP config,
		// the key/cert/CA paths are always set.
		esv1.XPackSecurityHttpSslEnabled:                httpCfg.TLS.Enabled(),
		esv1.XPackSecurityHttpSslKey:                    path.Join(httpCertsDir, certificates.KeyFileName),
		esv1.XPackSecurityHttpSslCertificate:            path.Join(httpCertsDir, certificates.CertFileName),
		esv1.XPackSecurityHttpSslCertificateAuthorities: path.Join(httpCertsDir, certificates.CAFileName),

		// Transport layer: TLS is unconditional.
		esv1.XPackSecurityTransportSslEnabled:                "true",
		esv1.XPackSecurityTransportSslKey:                    transportKey,
		esv1.XPackSecurityTransportSslCertificate:            transportCert,
		esv1.XPackSecurityTransportSslCertificateAuthorities: newTransportCAs(),
	}

	// The remote cluster server reuses the per-pod transport identity and the
	// same trust set as the transport layer.
	if remoteClusterServerEnabled {
		cfg[esv1.XPackSecurityRemoteClusterServerSslKey] = transportKey
		cfg[esv1.XPackSecurityRemoteClusterServerSslCertificate] = transportCert
		cfg[esv1.XPackSecurityRemoteClusterServerSslCertificateAuthorities] = newTransportCAs()
	}

	if remoteClusterClientEnabled {
		// NOTE(review): the value is a boolean while the constant name reads like a
		// key-path setting; confirm that esv1.XPackSecurityRemoteClusterClientSslKey
		// maps to the ".ssl.enabled" setting rather than ".ssl.key".
		cfg[esv1.XPackSecurityRemoteClusterClientSslKey] = true
		// Include /usr/share/elasticsearch/config/transport-certs/ca.crt to trust any
		// additional CA in transport.tls.certificateAuthorities.
		cfg[esv1.XPackSecurityRemoteClusterClientSslCertificateAuthorities] = newTransportCAs()
	}

	// The built-in file and native realms are always enabled and ordered first;
	// the setting names differ between the 6.x and 7.x realm syntax.
	switch {
	case ver.Major < 7:
		// 6.x syntax
		cfg[esv1.XPackSecurityAuthcRealmsFile1Type] = "file"
		cfg[esv1.XPackSecurityAuthcRealmsFile1Order] = -100
		cfg[esv1.XPackSecurityAuthcRealmsNative1Type] = "native"
		cfg[esv1.XPackSecurityAuthcRealmsNative1Order] = -99
	default:
		// 7.x syntax
		cfg[esv1.XPackSecurityAuthcRealmsFileFile1Order] = -100
		cfg[esv1.XPackSecurityAuthcRealmsNativeNative1Order] = -99
	}

	// From 7.8.1 on, only trial and enterprise licenses may be uploaded through
	// this node.
	if ver.GTE(version.MustParse("7.8.1")) {
		cfg[esv1.XPackLicenseUploadTypes] = []string{
			string(client.ElasticsearchLicenseTypeTrial),
			string(client.ElasticsearchLicenseTypeEnterprise),
		}
	}

	return &CanonicalConfig{common.MustCanonicalConfig(cfg)}
}