Connect to Elasticsearch via SSL when starting kibana with --ssl #42840

Merged
merged 8 commits into from
Aug 8, 2019
Changes from 2 commits
1 change: 1 addition & 0 deletions package.json
Expand Up @@ -115,6 +115,7 @@
"@kbn/babel-code-parser": "1.0.0",
"@kbn/babel-preset": "1.0.0",
"@kbn/config-schema": "1.0.0",
"@kbn/dev-utils": "1.0.0",
"@kbn/es-query": "1.0.0",
"@kbn/i18n": "1.0.0",
"@kbn/interpreter": "1.0.0",
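Review bot: The `"@kbn/dev-utils": "1.0.0"` entry is listed alongside packages such as `@kbn/config-schema` and `@kbn/i18n`; if this block is the runtime dependency list, a development-only package (the one `serve.js` imports `CA_CERT_PATH` from) becomes part of what production installs pull in. Either keep it out of the runtime list, or confirm that the build strips it from the distributable and that nothing loads it outside dev mode.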
9 changes: 9 additions & 0 deletions src/cli/serve/serve.js
Expand Up @@ -20,6 +20,7 @@
import _ from 'lodash';
import { statSync } from 'fs';
import { resolve } from 'path';
import { CA_CERT_PATH } from '@kbn/dev-utils';
@jbudz (Member), Aug 8, 2019:

Are we okay shipping dev certs? I know there's quite a bit in this file that makes it tough and extends beyond the scope of this PR.

Contributor:

Yeah, we should only be requiring this when opts.dev is true so that we don't have to ship @kbn/dev-utils in the distributable.


import { fromRoot, IS_KIBANA_DISTRIBUTABLE } from '../../legacy/utils';
import { getConfig } from '../../legacy/server/path';
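Review bot: The top-level `import { CA_CERT_PATH } from '@kbn/dev-utils';` is evaluated on every start of `serve.js`, whether or not `--ssl` is passed, so the module has to be resolvable in every build. Load it lazily inside the branch that actually uses `CA_CERT_PATH`, so that a start without the dev SSL option does not depend on a dev package being installed.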
Expand Down Expand Up @@ -94,6 +95,14 @@ function applyConfigOverrides(rawConfig, opts, extraCliOptions) {
set('server.ssl.certificate', DEV_SSL_CERT_PATH);
set('server.ssl.key', DEV_SSL_KEY_PATH);
}

if (opts.ssl && !opts.elasticsearch && !has('elasticsearch.hosts')) {
set('elasticsearch.hosts', 'https://localhost:9200');
Contributor Author:

This doesn't seem to be the best way to hardcode the host. Maybe there's a better way to do this? Or to find out if Elasticsearch is running on a different port?

Note the certificate within CA_CERT_PATH is bound to localhost.

Contributor:

If --elasticsearch or --elasticsearch.hosts is defined we should parse that url with url.parse(), throw if parsedUrl.hostname !== 'localhost', and if it is then use parsedUrl.port and default to 9200.

}

if (opts.ssl && !has('elasticsearch.ssl.certificateAuthorities')) {
set('elasticsearch.ssl.certificateAuthorities', CA_CERT_PATH);
}
}

if (opts.elasticsearch) set('elasticsearch.hosts', opts.elasticsearch.split(','));
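Review bot: The second condition, `if (opts.ssl && !has('elasticsearch.ssl.certificateAuthorities'))`, installs the dev CA as a trust anchor regardless of which host ends up configured. It does not share the `!opts.elasticsearch && !has('elasticsearch.hosts')` guard of the block above it, and the later `set('elasticsearch.hosts', opts.elasticsearch.split(','))` can still point Kibana at any host. Set the CA only when every resolved host is localhost, and fail with a clear error otherwise. As a smaller point, the default is set as a string (`'https://localhost:9200'`) while the `--elasticsearch` path sets an array; `['https://localhost:9200']` would keep the type consistent.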
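The hostname check suggested in the review thread above (parse the configured Elasticsearch URL, reject anything other than localhost, default the port to 9200), written out as an added example that is not code from this PR or from Kibana. The names `devElasticsearchHosts`, `explicitPort` and `DEFAULT_ES_PORT` are hypothetical, the WHATWG `URL` class is used in place of `url.parse()`, and forcing the scheme to `https` is an assumption.

```javascript
// Added example, not Kibana code; all names here are hypothetical.
const DEFAULT_ES_PORT = '9200';

// WHATWG URL reports '' for a port equal to the scheme default (e.g. :443 on
// https), so recover an explicitly written port from the raw string.
function explicitPort(raw, parsed) {
  if (parsed.port) return parsed.port;
  const m = /^[a-z][a-z0-9+.-]*:\/\/[^/?#]*:(\d+)(?=[/?#]|$)/i.exec(raw);
  return m ? m[1] : null;
}

// Accepts the value of --elasticsearch / elasticsearch.hosts (comma-separated
// string or array) and returns https://localhost:<port> URLs, or throws.
function devElasticsearchHosts(value) {
  const rawHosts = Array.isArray(value) ? value : String(value).split(',');
  return rawHosts.map((raw) => {
    const trimmed = raw.trim();
    let parsed;
    try {
      parsed = new URL(trimmed);
    } catch (err) {
      throw new Error(`Invalid Elasticsearch URL: "${trimmed}"`);
    }
    // The dev CA certificate is bound to localhost (per the PR discussion), so
    // any other hostname is rejected instead of being trusted silently.
    if (parsed.hostname !== 'localhost') {
      throw new Error(`--ssl with the dev CA requires localhost, got "${parsed.hostname}"`);
    }
    const port = explicitPort(trimmed, parsed) || DEFAULT_ES_PORT;
    // Assumption: the scheme is forced to https because --ssl was requested.
    return `https://localhost:${port}`;
  });
}

// Constructed sample input.
console.log(devElasticsearchHosts('http://localhost:9201, https://localhost'));
```

A schemeless value such as `localhost:9200` is also rejected, because `URL` parses `localhost:` as the scheme and leaves the hostname empty.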