diff --git a/pkg/es/config/config.go b/pkg/es/config/config.go
index 7968a175526..84c7a6cfaf1 100644
--- a/pkg/es/config/config.go
+++ b/pkg/es/config/config.go
@@ -62,10 +62,11 @@ type Configuration struct {
 // TLSConfig describes the configuration properties to connect tls enabled ElasticSearch cluster
 type TLSConfig struct {
-	Enabled bool
-	CertPath string
-	KeyPath string
-	CaPath string
+	Enabled bool
+	SkipHostVerify bool
+	CertPath string
+	KeyPath string
+	CaPath string
 }
 
 // ClientBuilder creates new es.Client
@@ -297,9 +298,11 @@ func (tlsConfig *TLSConfig) createTLSConfig() (*tls.Config, error) {
 	if err != nil {
 		return nil, err
 	}
+	// #nosec
 	return &tls.Config{
-		RootCAs: rootCerts,
-		Certificates: []tls.Certificate{*clientPrivateKey},
+		RootCAs: rootCerts,
+		Certificates: []tls.Certificate{*clientPrivateKey},
+		InsecureSkipVerify: tlsConfig.SkipHostVerify,
 	}, nil
 }
 
diff --git a/plugin/storage/es/options.go b/plugin/storage/es/options.go
index 3e74333b0b7..2b168303c50 100644
--- a/plugin/storage/es/options.go
+++ b/plugin/storage/es/options.go
@@ -43,6 +43,7 @@ const (
 	suffixCert = ".tls.cert"
 	suffixKey = ".tls.key"
 	suffixCA = ".tls.ca"
+	suffixSkipHostVerify = ".tls.skip-host-verify"
 	suffixIndexPrefix = ".index-prefix"
 	suffixTagsAsFields = ".tags-as-fields"
 	suffixTagsAsFieldsAll = suffixTagsAsFields + ".all"
@@ -174,6 +175,10 @@ func addFlags(flagSet *flag.FlagSet, nsConfig *namespaceConfig) {
 		nsConfig.namespace+suffixTLS,
 		nsConfig.TLS.Enabled,
 		"Enable TLS with client certificates.")
+	flagSet.Bool(
+		nsConfig.namespace+suffixSkipHostVerify,
+		nsConfig.TLS.SkipHostVerify,
+		"(insecure) Skip server's certificate chain and host name verification")
 	flagSet.String(
 		nsConfig.namespace+suffixCert,
 		nsConfig.TLS.CertPath,
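Review bot: The new `SkipHostVerify` field in `TLSConfig` has no doc comment, and its name understates what it does: it is wired to `tls.Config.InsecureSkipVerify` in the `createTLSConfig` hunk of this same file, which disables verification of the whole certificate chain, not just the host name. A reader of the struct alone would not learn that `CaPath` is effectively ignored when this field is set. I would add a comment above the field such as `// SkipHostVerify disables verification of the server's certificate chain and host name (sets tls.Config.InsecureSkipVerify); when true, CaPath is not used to validate the server. Intended for testing only.`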
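Review bot: The bare `// #nosec` added before the `return &tls.Config{` literal in `createTLSConfig` silences every gosec finding on that statement with no stated reason, so a future change that, say, lowers `MinVersion` on the same literal would also go unflagged. Scope the suppression to the one rule this change knowingly triggers and record why it is acceptable, e.g. `// #nosec G402 -- InsecureSkipVerify is an explicit operator opt-in via the (insecure) skip-host-verify flag`. The rest of `createTLSConfig`, including where `rootCerts` and `clientPrivateKey` are loaded, starts outside the hunk, so I cannot tell whether the CA file is still read (and its errors surfaced) when verification is skipped; if it is, a comment noting that `RootCAs` is loaded but unused in that mode would help the next reader.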
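Review bot: The help text for the new `flagSet.Bool` call in `addFlags` ends without a period, while the neighbouring `suffixTLS` flag reads `"Enable TLS with client certificates."`; for consistency in `--help` output change it to `"(insecure) Skip server's certificate chain and host name verification."`. The "(insecure)" prefix itself is a good choice and should stay, since the flag disables the entire certificate check rather than only host-name matching.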
@@ -240,6 +245,7 @@ func initFromViper(cfg *namespaceConfig, v *viper.Viper) {
 	cfg.BulkFlushInterval = v.GetDuration(cfg.namespace + suffixBulkFlushInterval)
 	cfg.Timeout = v.GetDuration(cfg.namespace + suffixTimeout)
 	cfg.TLS.Enabled = v.GetBool(cfg.namespace + suffixTLS)
+	cfg.TLS.SkipHostVerify = v.GetBool(cfg.namespace + suffixSkipHostVerify)
 	cfg.TLS.CertPath = v.GetString(cfg.namespace + suffixCert)
 	cfg.TLS.KeyPath = v.GetString(cfg.namespace + suffixKey)
 	cfg.TLS.CaPath = v.GetString(cfg.namespace + suffixCA)
diff --git a/plugin/storage/es/options_test.go b/plugin/storage/es/options_test.go
index ddade1303ef..e94cd529e6c 100644
--- a/plugin/storage/es/options_test.go
+++ b/plugin/storage/es/options_test.go
@@ -56,6 +56,8 @@ func TestOptionsWithFlags(t *testing.T) {
 		"--es.aux.server-urls=3.3.3.3, 4.4.4.4",
 		"--es.aux.max-span-age=24h",
 		"--es.aux.num-replicas=10",
+		"--es.tls=true",
+		"--es.tls.skip-host-verify=true",
 	})
 	opts.InitFromViper(v)
 
@@ -65,6 +67,8 @@ func TestOptionsWithFlags(t *testing.T) {
 	assert.Equal(t, []string{"1.1.1.1", "2.2.2.2"}, primary.Servers)
 	assert.Equal(t, 48*time.Hour, primary.MaxSpanAge)
 	assert.True(t, primary.Sniffer)
+	assert.Equal(t, true, primary.TLS.Enabled)
+	assert.Equal(t, true, primary.TLS.SkipHostVerify)
 	aux := opts.Get("es.aux")
 	assert.Equal(t, []string{"3.3.3.3", "4.4.4.4"}, aux.Servers)