+# Copyright © 2018 Amdocs, Bell Canada, AT&T
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
##################### Elasticsearch Configuration Example #####################
# This file contains an overview of various configuration settings,
# Set the number of shards (splits) of an index (5 by default):
-index.number_of_shards: 5
+#index.number_of_shards: 5
# Set the number of replicas (additional copies) of an index (1 by default):
-index.number_of_replicas: 1
+#index.number_of_replicas: 1
# These settings directly affect the performance of index and search operations
# in your cluster. Assuming you have enough machines to hold shards and
# Path to directory where to store index data allocated for this node.
# Use swm auto link to redirect the data directory if necessary.
-#path.data: /opt/app/elasticsearch/data
+path.data: /usr/share/elasticsearch/data
# path.data: /path/to/data1,/path/to/data2
# path.work: /path/to/work
-#path.logs: /opt/app/elasticsearch/logs
+path.logs: /usr/share/elasticsearch/logs
#path.plugins: /opt/app/elasticsearch/plugins
#
# Set this property to true to lock the memory: default is true
-bootstrap.mlockall: true
+#bootstrap.memory_lock: true
# Make sure that the ES_MIN_MEM and ES_MAX_MEM environment variables are set
# to the same value, and that the machine has enough memory to allocate
# You should also make sure that the Elasticsearch process is allowed to lock
# the memory, eg. by using `ulimit -l unlimited`.
+### Kernel Settings
+
+# Elasticsearch installs system call filters of various flavors depending on the
+# operating system (e.g., seccomp on Linux). These system call filters are
+# installed to prevent the ability to execute system calls related to forking
+# as a defense mechanism against arbitrary code execution attacks on
+# Elasticsearch The system call filter check ensures that if system call
+# filters are enabled, then they were successfully installed. To pass the system
+# call filter check you must either fix any configuration errors on your system
+# that prevented system call filters from installing (check your logs), or at
+# your own risk disable system call filters by setting
+# bootstrap.system_call_filter to false.
+# See: https://www.elastic.co/guide/en/elasticsearch/reference/current/system-call-filter-check.html
+#
+# seccomp is found in Linux kernels: 2.6.37\962.6.39, 3.0\963.19, 4.0\964.9,
+# 4.10-rc+HEAD
+#
+# The default setting is to disable the filters assuming an older kernel
+# version where seccomp is not available.
+# See: https://discuss.elastic.co/t/elasticsearch-warn-unable-to-install-syscall-filter/42819
+
+bootstrap.system_call_filter: false
############################## Network And HTTP ###############################
# Elasticsearch, by default, binds itself to the 0.0.0.0 address, and listens
# Set a custom port for the node to node communication (9300 by default):
-transport.tcp.port: {{ .Values.config.tcpPort }}
+transport.tcp.port: {{ .Values.service.internalPort2 }}
# Enable compression for all communication between nodes (disabled by default):
transport.tcp.compress: false
# recovering a shard from a peer:
#
# indices.recovery.concurrent_streams: 5
-indices.recovery.concurrent_streams: 5
+#indices.recovery.concurrent_streams: 5
################################## Discovery ##################################
# Set this option to a higher value on a slow or congested network
# to minimize discovery failures:
#
-# discovery.zen.ping.timeout: 3s
-discovery.zen.ping.timeout:
+# discovery.zen.ping_timeout: 3s
+discovery.zen.ping_timeout: 3s
# For more information, see
# <http://elasticsearch.org/guide/en/elasticsearch/reference/current/modules-discovery-zen.html>
#
# 1. Disable multicast discovery (enabled by default):
# discovery.zen.ping.multicast.enabled: false
-discovery.zen.ping.multicast.enabled: false
+#discovery.zen.ping.multicast.enabled: false
# 2. Configure an initial list of master nodes in the cluster
### SEARCH GUARD SSL #
### Configuration #
###############################################################################################
-## Uncomment all lines below prefixed with #X# (globally remove #X#) for searchguard
-##
-###############################################################################################
-### Transport layer SSL #
-### #
-###############################################################################################
-### Enable or disable node-to-node ssl encryption (default: true)
-#X#searchguard.ssl.transport.enable_openssl_if_available: true
-#X#searchguard.ssl.transport.enabled: true
-### JKS or PKCS12 (default: JKS)
-#X#searchguard.ssl.transport.keystore_type: JKS
-### Relative path to the keystore file (mandatory, this stores the server certificates), must be placed under the config/ dir
-#X#searchguard.ssl.transport.keystore_filepath: /some/path
-### Alias name (default: first alias which could be found)
-###searchguard.ssl.transport.keystore_alias: localhost
-### Keystore password (default: changeit)
-#X#searchguard.ssl.transport.keystore_password: changeit
-##
-### JKS or PKCS12 (default: JKS)
-#X#searchguard.ssl.transport.truststore_type: JKS
-### Relative path to the truststore file (mandatory, this stores the client/root certificates), must be placed under the config/ dir
-#X#searchguard.ssl.transport.truststore_filepath: truststore.jks
-### Alias name (default: first alias which could be found)
-###searchguard.ssl.transport.truststore_alias: my_alias
-### Truststore password (default: changeit)
-#X#searchguard.ssl.transport.truststore_password: changeit
-### Enforce hostname verification (default: true)
-###searchguard.ssl.transport.enforce_hostname_verification: true
-### If hostname verification specify if hostname should be resolved (default: true)
-###searchguard.ssl.transport.resolve_hostname: true
-### Use native Open SSL instead of JDK SSL if available (default: true)
-###searchguard.ssl.transport.enable_openssl_if_available: false
-##
-###############################################################################################
-### HTTP/REST layer SSL #
-### #
-###############################################################################################
-### Enable or disable rest layer security - https, (default: false)
-#X#searchguard.ssl.http.enable_openssl_if_available: true
-#X#searchguard.ssl.http.enabled: true
-### JKS or PKCS12 (default: JKS)
-#X#searchguard.ssl.http.keystore_type: JKS
-### Relative path to the keystore file (this stores the server certificates), must be placed under the config/ dir
-#X#searchguard.ssl.http.keystore_filepath: /keystore/path
-### Alias name (default: first alias which could be found)
-###searchguard.ssl.http.keystore_alias: my_alias
-### Keystore password (default: changeit)
-#X#searchguard.ssl.http.keystore_password: changeit
-### Do the clients (typically the browser or the proxy) have to authenticate themself to the http server, default is OPTIONAL
-### To enforce authentication use REQUIRE, to completely disable client certificates use NONE
-###searchguard.ssl.http.clientauth_mode: REQUIRE
-### JKS or PKCS12 (default: JKS)
-#X#searchguard.ssl.http.truststore_type: JKS
-### Relative path to the truststore file (this stores the client certificates), must be placed under the config/ dir
-#X#searchguard.ssl.http.truststore_filepath: truststore.jks
-### Alias name (default: first alias which could be found)
-###searchguard.ssl.http.truststore_alias: my_alias
-### Truststore password (default: changeit)
-#X#searchguard.ssl.http.truststore_password: changeit
-### Use native Open SSL instead of JDK SSL if available (default: true)
-###searchguard.ssl.http.enable_openssl_if_available: false
-
-#####################################################
-##### Security manager - Searchguard Configuration
-#####################################################
-#X#security.manager.enabled: false
-#X#searchguard.authcz.admin_dn:
+######## Start Search Guard Demo Configuration ########
+
+searchguard.enterprise_modules_enabled: false
+
+searchguard.ssl.transport.keystore_filepath: sg/auth/{{ .Values.config.nodeKeyStore }}
+searchguard.ssl.transport.keystore_password: {{ .Values.config.nodeKeyStorePassword }}
+searchguard.ssl.transport.truststore_filepath: sg/auth/{{ .Values.config.trustStore }}
+searchguard.ssl.transport.truststore_password: {{ .Values.config.trustStorePassword }}
+searchguard.ssl.transport.enforce_hostname_verification: false
+
+searchguard.ssl.http.enabled: true
+searchguard.ssl.http.keystore_filepath: sg/auth/{{ .Values.config.nodeKeyStore }}
+searchguard.ssl.http.keystore_password: {{ .Values.config.nodeKeyStorePassword }}
+searchguard.ssl.http.truststore_filepath: sg/auth/{{ .Values.config.trustStore }}
+searchguard.ssl.http.truststore_password: {{ .Values.config.trustStorePassword }}
+
+searchguard.nodes_dn:
+ - CN=esaai
+
+searchguard.authcz.admin_dn:
+ - CN=sgadmin
+
+# x-pack security conflicts with searchguard
+xpack.security.enabled: false
+xpack.ml.enabled: false
+xpack.monitoring.enabled: false
+xpack.watcher.enabled: false