X-Git-Url: https://gerrit.onap.org/r/gitweb?a=blobdiff_plain;f=kubernetes%2Faai%2Fcharts%2Faai-elasticsearch%2Fresources%2Fconfig%2Felasticsearch.yml;h=87536e3faa6d33ca630810c396f2bfea601e47bd;hb=5c2fe5c4f4e6ee6cd987a154d68697211623fdb7;hp=822ae32f1030c6b3516fed2734125c86a182bd56;hpb=262bc57bb3be7d222fe6e521344a8fd7e918be8c;p=oom.git diff --git a/kubernetes/aai/charts/aai-elasticsearch/resources/config/elasticsearch.yml b/kubernetes/aai/charts/aai-elasticsearch/resources/config/elasticsearch.yml index 822ae32f10..87536e3faa 100644 --- a/kubernetes/aai/charts/aai-elasticsearch/resources/config/elasticsearch.yml +++ b/kubernetes/aai/charts/aai-elasticsearch/resources/config/elasticsearch.yml @@ -1,3 +1,18 @@ +# Copyright © 2018 Amdocs, Bell Canada, AT&T +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + + ##################### Elasticsearch Configuration Example ##################### # This file contains an overview of various configuration settings, @@ -65,11 +80,11 @@ node.max_local_storage_nodes: 1 # Set the number of shards (splits) of an index (5 by default): -index.number_of_shards: 5 +#index.number_of_shards: 5 # Set the number of replicas (additional copies) of an index (1 by default): -index.number_of_replicas: 1 +#index.number_of_replicas: 1 # These settings directly affect the performance of index and search operations # in your cluster. Assuming you have enough machines to hold shards and @@ -101,13 +116,13 @@ index.number_of_replicas: 1 # Path to directory where to store index data allocated for this node. # Use swm auto link to redirect the data directory if necessary. -#path.data: /opt/app/elasticsearch/data +path.data: /usr/share/elasticsearch/data # path.data: /path/to/data1,/path/to/data2 # path.work: /path/to/work -#path.logs: /opt/app/elasticsearch/logs +path.logs: /usr/share/elasticsearch/logs #path.plugins: /opt/app/elasticsearch/plugins @@ -126,7 +141,7 @@ index.number_of_replicas: 1 # # Set this property to true to lock the memory: default is true -bootstrap.mlockall: true +#bootstrap.memory_lock: true # Make sure that the ES_MIN_MEM and ES_MAX_MEM environment variables are set # to the same value, and that the machine has enough memory to allocate @@ -135,6 +150,28 @@ bootstrap.mlockall: true # You should also make sure that the Elasticsearch process is allowed to lock # the memory, eg. by using `ulimit -l unlimited`. +### Kernel Settings + +# Elasticsearch installs system call filters of various flavors depending on the +# operating system (e.g., seccomp on Linux). These system call filters are +# installed to prevent the ability to execute system calls related to forking +# as a defense mechanism against arbitrary code execution attacks on +# Elasticsearch The system call filter check ensures that if system call +# filters are enabled, then they were successfully installed. To pass the system +# call filter check you must either fix any configuration errors on your system +# that prevented system call filters from installing (check your logs), or at +# your own risk disable system call filters by setting +# bootstrap.system_call_filter to false. +# See: https://www.elastic.co/guide/en/elasticsearch/reference/current/system-call-filter-check.html +# +# seccomp is found in Linux kernels: 2.6.37–2.6.39, 3.0–3.19, 4.0–4.9, +# 4.10-rc+HEAD +# +# The default setting is to disable the filters assuming an older kernel +# version where seccomp is not available. +# See: https://discuss.elastic.co/t/elasticsearch-warn-unable-to-install-syscall-filter/42819 + +bootstrap.system_call_filter: false ############################## Network And HTTP ############################### # Elasticsearch, by default, binds itself to the 0.0.0.0 address, and listens @@ -155,7 +192,7 @@ network.bind_host: 0.0.0.0 # Set a custom port for the node to node communication (9300 by default): -transport.tcp.port: {{ .Values.config.tcpPort }} +transport.tcp.port: {{ .Values.service.internalPort2 }} # Enable compression for all communication between nodes (disabled by default): transport.tcp.compress: false @@ -237,7 +274,7 @@ indices.recovery.max_bytes_per_sec: 20mb # recovering a shard from a peer: # # indices.recovery.concurrent_streams: 5 -indices.recovery.concurrent_streams: 5 +#indices.recovery.concurrent_streams: 5 ################################## Discovery ################################## @@ -254,8 +291,8 @@ discovery.zen.minimum_master_nodes: 1 # Set this option to a higher value on a slow or congested network # to minimize discovery failures: # -# discovery.zen.ping.timeout: 3s -discovery.zen.ping.timeout: +# discovery.zen.ping_timeout: 3s +discovery.zen.ping_timeout: 3s # For more information, see # @@ -266,7 +303,7 @@ discovery.zen.ping.timeout: # # 1. Disable multicast discovery (enabled by default): # discovery.zen.ping.multicast.enabled: false -discovery.zen.ping.multicast.enabled: false +#discovery.zen.ping.multicast.enabled: false # 2. Configure an initial list of master nodes in the cluster @@ -331,70 +368,30 @@ discovery.zen.ping.unicast.hosts: ["0.0.0.0"] ### SEARCH GUARD SSL # ### Configuration # ############################################################################################### -## Uncomment all lines below prefixed with #X# (globally remove #X#) for searchguard -## -############################################################################################### -### Transport layer SSL # -### # -############################################################################################### -### Enable or disable node-to-node ssl encryption (default: true) -#X#searchguard.ssl.transport.enable_openssl_if_available: true -#X#searchguard.ssl.transport.enabled: true -### JKS or PKCS12 (default: JKS) -#X#searchguard.ssl.transport.keystore_type: JKS -### Relative path to the keystore file (mandatory, this stores the server certificates), must be placed under the config/ dir -#X#searchguard.ssl.transport.keystore_filepath: /some/path -### Alias name (default: first alias which could be found) -###searchguard.ssl.transport.keystore_alias: localhost -### Keystore password (default: changeit) -#X#searchguard.ssl.transport.keystore_password: changeit -## -### JKS or PKCS12 (default: JKS) -#X#searchguard.ssl.transport.truststore_type: JKS -### Relative path to the truststore file (mandatory, this stores the client/root certificates), must be placed under the config/ dir -#X#searchguard.ssl.transport.truststore_filepath: truststore.jks -### Alias name (default: first alias which could be found) -###searchguard.ssl.transport.truststore_alias: my_alias -### Truststore password (default: changeit) -#X#searchguard.ssl.transport.truststore_password: changeit -### Enforce hostname verification (default: true) -###searchguard.ssl.transport.enforce_hostname_verification: true -### If hostname verification specify if hostname should be resolved (default: true) -###searchguard.ssl.transport.resolve_hostname: true -### Use native Open SSL instead of JDK SSL if available (default: true) -###searchguard.ssl.transport.enable_openssl_if_available: false -## -############################################################################################### -### HTTP/REST layer SSL # -### # -############################################################################################### -### Enable or disable rest layer security - https, (default: false) -#X#searchguard.ssl.http.enable_openssl_if_available: true -#X#searchguard.ssl.http.enabled: true -### JKS or PKCS12 (default: JKS) -#X#searchguard.ssl.http.keystore_type: JKS -### Relative path to the keystore file (this stores the server certificates), must be placed under the config/ dir -#X#searchguard.ssl.http.keystore_filepath: /keystore/path -### Alias name (default: first alias which could be found) -###searchguard.ssl.http.keystore_alias: my_alias -### Keystore password (default: changeit) -#X#searchguard.ssl.http.keystore_password: changeit -### Do the clients (typically the browser or the proxy) have to authenticate themself to the http server, default is OPTIONAL -### To enforce authentication use REQUIRE, to completely disable client certificates use NONE -###searchguard.ssl.http.clientauth_mode: REQUIRE -### JKS or PKCS12 (default: JKS) -#X#searchguard.ssl.http.truststore_type: JKS -### Relative path to the truststore file (this stores the client certificates), must be placed under the config/ dir -#X#searchguard.ssl.http.truststore_filepath: truststore.jks -### Alias name (default: first alias which could be found) -###searchguard.ssl.http.truststore_alias: my_alias -### Truststore password (default: changeit) -#X#searchguard.ssl.http.truststore_password: changeit -### Use native Open SSL instead of JDK SSL if available (default: true) -###searchguard.ssl.http.enable_openssl_if_available: false - -##################################################### -##### Security manager - Searchguard Configuration -##################################################### -#X#security.manager.enabled: false -#X#searchguard.authcz.admin_dn: +######## Start Search Guard Demo Configuration ######## + +searchguard.enterprise_modules_enabled: false + +searchguard.ssl.transport.keystore_filepath: sg/auth/{{ .Values.config.nodeKeyStore }} +searchguard.ssl.transport.keystore_password: {{ .Values.config.nodeKeyStorePassword }} +searchguard.ssl.transport.truststore_filepath: sg/auth/{{ .Values.config.trustStore }} +searchguard.ssl.transport.truststore_password: {{ .Values.config.trustStorePassword }} +searchguard.ssl.transport.enforce_hostname_verification: false + +searchguard.ssl.http.enabled: true +searchguard.ssl.http.keystore_filepath: sg/auth/{{ .Values.config.nodeKeyStore }} +searchguard.ssl.http.keystore_password: {{ .Values.config.nodeKeyStorePassword }} +searchguard.ssl.http.truststore_filepath: sg/auth/{{ .Values.config.trustStore }} +searchguard.ssl.http.truststore_password: {{ .Values.config.trustStorePassword }} + +searchguard.nodes_dn: + - CN=esaai + +searchguard.authcz.admin_dn: + - CN=sgadmin + +# x-pack security conflicts with searchguard +xpack.security.enabled: false +xpack.ml.enabled: false +xpack.monitoring.enabled: false +xpack.watcher.enabled: false