add additional logic for es restriction from airflow (#2159)

* add additional logic for es restriction from airflow

* move common templates

* Update charts/external-es-proxy/templates/_helpers.tpl

Co-authored-by: Daniel Hoherd <daniel.hoherd@gmail.com>

* rename helperts

* update templates

* add base test cases

* add tests

* fix line endings

* fix failures

* update conf

* fix namespace in test conf

* rework test cases

---------

Co-authored-by: Daniel Hoherd <daniel.hoherd@gmail.com>

.pre-commit-config.yaml

@@ -1,5 +1,5 @@
 ---
-exclude: '(venv|\.vscode|tests/k8s_schema)' # regex
+exclude: '(venv|\.vscode|tests/k8s_schema|tests/chart_tests/test_data)' # regex
 repos:
   - repo: local
     hooks:

charts/external-es-proxy/templates/_helpers.tpl

@@ -62,15 +62,21 @@ Create the name of the service account to use
 {{- end }}
 
 
+{{/*
+Option to add trust certs when privateCA or self signed certs are used
+with hosted elastic search. By defaults it is off when trustCaCerts are
+provided it will use that certs to trust the connection
+*/}}
+
 {{- define "external-es-proxy-trustcerts" -}}
 {{- if .Values.global.customLogging.trustCaCerts  }}
 {{- $secret_name := .Values.global.customLogging.trustCaCerts }}
-  proxy_ssl_trusted_certificate /etc/ssl/certs/{{ $secret_name }}.pem;
-  proxy_ssl_verify              on;
-  proxy_ssl_verify_depth        2;
-  proxy_ssl_session_reuse on;
+proxy_ssl_trusted_certificate /etc/ssl/certs/{{ $secret_name }}.pem;
+proxy_ssl_verify              on;
+proxy_ssl_verify_depth        2;
+proxy_ssl_session_reuse on;
 {{- else }}
-  proxy_ssl_verify              off;
+proxy_ssl_verify              off;
 {{- end }}
 {{- end }}
 
@@ -101,3 +107,20 @@ imagePullSecrets:
 {{ .Values.images.awsproxy.repository }}:{{ .Values.images.awsproxy.tag }}
 {{- end }}
 {{- end }}
+
+
+{{/*
+Switches the elasticsearch configuratiob based on customLogging
+when aws managed elastic search is confired awsesproxy settings is required
+to authenticate with aws managed elastic search or opensearch
+*/}}
+
+{{- define "external-es-proxy-nginx-location-common" -}}
+{{- if  or .Values.global.customLogging.awsSecretName  .Values.global.customLogging.awsServiceAccountAnnotation .Values.global.customLogging.awsIAMRole }}
+proxy_pass http://localhost:{{ .Values.service.awsproxy }};
+{{- else }}
+access_by_lua_file  /usr/local/openresty/nginx/conf/setenv.lua;
+proxy_pass {{.Values.global.customLogging.scheme}}://{{.Values.global.customLogging.host}}:{{.Values.global.customLogging.port}};
+{{- include "external-es-proxy-trustcerts" . }}
+{{- end }}
+{{- end }}

charts/external-es-proxy/templates/external-es-proxy-configmap.yaml

@@ -31,27 +31,23 @@ data:
         proxy_set_header Connection "Keep-Alive";
         proxy_set_header Proxy-Connection "Keep-Alive";
 
-        location ~ ^/ {
-          {{- if  or .Values.global.customLogging.awsSecretName  .Values.global.customLogging.awsServiceAccountAnnotation .Values.global.customLogging.awsIAMRole }}
-          proxy_pass http://localhost:{{ .Values.service.awsproxy }};
-          {{- else }}
-          access_by_lua_file  /usr/local/openresty/nginx/conf/setenv.lua;
-          proxy_pass {{.Values.global.customLogging.scheme}}://{{.Values.global.customLogging.host}}:{{.Values.global.customLogging.port}};
-          {{- include "external-es-proxy-trustcerts" . | indent 8 }}
-          {{- end }}
+        # The following "location" rules limit airflow interactions to only their indices. Any further
+        # additions should follow this pattern.
+        location ~* /_count$ {
+          rewrite /_count(.*) /{{ include "logging.indexNamePrefix" . }}.$remote_user.*/_count$1 break;
+          {{- include "external-es-proxy-nginx-location-common" . | indent 10 }}
+        }
+
+        location ~* /_bulk$ {
+          rewrite /_bulk(.*) /{{ include "logging.indexNamePrefix" . }}.$remote_user.*/_bulk$1 break;
+          {{- include "external-es-proxy-nginx-location-common" . | indent 10 }}
         }
 
         location = /_search {
           # This combined with disabling explicit index searching downstream
           # prevents any deployment from being able to query any other indexes.
           rewrite ^/(.*) /{{ include "logging.indexNamePrefix" . }}.$remote_user.*/$1 break;
-          {{- if  or .Values.global.customLogging.awsSecretName  .Values.global.customLogging.awsServiceAccountAnnotation .Values.global.customLogging.awsIAMRole }}
-          proxy_pass http://localhost:{{ .Values.service.awsproxy }};
-          {{- else }}
-          access_by_lua_file  /usr/local/openresty/nginx/conf/setenv.lua;
-          proxy_pass {{.Values.global.customLogging.scheme}}://{{.Values.global.customLogging.host}}:{{.Values.global.customLogging.port}};
-          {{- include "external-es-proxy-trustcerts" . | indent 8 }}
-          {{- end }}
+          {{- include "external-es-proxy-nginx-location-common" . | indent 10 }}
         }
 
         location = /auth {
@@ -60,6 +56,15 @@ data:
           proxy_set_header Content-Length "";
           proxy_set_header X-Original-URI $request_uri;
         }
+
+        location = /_cluster/state/version {
+          {{- include "external-es-proxy-nginx-location-common" . | indent 10 }}
+        }
+
+        location = /_cluster/health {
+          {{- include "external-es-proxy-nginx-location-common" . | indent 10 }}
+        }
+
       }
       server {
         listen {{ .Values.service.http }};
@@ -68,13 +73,7 @@ data:
         proxy_set_header Proxy-Connection "Keep-Alive";
 
         location ~ ^/ {
-          {{- if  or .Values.global.customLogging.awsSecretName  .Values.global.customLogging.awsServiceAccountAnnotation .Values.global.customLogging.awsIAMRole }}
-          proxy_pass http://localhost:{{ .Values.service.awsproxy }};
-          {{- else }}
-          access_by_lua_file  /usr/local/openresty/nginx/conf/setenv.lua;
-          proxy_pass {{.Values.global.customLogging.scheme}}://{{.Values.global.customLogging.host}}:{{.Values.global.customLogging.port}};
-          {{- include "external-es-proxy-trustcerts" . | indent 8 }}
-          {{- end }}
+          {{- include "external-es-proxy-nginx-location-common" . | indent 10 }}
         }
       }
     }

tests/chart_tests/test_data/default-external-es-nginx.conf

@@ -0,0 +1,76 @@
+worker_processes 1;
+pid /tmp/nginx.pid;
+events { worker_connections 1024; }
+error_log /dev/stdout info;
+env ES_SECRET;
+env ES_SECRET_NAME;
+
+http {
+  access_log /dev/stdout;
+  client_max_body_size 1024M;
+
+  server {
+    listen 9200;
+    auth_request /auth;
+    proxy_http_version 1.1;
+    proxy_set_header Connection "Keep-Alive";
+    proxy_set_header Proxy-Connection "Keep-Alive";
+
+    # The following "location" rules limit airflow interactions to only their indices. Any further
+    # additions should follow this pattern.
+    location ~* /_count$ {
+      rewrite /_count(.*) /fluentd.$remote_user.*/_count$1 break;          
+      access_by_lua_file  /usr/local/openresty/nginx/conf/setenv.lua;
+      proxy_pass https://esdemo.example.com:;
+      proxy_ssl_verify              off;
+    }
+
+    location ~* /_bulk$ {
+      rewrite /_bulk(.*) /fluentd.$remote_user.*/_bulk$1 break;          
+      access_by_lua_file  /usr/local/openresty/nginx/conf/setenv.lua;
+      proxy_pass https://esdemo.example.com:;
+      proxy_ssl_verify              off;
+    }
+
+    location = /_search {
+      # This combined with disabling explicit index searching downstream
+      # prevents any deployment from being able to query any other indexes.
+      rewrite ^/(.*) /fluentd.$remote_user.*/$1 break;          
+      access_by_lua_file  /usr/local/openresty/nginx/conf/setenv.lua;
+      proxy_pass https://esdemo.example.com:;
+      proxy_ssl_verify              off;
+    }
+
+    location = /auth {
+      internal;
+      proxy_pass http://release-name-houston.default:8871/v1/elasticsearch;
+      proxy_set_header Content-Length "";
+      proxy_set_header X-Original-URI $request_uri;
+    }
+
+    location = /_cluster/state/version {          
+      access_by_lua_file  /usr/local/openresty/nginx/conf/setenv.lua;
+      proxy_pass https://esdemo.example.com:;
+      proxy_ssl_verify              off;
+    }
+
+    location = /_cluster/health {          
+      access_by_lua_file  /usr/local/openresty/nginx/conf/setenv.lua;
+      proxy_pass https://esdemo.example.com:;
+      proxy_ssl_verify              off;
+    }
+
+  }
+  server {
+    listen 9201;
+    proxy_http_version 1.1;
+    proxy_set_header Connection "Keep-Alive";
+    proxy_set_header Proxy-Connection "Keep-Alive";
+
+    location ~ ^/ {          
+      access_by_lua_file  /usr/local/openresty/nginx/conf/setenv.lua;
+      proxy_pass https://esdemo.example.com:;
+      proxy_ssl_verify              off;
+    }
+  }
+}

tests/chart_tests/test_data/external-es-nginx-with-aws-secrets.conf

@@ -0,0 +1,64 @@
+worker_processes 1;
+pid /tmp/nginx.pid;
+events { worker_connections 1024; }
+error_log /dev/stdout info;
+env ES_SECRET;
+env ES_SECRET_NAME;
+
+http {
+  access_log /dev/stdout;
+  client_max_body_size 1024M;
+
+  server {
+    listen 9200;
+    auth_request /auth;
+    proxy_http_version 1.1;
+    proxy_set_header Connection "Keep-Alive";
+    proxy_set_header Proxy-Connection "Keep-Alive";
+
+    # The following "location" rules limit airflow interactions to only their indices. Any further
+    # additions should follow this pattern.
+    location ~* /_count$ {
+      rewrite /_count(.*) /fluentd.$remote_user.*/_count$1 break;          
+      proxy_pass http://localhost:9203;
+    }
+
+    location ~* /_bulk$ {
+      rewrite /_bulk(.*) /fluentd.$remote_user.*/_bulk$1 break;          
+      proxy_pass http://localhost:9203;
+    }
+
+    location = /_search {
+      # This combined with disabling explicit index searching downstream
+      # prevents any deployment from being able to query any other indexes.
+      rewrite ^/(.*) /fluentd.$remote_user.*/$1 break;          
+      proxy_pass http://localhost:9203;
+    }
+
+    location = /auth {
+      internal;
+      proxy_pass http://release-name-houston.default:8871/v1/elasticsearch;
+      proxy_set_header Content-Length "";
+      proxy_set_header X-Original-URI $request_uri;
+    }
+
+    location = /_cluster/state/version {          
+      proxy_pass http://localhost:9203;
+    }
+
+    location = /_cluster/health {          
+      proxy_pass http://localhost:9203;
+    }
+
+  }
+  server {
+    listen 9201;
+    proxy_http_version 1.1;
+    proxy_set_header Connection "Keep-Alive";
+    proxy_set_header Proxy-Connection "Keep-Alive";
+
+    location ~ ^/ {          
+      proxy_pass http://localhost:9203;
+    }
+  }
+}

tests/chart_tests/test_external_elasticsearch.py

@@ -3,6 +3,7 @@
 import jmespath
 import pytest
 import yaml
+import pathlib
 
 from tests import get_containers_by_name, supported_k8s_versions
 from tests.chart_tests.helm_template_generator import render_chart
@@ -125,10 +126,11 @@ def test_externalelasticsearch_with_awsSecretName(self, kube_version):
             show_only=[
                 "charts/external-es-proxy/templates/external-es-proxy-deployment.yaml",
                 "charts/external-es-proxy/templates/external-es-proxy-service.yaml",
+                "charts/external-es-proxy/templates/external-es-proxy-configmap.yaml",
             ],
         )
 
-        assert len(docs) == 2
+        assert len(docs) == 3
         doc = docs[0]
         assert doc["kind"] == "Deployment"
         assert doc["apiVersion"] == "apps/v1"
@@ -168,6 +170,11 @@ def test_externalelasticsearch_with_awsSecretName(self, kube_version):
             "appProtocol": "http",
         } in jmespath.search("spec.ports", docs[1])
 
+        nginx_conf = pathlib.Path(
+            "tests/chart_tests/test_data/external-es-nginx-with-aws-secrets.conf"
+        ).read_text()
+        assert nginx_conf in docs[2]["data"]["nginx.conf"]
+
     def test_externalelasticsearch_with_awsIAMRole(self, kube_version):
         """Test External ElasticSearch with iam roles passed as Deployment
         annotation."""
@@ -574,3 +581,29 @@ def test_externalelasticsearch_with_extraenv(self, kube_version):
         assert {"name": "TEST_VAR_NAME", "value": "test_var_value"} in doc["spec"][
             "template"
         ]["spec"]["containers"][0]["env"]
+
+    def test_external_elasticsearch_nginx_defaults_config(self, kube_version):
+        """Test External ElasticSearch with nginx defaults."""
+        docs = render_chart(
+            kube_version=kube_version,
+            values={
+                "global": {
+                    "customLogging": {
+                        "enabled": True,
+                        "secret": secret,
+                        "host": "esdemo.example.com",
+                    }
+                }
+            },
+            show_only=[
+                "charts/external-es-proxy/templates/external-es-proxy-configmap.yaml",
+            ],
+        )
+
+        assert len(docs) == 1
+        doc = docs[0]
+        nginx_conf = pathlib.Path(
+            "tests/chart_tests/test_data/default-external-es-nginx.conf"
+        ).read_text()
+        assert doc["kind"] == "ConfigMap"
+        assert nginx_conf in doc["data"]["nginx.conf"]