Implement apm support for presenting client certificates to elasticsearch #9307
pkoutsovasilis merged 5 commits into elastic:main from
✅ Snyk checks have passed. No issues have been found so far.
f48fe2b to 58159ba
buildkite test this -f p=gke,t=TestClientAuthRequired.*,E2E_TAGS=apm -m s=9.3.2,s=8.19.13,s=9.2.7
58159ba to e5a3760
buildkite test this -f p=gke,t=TestClientAuthRequired.*,E2E_TAGS=apm -m s=9.3.3,s=8.19.14,s=9.2.8
simitt left a comment
Overall, LGTM, just some nits - but feel free to ignore.
nit: I wonder whether a test scenario where the ES cluster uses a publicly trusted cert but mTLS is configured is worth testing in the unit tests.
# Conflicts: # docs/reference/api-reference/main.md
Vale Linting Results
Summary: 1 warning found
| File | Line | Rule | Message |
|---|---|---|---|
| docs/reference/api-reference/main.md | 207 | Elastic.BritishSpellings | Use American English spelling 'customization' instead of British English 'customisation'. |
The Vale linter checks documentation changes against the Elastic Docs style guide.
To use Vale locally or report issues, refer to Elastic style guide for Vale.
A couple of thoughts on this:
Is there a particular edge case you have in mind @simitt where the combination would behave differently? Happy to discuss and fabricate a test if there's a concrete scenario worth covering.
@pkoutsovasilis, looking at this
No particular use case, just something I thought missing in test coverage.
Summary
This PR implements client certificate support for APM Server when connecting to an Elasticsearch cluster that has client authentication enabled.
Relates to #9081
Changes
- `ElasticsearchSelector`: Changes `ElasticsearchRef` from `ObjectSelector` to `ElasticsearchSelector`, adding `clientCertificateSecretName` support to APM Server's `elasticsearchRef`
- `output.elasticsearch.ssl.certificate` and `output.elasticsearch.ssl.key` when client authentication is required, pointing to the mounted client certificate files
- `withAssociationCACertsVolumes` into `withAssociationCertsVolumes` to handle both CA and client certificate volume mounts
- `CheckElasticsearchSelectorRefs` for the APM Server's `elasticsearchRef`
- `TestClientAuthRequiredTransition` (verifies APM Server remains healthy when ES transitions from client auth required to disabled, and that client certificate secrets are cleaned up) and `TestClientAuthRequiredCustomCertificate` (verifies APM Server works with a user-provided client certificate)

API