From 3798959eef49355b0cabaa5d6c3f65bcc665389b Mon Sep 17 00:00:00 2001 From: Daniel Hu Date: Tue, 30 Mar 2021 03:33:49 +0000 Subject: [PATCH] Let ks-apiserver optionally support authentication enabled and es without authentication enabled Signed-off-by: Daniel Hu --- .../auditing/elasticsearch/elasticsearch.go | 2 +- pkg/simple/client/auditing/options.go | 18 ++++++++++ pkg/simple/client/es/client.go | 34 +++++++++++-------- pkg/simple/client/es/client_test.go | 2 +- pkg/simple/client/es/versions/v5/v5.go | 14 ++++++-- pkg/simple/client/es/versions/v6/v6.go | 14 ++++++-- pkg/simple/client/es/versions/v7/v7.go | 14 ++++++-- .../events/elasticsearch/elasticsearch.go | 2 +- pkg/simple/client/events/options.go | 17 ++++++++++ .../logging/elasticsearch/elasticsearch.go | 2 +- pkg/simple/client/logging/options.go | 17 ++++++++++ 11 files changed, 112 insertions(+), 24 deletions(-) diff --git a/pkg/simple/client/auditing/elasticsearch/elasticsearch.go b/pkg/simple/client/auditing/elasticsearch/elasticsearch.go index 5e46b6cea..4b546cbfd 100644 --- a/pkg/simple/client/auditing/elasticsearch/elasticsearch.go +++ b/pkg/simple/client/auditing/elasticsearch/elasticsearch.go @@ -101,7 +101,7 @@ func NewClient(options *auditing.Options) (auditing.Client, error) { c := &client{} var err error - c.c, err = es.NewClient(options.Host, options.IndexPrefix, options.Version) + c.c, err = es.NewClient(options.Host, options.BasicAuth, options.Username, options.Password, options.IndexPrefix, options.Version) return c, err } diff --git a/pkg/simple/client/auditing/options.go b/pkg/simple/client/auditing/options.go index c12359a23..4a2094f58 100644 --- a/pkg/simple/client/auditing/options.go +++ b/pkg/simple/client/auditing/options.go 
@@ -34,6 +34,9 @@ type Options struct { // The batch interval of auditing events. EventBatchInterval time.Duration `json:"eventBatchInterval" yaml:"eventBatchInterval"` Host string `json:"host" yaml:"host"` + BasicAuth bool `json:"basicAuth" yaml:"basicAuth"` + Username string `json:"username" yaml:"username"` + Password string `json:"password" yaml:"password"` IndexPrefix string `json:"indexPrefix,omitempty" yaml:"indexPrefix"` Version string `json:"version" yaml:"version"` } @@ -61,6 +64,21 @@ func (s *Options) AddFlags(fs *pflag.FlagSet, c *Options) { fs.BoolVar(&s.Enable, "auditing-enabled", c.Enable, "Enable auditing component or not. ") fs.StringVar(&s.WebhookUrl, "auditing-webhook-url", c.WebhookUrl, "Auditing wehook url") + + fs.BoolVar(&s.BasicAuth, "auditing-elasticsearch-basicAuth", c.BasicAuth, ""+ + "Elasticsearch auditing service basic auth enabled. KubeSphere is using elastic as auditing store, "+ + "if it is set to true, KubeSphere will connect to ElasticSearch using provided username and password by "+ + "auditing-elasticsearch-username and auditing-elasticsearch-username. Otherwise, KubeSphere will "+ + "anonymously access the Elasticsearch.") + + fs.StringVar(&s.Username, "auditing-elasticsearch-username", c.Username, ""+ + "ElasticSearch authentication username, only needed when auditing-elasticsearch-basicAuth is"+ + "set to true. ") + + fs.StringVar(&s.Password, "auditing-elasticsearch-password", c.Password, ""+ + "ElasticSearch authentication password, only needed when auditing-elasticsearch-basicAuth is"+ + "set to true. ") + fs.IntVar(&s.EventSendersNum, "auditing-event-senders-num", c.EventSendersNum, "The maximum concurrent senders which send auditing events to the auditing webhook.") fs.IntVar(&s.EventBatchSize, "auditing-event-batch-size", c.EventBatchSize, diff --git a/pkg/simple/client/es/client.go b/pkg/simple/client/es/client.go index 4e84add26..f99081892 100644 --- a/pkg/simple/client/es/client.go 
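Review bot: The new `Password` field is a plain string with a `json:"password"` tag, so any code path that marshals or logs this `Options` value will emit the Elasticsearch credential in clear text. Whether such a path exists is not visible in this hunk, so it should be checked against wherever the options are serialized or printed. If the value is only ever loaded through the yaml tag, changing the tags to `json:"-" yaml:"password"` keeps it out of JSON output, and a comment such as `// Password is a secret; never log it or return it from an API.` above the field documents the intent. The `Options` structs in events/options.go and logging/options.go gain the same field with the same tags.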
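Review bot: `auditing-elasticsearch-password` takes the secret on the command line, where it is readable from the process list and from any manifest that passes it as an argument; reading it from a mounted secret file or an environment variable would avoid that exposure. The help text has two defects: the basicAuth description names `auditing-elasticsearch-username` twice where the second should be `auditing-elasticsearch-password`, and the username and password descriptions join `"... is"+"set to true. "` without a space, which renders as "isset". The camelCase flag name `auditing-elasticsearch-basicAuth` also differs from the kebab-case flags registered next to it (`auditing-event-senders-num`). The AddFlags hunks in events/options.go and logging/options.go repeat all of this, and AddFlags continues past the hunk.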
+++ b/pkg/simple/client/es/client.go @@ -41,29 +41,35 @@ const ( // Elasticsearch client type Client struct { - host string - version string - index string + host string + basicAuth bool + username string + password string + version string + index string c versions.Client mux sync.Mutex } -func NewClient(host, indexPrefix, version string) (*Client, error) { +func NewClient(host string, basicAuth bool, username, password, indexPrefix, version string) (*Client, error) { var err error es := &Client{ - host: host, - version: version, - index: indexPrefix, + host: host, + basicAuth: basicAuth, + username: username, + password: password, + version: version, + index: indexPrefix, } switch es.version { case ElasticV5: - es.c, err = v5.New(es.host, es.index) + es.c, err = v5.New(es.host, es.basicAuth, es.username, es.password, es.index) case ElasticV6: - es.c, err = v6.New(es.host, es.index) + es.c, err = v6.New(es.host, es.basicAuth, es.username, es.password, es.index) case ElasticV7: - es.c, err = v7.New(es.host, es.index) + es.c, err = v7.New(es.host, es.basicAuth, es.username, es.password, es.index) case "": es.c = nil default: @@ -89,7 +95,7 @@ func (c *Client) loadClient() error { // Detect Elasticsearch server version using Info API. // Info API is backward compatible across v5, v6 and v7. - esv6, err := v6.New(c.host, "") + esv6, err := v6.New(c.host, c.basicAuth, c.username, c.password, c.index) if err != nil { return err } 
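Review bot: NewClient now forwards a username and password for `host`, but nothing in this hunk checks the scheme of `host`, so with an `http://` address the Basic credentials would travel unencrypted on every request. Consider rejecting that combination, or at least logging a warning, before the version switch, e.g. `if basicAuth && !strings.HasPrefix(host, "https://") { return nil, fmt.Errorf("basic auth requires an https elasticsearch host") }`. Separately, the signature now has four adjacent string parameters after the bool, so a swapped `password`/`indexPrefix` argument compiles silently; a small config struct would be harder to misuse. The tail of NewClient lies outside the hunk.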
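Review bot: The version-probe client is now created with `c.index`, whereas the replaced call passed an empty index; that is a behaviour change unrelated to authentication and the commit message does not mention it. If the probe only calls the Info API, as the comment above it says, keeping the empty index (`v6.New(c.host, c.basicAuth, c.username, c.password, "")`) limits the change to credentials. loadClient starts and ends outside this hunk.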
@@ -126,11 +132,11 @@ func (c *Client) loadClient() error { v := strings.Split(number, ".")[0] switch v { case ElasticV5: - vc, err = v5.New(c.host, c.index) + vc, err = v5.New(c.host, c.basicAuth, c.username, c.password, c.index) case ElasticV6: - vc, err = v6.New(c.host, c.index) + vc, err = v6.New(c.host, c.basicAuth, c.username, c.password, c.index) case ElasticV7: - vc, err = v7.New(c.host, c.index) + vc, err = v7.New(c.host, c.basicAuth, c.username, c.password, c.index) default: err = fmt.Errorf("unsupported elasticsearch version %s", version) } diff --git a/pkg/simple/client/es/client_test.go b/pkg/simple/client/es/client_test.go index 059366839..54a53c195 100644 --- a/pkg/simple/client/es/client_test.go +++ b/pkg/simple/client/es/client_test.go @@ -90,7 +90,7 @@ func TestClient_Search(t *testing.T) { srv := mockElasticsearchService("/ks-logstash*/_search", test.fakeResp, test.fakeCode) defer srv.Close() - c, err := NewClient(srv.URL, "ks-logstash", test.fakeVersion) + c, err := NewClient(srv.URL, false, "", "", "ks-logstash", test.fakeVersion) if err != nil { t.Fatalf("create client error, %s", err) } diff --git a/pkg/simple/client/es/versions/v5/v5.go b/pkg/simple/client/es/versions/v5/v5.go index 5ff02f43b..42e32d356 100644 --- a/pkg/simple/client/es/versions/v5/v5.go +++ b/pkg/simple/client/es/versions/v5/v5.go @@ -33,9 +33,19 @@ type Elastic struct { index string } -func New(address string, index string) (*Elastic, error) { - client, err := elasticsearch.NewClient(elasticsearch.Config{ +func New(address string, basicAuth bool, username, password, index string) (*Elastic, error) { + var client *elasticsearch.Client + var err error + + if !basicAuth { + username = "" + password = "" + } + + client, err = elasticsearch.NewClient(elasticsearch.Config{ Addresses: []string{address}, + Username: username, + Password: password, }) return &Elastic{client: client, index: index}, err 
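Review bot: The only test update passes `false, "", ""`, so the new credential path is never exercised. A case that builds the client with basicAuth true and has the mock server assert the `Authorization` header, plus one asserting the header is absent when basicAuth is false but a username is supplied, would pin the behaviour this commit introduces. `mockElasticsearchService` is defined outside the hunk, so whether it can inspect request headers today is not visible here.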
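Review bot: When `basicAuth` is true but `username` or `password` is empty, New builds the client without complaint, and the connection would presumably fall back to unauthenticated access, a misconfiguration that is easy to miss. Failing fast is clearer: `if basicAuth && (username == "" || password == "") { return nil, errors.New("elasticsearch basic auth enabled but username or password is empty") }` (this needs the `errors` import, which is outside the hunk). The separate `var client` / `var err` declarations add nothing over the original `client, err :=` form, and on failure the function still returns a non-nil `*Elastic` wrapping a nil client, so `return nil, err` would be safer. v6.New and v7.New are line-for-line the same.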
diff --git a/pkg/simple/client/es/versions/v6/v6.go b/pkg/simple/client/es/versions/v6/v6.go index 0f92d60ba..b18754496 100644 --- a/pkg/simple/client/es/versions/v6/v6.go +++ b/pkg/simple/client/es/versions/v6/v6.go @@ -33,9 +33,19 @@ type Elastic struct { index string } -func New(address string, index string) (*Elastic, error) { - client, err := elasticsearch.NewClient(elasticsearch.Config{ +func New(address string, basicAuth bool, username, password, index string) (*Elastic, error) { + var client *elasticsearch.Client + var err error + + if !basicAuth { + username = "" + password = "" + } + + client, err = elasticsearch.NewClient(elasticsearch.Config{ Addresses: []string{address}, + Username: username, + Password: password, }) return &Elastic{Client: client, index: index}, err diff --git a/pkg/simple/client/es/versions/v7/v7.go b/pkg/simple/client/es/versions/v7/v7.go index cd8509090..b85a6dce0 100644 --- a/pkg/simple/client/es/versions/v7/v7.go +++ b/pkg/simple/client/es/versions/v7/v7.go @@ -33,9 +33,19 @@ type Elastic struct { index string } -func New(address string, index string) (*Elastic, error) { - client, err := elasticsearch.NewClient(elasticsearch.Config{ +func New(address string, basicAuth bool, username, password, index string) (*Elastic, error) { + var client *elasticsearch.Client + var err error + + if !basicAuth { + username = "" + password = "" + } + + client, err = elasticsearch.NewClient(elasticsearch.Config{ Addresses: []string{address}, + Username: username, + Password: password, }) return &Elastic{client: client, index: index}, err diff --git a/pkg/simple/client/events/elasticsearch/elasticsearch.go b/pkg/simple/client/events/elasticsearch/elasticsearch.go index c829f3bde..117e1abce 100644 --- a/pkg/simple/client/events/elasticsearch/elasticsearch.go +++ b/pkg/simple/client/events/elasticsearch/elasticsearch.go 
@@ -32,7 +32,7 @@ func NewClient(options *events.Options) (events.Client, error) { c := &client{} var err error - c.c, err = es.NewClient(options.Host, options.IndexPrefix, options.Version) + c.c, err = es.NewClient(options.Host, options.BasicAuth, options.Username, options.Password, options.IndexPrefix, options.Version) return c, err } diff --git a/pkg/simple/client/events/options.go b/pkg/simple/client/events/options.go index a995e7555..7126f2c3f 100644 --- a/pkg/simple/client/events/options.go +++ b/pkg/simple/client/events/options.go @@ -24,6 +24,9 @@ import ( type Options struct { Host string `json:"host" yaml:"host"` + BasicAuth bool `json:"basicAuth" yaml:"basicAuth"` + Username string `json:"username" yaml:"username"` + Password string `json:"password" yaml:"password"` IndexPrefix string `json:"indexPrefix,omitempty" yaml:"indexPrefix"` Version string `json:"version" yaml:"version"` } 
@@ -54,6 +57,20 @@ func (s *Options) AddFlags(fs *pflag.FlagSet, c *Options) { "if this filed left blank, KubeSphere will use kubernetes builtin event API instead, and"+ " the following elastic search options will be ignored.") + fs.BoolVar(&s.BasicAuth, "events-elasticsearch-basicAuth", c.BasicAuth, ""+ + "Elasticsearch events service basic auth enabled. KubeSphere is using elastic as events store, "+ + "if it is set to true, KubeSphere will connect to ElasticSearch using provided username and password by "+ + "events-elasticsearch-username and events-elasticsearch-username. Otherwise, KubeSphere will "+ + "anonymously access the Elasticsearch.") + + fs.StringVar(&s.Username, "events-elasticsearch-username", c.Username, ""+ + "ElasticSearch authentication username, only needed when events-elasticsearch-basicAuth is"+ + "set to true. ") + + fs.StringVar(&s.Password, "events-elasticsearch-password", c.Password, ""+ + "ElasticSearch authentication password, only needed when events-elasticsearch-basicAuth is"+ + "set to true. ") + fs.StringVar(&s.IndexPrefix, "events-index-prefix", c.IndexPrefix, ""+ "Index name prefix. KubeSphere will retrieve events against indices matching the prefix.") diff --git a/pkg/simple/client/logging/elasticsearch/elasticsearch.go b/pkg/simple/client/logging/elasticsearch/elasticsearch.go index 793e7036b..31a762e3b 100644 --- a/pkg/simple/client/logging/elasticsearch/elasticsearch.go +++ b/pkg/simple/client/logging/elasticsearch/elasticsearch.go @@ -59,7 +59,7 @@ func NewClient(options *logging.Options) (logging.Client, error) { c := &client{} var err error - c.c, err = es.NewClient(options.Host, options.IndexPrefix, options.Version) + c.c, err = es.NewClient(options.Host, options.BasicAuth, options.Username, options.Password, options.IndexPrefix, options.Version) return c, err } diff --git a/pkg/simple/client/logging/options.go b/pkg/simple/client/logging/options.go index 62c78c96c..814ce47fd 100644 
--- a/pkg/simple/client/logging/options.go +++ b/pkg/simple/client/logging/options.go @@ -24,6 +24,9 @@ import ( type Options struct { Host string `json:"host" yaml:"host"` + BasicAuth bool `json:"basicAuth" yaml:"basicAuth"` + Username string `json:"username" yaml:"username"` + Password string `json:"password" yaml:"password"` IndexPrefix string `json:"indexPrefix,omitempty" yaml:"indexPrefix"` Version string `json:"version" yaml:"version"` } @@ -53,6 +56,20 @@ func (s *Options) AddFlags(fs *pflag.FlagSet, c *Options) { "if this filed left blank, KubeSphere will use kubernetes builtin log API instead, and"+ " the following elastic search options will be ignored.") + fs.BoolVar(&s.BasicAuth, "logging-elasticsearch-basicAuth", c.BasicAuth, ""+ + "Elasticsearch logging service basic auth enabled. KubeSphere is using elastic as logging store, "+ + "if it is set to true, KubeSphere will connect to ElasticSearch using provided username and password by "+ + "logging-elasticsearch-username and logging-elasticsearch-username. Otherwise, KubeSphere will "+ + "anonymously access the Elasticsearch.") + + fs.StringVar(&s.Username, "logging-elasticsearch-username", c.Username, ""+ + "ElasticSearch authentication username, only needed when logging-elasticsearch-basicAuth is"+ + "set to true. ") + + fs.StringVar(&s.Password, "logging-elasticsearch-password", c.Password, ""+ + "ElasticSearch authentication password, only needed when logging-elasticsearch-basicAuth is"+ + "set to true. ") + fs.StringVar(&s.IndexPrefix, "logging-index-prefix", c.IndexPrefix, ""+ "Index name prefix. KubeSphere will retrieve logs against indices matching the prefix.")