Cleanup

consul/config/service-defaults/elasticsearch.hcl

@@ -1,3 +1,4 @@
 Kind = "service-defaults"
 Name = "[[ .instance ]][[ .consul.suffix ]]"
 Protocol = "http"
+LocalRequestTimeoutMs = "300000"

consul/config/service-resolver/elasticsearch.hcl

@@ -1,3 +1,3 @@
 Kind = "service-resolver"
 Name = "[[ .instance ]][[ .consul.suffix ]]"
-RequestTimeout = "60m"
+RequestTimeout = "5m"

elasticsearch.nomad.hcl

@@ -44,23 +44,7 @@ job "[[ .instance ]]" {
 
       tags = [
         "[[ .instance ]]-${NOMAD_ALLOC_INDEX}",
-[[- if $c.traefik.enabled ]]
-
-        "[[ $c.traefik.instance ]].enable=true",
-        "[[ $c.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]].rule=Host(`[[ (urlParse $c.public_url).Hostname ]]`)
-  [[- if not (regexp.Match "^/?$" (urlParse $c.public_url).Path) ]] && PathPrefix(`[[ (urlParse $c.public_url).Path ]]`)[[ end ]]",
-        "[[ $c.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]].entrypoints=[[ join $c.traefik.entrypoints "," ]]",
-
-  [[- if not (regexp.Match "^/?$" (urlParse $c.public_url).Path) ]]
-        # ES is exposed by traefik on a subpath. Define a middleware to strip the prefix before passing the request to the backend
-        "[[ $c.traefik.instance ]].http.middlewares.[[ .instance ]]-prefix[[ .consul.suffix ]].stripprefix.prefixes=[[ (urlParse $c.public_url).Path ]]",
-        "[[ $c.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]].middlewares=[[ .instance ]]-prefix[[ .consul.suffix ]],[[ template "common/traefik_middlewares" $c ]]",
-  [[- else ]]
-        "[[ $c.traefik.instance ]].http.routers.[[ .instance ]][[ .consul.suffix ]].middlewares=[[ template "common/traefik_middlewares" $c ]]"
-  [[- end ]]
-
-
-[[- end ]]
+[[ template "common/traefik_tags" $c ]]
       ]
     }
 

prep.d/01-mv-conf.sh

@@ -1 +0,0 @@
-[[ template "common/mv_conf.sh" dict "ctx" . "services" (dict "elasticsearch" .instance) ]]

prep.d/10-rand-secrets.sh

@@ -2,9 +2,10 @@
 
 set -euo pipefail
 
-[[ template "common/vault.rand_secrets" dict "ctx" . "keys" (coll.Slice "es_bootstrap_pwd" "exporter_pwd" "elastic_pwd") ]]
+[[- $pass_to_gen := .elasticsearch.vault.rand_secrets.fields ]]
 [[- range $k, $v := .elasticsearch.server.users ]]
   [[- if not (has $v "password") ]]
-[[ template "common/vault.rand_secrets" dict "ctx" $ "keys" (coll.Slice (printf "%s_pwd" ($k | regexp.Replace "\\-" "_"))) ]]
+    [[- $pass_to_gen = append (printf "%s_pwd" ($k | regexp.Replace "\\-" "_")) $pass_to_gen ]]
   [[- end ]]
 [[- end ]]
+[[ template "common/vault.rand_secrets" merge (dict "vault" (dict "rand_secrets" (dict "fields" $pass_to_gen))) . ]]

templates/entrypoint.env

@@ -11,14 +11,14 @@ unset JAVA_HOME
 
 echo "Adding elastic bootstrap password in the keystore"
 [ -f config/elasticsearch.keystore ] || elasticsearch-keystore create
-echo '{{ with secret "[[ $c.vault.kv.path ]]" }}{{ .Data.data.es_bootstrap_pwd }}{{ end }}' | elasticsearch-keystore add -x 'bootstrap.password'
+echo '{{ with secret "[[ .vault.root ]]kv/service/[[ .instance ]]" }}{{ .Data.data.es_bootstrap_pwd }}{{ end }}' | elasticsearch-keystore add -x 'bootstrap.password'
 
-{{ with secret "[[ $c.vault.kv.path ]]" -}}
+{{ with secret "[[ .vault.root ]]kv/service/[[ .instance ]]" -}}
 echo "Creating exporter user"
 (elasticsearch-users list | grep -qE '^exporter$') || elasticsearch-users useradd exporter -r monitor -p '{{ .Data.data.exporter_pwd }}'
 {{- end }}
 
 [[- range $k, $v := $c.users ]]
 echo "Creating user [[ $k ]]"
-(elasticsearch-users list | grep -qE '^[[ $k ]]$') || elasticsearch-users useradd [[ $k ]] -p '[[ if has $v "password" ]][[ $v.password ]][[ else ]]{{ with secret "[[ $c.vault.kv.path ]]" }}{{ .Data.data.[[ $k | regexp.Replace "\\-" "_" ]]_pwd }}{{ end }}[[ end ]]' [[- if gt (len $v.roles) 0 ]] -r [[ join $v.roles "," ]][[ end ]]
+(elasticsearch-users list | grep -qE '^[[ $k ]]$') || elasticsearch-users useradd [[ $k ]] -p '[[ if has $v "password" ]][[ $v.password ]][[ else ]]{{ with secret "[[ $.vault.root ]]kv/service/[[ $.instance ]]" }}{{ .Data.data.[[ $k | regexp.Replace "\\-" "_" ]]_pwd }}{{ end }}[[ end ]]' [[- if gt (len $v.roles) 0 ]] -r [[ join $v.roles "," ]][[ end ]]
 [[- end ]]

variables.yml

@@ -10,6 +10,11 @@ elasticsearch:
   vault:
     policies:
       - '[[ .instance ]][[ .consul.suffix ]]'
+    rand_secrets:
+      fields:
+        - elastic_pwd
+        - es_bootstrap_pwd
+        - exporter_pwd
 
   # ES server settings
   server:
@@ -17,7 +22,7 @@ elasticsearch:
     version: 8.12.0
 
     # Docker image to use
-    image: '[[ .docker.repo ]]elasticsearch:[[ .elasticsearch.server.version ]]-3'
+    image: '[[ .docker.repo ]]elasticsearch:[[ .elasticsearch.server.version ]]-5'
 
     # Number of instances
     count: 3
@@ -28,9 +33,8 @@ elasticsearch:
     # Vault PKI (mTLS between the different nodes
     vault:
       pki:
-        path: '[[ .vault.prefix ]]pki/[[ .instance ]]'
+        path: '[[ .vault.root ]]pki/[[ .instance ]]'
         ou: Elasticsearch Cluster
-        issuer: '[[ .vault.prefix ]]pki/root'
 
     # Resource allocation
     resources:
@@ -44,7 +48,8 @@ elasticsearch:
     traefik:
       enabled: false
       middlewares:
-        - ip-trusted@file
+        csp: false
+        src-ip: ip-trusted@file
 
     # List of roles and users to create. Eg
     # roles:
@@ -90,12 +95,12 @@ elasticsearch:
     version: 1.7.0
 
     # Docker image to use
-    image: '[[ .docker.repo ]]elasticsearch-exporter:[[ .elasticsearch.exporter.version ]]-2'
+    image: '[[ .docker.repo ]]elasticsearch-exporter:[[ .elasticsearch.exporter.version ]]-3'
 
     # Environment var to set in the container
     env:
       ES_USERNAME: exporter
-      ES_PASSWORD: '{{ with secret "[[ .vault.kv.path ]]" }}{{ .Data.data.exporter_pwd }}{{ end }}'
+      ES_PASSWORD: '{{ with secret "[[ .vault.root ]]kv/service/ [[ .instance ]]" }}{{ .Data.data.exporter_pwd }}{{ end }}'
 
     # Resource allocation
     resources: