open-contracting · Apr 14, 2023 · Mar 10, 2023 · Mar 10, 2023 · Mar 10, 2023 · Mar 10, 2023
diff --git a/deploy-docs.sh b/deploy-docs.sh
@@ -25,10 +25,10 @@ if [ "$RELEASE" != "true" ]; then
 
     # Index the build directory.
     ocdsindex sphinx build/ https://standard.open-contracting.org/"$PREFIX""$PATH_PREFIX""$REF"/ > documents.json
-    ocdsindex index https://standard.open-contracting.org:9200 documents.json
+    ocdsindex index https://standard.open-contracting.org/search documents.json
     if [ "$REF" == "$VERSION" ]; then
         ocdsindex sphinx build/ https://standard.open-contracting.org/"$PREFIX""$PATH_PREFIX"latest/ > documents.json
-        ocdsindex index https://standard.open-contracting.org:9200 documents.json
+        ocdsindex index https://standard.open-contracting.org/search documents.json
     fi
 
     if [ "$PRODUCTION" == "true" ]; then

diff --git a/pillar/docs.sls b/pillar/docs.sls
@@ -25,9 +25,6 @@ apache:
       servername: standard.open-contracting.org
 
 elasticsearch:
-  public_access: False
-  # Allow OCDS documentation and GitHub Actions.
-  allowed_origins: "*"
   # This is to inform the installation of ReadOnlyREST – not to control the version of Elasticsearch to install.
   version: 8.6.2
   plugins:

diff --git a/salt/elasticsearch/files/config/readonlyrest-docs.yml b/salt/elasticsearch/files/config/readonlyrest-docs.yml
@@ -5,8 +5,18 @@ readonlyrest:
   access_control_rules:
     - name: Allow manage admin access over localhost
       groups:
-        - manage
-      x_forwarded_for: ["127.0.0.0/8", "178.79.135.174/32"]
+        - ocpadmin
+      x_forwarded_for:
+        - "127.0.0.0/8"
+        - "{{ pillar.network.ipv4 }}"
+        {%- if "ipv6" in pillar.network %}
+        - "{{ pillar.network.ipv6 }}"
+        {%- endif %}
+        {%- if "admin_ips" in pillar.elasticsearch %}
+        {%- for ip in pillar.elasticsearch.admin_ips %}
+        - "{{ ip }}"
+        {%- endfor %}
+        {%- endif %}
     - name: Allow the public group to search indices created by OCDS Index
       groups:
         - public

diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls
@@ -1,4 +1,4 @@
-{% from 'lib.sls' import set_firewall, unset_firewall%}
+{% from 'lib.sls' import set_firewall, unset_firewall %}
 
 {% if pillar.elasticsearch.get('public_access') %}
   {{ set_firewall("PUBLIC_ELASTICSEARCH") }}
@@ -41,56 +41,38 @@ set jvm maximum heap size:
     - watch_in:
       - service: elasticsearch
 
-{% if pillar.elasticsearch.get('public_access') %}
 /etc/elasticsearch/elasticsearch.yml:
   file.keyvalue:
     - name: /etc/elasticsearch/elasticsearch.yml
     - key_values:
         # https://www.elastic.co/guide/en/elasticsearch/reference/7.10/modules-network.html
+        {% if pillar.elasticsearch.get('public_access') %}
         network.bind_host: 0.0.0.0
-        network.publish_host: _local_
-    - separator: ': '
-    - append_if_not_found: True
-    - watch_in:
-      - service: elasticsearch
-{% else %}
-/etc/elasticsearch/elasticsearch.yml:
-  file.keyvalue:
-    - name: /etc/elasticsearch/elasticsearch.yml
-    - key_values:
-        # https://www.elastic.co/guide/en/elasticsearch/reference/7.10/modules-network.html
+        {% else %}
+        http.host: 127.0.0.1
         network.bind_host: 127.0.0.1
+        {% endif %}
         network.publish_host: _local_
-    - separator: ': '
-    - append_if_not_found: True
-    - watch_in:
-      - service: elasticsearch
-{% endif %}
-
-ElasticSearch Global Config:
-  file.keyvalue:
-    - name: /etc/elasticsearch/elasticsearch.yml
-    - key_values:
         # https://www.elastic.co/guide/en/elasticsearch/reference/7.10/query-dsl.html
         search.allow_expensive_queries: 'false'
         # https://www.elastic.co/guide/en/elasticsearch/reference/7.10/modules-scripting-security.html
         script.allowed_types: inline
         script.allowed_contexts: ingest
         # https://www.elastic.co/guide/en/elasticsearch/reference/7.10/bootstrap-checks.html
         discovery.type: single-node
-#        {% if 'allowed_origins' in pillar.elasticsearch %}
-#        # https://www.elastic.co/guide/en/elasticsearch/reference/7.10/modules-http.html
-#        http.cors.enabled: 'true'
-#        http.cors.allow-origin: "'{{ pillar.elasticsearch.allowed_origins }}'"
-#        http.cors.allow-methods: OPTIONS, GET, POST
-#        http.cors.allow-headers: X-Requested-With, Content-Type, Content-Length, Authorization
-#        {% endif %}
     - separator: ': '
     - append_if_not_found: True
     - watch_in:
       - service: elasticsearch
 
-{# Prevent Elasticsearch from starting in the case of misconfiguration. #}
+/etc/elasticsearch/elasticsearch.yml disable cluster mode:
+  file.comment:
+    - name: /etc/elasticsearch/elasticsearch.yml
+    - regex: "^cluster.initial_master_nodes:"
+    - backup: False
+    - ignore_missing: True
+
+{# Prevent ElasticSearch from starting in the case of misconfiguration. #}
 /etc/elasticsearch/jvm.options.d/bootstrap-checks.options:
   file.managed:
     - name: /etc/elasticsearch/jvm.options.d/bootstrap-checks.options

diff --git a/salt/elasticsearch/plugins/readonlyrest.sls b/salt/elasticsearch/plugins/readonlyrest.sls
@@ -32,6 +32,8 @@ readonlyrest-install:
         readonlyrest.force_load_from_file: 'true'
         # https://github.com/beshu-tech/readonlyrest-docs/blob/master/elasticsearch.md#5-disable-x-pack-security-module
         xpack.security.enabled: 'false'
+        xpack.security.transport.ssl.enabled: 'false'
+        xpack.security.http.ssl.enabled: 'false'
     - separator: ': '
     - append_if_not_found: True
     - require: