From 5f6fd76db34ceaf7f9b1262acb579f84f9d95393 Mon Sep 17 00:00:00 2001 From: Christian F Date: Wed, 16 Nov 2022 13:49:50 +0100 Subject: [PATCH] Improvement provide more configuration options for elasticsearch client (#7) * added several configuration options * added basic documentation * added docker-compose template * updated installation and configuration docs --- README.md | 22 +++- doc/03_Docker.md | 151 ++++++++++++++++++++++ src/DependencyInjection/Configuration.php | 26 +++- src/EsClientFactory.php | 24 ++++ 4 files changed, 221 insertions(+), 2 deletions(-) create mode 100644 doc/03_Docker.md diff --git a/README.md b/README.md index d2843c0..843cb43 100644 --- a/README.md +++ b/README.md @@ -10,6 +10,11 @@ Supported elasticsearch version: Elasticsearch 8 ## Installation +Install bundle via composer +```bash +composer require pimcore/elasticsearch-client +``` + This bundle is a standard symfony bundle. If not required and activated by another bundle, it can be enabled by adding it to the `bundles.php` of your application. @@ -24,6 +29,8 @@ By default, a `default` client with host set to `localhost:9200` is available an For details on the configuration opens have a look at inline documentation via command `bin/console config:dump-reference PimcoreElasticsearchClientBundle` +Also see the [Elasticsearch Docs](https://www.elastic.co/guide/en/elasticsearch/client/php-api/current/connecting.html) for +more information. ```yaml pimcore_elasticsearch_client: @@ -36,7 +43,20 @@ pimcore_elasticsearch_client: statistics: hosts: ['statistics-node:9200'] logger_channel: 'pimcore.statistics' - + + #optional options + ca_bundle: 'path/to/ca/cert' + ssl_key: 'path/to/ssl/key' + ssl_cert: 'path/to/ssl/cert' + ssl_password: 'secretePW' + ssl_verification: false #false is the default value + http_options: + proxy: 'http://localhost:8125' + cloud_id: '123456789' + api_key: 'secret-apikey' + cloud: + cloud_id: '123456789' + api_key: 'secret-apikey' ``` ## Integration into other Bundles diff --git a/doc/03_Docker.md b/doc/03_Docker.md new file mode 100644 index 0000000..7cb2adc --- /dev/null +++ b/doc/03_Docker.md @@ -0,0 +1,151 @@ +# Docker + +We created a sample docker setup for running Elasticsearch locally on your machine. + +Feel free to customize and use this as a template to create your own setup. + +### Docker Compose Setup + +This will create an Elasticsearch container (`elastic`) and a Kibana container (`kibana`). +They will communicate between each other via an encrypted connection! If you do not need an +encrypted connection just comment out the ssl stuff (see code comments) + +```yaml +#docker-compose.yaml + +services: + php: + user: '1000:1000' # set to your uid:gid + + supervisord: + user: '1000:1000' # set to your uid:gid + + db: + ports: + - "3306:3306" + + create_certs: + container_name: elastic_create_certs + image: elasticsearch:8.4.3 + command: > + bash -c ' + if [[ ! -f ./certs/certs-bundle.zip ]]; then + echo "Generating CA"; + #bin/elasticsearch-certutil ca --silent --pass "password" --pem --out ./certs/certs-bundle.zip; + bin/elasticsearch-certutil ca --silent --pem --out ./certs/certs-bundle.zip; + unzip ./certs/certs-bundle.zip -d ./certs; + fi + + if [ ! -f ./certs/certs.zip ]; then + echo "Creating certs"; + echo -ne \ + "instances:\n"\ + " - name: elastic\n"\ + " dns:\n"\ + " - elastic\n"\ + " - localhost\n"\ + " ip:\n"\ + " - 127.0.0.1\n"\ + > ./certs/instances.yml; + bin/elasticsearch-certutil cert --silent --pem --ca-cert ./certs/ca/ca.crt --ca-key ./certs/ca/ca.key --in ./certs/instances.yml --out ./certs/certs.zip; + unzip ./certs/certs.zip -d ./certs; + fi + + echo "Setting file permissions" + chown -R root:root ./certs; + find . -type d -exec chmod 750 \{\} \;; + find . -type f -exec chmod 640 \{\} \;; + + echo "Waiting for Elasticsearch availability"; + until curl --insecure -s --cacert ./certs/ca/ca.crt https://elastic:9200 | grep -q "missing authentication credentials"; do sleep 30; done; + + echo "Setting kibana_system password"; + until curl --insecure -s -X POST --cacert ./certs/ca/ca.crt -u "elastic:somethingsecret" -H "Content-Type: application/json" https://elastic:9200/_security/user/kibana_system/_password -d "{\"password\":\"somethingsecret\"}" | grep -q "^{}"; do sleep 10; done; + + echo "All done!" + ' + user: "0" + working_dir: /usr/share/elasticsearch + volumes: + - pimcore-enterprise-elastic-certs:/usr/share/elasticsearch/certs + + elastic: + container_name: elastic-10 + image: elasticsearch:8.4.3 + environment: + - discovery.type=single-node + - "ES_JAVA_OPTS=-Xms1g -Xmx1g" + - xpack.security.enabled=true + - ELASTIC_PASSWORD=somethingsecret + + # DISABLE LINES BELOW IF SSL IS NOT NEEDED! + + #CONFIG BELOW USES PEM + - xpack.security.http.ssl.enabled=true + - xpack.security.http.ssl.key=certs/elastic/elastic.key + - xpack.security.http.ssl.certificate=certs/elastic/elastic.crt + - xpack.security.http.ssl.certificate_authorities=certs/ca/ca.crt + - xpack.security.http.ssl.verification_mode=certificate + + - xpack.security.transport.ssl.enabled=true + - xpack.security.transport.ssl.key=certs/elastic/elastic.key + - xpack.security.transport.ssl.certificate=certs/elastic/elastic.crt + - xpack.security.transport.ssl.certificate_authorities=certs/ca/ca.crt + - xpack.security.transport.ssl.verification_mode=certificate + + # CONFIG BELOW USES KEYSTORES + #- xpack.security.transport.ssl.enabled=true + #- xpack.security.transport.ssl.keystore.password=elastic + #- xpack.security.transport.ssl.truststore.password=elastic + #- xpack.security.transport.ssl.keystore.path=certs/elasticsearch01.p12 + #- xpack.security.transport.ssl.verification_mode=certificate + + #- xpack.security.http.ssl.enabled=true + #- xpack.security.http.ssl.keystore.password=elastic + #- xpack.security.http.ssl.truststore.password=elastic + #- xpack.security.http.ssl.keystore.path=certs/elasticsearch01.p12 + #- xpack.security.http.ssl.verification_mode=certificate + ports: + - 9200:9200 + volumes: + - pimcore-enterprise-elastic:/usr/share/elasticsearch/data + - pimcore-enterprise-elastic-certs:/usr/share/elasticsearch/config/certs + deploy: + resources: + limits: + cpus: '1' + memory: '2G' + + kibana: + container_name: kibana-10 + image: kibana:8.4.3 + ports: + - 5601:5601 + environment: + - ELASTICSEARCH_HOSTS=https://elastic:9200 + - XPACK_SECURITY_ENABLED=true + + - ELASTICSEARCH_USERNAME=kibana_system + - ELASTICSEARCH_PASSWORD=somethingsecret + + # DISABLE LINES BELOW IF SSL IS NOT NEEDED! + - ELASTICSEARCH_SSL_CERTIFICATEAUTHORITIES=config/certs/ca/ca.crt + + #- ELASTICSEARCH_SSL_CERTIFICATEAUTHORITIES=config/certs/ca/ca.crt + #- ELASTICSEARCH_SSL_VERIFICATIONMODE=certificate + #- SERVER_SSL_ENABLED=true + #- SERVER_SSL_KEY=config/certs/kibana.key + #- SERVER_SSL_CERTIFICATE=config/certs/kibana.crt + #- SERVER_SSL_PASSWORD=kibana + #- SERVER_SSL_KEYPASSPHRASE=kibana + volumes: + - pimcore-enterprise-elastic-certs:/usr/share/kibana/config/certs + +volumes: + pimcore-enterprise-elastic: + pimcore-enterprise-elastic-certs: +``` + +Use `docker-compose up -d` to run the configured stack. + +Also `docker compose logs -f` could be helpful to debug certain errors. \ No newline at end of file diff --git a/src/DependencyInjection/Configuration.php b/src/DependencyInjection/Configuration.php index e09772c..46843bd 100644 --- a/src/DependencyInjection/Configuration.php +++ b/src/DependencyInjection/Configuration.php @@ -50,7 +50,31 @@ public function getConfigTreeBuilder() ->scalarNode('password') ->info('Password for elasticsearch authentication') ->end() - ->end() + ->scalarNode('ca_bundle') + ->info('Path to certificate authority file (.crt)') + ->end() + ->scalarNode('ssl_key') + ->info('Path to private SSL key file (.key)') + ->end() + ->scalarNode('ssl_cert') + ->info('Path to PEM formatted SSL cert file (.cert)') + ->end() + ->scalarNode('ssl_password') + ->info('If private key and certificate require a password (default: null)') + ->end() + ->booleanNode('ssl_verification') + ->info('Enable or disable the SSL verification (default: false)') + ->end() + ->arrayNode('http_options') + ->prototype('scalar')->end() + ->info('List of http client options') + ->end() + ->scalarNode('cloud_id') + ->info('Elastic Cloud Id for elasticsearch cloud authentication') + ->end() + ->scalarNode('api_key') + ->info('Elastic Cloud API key for elasticsearch cloud authentication') + ->end() ->end() ->end() ->end(); diff --git a/src/EsClientFactory.php b/src/EsClientFactory.php index 886d15c..98eb4cf 100644 --- a/src/EsClientFactory.php +++ b/src/EsClientFactory.php @@ -31,6 +31,30 @@ public static function create(LoggerInterface $logger, array $configuration): Cl $builder->setBasicAuthentication($configuration['username'], $configuration['password']); } + if(isset($configuration['cloud_id'], $configuration['api_key'])){ + $builder + ->setElasticCloudId($configuration['cloud_id']) + ->setApiKey($configuration['api_key']); + } + + if(isset($configuration['ca_bundle'])){ + $builder->setCABundle($configuration['ca_bundle']); + } + + if(isset($configuration['ssl_key']) && $configuration['ssl_cert']){ + $builder + ->setSSLKey($configuration['ssl_key'], $configuration['ssl_password'] ?? null) + ->setSSLCert($configuration['ssl_cert'], $configuration['ssl_password'] ?? null); + + if(isset($configuration['ssl_verification'])){ + $builder->setSSLVerification($configuration['ssl_verification']); + } + } + + if(isset($configuration['http_options'])){ + $builder->setHttpClientOptions($configuration['http_options']); + } + return $builder->build(); } }