diff --git a/docker-compose/compose.yaml b/docker-compose/compose.yaml index ccdf4026f..e8b5a0686 100644 --- a/docker-compose/compose.yaml +++ b/docker-compose/compose.yaml @@ -181,7 +181,7 @@ services: retries: 3 start_period: 5s elasticsearch: - image: elasticsearch:7.17.3 + image: elasticsearch:7.17.26 environment: - xpack.security.enabled=false - discovery.type=single-node @@ -204,7 +204,7 @@ services: retries: 5 start_period: 30s kibana: - image: kibana:7.17.3 + image: kibana:7.17.26 mem_limit: 1g environment: - ELASTICSEARCH_HOSTS=http://elasticsearch:9200 diff --git a/docker-compose/pre-release-compose.yaml b/docker-compose/pre-release-compose.yaml index 8d5da672d..a419048b1 100644 --- a/docker-compose/pre-release-compose.yaml +++ b/docker-compose/pre-release-compose.yaml @@ -181,7 +181,7 @@ services: retries: 3 start_period: 5s elasticsearch: - image: elasticsearch:7.17.3 + image: elasticsearch:7.17.26 environment: - xpack.security.enabled=false - discovery.type=single-node @@ -204,7 +204,7 @@ services: retries: 5 start_period: 30s kibana: - image: kibana:7.17.3 + image: kibana:7.17.26 mem_limit: 1g environment: - ELASTICSEARCH_HOSTS=http://elasticsearch:9200 diff --git a/docs/helm/examples/with-elasticsearch-auth.md b/docs/helm/examples/with-elasticsearch-auth.md new file mode 100644 index 000000000..3c85a7e74 --- /dev/null +++ b/docs/helm/examples/with-elasticsearch-auth.md 
@@ -0,0 +1,77 @@ +--- +title: ACS with local elasticsearch cluster with auth enabled +parent: Examples +grand_parent: Helm +--- + +# Deploying Elasticsearch with Kibana and Authentication Enabled + +This guide demonstrates how to deploy Elasticsearch with Kibana and +authentication enabled using the Alfresco ACS Deployment repository. + +> :warning: This example demonstrates how to use an embedded Elasticsearch cluster +> with authentication enabled. However, it is intended for demonstration purposes +> only and is **not recommended for production use**. We strongly advise against using +> an embedded Elasticsearch cluster in production environments. This example is +> provided solely for cases where the embedded setup is specifically needed, such +> as for testing or development scenarios. + +## Prerequisites + +Ensure you have the following: + +- Helm installed on your system. +- Kubernetes cluster configured and running. + +## Steps to Deploy + +### 1. Create a Secret + +First, create a Kubernetes secret containing the credentials for Elasticsearch +and Kibana. Customize the values as needed for your setup. + +```bash +ELASTIC_USERNAME="elastic" ELASTIC_PASSWORD="alfresco" KIBANA_PASSWORD="alfrescokibana" && \ +kubectl create secret generic elastic-search-secret \ + --namespace=default \ + --from-literal=elastic-user=$ELASTIC_USERNAME \ + --from-literal=elasticsearch-password=$ELASTIC_PASSWORD \ + --from-literal=kibana-password=$KIBANA_PASSWORD \ + --from-literal=AUDIT_ELASTICSEARCH_USERNAME=$ELASTIC_USERNAME \ + --from-literal=AUDIT_ELASTICSEARCH_PASSWORD=$ELASTIC_PASSWORD \ + --from-literal=SEARCH_USERNAME=$ELASTIC_USERNAME \ + --from-literal=SEARCH_PASSWORD=$ELASTIC_PASSWORD +``` + +### 2. Understand the Patch File + +Patch file `docs/helm/values/elasticsearch_auth_values.yaml` defines the configuration +for enabling authentication and integrating Elasticsearch and Kibana with the +Alfresco deployment. 
Update the patch file to match your requirements if +necessary. + +### 3. Deploy the Infrastructure + +Deploy the ACS stack with the appropriate values files. + +```bash +helm install acs ./helm/alfresco-content-services \ + --set global.search.sharedSecret="$(openssl rand -hex 24)" \ + --set global.known_urls=http://localhost \ + --set global.alfrescoRegistryPullSecrets=quay-registry-secret \ + --values docs/helm/values/local-dev_values.yaml \ + --values docs/helm/values/elasticsearch_auth_values.yaml +``` + +## Accessing Kibana + +After the deployment is successful: + +1. Open your browser and navigate to: `http://localhost/kibana` + +2. Use the credentials specified in the secret to log in. + + - **Username**: elastic + - **Password**: alfresco + +You should now have access to Kibana with Elasticsearch authentication enabled. diff --git a/docs/helm/values/elasticsearch_auth_values.yaml b/docs/helm/values/elasticsearch_auth_values.yaml new file mode 100644 index 000000000..2c96a89b8 --- /dev/null +++ b/docs/helm/values/elasticsearch_auth_values.yaml @@ -0,0 +1,34 @@ +global: + kibanaEnabled: true +alfresco-repository: + configuration: + search: + existingSecret: + name: &secretName elastic-search-secret +alfresco-audit-storage: + index: + existingSecret: + name: *secretName +alfresco-search-enterprise: + search: + existingSecret: + name: *secretName +elasticsearch: + security: + enabled: true + existingSecret: *secretName + tls: + restEncryption: false + autoGenerated: true + verificationMode: "none" + kibana: + elasticsearch: + security: + auth: + enabled: true + createSystemUser: true + elasticsearchPasswordSecret: *secretName + existingSecret: *secretName + tls: + enabled: false + verificationMode: "none" diff --git a/docs/helm/values/local-dev_values.yaml b/docs/helm/values/local-dev_values.yaml index 2574ac07f..1f991a650 100644 --- a/docs/helm/values/local-dev_values.yaml +++ b/docs/helm/values/local-dev_values.yaml 
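Review bot: In `docs/helm/values/elasticsearch_auth_values.yaml` authentication is switched on while `restEncryption: false` and the Kibana `tls.enabled: false` leave the REST and Kibana endpoints on plain HTTP, so the password taken from `elastic-search-secret` is sent unencrypted on every request. `verificationMode: "none"` additionally turns off certificate verification wherever TLS is in use. The accompanying guide marks the setup as demo-only, but the values file carries no such marker and is the part that gets copied into other deployments. I would add a header comment such as `# Demo only: REST and Kibana traffic is unencrypted and certificates are not verified; enable restEncryption and verification before reuse`, plus a short comment on each of the two `verificationMode` lines.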
@@ -92,15 +92,30 @@ alfresco-search-enterprise: cpu: "1" memory: "1Gi" elasticsearch: - esJavaOpts: "-Xmx512m -Xms512m" + master: + resources: + requests: + cpu: "0.1" + memory: "512Mi" + limits: + cpu: "1" + memory: "1Gi" + kibana: + resources: + requests: + cpu: "0.1" + memory: "512Mi" + limits: + cpu: "1" + memory: "1Gi" +share: resources: requests: - cpu: "100m" - memory: "512Mi" + cpu: "0.01" + memory: "256Mi" limits: - cpu: "1000m" - memory: "1Gi" -share: + memory: "512Mi" +alfresco-audit-storage: resources: requests: cpu: "0.01" diff --git a/helm/alfresco-content-services/7.2.N_values.yaml b/helm/alfresco-content-services/7.2.N_values.yaml index 0e03897b9..354eaeb64 100644 --- a/helm/alfresco-content-services/7.2.N_values.yaml +++ b/helm/alfresco-content-services/7.2.N_values.yaml @@ -85,10 +85,6 @@ alfresco-connector-ms365: alfresco-connector-msteams: image: tag: 2.0.4 -elasticsearch-audit: - enabled: false -kibana-audit: - enabled: false alfresco-audit-storage: enabled: false dtas: diff --git a/helm/alfresco-content-services/7.3.N_values.yaml b/helm/alfresco-content-services/7.3.N_values.yaml index d08ca341e..bc1f7894a 100644 --- a/helm/alfresco-content-services/7.3.N_values.yaml +++ b/helm/alfresco-content-services/7.3.N_values.yaml @@ -85,10 +85,6 @@ alfresco-connector-ms365: alfresco-connector-msteams: image: tag: 2.0.4 -elasticsearch-audit: - enabled: false -kibana-audit: - enabled: false alfresco-audit-storage: enabled: false dtas: diff --git a/helm/alfresco-content-services/7.4.N_values.yaml b/helm/alfresco-content-services/7.4.N_values.yaml index 32052f6d9..50538a8ed 100644 --- a/helm/alfresco-content-services/7.4.N_values.yaml +++ b/helm/alfresco-content-services/7.4.N_values.yaml @@ -85,10 +85,6 @@ alfresco-connector-ms365: alfresco-connector-msteams: image: tag: 2.0.4 -elasticsearch-audit: - enabled: false -kibana-audit: - enabled: false alfresco-audit-storage: enabled: false dtas: 
diff --git a/helm/alfresco-content-services/Chart.lock b/helm/alfresco-content-services/Chart.lock index 07694c67c..891babd0a 100644 --- a/helm/alfresco-content-services/Chart.lock +++ b/helm/alfresco-content-services/Chart.lock @@ -31,7 +31,7 @@ dependencies: version: 7.0.0-alpha.0 - name: alfresco-search-enterprise repository: https://alfresco.github.io/alfresco-helm-charts/ - version: 4.2.0 + version: 4.3.0-alpha.0 - name: alfresco-connector-msteams repository: https://alfresco.github.io/alfresco-helm-charts/ version: 2.0.0-alpha.0 @@ -45,16 +45,10 @@ dependencies: repository: https://alfresco.github.io/alfresco-helm-charts/ version: 3.0.0 - name: elasticsearch - repository: https://helm.elastic.co - version: 7.17.3 -- name: elasticsearch - repository: https://helm.elastic.co - version: 7.17.3 -- name: kibana - repository: https://helm.elastic.co - version: 7.17.3 + repository: oci://registry-1.docker.io/bitnamicharts + version: 21.4.1 - name: alfresco-audit-storage repository: https://alfresco.github.io/alfresco-helm-charts/ - version: 0.1.0 -digest: sha256:86c84fe4d02c8b094428b4015cb60496932c9825c2e93af080a261173e4b623a -generated: "2024-12-10T18:02:25.499745+01:00" + version: 0.2.0-alpha.0 +digest: sha256:809e677e581430f219dbc1024c239aed0f62862493d27ec980f7ee078098b5c8 +generated: "2024-12-18T14:47:30.487767+01:00" diff --git a/helm/alfresco-content-services/Chart.yaml b/helm/alfresco-content-services/Chart.yaml index 725803826..227791c66 100644 --- a/helm/alfresco-content-services/Chart.yaml +++ b/helm/alfresco-content-services/Chart.yaml @@ -4,7 +4,7 @@ # https://www.alfresco.com/platform/content-services-ecm/trial/download apiVersion: v2 name: alfresco-content-services -version: 9.0.0-alpha.0 +version: 9.0.0-alpha.1 appVersion: 23.4.0 description: A Helm chart for deploying Alfresco Content Services keywords: 
@@ -61,7 +61,7 @@ dependencies: version: 7.0.0-alpha.0 condition: alfresco-sync-service.enabled - name: alfresco-search-enterprise - version: 4.2.0 + version: 4.3.0-alpha.0 repository: https://alfresco.github.io/alfresco-helm-charts/ condition: alfresco-search-enterprise.enabled - name: alfresco-connector-msteams @@ -82,21 +82,11 @@ dependencies: repository: https://alfresco.github.io/alfresco-helm-charts/ condition: alfresco-ai-transformer.enabled - name: elasticsearch - repository: https://helm.elastic.co - version: 7.17.3 + repository: oci://registry-1.docker.io/bitnamicharts + version: 21.4.1 condition: elasticsearch.enabled - - name: elasticsearch - alias: elasticsearch-audit - repository: https://helm.elastic.co - version: 7.17.3 - condition: elasticsearch-audit.enabled - - name: kibana - alias: kibana-audit - repository: https://helm.elastic.co - version: 7.17.3 - condition: kibana-audit.enabled - name: alfresco-audit-storage - version: 0.1.0 + version: 0.2.0-alpha.0 repository: https://alfresco.github.io/alfresco-helm-charts/ condition: alfresco-audit-storage.enabled icon: https://avatars0.githubusercontent.com/u/391127?s=200&v=4 diff --git a/helm/alfresco-content-services/README.md b/helm/alfresco-content-services/README.md index d530f7fa1..abd19a1f9 100644 --- a/helm/alfresco-content-services/README.md +++ b/helm/alfresco-content-services/README.md @@ -6,7 +6,7 @@ grand_parent: Helm # alfresco-content-services -![Version: 9.0.0-alpha.0](https://img.shields.io/badge/Version-9.0.0--alpha.0-informational?style=flat-square) ![AppVersion: 23.4.0](https://img.shields.io/badge/AppVersion-23.4.0-informational?style=flat-square) +![Version: 9.0.0-alpha.1](https://img.shields.io/badge/Version-9.0.0--alpha.1-informational?style=flat-square) ![AppVersion: 23.4.0](https://img.shields.io/badge/AppVersion-23.4.0-informational?style=flat-square) A Helm chart for deploying Alfresco Content Services 
@@ -26,19 +26,17 @@ Please refer to the [documentation](https://github.com/Alfresco/acs-deployment/b | https://alfresco.github.io/alfresco-helm-charts/ | alfresco-control-center(alfresco-adf-app) | 0.2.0 | | https://alfresco.github.io/alfresco-helm-charts/ | alfresco-digital-workspace(alfresco-adf-app) | 0.2.0 | | https://alfresco.github.io/alfresco-helm-charts/ | alfresco-ai-transformer | 3.0.0 | -| https://alfresco.github.io/alfresco-helm-charts/ | alfresco-audit-storage | 0.1.0 | +| https://alfresco.github.io/alfresco-helm-charts/ | alfresco-audit-storage | 0.2.0-alpha.0 | | https://alfresco.github.io/alfresco-helm-charts/ | alfresco-common | 4.0.0-alpha.0 | | https://alfresco.github.io/alfresco-helm-charts/ | alfresco-connector-ms365 | 3.0.0-alpha.0 | | https://alfresco.github.io/alfresco-helm-charts/ | alfresco-connector-msteams | 2.0.0-alpha.0 | | https://alfresco.github.io/alfresco-helm-charts/ | alfresco-repository | 0.8.0 | -| https://alfresco.github.io/alfresco-helm-charts/ | alfresco-search-enterprise | 4.2.0 | +| https://alfresco.github.io/alfresco-helm-charts/ | alfresco-search-enterprise | 4.3.0-alpha.0 | | https://alfresco.github.io/alfresco-helm-charts/ | alfresco-search(alfresco-search-service) | 5.0.0-alpha.0 | | https://alfresco.github.io/alfresco-helm-charts/ | share(alfresco-share) | 1.2.0 | | https://alfresco.github.io/alfresco-helm-charts/ | alfresco-sync-service | 7.0.0-alpha.0 | | https://alfresco.github.io/alfresco-helm-charts/ | alfresco-transform-service | 2.1.2 | -| https://helm.elastic.co | elasticsearch | 7.17.3 | -| https://helm.elastic.co | elasticsearch-audit(elasticsearch) | 7.17.3 | -| https://helm.elastic.co | kibana-audit(kibana) | 7.17.3 | +| oci://registry-1.docker.io/bitnamicharts | elasticsearch | 21.4.1 | | oci://registry-1.docker.io/bitnamicharts | postgresql-sync(postgresql) | 12.8.5 | | oci://registry-1.docker.io/bitnamicharts | postgresql | 12.8.5 | 
@@ -71,6 +69,7 @@ Please refer to the [documentation](https://github.com/Alfresco/acs-deployment/b | alfresco-audit-storage.index.existingSecret.name | string | `"alfresco-aas-elasticsearch-secret"` | | | alfresco-audit-storage.messageBroker.existingConfigMap.name | string | `"alfresco-infrastructure"` | Name of the configmap which holds the message broker URL | | alfresco-audit-storage.messageBroker.existingSecret.name | string | `"acs-alfresco-cs-brokersecret"` | Name of the configmap which holds the message broker credentials | +| alfresco-audit-storage.nameOverride | string | `"alfresco-audit-storage"` | | | alfresco-connector-ms365.enabled | bool | `false` | Enable/Disable Alfresco Content Connector for Microsoft 365 | | alfresco-connector-ms365.image.repository | string | `"quay.io/alfresco/alfresco-ooi-service"` | | | alfresco-connector-ms365.image.tag | string | `"2.0.4"` | | @@ -222,8 +221,8 @@ Please refer to the [documentation](https://github.com/Alfresco/acs-deployment/b | database.url | string | `nil` | External Postgresql jdbc url ex: `jdbc:postgresql://oldfashioned-mule-postgresql-acs:5432/alfresco` | | database.user | string | `nil` | External Postgresql database user | | dtas.additionalArgs[0] | string | `"--tb=short"` | | -| dtas.config.assertions.aas.audit_host | string | `"http://acs-alfresco-audit-storage:8081"` | | -| dtas.config.assertions.aas.elasticsearch_host | string | `"http://elasticsearch-aas-master:9200"` | | +| dtas.config.assertions.aas.audit_host | string | `"{{ include \"alfresco-content-services.audit.serviceName\" $ }}"` | | +| dtas.config.assertions.aas.elasticsearch_host | string | `"{{ include \"alfresco-content-services.audit.elasticsearchUrl\" $ }}"` | | | dtas.config.assertions.acs.edition | string | `"Enterprise"` | | | dtas.config.assertions.acs.identity | bool | `false` | | | dtas.config.assertions.acs.modules[0].id | string | `"org.alfresco.integrations.google.docs"` | | 
@@ -241,28 +240,29 @@ Please refer to the [documentation](https://github.com/Alfresco/acs-deployment/b | dtas.image.pullPolicy | string | `"IfNotPresent"` | | | dtas.image.repository | string | `"quay.io/alfresco/alfresco-deployment-test-automation-scripts"` | | | dtas.image.tag | string | `"v1.6.0"` | | -| elasticsearch-audit.clusterHealthCheckParams | string | `"wait_for_status=yellow&timeout=1s"` | | -| elasticsearch-audit.clusterName | string | `"elasticsearch-aas"` | | -| elasticsearch-audit.enabled | bool | `true` | Enables the embedded elasticsearch cluster for alfresco-audit-storage | -| elasticsearch-audit.extraEnvs[0].name | string | `"ELASTIC_USERNAME"` | | -| elasticsearch-audit.extraEnvs[0].valueFrom.secretKeyRef.key | string | `"AUDIT_ELASTICSEARCH_USERNAME"` | | -| elasticsearch-audit.extraEnvs[0].valueFrom.secretKeyRef.name | string | `"alfresco-aas-elasticsearch-secret"` | | -| elasticsearch-audit.extraEnvs[1].name | string | `"ELASTIC_PASSWORD"` | | -| elasticsearch-audit.extraEnvs[1].valueFrom.secretKeyRef.key | string | `"AUDIT_ELASTICSEARCH_PASSWORD"` | | -| elasticsearch-audit.extraEnvs[1].valueFrom.secretKeyRef.name | string | `"alfresco-aas-elasticsearch-secret"` | | -| elasticsearch-audit.ingress.enabled | bool | `false` | toggle deploying elasticsearch-audit ingress for more details about configuration check https://github.com/elastic/helm-charts/blob/main/elasticsearch/values.yaml#L255 | -| elasticsearch-audit.nameOverride | string | `"elasticsearch-aas"` | | -| elasticsearch-audit.replicas | int | `1` | | -| elasticsearch.clusterHealthCheckParams | string | `"wait_for_status=yellow&timeout=1s"` | | +| elasticsearch.coordinating.replicaCount | int | `0` | | +| elasticsearch.data.replicaCount | int | `0` | | | elasticsearch.enabled | bool | `true` | Enables the embedded elasticsearch cluster | -| elasticsearch.replicas | int | `1` | | +| elasticsearch.image.tag | string | `"7.17.26"` | | +| elasticsearch.ingest.replicaCount | int | `0` | | 
+| elasticsearch.ingress.enabled | bool | `false` | toggle deploying elasticsearch-audit ingress for more details about configuration check https://github.com/bitnami/charts/blob/main/bitnami/elasticsearch/values.yaml#L366 | +| elasticsearch.kibana.configuration.server.basePath | string | `"/kibana"` | | +| elasticsearch.kibana.configuration.server.publicBaseUrl | string | `"http://localhost/kibana"` | This setting defines the base URL for accessing Kibana in your deployment. - For **local deployments**: Use "http://localhost/kibana" (default). - For **production or remote deployments**: Replace `localhost` with the fully qualified domain name (FQDN) or IP address where Kibana is accessible. Example: "http://kibana.mycompany.com" or "http://192.168.1.100/kibana". - Ensure this URL is accessible by users or other services that need to interact with Kibana. | +| elasticsearch.kibana.configuration.server.rewriteBasePath | bool | `true` | | +| elasticsearch.kibana.image.tag | string | `"7.17.26"` | | +| elasticsearch.kibana.ingress.enabled | bool | `true` | | +| elasticsearch.kibana.ingress.hostname | string | `"*"` | | +| elasticsearch.kibana.ingress.ingressClassName | string | `"nginx"` | | +| elasticsearch.kibana.ingress.path | string | `"/kibana"` | | +| elasticsearch.master.masterOnly | bool | `false` | | +| elasticsearch.master.replicaCount | int | `1` | | | global.alfrescoRegistryPullSecrets | string | `nil` | If a private image registry a secret can be defined and passed to kubernetes, see: https://github.com/Alfresco/acs-deployment/blob/a924ad6670911f64f1bba680682d266dd4ea27fb/docs/helm/eks-deployment.md#docker-registry-secret | | global.auditIndex.existingSecretName | string | `nil` | Name of an existing secret that contains AUDIT_ELASTICSEARCH_USERNAME and AUDIT_ELASTICSEARCH_PASSWORD keys. 
| -| global.auditIndex.password | string | `nil` | Elasticsearch password | -| global.auditIndex.publicBaseUrl | string | `nil` | Base url for kibana environment variable `SERVER_PUBLICBASEURL` | +| global.auditIndex.password | string | `nil` | set password for authentication against the external elasticsearch service for audit indexing | | global.auditIndex.secretName | string | `"alfresco-aas-elasticsearch-secret"` | Name of the secret managed by this chart | -| global.auditIndex.url | string | `nil` | Elasticsearch URL | -| global.auditIndex.username | string | `nil` | Elasticsearch username | +| global.auditIndex.url | string | `nil` | set this URL if you have an external elasticsearch for audit indexing | +| global.auditIndex.username | string | `nil` | set usernname for authentication against the external elasticsearch service for audit indexing | +| global.kibanaEnabled | bool | `false` | Enable/Disable Kibana for the embedded elasticsearch cluster | | global.known_urls | list | `["https://localhost","http://localhost"]` | list of trusted URLs. URLs a re used to configure Cross-origin protections Also the first entry is considered the main hosting domain of the platform. | | global.mail | object | `{"host":null,"password":null,"port":587,"protocol":"smtp","smtp":{"auth":true,"starttls":{"enable":true}},"smtps":{"auth":true},"username":"anonymous"}` | For a full information of configuring the outbound email system, see https://support.hyland.com/r/Alfresco/Alfresco-Content-Services/23.4/Alfresco-Content-Services/Configure/Email/Configure-Inbound-and-Outbound-Email/Manage-Outbound-Emails | | global.mail.host | string | `nil` | SMTP server to use for the system to send outgoing email | 
@@ -280,28 +280,6 @@ Please refer to the [documentation](https://github.com/Alfresco/acs-deployment/b | global.strategy.rollingUpdate.maxUnavailable | int | `0` | | | infrastructure.configMapName | string | `"alfresco-infrastructure"` | | | keda.components | list | `[]` | The list of components that will be scaled by KEDA (chart names) | -| kibana-audit.elasticsearchHosts | string | `""` | Makes sure there is no default elasticsearch hosts defined | -| kibana-audit.enabled | bool | `true` | | -| kibana-audit.extraEnvs[0].name | string | `"SERVER_BASEPATH"` | | -| kibana-audit.extraEnvs[0].value | string | `"/kibana"` | | -| kibana-audit.extraEnvs[1].name | string | `"SERVER_REWRITEBASEPATH"` | | -| kibana-audit.extraEnvs[1].value | string | `"true"` | | -| kibana-audit.extraEnvs[2].name | string | `"ELASTICSEARCH_HOSTS"` | | -| kibana-audit.extraEnvs[2].valueFrom.configMapKeyRef.key | string | `"AUDIT_ELASTICSEARCH_URL"` | | -| kibana-audit.extraEnvs[2].valueFrom.configMapKeyRef.name | string | `"alfresco-infrastructure"` | | -| kibana-audit.extraEnvs[3].name | string | `"SERVER_PUBLICBASEURL"` | | -| kibana-audit.extraEnvs[3].valueFrom.configMapKeyRef.key | string | `"AUDIT_SERVER_PUBLICBASEURL"` | | -| kibana-audit.extraEnvs[3].valueFrom.configMapKeyRef.name | string | `"alfresco-infrastructure"` | | -| kibana-audit.extraEnvs[4].name | string | `"ELASTICSEARCH_USERNAME"` | | -| kibana-audit.extraEnvs[4].valueFrom.secretKeyRef.key | string | `"AUDIT_ELASTICSEARCH_USERNAME"` | | -| kibana-audit.extraEnvs[4].valueFrom.secretKeyRef.name | string | `"alfresco-aas-elasticsearch-secret"` | | -| kibana-audit.extraEnvs[5].name | string | `"ELASTICSEARCH_PASSWORD"` | | -| kibana-audit.extraEnvs[5].valueFrom.secretKeyRef.key | string | `"AUDIT_ELASTICSEARCH_PASSWORD"` | | -| kibana-audit.extraEnvs[5].valueFrom.secretKeyRef.name | string | `"alfresco-aas-elasticsearch-secret"` | | -| kibana-audit.healthCheckPath | string | `"/kibana/app/kibana"` | | -| 
kibana-audit.ingress.enabled | bool | `true` | | -| kibana-audit.ingress.hosts[0].paths[0].path | string | `"/kibana"` | | -| kibana-audit.ingress.hosts[0].paths[0].pathType | string | `"Prefix"` | | | messageBroker.brokerName | string | `nil` | name of the message broker as set in the Broker configuration | | messageBroker.existingSecretName | string | `nil` | Name of an existing secret that contains BROKER_USERNAME and BROKER_PASSWORD keys. and optionally the credentials to the web console (can be the same as broker access). | | messageBroker.password | string | `nil` | External message broker password | diff --git a/helm/alfresco-content-services/community_values.yaml b/helm/alfresco-content-services/community_values.yaml index 51dc99201..0e05b25f0 100644 --- a/helm/alfresco-content-services/community_values.yaml +++ b/helm/alfresco-content-services/community_values.yaml @@ -59,9 +59,5 @@ alfresco-connector-ms365: enabled: false alfresco-connector-msteams: enabled: false -elasticsearch-audit: - enabled: false -kibana-audit: - enabled: false alfresco-audit-storage: enabled: false diff --git a/helm/alfresco-content-services/pre-release_values.yaml b/helm/alfresco-content-services/pre-release_values.yaml index 0982cdc19..aa800af7e 100644 --- a/helm/alfresco-content-services/pre-release_values.yaml +++ b/helm/alfresco-content-services/pre-release_values.yaml @@ -78,6 +78,12 @@ alfresco-connector-ms365: alfresco-connector-msteams: image: tag: 2.0.4-A4 +elastisearch: + image: + tag: 7.17.26 + kibana: + image: + tag: 7.17.26 alfresco-audit-storage: image: tag: 1.0.0 diff --git a/helm/alfresco-content-services/templates/_helpers-audit.tpl b/helm/alfresco-content-services/templates/_helpers-audit.tpl new file mode 100644 index 000000000..1d62c484e --- /dev/null +++ b/helm/alfresco-content-services/templates/_helpers-audit.tpl 
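Review bot: The new top-level key in `pre-release_values.yaml` is spelled `elastisearch:`, which does not match the `elasticsearch` dependency name in Chart.yaml, so Helm will not pass these `image.tag` and `kibana.image.tag` overrides to the subchart. The effect is hidden today only because the README lists `7.17.26` as the chart default for both tags; the next time pre-release needs a different tag, the override will be silently ignored. Rename the key to `elasticsearch:`. The same misspelling appears in the three `it:` names added to `tests/search_test.yaml` (one of which also has `deafult`), where it is cosmetic but worth fixing in the same pass.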
@@ -0,0 +1,13 @@ +{{/* +Get Alfresco Audit Storage URL for testing +*/}} +{{- define "alfresco-content-services.audit.serviceName" -}} +{{- with (index .Values "alfresco-audit-storage") }} + {{- if .enabled }} + {{- $aasCtx := dict "Values" . "Chart" $.Chart "Release" $.Release }} + {{- $aasServiceName := include "alfresco-audit-storage.fullname" $aasCtx }} + {{- $aasServicePort := .service.port | toString }} + {{- printf "http://%s:%s" $aasServiceName $aasServicePort }} + {{- end }} +{{- end }} +{{- end }} diff --git a/helm/alfresco-content-services/templates/_helpers-search.tpl b/helm/alfresco-content-services/templates/_helpers-search.tpl index e6d7e7696..8f6562c3a 100644 --- a/helm/alfresco-content-services/templates/_helpers-search.tpl +++ b/helm/alfresco-content-services/templates/_helpers-search.tpl 
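Review bot: The header comment on `alfresco-content-services.audit.serviceName` says only "for testing", while the helper is named `serviceName`, returns a full `http://host:port` URL, and renders an empty string when `alfresco-audit-storage.enabled` is false. It also builds `$aasCtx` from the parent's `$.Chart`, so the result of `alfresco-audit-storage.fullname` presumably depends on the `alfresco-audit-storage.nameOverride` value this change adds to the README; that coupling is not stated in the template. I would extend the comment to describe the return value, the empty-when-disabled case and the `nameOverride` dependency, and add a usage line in the style of `_helpers-search.tpl`: `Usage: include "alfresco-content-services.audit.serviceName" $`.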
@@ -27,3 +27,28 @@ Usage: include "alfresco-content-services.search.flavor" $ {{- end }} {{- end }} {{- end -}} + +{{/* +Compute the url for elasticsearch for audit + +Usage: include "alfresco-content-services.audit.elasticsearchUrl" $ + +*/}} +{{- define "alfresco-content-services.audit.elasticsearchUrl" -}} +{{- $elasticsearch_audit_url := "" }} + {{- if .Values.global.auditIndex.url }} + {{- $elasticsearch_audit_url = .Values.global.auditIndex.url }} + {{- else }} + {{- with (index .Values "elasticsearch") }} + {{- if .enabled }} + {{- $auditEsHost := printf "%s-%s" $.Release.Name (($.Values.global.elasticsearch).service.name | default "elasticsearch") }} + {{- $auditEsPort := ($.Values.global.elasticsearch).service.ports.restApi | default 9200 }} + {{- $auditEsProto := .protocol | default "http" }} + {{- $elasticsearch_audit_url = coalesce $.Values.global.auditIndex.url (printf "%s://%s:%v" $auditEsProto $auditEsHost $auditEsPort) }} + {{- else if index $.Values "alfresco-audit-storage" "enabled" }} + {{- fail "Chart is configured to use Alfresco Audit Storage but no index backend has been provided. Set one using either global.auditIndex.url or elasticsearch.enabled" }} + {{- end }} + {{- end }} + {{- end }} + {{- print $elasticsearch_audit_url }} +{{- end -}} diff --git a/helm/alfresco-content-services/templates/config-infrastructure.yaml b/helm/alfresco-content-services/templates/config-infrastructure.yaml index fe88472b2..34d867c27 100644 --- a/helm/alfresco-content-services/templates/config-infrastructure.yaml +++ b/helm/alfresco-content-services/templates/config-infrastructure.yaml 
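Review bot: Inside the `else` branch of `alfresco-content-services.audit.elasticsearchUrl`, the `coalesce $.Values.global.auditIndex.url (...)` can never pick its first argument, because that branch is only reached when `global.auditIndex.url` is empty; the line can be `{{- $elasticsearch_audit_url = printf "%s://%s:%v" $auditEsProto $auditEsHost $auditEsPort }}`. The host and port expressions are also repeated in the first `config-infrastructure.yaml` hunk for `$esHost`/`$esPort`, so the two copies can drift; a small shared helper returning the embedded cluster URL would keep search and audit pointing at the same service. Both copies hard-code `<release>-elasticsearch` and default to `http`, which should be confirmed against the subchart's naming overrides and against the auth-enabled example, where credentials would travel unencrypted.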
@@ -30,9 +30,9 @@ data: {{- else if eq "elasticsearch" $search_flavor }} {{- with .Values.elasticsearch }} {{- if .enabled }} + {{- $esHost := printf "%s-%s" $.Release.Name (($.Values.global.elasticsearch).service.name | default "elasticsearch") }} + {{- $esPort := ($.Values.global.elasticsearch).service.ports.restApi | default 9200 }} {{- $esProto := .protocol | default "http" }} - {{- $esHost := printf "%s-%s" (.clusterName | default "elasticsearch") (.nodeGroup | default "master") }} - {{- $esPort := .port | default 9200 }} {{- $search_url = coalesce $.Values.global.search.url (printf "%s://%s:%v" $esProto $esHost $esPort) }} {{- else }} {{- fail "Chart is configured to use Alfresco Search Enterprise but no index backend has been provided. Set one using either global.search.url or elasticsearch.enabled" }} 
@@ -69,22 +69,7 @@ data: {{- fail "Alfresco Intelligence service has been enabled but Transformation service is not available" }} {{- end }} {{- end }} - {{- $elasticsearch_audit_url := "" }} - {{- if .Values.global.auditIndex.url }} - {{- $elasticsearch_audit_url = .Values.global.auditIndex.url }} - {{- else }} - {{- with (index .Values "elasticsearch-audit") }} - {{- if .enabled }} - {{- $auditEsProto := .protocol | default "http" }} - {{- $auditEsHost := printf "%s-%s" (.clusterName | default "elasticsearch") (.nodeGroup | default "master") }} - {{- $auditEsPort := .port | default 9200 }} - {{- $elasticsearch_audit_url = coalesce $.Values.global.auditIndex.url (printf "%s://%s:%v" $auditEsProto $auditEsHost $auditEsPort) }} - {{- else if index $.Values "alfresco-audit-storage" "enabled" }} - {{- fail "Chart is configured to use Alfresco Audit Storage but no index backend has been provided. Set one using either global.auditIndex.url or elasticsearch-audit.enabled" }} - {{- end }} - {{- end }} - {{- end }} + {{- $elasticsearch_audit_url := include "alfresco-content-services.audit.elasticsearchUrl" $ }} {{- printf "AUDIT_ELASTICSEARCH_URL: %s" $elasticsearch_audit_url | nindent 2 }} {{- printf "AUDIT_ELASTICSEARCH_HOST: %s" (include "alfresco-common.url.host" $elasticsearch_audit_url) | nindent 2 }} {{- printf "AUDIT_ELASTICSEARCH_PORT: %s" (include "alfresco-common.url.port" $elasticsearch_audit_url | quote) | nindent 2 }} - AUDIT_SERVER_PUBLICBASEURL: {{ .Values.global.auditIndex.publicBaseUrl | default "http://localhost/kibana" }} diff --git a/helm/alfresco-content-services/templates/secret-aas-elasticearch.yaml b/helm/alfresco-content-services/templates/secret-audit-elasticsearch.yaml similarity index 62% rename from helm/alfresco-content-services/templates/secret-aas-elasticearch.yaml rename to helm/alfresco-content-services/templates/secret-audit-elasticsearch.yaml index 5563f8967..a7ebbc807 100644 
--- a/helm/alfresco-content-services/templates/secret-aas-elasticearch.yaml +++ b/helm/alfresco-content-services/templates/secret-audit-elasticsearch.yaml @@ -8,7 +8,7 @@ metadata: {{- include "alfresco-content-services.labels" $ | nindent 4 }} type: Opaque data: - AUDIT_ELASTICSEARCH_USERNAME: {{ .username | default "elastic" | b64enc | quote }} - AUDIT_ELASTICSEARCH_PASSWORD: {{ .password | default "elastic" | b64enc | quote }} + AUDIT_ELASTICSEARCH_USERNAME: {{ .username | default "" | b64enc | quote }} + AUDIT_ELASTICSEARCH_PASSWORD: {{ .password | default "" | b64enc | quote }} {{- end }} {{- end }} diff --git a/helm/alfresco-content-services/templates/test/configmap-dtas.yaml b/helm/alfresco-content-services/templates/test/configmap-dtas.yaml index 54c16678c..d5ef2b0ac 100644 --- a/helm/alfresco-content-services/templates/test/configmap-dtas.yaml +++ b/helm/alfresco-content-services/templates/test/configmap-dtas.yaml @@ -4,5 +4,6 @@ kind: ConfigMap metadata: name: dtas-config data: - config.json: {{ .Values.dtas.config | toJson | quote }} + config.json: | + {{- tpl (toYaml .Values.dtas.config) $ | fromYaml | toJson | nindent 4 -}} {{- end -}} diff --git a/helm/alfresco-content-services/tests/config-infrastructure_test.yaml b/helm/alfresco-content-services/tests/config-infrastructure_test.yaml index 5024721ec..8976718e1 100644 --- a/helm/alfresco-content-services/tests/config-infrastructure_test.yaml +++ b/helm/alfresco-content-services/tests/config-infrastructure_test.yaml @@ -77,6 +77,7 @@ tests: alfresco-search-enterprise.enabled: true elasticsearch.enabled: false global.search.url: https://mydomain.opensearch.domain.tld + global.auditIndex.url: https://mydomain.opensearch.audit.domain.tld global.search.flavor: elasticsearch global.search.securecomms: none # commented to test url has precedence 
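Review bot: With the defaults changed to `""`, `secret-audit-elasticsearch.yaml` still renders a Secret whose `AUDIT_ELASTICSEARCH_USERNAME` and `AUDIT_ELASTICSEARCH_PASSWORD` are empty, and nothing in the file says that this is the intended "no authentication" case. Dropping the built-in `elastic`/`elastic` pair is the right direction, but a deployment that points `global.auditIndex.url` at a secured cluster and omits the credentials gets empty values with no render-time signal. I would add a template comment above the two keys, for example `{{- /* empty values mean unauthenticated access; set global.auditIndex.username/password or global.auditIndex.existingSecretName for a secured cluster */}}`. The enclosing `with`/`if` block opens outside the hunk, so the origin of `.username` is inferred from the tests rather than visible here.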
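Review bot: In `templates/test/configmap-dtas.yaml` the new pipeline passes the `tpl` output through `fromYaml`, which in Helm does not fail on malformed input but returns a map holding an `Error` key, so a templated value that renders to invalid YAML would produce a `config.json` containing only that error. Capture the result first and fail explicitly: `{{- $cfg := tpl (toYaml .Values.dtas.config) $ | fromYaml }}` followed by `{{- if hasKey $cfg "Error" }}{{ fail $cfg.Error }}{{ end }}`, then emit `$cfg | toJson | nindent 4`. A comment should also record that every string under `dtas.config` is now evaluated as a template with the full chart context.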
@@ -108,6 +109,9 @@ tests: - equal: path: data.SEARCH_URL value: https://mydomain.opensearch.domain.tld + - equal: + path: data.AUDIT_ELASTICSEARCH_URL + value: https://mydomain.opensearch.audit.domain.tld - notExists: path: data.SOLR_BASE_URL - equal: @@ -153,3 +157,38 @@ tests: - equal: path: data.DATABASE_URL value: jdbc:postgresql://alfresco:QA6fMXtdr%3EK%2F8aDFft,MJ%40p%3E@postgres-ha-primary.postgres-operator.svc:5432/alfresco + + - it: should render correct values when external elasticsearch and local elasticsearch for audit + values: *testvalues + set: + global.search.url: https://my.external.elasticsearch.com + asserts: + - equal: + path: data.SEARCH_URL + value: https://my.external.elasticsearch.com + - equal: + path: data.AUDIT_ELASTICSEARCH_URL + value: http://RELEASE-NAME-elasticsearch:9200 + + - it: should render correct values when external elasticsearch and external elasticsearch for audit + values: *testvalues + set: + global.search.url: https://my.external.elasticsearch.com + global.auditIndex.url: https://my.external.elasticsearch.com + asserts: + - equal: + path: data.SEARCH_URL + value: https://my.external.elasticsearch.com + - equal: + path: data.AUDIT_ELASTICSEARCH_URL + value: https://my.external.elasticsearch.com + + - it: should render same url for elasticsearch by default + values: *testvalues + asserts: + - equal: + path: data.SEARCH_URL + value: http://RELEASE-NAME-elasticsearch:9200 + - equal: + path: data.AUDIT_ELASTICSEARCH_URL + value: http://RELEASE-NAME-elasticsearch:9200 diff --git a/helm/alfresco-content-services/tests/search_test.yaml b/helm/alfresco-content-services/tests/search_test.yaml index 5b6e676e1..e0b9e2e65 100644 --- a/helm/alfresco-content-services/tests/search_test.yaml +++ b/helm/alfresco-content-services/tests/search_test.yaml 
@@ -3,6 +3,7 @@ suite: test repository properties in a secret templates: - config-infrastructure.yaml - secret-search.yaml + - secret-audit-elasticsearch.yaml tests: - it: should render solr6 with secret values: &testvalues @@ -97,10 +98,10 @@ tests: value: none - equal: path: data.SEARCH_URL - value: http://elasticsearch-master:9200 + value: http://RELEASE-NAME-elasticsearch:9200 - equal: path: data.SEARCH_HOST - value: elasticsearch-master + value: RELEASE-NAME-elasticsearch - equal: path: data.SEARCH_PORT value: "9200" 
@@ -175,3 +176,67 @@ tests: path: data.SEARCH_FLAVOR value: solr6 template: config-infrastructure.yaml + + - it: Should set deafult correct credentials for elastisearch + values: *testvalues + template: secret-search.yaml + asserts: + - equal: + path: data.SEARCH_USERNAME + value: "" + - equal: + path: data.SEARCH_PASSWORD + value: "" + + - it: Should set correct credentials with local audit and external elastisearch + values: *testvalues + set: + global: + search: + username: elastic + password: changeme + asserts: + - equal: + path: data.SEARCH_USERNAME + value: ZWxhc3RpYw== + template: secret-search.yaml + - equal: + path: data.SEARCH_PASSWORD + value: Y2hhbmdlbWU= + template: secret-search.yaml + - equal: + path: data.AUDIT_ELASTICSEARCH_USERNAME + value: "" + template: secret-audit-elasticsearch.yaml + - equal: + path: data.AUDIT_ELASTICSEARCH_PASSWORD + value: "" + template: secret-audit-elasticsearch.yaml + + - it: Should set correct credentials with external audit and external elastisearch as the same cluster + values: *testvalues + set: + global: + search: + username: elastic + password: changeme + auditIndex: + username: auditelastic + password: auditchangeme + asserts: + - equal: + path: data.SEARCH_USERNAME + value: ZWxhc3RpYw== + template: secret-search.yaml + - equal: + path: data.SEARCH_PASSWORD + value: Y2hhbmdlbWU= + template: secret-search.yaml + - equal: + path: data.AUDIT_ELASTICSEARCH_USERNAME + value: YXVkaXRlbGFzdGlj + template: secret-audit-elasticsearch.yaml + - equal: + path: data.AUDIT_ELASTICSEARCH_PASSWORD + value: YXVkaXRjaGFuZ2VtZQ== + template: secret-audit-elasticsearch.yaml diff --git a/helm/alfresco-content-services/values.yaml b/helm/alfresco-content-services/values.yaml index 463e0ab43..419afab10 100644 --- a/helm/alfresco-content-services/values.yaml +++ b/helm/alfresco-content-services/values.yaml 
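Review bot: The three new case titles carry typos (`deafult`, `elastisearch`) that make them hard to find by name in test output; the first could read `- it: Should set empty default credentials for elasticsearch`. The third title says "as the same cluster" while the values give the search and audit sides different credentials, so the title and the fixture disagree about what is being checked. The first case also asserts only `secret-search.yaml`; adding the two `AUDIT_ELASTICSEARCH_*` assertions against `secret-audit-elasticsearch.yaml` there would pin the empty default for the audit secret in the case that is named for defaults.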
@@ -63,18 +63,18 @@ global: # is solr6 or SEARCH_USERNAME and SEARCH_PASSWORD keys. existingSecretName: null auditIndex: - # -- Elasticsearch URL + # -- set this URL if you have an external elasticsearch for audit indexing url: null - # -- Elasticsearch username + # -- set usernname for authentication against the external elasticsearch service for audit indexing username: null - # -- Elasticsearch password + # -- set password for authentication against the external elasticsearch service for audit indexing password: null # -- Name of the secret managed by this chart secretName: &aas_elasticsearch_secretName alfresco-aas-elasticsearch-secret # -- Name of an existing secret that contains AUDIT_ELASTICSEARCH_USERNAME and AUDIT_ELASTICSEARCH_PASSWORD keys. existingSecretName: null - # -- Base url for kibana environment variable `SERVER_PUBLICBASEURL` - publicBaseUrl: null + # -- Enable/Disable Kibana for the embedded elasticsearch cluster + kibanaEnabled: false # -- If a private image registry a secret can be defined and passed to # kubernetes, see: # https://github.com/Alfresco/acs-deployment/blob/a924ad6670911f64f1bba680682d266dd4ea27fb/docs/helm/eks-deployment.md#docker-registry-secret 
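Review bot: The new comment on `password` invites putting the audit index password directly in chart values, where it is kept in the Helm release record and returned by `helm get values`; the comment should point at `existingSecretName`, which is documented two keys below. Suggested wording: `# -- set password for authentication against the external elasticsearch service for audit indexing (prefer existingSecretName so the password is not stored in chart values)`. The `username` comment has a typo, `usernname`, which will carry over into any docs generated from these `# --` lines. The hunk also drops the `publicBaseUrl` key here, so an existing override of it would presumably be ignored without warning; a changelog or upgrade note would cover that.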
@@ -549,32 +549,42 @@ alfresco-ai-transformer: elasticsearch: # -- Enables the embedded elasticsearch cluster enabled: true - replicas: 1 - clusterHealthCheckParams: "wait_for_status=yellow&timeout=1s" -elasticsearch-audit: - # -- Enables the embedded elasticsearch cluster for alfresco-audit-storage - enabled: true - nameOverride: elasticsearch-aas - replicas: 1 - clusterHealthCheckParams: "wait_for_status=yellow&timeout=1s" - clusterName: elasticsearch-aas - extraEnvs: - - name: ELASTIC_USERNAME - valueFrom: - secretKeyRef: - name: *aas_elasticsearch_secretName - key: AUDIT_ELASTICSEARCH_USERNAME - - name: ELASTIC_PASSWORD - valueFrom: - secretKeyRef: - name: *aas_elasticsearch_secretName - key: AUDIT_ELASTICSEARCH_PASSWORD + image: + tag: 7.17.26 + master: + masterOnly: false + replicaCount: 1 + data: + replicaCount: 0 + coordinating: + replicaCount: 0 + ingest: + replicaCount: 0 + kibana: + image: + tag: 7.17.26 + configuration: + server: + basePath: "/kibana" + # -- This setting defines the base URL for accessing Kibana in your deployment. + # - For **local deployments**: Use "http://localhost/kibana" (default). + # - For **production or remote deployments**: Replace `localhost` with the fully qualified domain name (FQDN) or IP address + # where Kibana is accessible. Example: "http://kibana.mycompany.com" or "http://192.168.1.100/kibana". + # - Ensure this URL is accessible by users or other services that need to interact with Kibana. 
+ publicBaseUrl: "http://localhost/kibana" + rewriteBasePath: true + ingress: + enabled: true + ingressClassName: nginx + hostname: "*" + path: /kibana ingress: # -- toggle deploying elasticsearch-audit ingress for more details about configuration check - # https://github.com/elastic/helm-charts/blob/main/elasticsearch/values.yaml#L255 + # https://github.com/bitnami/charts/blob/main/bitnami/elasticsearch/values.yaml#L366 enabled: false alfresco-audit-storage: enabled: true + nameOverride: alfresco-audit-storage image: repository: quay.io/alfresco/alfresco-audit-storage tag: 1.0.0 @@ -595,43 +605,6 @@ alfresco-audit-storage: keys: username: AUDIT_ELASTICSEARCH_USERNAME password: AUDIT_ELASTICSEARCH_PASSWORD -kibana-audit: - enabled: true - healthCheckPath: "/kibana/app/kibana" - # -- Makes sure there is no default elasticsearch hosts defined - elasticsearchHosts: "" - # All of the values has to be set there to escape the issue with overriding the values - extraEnvs: - - name: SERVER_BASEPATH - value: "/kibana" - - name: SERVER_REWRITEBASEPATH - value: "true" - - name: ELASTICSEARCH_HOSTS - valueFrom: - configMapKeyRef: - name: *infrastructure_cmName - key: AUDIT_ELASTICSEARCH_URL - - name: SERVER_PUBLICBASEURL - valueFrom: - configMapKeyRef: - name: *infrastructure_cmName - key: AUDIT_SERVER_PUBLICBASEURL - - name: ELASTICSEARCH_USERNAME - valueFrom: - secretKeyRef: - name: *aas_elasticsearch_secretName - key: AUDIT_ELASTICSEARCH_USERNAME - - name: ELASTICSEARCH_PASSWORD - valueFrom: - secretKeyRef: - name: *aas_elasticsearch_secretName - key: AUDIT_ELASTICSEARCH_PASSWORD - ingress: - enabled: true - hosts: - - paths: - - path: /kibana - pathType: Prefix dtas: # -- Enables the deployment test suite which can run via `helm test` (currently available for Enterprise only) enabled: false 
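Review bot: The `kibana.ingress` block added here defaults to `enabled: true` with `hostname: "*"`, so once Kibana is switched on it is published under `/kibana` on every host name the nginx ingress serves. The audit secret template in this commit now defaults its credentials to empty and the new docs page presents authentication as an opt-in example, so that route may front a Kibana without authentication over audit data; the subchart defaults are not visible here, so this needs confirming. I would default it to `enabled: false`, as the elasticsearch `ingress` just below does, or document the exposure next to it, e.g. `# -- exposes Kibana at /kibana on all ingress hosts; enable authentication before turning this on`. The retained comment `toggle deploying elasticsearch-audit ingress` names a subchart that this hunk removes.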
@@ -661,8 +634,8 @@ dtas: adw: base_path: "/workspace" aas: - audit_host: http://acs-alfresco-audit-storage:8081 - elasticsearch_host: http://elasticsearch-aas-master:9200 + audit_host: '{{ include "alfresco-content-services.audit.serviceName" $ }}' + elasticsearch_host: '{{ include "alfresco-content-services.audit.elasticsearchUrl" $ }}' keda: # -- The list of components that will be scaled by KEDA (chart names) components: [] diff --git a/test/community-integration-test-values.yaml b/test/community-integration-test-values.yaml index ebf951370..1d41c478a 100644 --- a/test/community-integration-test-values.yaml +++ b/test/community-integration-test-values.yaml @@ -90,10 +90,6 @@ postgresql: limits: cpu: "2" memory: "1Gi" -elasticsearch-audit: - enabled: false -kibana-audit: - enabled: false alfresco-audit-storage: enabled: false dtas: diff --git a/test/enterprise-integration-test-values.yaml b/test/enterprise-integration-test-values.yaml index e62cbcff2..4d91e6f14 100644 --- a/test/enterprise-integration-test-values.yaml +++ b/test/enterprise-integration-test-values.yaml @@ -37,14 +37,22 @@ alfresco-search: cpu: "2" memory: "1280Mi" elasticsearch: - esJavaOpts: "-Xmx512m -Xms512m" - resources: - requests: - cpu: "0.25" - memory: "512Mi" - limits: - cpu: "1" - memory: "1Gi" + master: + resources: + requests: + cpu: "0.25" + memory: "512Mi" + limits: + cpu: "1" + memory: "1Gi" + kibana: + resources: + requests: + cpu: "0.25" + memory: "512Mi" + limits: + cpu: "1" + memory: "1Gi" alfresco-search-enterprise: reindexing: hookExecution: false 
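Review bot: `audit_host` used to carry a scheme and port (`http://acs-alfresco-audit-storage:8081`) and is now filled from a helper named `alfresco-content-services.audit.serviceName`; the helper body is not in this hunk, so it is worth confirming that it returns a full URL and not a bare service name. These two values are also the first template expressions under `dtas.config`, and they only work because configmap-dtas.yaml now passes the config through `tpl`. A comment above them such as `# -- values under dtas.config are rendered with tpl, so template expressions are allowed` would tell users that, and that literal `{{` in a value will be evaluated. The `dtas.config` mapping starts outside this hunk.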
@@ -180,20 +188,11 @@ alfresco-ai-transformer: memory: "512Mi" livenessProbe: initialDelaySeconds: 120 -elasticsearch-audit: - resources: - requests: - cpu: "0.01" - memory: "256Mi" alfresco-audit-storage: resources: requests: cpu: "0.01" memory: "256Mi" -kibana-audit: - resources: - requests: - cpu: "0.01" - memory: "256Mi" dtas: enabled: true +# In case of any changes, please ensure that the values are also updated in `docs/helm/values/local-dev_values.yaml`