Skip to content

Commit

Permalink
FTR - adjust auth for esSupertest in serverless (#166745)
Browse files Browse the repository at this point in the history
## Summary

This PR removes the `systemIndicesSuperuser` auth in the `esSupertest`
service for serverless test runs, adds `certificateAuthorities` to the
Elasticsearch server config in serverless and adds a tiny test to verify
functionality of this fix.

### Details

Issues before this PR when using the `esSupertest` service in serverless
tests (can be reproduced by running the added `elasticsearch_api` test
without the supertest and config changes):

1. Running against a local `functional_tests_server`, `esSupertest`
produces an error: `Error: self-signed certificate in certificate chain`
2. Running against an MKI project produces an error: `unable to
authenticate user [system_indices_superuser] for REST request [/]`,
because the `system_indices_superuser` doesn't exist in MKI.

How this PR addresses the issues:

1. Add `certificateAuthorities` to `servers.elasticsearch` in
`x-pack/test_serverless/shared/config.base.ts` in the same way we
already have it for `servers.kibana`
2. Modify the `esSUpertest` service to not override the default ES auth
when running in serverless, instead go with the default auth (regular
superuser), which is the best we can get.

### Additional information

It has been considered to add a serverless specific version of
`esSupertest` in order to avoid the `config.get('serverless') ?` code.
The fact that a number of stateful services are planned to be re-used in
serverless and rely on `esSupertest` in combination with the very small
change in a central service made it seem worth to make an exception
here.

Note that service methods or tests that use `esSupertest` can still run
into issues on serverless if they actually try to modify system indices.
This should be avoided anyways and particularly for serverless tests.
  • Loading branch information
pheyos authored Sep 21, 2023
1 parent f074853 commit d2feac0
Show file tree
Hide file tree
Showing 4 changed files with 32 additions and 3 deletions.
8 changes: 6 additions & 2 deletions test/api_integration/services/supertest.ts
Original file line number Diff line number Diff line change
Expand Up @@ -22,10 +22,14 @@ export function KibanaSupertestProvider({ getService }: FtrProviderContext) {
export function ElasticsearchSupertestProvider({ getService }: FtrProviderContext) {
const config = getService('config');
const esServerConfig = config.get('servers.elasticsearch');

// For stateful tests, use system indices user so tests can write to system indices
// For serverless tests, we don't have a system indices user, so we're using the default superuser
const elasticSearchServerUrl = formatUrl({
...esServerConfig,
// Use system indices user so tests can write to system indices
auth: `${systemIndicesSuperuser.username}:${systemIndicesSuperuser.password}`,
...(config.get('serverless')
? []
: { auth: `${systemIndicesSuperuser.username}:${systemIndicesSuperuser.password}` }),
});

let agentOptions = {};
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/

import { FtrProviderContext } from '../../ftr_provider_context';

export default function ({ getService }: FtrProviderContext) {
const esSupertest = getService('esSupertest');
const svlCommonApi = getService('svlCommonApi');

describe('Elasticsearch API', function () {
it('can request /', async () => {
const { body, status } = await esSupertest.get('/');
svlCommonApi.assertResponseStatusCode(200, status, body);
});
});
}
Original file line number Diff line number Diff line change
Expand Up @@ -34,5 +34,6 @@ export default function ({ loadTestFile }: FtrProviderContext) {
loadTestFile(require.resolve('./scripts_tests'));
loadTestFile(require.resolve('./search_oss'));
loadTestFile(require.resolve('./search_xpack'));
loadTestFile(require.resolve('./elasticsearch_api'));
});
}
6 changes: 5 additions & 1 deletion x-pack/test_serverless/shared/config.base.ts
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,11 @@ export default async () => {
protocol: 'https',
certificateAuthorities: process.env.TEST_CLOUD ? undefined : [Fs.readFileSync(CA_CERT_PATH)],
},
elasticsearch: { ...esTestConfig.getUrlParts(), protocol: 'https' },
elasticsearch: {
...esTestConfig.getUrlParts(),
protocol: 'https',
certificateAuthorities: process.env.TEST_CLOUD ? undefined : [Fs.readFileSync(CA_CERT_PATH)],
},
};

// "Fake" SAML provider
Expand Down

0 comments on commit d2feac0

Please sign in to comment.