Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

FTR - adjust auth for esSupertest in serverless #166745

Merged
merged 3 commits into from
Sep 21, 2023
Merged

FTR - adjust auth for esSupertest in serverless #166745

merged 3 commits into from
Sep 21, 2023

Conversation

pheyos
Copy link
Member

@pheyos pheyos commented Sep 19, 2023
edited
Loading

Summary

This PR removes the systemIndicesSuperuser auth in the esSupertest service for serverless test runs, adds certificateAuthorities to the Elasticsearch server config in serverless and adds a tiny test to verify functionality of this fix.

Details

Issues before this PR when using the esSupertest service in serverless tests (can be reproduced by running the added elasticsearch_api test without the supertest and config changes):

  1. Running against a local functional_tests_server, esSupertest produces an error: Error: self-signed certificate in certificate chain
  2. Running against an MKI project produces an error: unable to authenticate user [system_indices_superuser] for REST request [/], because the system_indices_superuser doesn't exist in MKI.

How this PR addresses the issues:

  1. Add certificateAuthorities to servers.elasticsearch in x-pack/test_serverless/shared/config.base.ts in the same way we already have it for servers.kibana
  2. Modify the esSUpertest service to not override the default ES auth when running in serverless, instead go with the default auth (regular superuser), which is the best we can get.

Additional information

It has been considered to add a serverless specific version of esSupertest in order to avoid the config.get('serverless') ? code. The fact that a number of stateful services are planned to be re-used in serverless and rely on esSupertest in combination with the very small change in a central service made it seem worth to make an exception here.

Note that service methods or tests that use esSupertest can still run into issues on serverless if they actually try to modify system indices. This should be avoided anyways and particularly for serverless tests.

@pheyos pheyos added release_note:skip Skip the PR/issue when compiling release notes backport:skip This commit does not require backporting v8.11.0 labels Sep 19, 2023
@pheyos pheyos self-assigned this Sep 19, 2023
@pheyos pheyos requested a review from a team as a code owner September 19, 2023 14:44
@pheyos
Copy link
Member Author

pheyos commented Sep 20, 2023

@elasticmachine merge upstream

@pheyos
Copy link
Member Author

pheyos commented Sep 20, 2023

@elasticmachine merge upstream

@kibana-ci
Copy link
Collaborator

💚 Build Succeeded

Metrics [docs]

✅ unchanged

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @pheyos

dmlemeshko
dmlemeshko approved these changes Sep 21, 2023
View reviewed changes
Copy link
Member

@dmlemeshko dmlemeshko left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@pheyos pheyos merged commit d2feac0 into elastic:main Sep 21, 2023
20 checks passed
@pheyos pheyos deleted the svl_ftr_es_supertest branch September 21, 2023 08:57
gergoabraham pushed a commit to gergoabraham/kibana that referenced this pull request Sep 21, 2023
@pheyos @gergoabraham
FTR - adjust auth for esSupertest in serverless (elastic#166745)
1eb09d8 
## Summary

This PR removes the `systemIndicesSuperuser` auth in the `esSupertest`
service for serverless test runs, adds `certificateAuthorities` to the
Elasticsearch server config in serverless and adds a tiny test to verify
functionality of this fix.

### Details

Issues before this PR when using the `esSupertest` service in serverless
tests (can be reproduced by running the added `elasticsearch_api` test
without the supertest and config changes):

1. Running against a local `functional_tests_server`, `esSupertest`
produces an error: `Error: self-signed certificate in certificate chain`
2. Running against an MKI project produces an error: `unable to
authenticate user [system_indices_superuser] for REST request [/]`,
because the `system_indices_superuser` doesn't exist in MKI.

How this PR addresses the issues:

1. Add `certificateAuthorities` to `servers.elasticsearch` in
`x-pack/test_serverless/shared/config.base.ts` in the same way we
already have it for `servers.kibana`
2. Modify the `esSUpertest` service to not override the default ES auth
when running in serverless, instead go with the default auth (regular
superuser), which is the best we can get.

### Additional information

It has been considered to add a serverless specific version of
`esSupertest` in order to avoid the `config.get('serverless') ?` code.
The fact that a number of stateful services are planned to be re-used in
serverless and rely on `esSupertest` in combination with the very small
change in a central service made it seem worth to make an exception
here.

Note that service methods or tests that use `esSupertest` can still run
into issues on serverless if they actually try to modify system indices.
This should be avoided anyways and particularly for serverless tests.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dmlemeshko dmlemeshko dmlemeshko approved these changes

Assignees

@pheyos pheyos

Labels
backport:skip This commit does not require backporting release_note:skip Skip the PR/issue when compiling release notes v8.11.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@pheyos @kibana-ci @dmlemeshko @kibanamachine