diff --git a/.github/workflows/helm-community.yml b/.github/workflows/helm-community.yml index cc2f58bc3..fd552a007 100644 --- a/.github/workflows/helm-community.yml +++ b/.github/workflows/helm-community.yml @@ -89,6 +89,7 @@ jobs: helm repo add self https://alfresco.github.io/alfresco-helm-charts/ helm repo add codecentric https://codecentric.github.io/helm-charts/ helm repo add elastic https://helm.elastic.co/ + helm repo add wiremind https://wiremind.github.io/wiremind-helm-charts - name: Helm install run: | diff --git a/docs/helm/upgrades.md b/docs/helm/upgrades.md index 80953ff0c..dea76970b 100644 --- a/docs/helm/upgrades.md +++ b/docs/helm/upgrades.md @@ -20,6 +20,11 @@ version in which they have been released. * External dependencies on bitnami/common chart have been completely removed from alfresco charts. +* When using Elasticsearch, the username and password are now configured with + default values. See [secret + template](../../helm/alfresco-content-services/templates/secret-search.yaml) + It is strongly recommended to update these credentials to more secure values + to enhance security and prevent unauthorized access. ## 8.0.0 diff --git a/helm/alfresco-content-services/README.md b/helm/alfresco-content-services/README.md index d17fbe0fd..dac6cc07e 100644 --- a/helm/alfresco-content-services/README.md +++ b/helm/alfresco-content-services/README.md 
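Review bot: The `helm repo add wiremind https://wiremind.github.io/wiremind-helm-charts` line added to the repo-setup step of helm-community.yml brings a new third-party chart source into CI without saying which dependency needs it, and none of the hunks visible in this diff reference a chart from that repository. I would add a comment above it, such as `# wiremind: required by the <dependency-name> subchart`. It is also worth confirming that the dependency is pinned to an exact version in the chart's lock file, so that CI does not pick up a newer chart silently. The `run: |` block this line belongs to starts outside the hunk.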
@@ -61,13 +61,13 @@ Please refer to the [documentation](https://github.com/Alfresco/acs-deployment/b
 | alfresco-ai-transformer.messageBroker.existingSecret.name | string | `"acs-alfresco-cs-brokersecret"` | Name of the configmap which holds the message broker credentials |
 | alfresco-ai-transformer.sfs.existingConfigMap.keys.url | string | `"SFS_URL"` | Name of the key within the configmap which holds the sfs url |
 | alfresco-ai-transformer.sfs.existingConfigMap.name | string | `"alfresco-infrastructure"` | Name of the configmap which holds the ATS shared filestore URL |
-| alfresco-audit-storage.enabled | bool | `false` | |
+| alfresco-audit-storage.enabled | bool | `true` | |
 | alfresco-audit-storage.image.repository | string | `"quay.io/alfresco/alfresco-audit-storage"` | |
-| alfresco-audit-storage.image.tag | string | `"1.0.0"` | |
+| alfresco-audit-storage.image.tag | string | `"latest"` | |
 | alfresco-audit-storage.index.existingConfigMap.keys.url | string | `"AUDIT_ELASTICSEARCH_URL"` | |
 | alfresco-audit-storage.index.existingConfigMap.name | string | `"alfresco-infrastructure"` | |
-| alfresco-audit-storage.index.existingSecret.keys.password | string | `"AUDIT_ELASTICSEARCH_PASSWORD"` | |
-| alfresco-audit-storage.index.existingSecret.keys.username | string | `"AUDIT_ELASTICSEARCH_USERNAME"` | |
+| alfresco-audit-storage.index.existingSecret.keys.password | string | `"password"` | |
+| alfresco-audit-storage.index.existingSecret.keys.username | string | `"username"` | |
 | alfresco-audit-storage.index.existingSecret.name | string | `"alfresco-aas-elasticsearch-secret"` | |
 | alfresco-audit-storage.messageBroker.existingConfigMap.name | string | `"alfresco-infrastructure"` | Name of the configmap which holds the message broker URL |
 | alfresco-audit-storage.messageBroker.existingSecret.name | string | `"acs-alfresco-cs-brokersecret"` | Name of the configmap which holds the message broker credentials |
@@ -222,6 +222,8 @@ Please refer to the [documentation](https://github.com/Alfresco/acs-deployment/b
 | database.url | string | `nil` | External Postgresql jdbc url ex: `jdbc:postgresql://oldfashioned-mule-postgresql-acs:5432/alfresco` |
 | database.user | string | `nil` | External Postgresql database user |
 | dtas.additionalArgs[0] | string | `"--tb=short"` | |
+| dtas.config.assertions.aas.audit_host | string | `"http://acs-alfresco-audit-storage:8081"` | |
+| dtas.config.assertions.aas.elasticsearch_host | string | `"http://elasticsearch-aas-master:9200"` | |
 | dtas.config.assertions.acs.edition | string | `"Enterprise"` | |
 | dtas.config.assertions.acs.identity | bool | `false` | |
 | dtas.config.assertions.acs.modules[0].id | string | `"org.alfresco.integrations.google.docs"` | |
@@ -241,17 +243,20 @@ Please refer to the [documentation](https://github.com/Alfresco/acs-deployment/b
 | dtas.image.tag | string | `"v1.6.0"` | |
 | elasticsearch-audit.clusterHealthCheckParams | string | `"wait_for_status=yellow&timeout=1s"` | |
 | elasticsearch-audit.clusterName | string | `"elasticsearch-aas"` | |
-| elasticsearch-audit.enabled | bool | `false` | Enables the embedded elasticsearch cluster for alfresco-audit-storage |
+| elasticsearch-audit.enabled | bool | `true` | Enables the embedded elasticsearch cluster for alfresco-audit-storage |
 | elasticsearch-audit.extraEnvs[0].name | string | `"ELASTIC_USERNAME"` | |
-| elasticsearch-audit.extraEnvs[0].valueFrom.secretKeyRef.key | string | `"AUDIT_ELASTICSEARCH_USERNAME"` | |
+| elasticsearch-audit.extraEnvs[0].valueFrom.secretKeyRef.key | string | `"username"` | |
 | elasticsearch-audit.extraEnvs[0].valueFrom.secretKeyRef.name | string | `"alfresco-aas-elasticsearch-secret"` | |
 | elasticsearch-audit.extraEnvs[1].name | string | `"ELASTIC_PASSWORD"` | |
-| elasticsearch-audit.extraEnvs[1].valueFrom.secretKeyRef.key | string | `"AUDIT_ELASTICSEARCH_PASSWORD"` | |
+| elasticsearch-audit.extraEnvs[1].valueFrom.secretKeyRef.key | string | `"password"` | |
 | elasticsearch-audit.extraEnvs[1].valueFrom.secretKeyRef.name | string | `"alfresco-aas-elasticsearch-secret"` | |
+| elasticsearch-audit.httpTls.enabled | bool | `false` | |
 | elasticsearch-audit.ingress.enabled | bool | `false` | toggle deploying elasticsearch-audit ingress for more details about configuration check https://github.com/elastic/helm-charts/blob/main/elasticsearch/values.yaml#L255 |
+| elasticsearch-audit.minimumMasterNodes | int | `1` | |
 | elasticsearch-audit.nameOverride | string | `"elasticsearch-aas"` | |
 | elasticsearch-audit.protocol | string | `"http"` | |
 | elasticsearch-audit.replicas | int | `1` | |
+| elasticsearch-audit.secret | object | `{"enabled":false}` | Disabled to use the password produced by the umbrella chart |
 | elasticsearch.clusterHealthCheckParams | string | `"wait_for_status=yellow&timeout=1s"` | |
 | elasticsearch.enabled | bool | `true` | Enables the embedded elasticsearch cluster |
 | elasticsearch.extraEnvs[0].name | string | `"ELASTIC_USERNAME"` | |
@@ -264,7 +269,7 @@ Please refer to the [documentation](https://github.com/Alfresco/acs-deployment/b
 | elasticsearch.minimumMasterNodes | int | `1` | |
 | elasticsearch.protocol | string | `"http"` | |
 | elasticsearch.replicas | int | `1` | |
-| elasticsearch.secret | object | `{"enabled":false}` | Disabled to usel the password produced by the chart |
+| elasticsearch.secret | object | `{"enabled":false}` | Disabled to use the password produced by the umbrella chart |
 | elasticsearch.tests.enabled | bool | `false` | |
 | global.alfrescoRegistryPullSecrets | string | `nil` | If a private image registry a secret can be defined and passed to kubernetes, see: https://github.com/Alfresco/acs-deployment/blob/a924ad6670911f64f1bba680682d266dd4ea27fb/docs/helm/eks-deployment.md#docker-registry-secret |
 | global.auditIndex.existingSecretName | string | `nil` | Name of an existing secret that contains AUDIT_ELASTICSEARCH_USERNAME and AUDIT_ELASTICSEARCH_PASSWORD keys. |
@@ -290,7 +295,9 @@ Please refer to the [documentation](https://github.com/Alfresco/acs-deployment/b
 | global.strategy.rollingUpdate.maxUnavailable | int | `0` | |
 | infrastructure.configMapName | string | `"alfresco-infrastructure"` | |
 | keda.components | list | `[]` | The list of components that will be scaled by KEDA (chart names) |
-| kibana-audit.elasticsearchHosts | string | `""` | Makes sure there is no default elasticsearch hosts defined |
+| kibana-audit.elasticsearchCertificateSecret | string | `"elasticsearch-aas-master-certs"` | |
+| kibana-audit.elasticsearchCredentialSecret | string | `"alfresco-aas-elasticsearch-secret"` | |
+| kibana-audit.elasticsearchHosts | string | `"${ELASTICSEARCH_HOSTS}"` | Makes sure there is no default elasticsearch hosts defined |
 | kibana-audit.enabled | bool | `false` | |
 | kibana-audit.extraEnvs[0].name | string | `"SERVER_BASEPATH"` | |
 | kibana-audit.extraEnvs[0].value | string | `"/kibana"` | |
@@ -302,12 +309,6 @@ Please refer to the [documentation](https://github.com/Alfresco/acs-deployment/b
 | kibana-audit.extraEnvs[3].name | string | `"SERVER_PUBLICBASEURL"` | |
 | kibana-audit.extraEnvs[3].valueFrom.configMapKeyRef.key | string | `"AUDIT_SERVER_PUBLICBASEURL"` | |
 | kibana-audit.extraEnvs[3].valueFrom.configMapKeyRef.name | string | `"alfresco-infrastructure"` | |
-| kibana-audit.extraEnvs[4].name | string | `"ELASTICSEARCH_USERNAME"` | |
-| kibana-audit.extraEnvs[4].valueFrom.secretKeyRef.key | string | `"AUDIT_ELASTICSEARCH_USERNAME"` | |
-| kibana-audit.extraEnvs[4].valueFrom.secretKeyRef.name | string | `"alfresco-aas-elasticsearch-secret"` | |
-| kibana-audit.extraEnvs[5].name | string | `"ELASTICSEARCH_PASSWORD"` | |
-| kibana-audit.extraEnvs[5].valueFrom.secretKeyRef.key | string | `"AUDIT_ELASTICSEARCH_PASSWORD"` | |
-| kibana-audit.extraEnvs[5].valueFrom.secretKeyRef.name | string | `"alfresco-aas-elasticsearch-secret"` | |
 | kibana-audit.healthCheckPath | string | `"/kibana/app/kibana"` | |
 | kibana-audit.ingress.enabled | bool | `true` | |
 | kibana-audit.ingress.hosts[0].paths[0].path | string | `"/kibana"` | |
diff --git a/helm/alfresco-content-services/templates/secret-aas-elasticearch.yaml b/helm/alfresco-content-services/templates/secret-aas-elasticearch.yaml
index a4ecdc4ce..2edd36db6 100644
--- a/helm/alfresco-content-services/templates/secret-aas-elasticearch.yaml
+++ b/helm/alfresco-content-services/templates/secret-aas-elasticearch.yaml
@@ -8,7 +8,7 @@ metadata:
 {{- include "alfresco-content-services.labels" $ | nindent 4 }}
 type: Opaque
 data:
- AUDIT_ELASTICSEARCH_USERNAME: {{ .username | default "elasticuser" | b64enc | quote }}
- AUDIT_ELASTICSEARCH_PASSWORD: {{ .password | default "elasticpassword" | b64enc | quote }}
+ username: {{ .username | default "elastic" | b64enc | quote }}
+ password: {{ .password | default "elasticpassword" | b64enc | quote }}
 {{- end }}
 {{- end }}
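Review bot: The fallback values under `data:` in secret-aas-elasticearch.yaml are still fixed, publicly known credentials (`default "elastic"` / `default "elasticpassword"`), and this commit also turns `elasticsearch-audit.enabled` and `alfresco-audit-storage.enabled` on by default in values.yaml. An install that sets nothing therefore now runs an audit index protected by a known password for the `elastic` account, with `protocol: http` and `httpTls.enabled: false`. I would fail the render when no password is supplied, e.g. `password: {{ required "<values path of the audit index password> must be set" .password | b64enc | quote }}`, or generate a random value and keep it across upgrades. Renaming the keys to `username`/`password` also affects anyone using `global.auditIndex.existingSecretName`, whose README description still names the `AUDIT_ELASTICSEARCH_USERNAME` and `AUDIT_ELASTICSEARCH_PASSWORD` keys and should be updated. The blocks closed by the two `{{- end }}` lines open outside the hunk.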
diff --git a/helm/alfresco-content-services/values.yaml b/helm/alfresco-content-services/values.yaml index 6d2974028..21d9d6200 100644 --- a/helm/alfresco-content-services/values.yaml +++ b/helm/alfresco-content-services/values.yaml @@ -553,7 +553,7 @@ elasticsearch: clusterHealthCheckParams: "wait_for_status=yellow&timeout=1s" protocol: http minimumMasterNodes: 1 - # -- Disabled to usel the password produced by the chart + # -- Disabled to use the password produced by the umbrella chart secret: enabled: false httpTls: @@ -573,32 +573,38 @@ elasticsearch: enabled: false elasticsearch-audit: # -- Enables the embedded elasticsearch cluster for alfresco-audit-storage - enabled: false + enabled: true nameOverride: elasticsearch-aas replicas: 1 clusterHealthCheckParams: "wait_for_status=yellow&timeout=1s" clusterName: elasticsearch-aas protocol: http + minimumMasterNodes: 1 + # -- Disabled to use the password produced by the umbrella chart + secret: + enabled: false + httpTls: + enabled: false extraEnvs: - name: ELASTIC_USERNAME valueFrom: secretKeyRef: name: *aas_elasticsearch_secretName - key: AUDIT_ELASTICSEARCH_USERNAME + key: username - name: ELASTIC_PASSWORD valueFrom: secretKeyRef: name: *aas_elasticsearch_secretName - key: AUDIT_ELASTICSEARCH_PASSWORD + key: password ingress: # -- toggle deploying elasticsearch-audit ingress for more details about configuration check # https://github.com/elastic/helm-charts/blob/main/elasticsearch/values.yaml#L255 enabled: false alfresco-audit-storage: - enabled: false + enabled: true image: repository: quay.io/alfresco/alfresco-audit-storage - tag: 1.0.0 + tag: latest messageBroker: existingConfigMap: # -- Name of the configmap which holds the message broker URL 
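Review bot: `tag: latest` under `alfresco-audit-storage.image` (hunk `@@ -573,32 +573,38 @@`) replaces the pinned `1.0.0` in the same hunk that flips `enabled: true`. Every default install now pulls whatever image is currently published under a mutable tag, and two installs of the same chart version can run different code. Pin a released version (`tag: <released-version>`) or an image digest, as the previous value did. Enabling `elasticsearch-audit` and `alfresco-audit-storage` by default also changes what an upgrade deploys; if that is intended, `enabled: true` under `alfresco-audit-storage` deserves a `# --` comment saying so, since it has none. The `alfresco-audit-storage` block continues past the end of the hunk.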
@@ -614,13 +620,15 @@ alfresco-audit-storage: existingSecret: name: *aas_elasticsearch_secretName keys: - username: AUDIT_ELASTICSEARCH_USERNAME - password: AUDIT_ELASTICSEARCH_PASSWORD + username: username + password: password kibana-audit: enabled: false healthCheckPath: "/kibana/app/kibana" # -- Makes sure there is no default elasticsearch hosts defined - elasticsearchHosts: "" + elasticsearchHosts: ${ELASTICSEARCH_HOSTS} + elasticsearchCertificateSecret: elasticsearch-aas-master-certs + elasticsearchCredentialSecret: *aas_elasticsearch_secretName # All of the values has to be set there to escape the issue with overriding the values extraEnvs: - name: SERVER_BASEPATH @@ -637,16 +645,6 @@ kibana-audit: configMapKeyRef: name: *infrastructure_cmName key: AUDIT_SERVER_PUBLICBASEURL - - name: ELASTICSEARCH_USERNAME - valueFrom: - secretKeyRef: - name: *aas_elasticsearch_secretName - key: AUDIT_ELASTICSEARCH_USERNAME - - name: ELASTICSEARCH_PASSWORD - valueFrom: - secretKeyRef: - name: *aas_elasticsearch_secretName - key: AUDIT_ELASTICSEARCH_PASSWORD ingress: enabled: true hosts: @@ -681,9 +679,9 @@ dtas: installed: true adw: base_path: "/workspace" - # aas: - # audit_host: http://acs-alfresco-audit-storage:8081 - # elasticsearch_host: http://elasticsearch-aas-master:9200 + aas: + audit_host: http://acs-alfresco-audit-storage:8081 + elasticsearch_host: http://elasticsearch-aas-master:9200 keda: # -- The list of components that will be scaled by KEDA (chart names) components: []
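Review bot: The `# -- Makes sure there is no default elasticsearch hosts defined` comment above `elasticsearchHosts` in the `kibana-audit` block (hunk `@@ -614,13 +620,15 @@`) no longer matches the value, which is now `${ELASTICSEARCH_HOSTS}`, and the generated README row repeats the stale text. I would reword it along the lines of `# -- Taken from the ELASTICSEARCH_HOSTS environment variable`, after confirming where that variable is set; the `extraEnvs` entries visible in this diff do not define it. `elasticsearchCertificateSecret: elasticsearch-aas-master-certs` also needs a comment, because `elasticsearch-audit.httpTls.enabled` is `false` in this commit and the diff does not show that such a secret exists in that case. The `kibana-audit` block continues outside the hunk.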