No longer setting certs and keys for proxied calls to Elasticsearch (#17804)

src/core_plugins/console/server/__tests__/elasticsearch_proxy_config.js

@@ -99,22 +99,22 @@ describe('plugins/console', function () {
         expect(agent.options.ca).to.contain('test ca certificate\n');
       });
 
-      it(`sets cert and key when certificate and key paths are specified`, function () {
+      it(`doesn't set cert and key when certificate and key paths are specified`, function () {
         setElasticsearchConfig('ssl.certificate', __dirname + '/fixtures/cert.crt');
         setElasticsearchConfig('ssl.key', __dirname + '/fixtures/cert.key');
 
         const { agent } = getElasticsearchProxyConfig(server);
-        expect(agent.options.cert).to.be('test certificate\n');
-        expect(agent.options.key).to.be('test key\n');
+        expect(agent.options.cert).to.be(undefined);
+        expect(agent.options.key).to.be(undefined);
       });
 
-      it(`sets passphrase when certificate, key and keyPassphrase are specified`, function () {
+      it(`doesn't set passphrase when certificate, key and keyPassphrase are specified`, function () {
         setElasticsearchConfig('ssl.certificate', __dirname + '/fixtures/cert.crt');
         setElasticsearchConfig('ssl.key', __dirname + '/fixtures/cert.key');
         setElasticsearchConfig('ssl.keyPassphrase', 'secret');
 
         const { agent } = getElasticsearchProxyConfig(server);
-        expect(agent.options.passphrase).to.be('secret');
+        expect(agent.options.passphrase).to.be(undefined);
       });
     });
   });

src/core_plugins/console/server/elasticsearch_proxy_config.js

@@ -36,13 +36,6 @@ const createAgent = (server) => {
     agentOptions.ca = config.get('elasticsearch.ssl.certificateAuthorities').map(readFile);
   }
 
-  // Add client certificate and key if required by elasticsearch
-  if (config.get('elasticsearch.ssl.certificate') && config.get('elasticsearch.ssl.key')) {
-    agentOptions.cert = readFile(config.get('elasticsearch.ssl.certificate'));
-    agentOptions.key = readFile(config.get('elasticsearch.ssl.key'));
-    agentOptions.passphrase = config.get('elasticsearch.ssl.keyPassphrase');
-  }
-
   return new https.Agent(agentOptions);
 };
 

src/core_plugins/elasticsearch/lib/__tests__/parse_config.js

@@ -69,7 +69,7 @@ describe('plugins/elasticsearch', function () {
         expect(config.ssl.ca).to.contain('test ca certificate\n');
       });
 
-      it(`sets cert and key when certificate and key paths are specified`, function () {
+      it(`by default sets cert and key when certificate and key paths are specified`, function () {
         serverConfig.ssl.certificate = __dirname + '/fixtures/cert.crt';
         serverConfig.ssl.key = __dirname + '/fixtures/cert.key';
 
@@ -78,7 +78,7 @@ describe('plugins/elasticsearch', function () {
         expect(config.ssl.key).to.be('test key\n');
       });
 
-      it(`sets passphrase when certificate, key and keyPassphrase are specified`, function () {
+      it(`by default sets passphrase when certificate, key and keyPassphrase are specified`, function () {
         serverConfig.ssl.certificate = __dirname + '/fixtures/cert.crt';
         serverConfig.ssl.key = __dirname + '/fixtures/cert.key';
         serverConfig.ssl.keyPassphrase = 'secret';
@@ -86,6 +86,24 @@ describe('plugins/elasticsearch', function () {
         const config = parseConfig(serverConfig);
         expect(config.ssl.passphrase).to.be('secret');
       });
+
+      it(`doesn't set cert and key when ignoreCertAndKey is true`, function () {
+        serverConfig.ssl.certificate = __dirname + '/fixtures/cert.crt';
+        serverConfig.ssl.key = __dirname + '/fixtures/cert.key';
+
+        const config = parseConfig(serverConfig, { ignoreCertAndKey: true });
+        expect(config.ssl.cert).to.be(undefined);
+        expect(config.ssl.key).to.be(undefined);
+      });
+
+      it(`by default sets passphrase when ignoreCertAndKey is true`, function () {
+        serverConfig.ssl.certificate = __dirname + '/fixtures/cert.crt';
+        serverConfig.ssl.key = __dirname + '/fixtures/cert.key';
+        serverConfig.ssl.keyPassphrase = 'secret';
+
+        const config = parseConfig(serverConfig, { ignoreCertAndKey: true });
+        expect(config.ssl.passphrase).to.be(undefined);
+      });
     });
   });
 });

src/core_plugins/elasticsearch/lib/cluster.js

@@ -15,7 +15,7 @@ export class Cluster {
 
     this._clients = new Set();
     this._client = this.createClient();
-    this._noAuthClient = this.createClient({ auth: false });
+    this._noAuthClient = this.createClient({ auth: false }, { ignoreCertAndKey: true });
 
     return this;
   }
@@ -53,13 +53,13 @@ export class Cluster {
     this._clients.clear();
   }
 
-  createClient = configOverrides => {
+  createClient = (configOverrides, parseOptions) => {
     const config = {
       ...this._getClientConfig(),
       ...configOverrides
     };
 
-    const client = new elasticsearch.Client(parseConfig(config));
+    const client = new elasticsearch.Client(parseConfig(config, parseOptions));
     this._clients.add(client);
     return client;
   }

src/core_plugins/elasticsearch/lib/create_agent.js

@@ -10,5 +10,5 @@ export default function (config) {
 
   if (!/^https/.test(target.protocol)) return new http.Agent();
 
-  return new https.Agent(parseConfig(config).ssl);
+  return new https.Agent(parseConfig(config, { ignoreCertAndKey: true }).ssl);
 }

src/core_plugins/elasticsearch/lib/parse_config.js

@@ -6,7 +6,7 @@ import Bluebird from 'bluebird';
 
 const readFile = (file) => readFileSync(file, 'utf8');
 
-export function parseConfig(serverConfig = {}) {
+export function parseConfig(serverConfig = {}, { ignoreCertAndKey = false } = {}) {
   const config = {
     keepAlive: true,
     ...pick(serverConfig, [
@@ -56,7 +56,7 @@ export function parseConfig(serverConfig = {}) {
   }
 
   // Add client certificate and key if required by elasticsearch
-  if (get(serverConfig, 'ssl.certificate') && get(serverConfig, 'ssl.key')) {
+  if (!ignoreCertAndKey && get(serverConfig, 'ssl.certificate') && get(serverConfig, 'ssl.key')) {
     config.ssl.cert = readFile(serverConfig.ssl.certificate);
     config.ssl.key = readFile(serverConfig.ssl.key);
     config.ssl.passphrase = serverConfig.ssl.keyPassphrase;