root
/
elasticsearch
mirror of https://github.com/elastic/elasticsearch.git
1
0
Fork 0
Code Issues Actions 1 Packages Projects Releases Wiki Activity
elasticsearch/qa/remote-clusters/build.gradle

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

102 lines
3.3 KiB
Groovy
Raw Normal View History

Add Docker-based tests for proxy connection mode (#51658) Adds more tests for the new "proxy" remote cluster connection mode, using a Docker-based setup, as well as testing SNI-based routing using HAProxy. - Checks that the new proxy mode can work in situations where the publish host of the nodes in the remote cluster are not routable. - Checks that the new proxy mode can work with clusters where nodes are hidden behind HAProxy. - Checks that the new proxy mode can work with clusters where nodes are hidden behind HAProxy, using SNI to identify the nodes/cluster behind HAProxy. Relates #49067
2020-02-03 16:44:55 +08:00
/*
Update sources with new SSPL+Elastic-2.0 license headers As per the new licensing change for Elasticsearch and Kibana this commit moves existing Apache 2.0 licensed source code to the new dual license SSPL+Elastic license 2.0. In addition, existing x-pack code now uses the new version 2.0 of the Elastic license. Full changes include: - Updating LICENSE and NOTICE files throughout the code base, as well as those packaged in our published artifacts - Update IDE integration to now use the new license header on newly created source files - Remove references to the "OSS" distribution from our documentation - Update build time verification checks to no longer allow Apache 2.0 license header in Elasticsearch source code - Replace all existing Apache 2.0 license headers for non-xpack code with updated header (vendored code with Apache 2.0 headers obviously remains the same). - Replace all Elastic license 1.0 headers with new 2.0 header in xpack.
2021-02-03 05:41:39 +08:00
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
Add AGPLv3 as a supported license
2024-09-14 04:28:03 +08:00
* or more contributor license agreements. Licensed under the "Elastic License
* 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
* Public License v 1"; you may not use this file except in compliance with, at
* your election, the "Elastic License 2.0", the "GNU Affero General Public
* License v3.0 only", or the "Server Side Public License, v 1".
Add Docker-based tests for proxy connection mode (#51658) Adds more tests for the new "proxy" remote cluster connection mode, using a Docker-based setup, as well as testing SNI-based routing using HAProxy. - Checks that the new proxy mode can work in situations where the publish host of the nodes in the remote cluster are not routable. - Checks that the new proxy mode can work with clusters where nodes are hidden behind HAProxy. - Checks that the new proxy mode can work with clusters where nodes are hidden behind HAProxy, using SNI to identify the nodes/cluster behind HAProxy. Relates #49067
2020-02-03 16:44:55 +08:00
*/
Define aarch64 packaging test tasks (#55073) We added tasks to build an ARM distribution and Docker image, but didn't provide any way to run packaging tests against them. Add extra loops on the possible Architecture values, and skip tasks that can't be run on the current Architecture.
2020-04-15 19:12:07 +08:00
import org.elasticsearch.gradle.Architecture
Remove internal build logic from public build tool plugins (#72470) Extract usage of internal API from TestClustersPlugin and PluginBuildPlugin and related plugins and build logic This includes a refactoring of ElasticsearchDistribution to handle types better in a way we can differentiate between supported Elasticsearch Distribution types supported in TestCkustersPlugin and types only supported in internal plugins. It also introduces a set of internal versions of public plugins. As part of this we also generate the plugin descriptors now. As a follow up on this we can actually move these public used classes into an extra project (declared as included build) We keep LoggedExec and VersionProperties effectively public And workaround for RestTestBase
2021-05-06 20:02:35 +08:00
import org.elasticsearch.gradle.VersionProperties
Restructure build tools java packages (#72030) Related to #71593 we move all build logic that is for elasticsearch build only into the org.elasticsearch.gradle.internal* packages This makes it clearer if build logic is considered to be used by external projects Ultimately we want to only expose TestCluster and PluginBuildPlugin logic to third party plugin authors. This is a very first step towards that direction.
2021-04-26 20:53:55 +08:00
import org.elasticsearch.gradle.internal.testfixtures.TestFixturesPlugin
Remove internal build logic from public build tool plugins (#72470) Extract usage of internal API from TestClustersPlugin and PluginBuildPlugin and related plugins and build logic This includes a refactoring of ElasticsearchDistribution to handle types better in a way we can differentiate between supported Elasticsearch Distribution types supported in TestCkustersPlugin and types only supported in internal plugins. It also introduces a set of internal versions of public plugins. As part of this we also generate the plugin descriptors now. As a follow up on this we can actually move these public used classes into an extra project (declared as included build) We keep LoggedExec and VersionProperties effectively public And workaround for RestTestBase
2021-05-06 20:02:35 +08:00
import static org.elasticsearch.gradle.internal.distribution.InternalElasticsearchDistributionTypes.DOCKER;
Add Docker-based tests for proxy connection mode (#51658) Adds more tests for the new "proxy" remote cluster connection mode, using a Docker-based setup, as well as testing SNI-based routing using HAProxy. - Checks that the new proxy mode can work in situations where the publish host of the nodes in the remote cluster are not routable. - Checks that the new proxy mode can work with clusters where nodes are hidden behind HAProxy. - Checks that the new proxy mode can work with clusters where nodes are hidden behind HAProxy, using SNI to identify the nodes/cluster behind HAProxy. Relates #49067
2020-02-03 16:44:55 +08:00
apply plugin: 'elasticsearch.standalone-rest-test'
apply plugin: 'elasticsearch.test.fixtures'
Split internal distribution handling into separate internal plugin (#57869) * Split internal distribution logic into separate plugin * Remove moved func test from DistributionDownloadPluginIT * Assert internal plugin is only appied on internal build * Extract common abstract test specification for plugin func tests * Provide proper failure if unexpected non jdk bundled bwc version is requested
2020-07-27 22:37:12 +08:00
apply plugin: 'elasticsearch.internal-distribution-download'
Add Docker-based tests for proxy connection mode (#51658) Adds more tests for the new "proxy" remote cluster connection mode, using a Docker-based setup, as well as testing SNI-based routing using HAProxy. - Checks that the new proxy mode can work in situations where the publish host of the nodes in the remote cluster are not routable. - Checks that the new proxy mode can work with clusters where nodes are hidden behind HAProxy. - Checks that the new proxy mode can work with clusters where nodes are hidden behind HAProxy, using SNI to identify the nodes/cluster behind HAProxy. Relates #49067
2020-02-03 16:44:55 +08:00
Ensure CI is run in FIPS 140 approved only mode (#64024) We were depending on the BouncyCastle FIPS own mechanics to set itself in approved only mode since we run with the Security Manager enabled. The check during startup seems to happen before we set our restrictive SecurityManager though in org.elasticsearch.bootstrap.Elasticsearch , and this means that BCFIPS would not be in approved only mode, unless explicitly configured so. This commit sets the appropriate JVM property to explicitly set BCFIPS in approved only mode in CI and adds tests to ensure that we will be running with BCFIPS in approved only mode when we expect to. It also sets xpack.security.fips_mode.enabled to true for all test clusters used in fips mode and sets the distribution to the default one. It adds a password to the elasticsearch keystore for all test clusters that run in fips mode. Moreover, it changes a few unit tests where we would use bcrypt even in FIPS 140 mode. These would still pass since we are bundling our own bcrypt implementation, but are now changed to use FIPS 140 approved algorithms instead for better coverage. It also addresses a number of tests that would fail in approved only mode Mainly: Tests that use PBKDF2 with a password less than 112 bits (14char). We elected to change the passwords used everywhere to be at least 14 characters long instead of mandating the use of pbkdf2_stretch because both pbkdf2 and pbkdf2_stretch are supported and allowed in fips mode and it makes sense to test with both. We could possibly figure out the password algorithm used for each test and adjust password length accordingly only for pbkdf2 but there is little value in that. It's good practice to use strong passwords so if our docs and tests use longer passwords, then it's for the best. The approach is brittle as there is no guarantee that the next test that will be added won't use a short password, so we add some testing documentation too. This leaves us with a possible coverage gap since we do support passwords as short as 6 characters but we only test with > 14 chars but the validation itself was not tested even before. Tests can be added in a followup, outside of fips related context. Tests that use a PKCS12 keystore and were not already muted. Tests that depend on running test clusters with a basic license or using the OSS distribution as FIPS 140 support is not available in neither of these. Finally, it adds some information around FIPS 140 testing in our testing documentation reference so that developers can hopefully keep in mind fips 140 related intricacies when writing/changing docs.
2020-12-24 03:00:49 +08:00
tasks.register("copyNodeKeyMaterial", Sync) {
Add Docker-based tests for proxy connection mode (#51658) Adds more tests for the new "proxy" remote cluster connection mode, using a Docker-based setup, as well as testing SNI-based routing using HAProxy. - Checks that the new proxy mode can work in situations where the publish host of the nodes in the remote cluster are not routable. - Checks that the new proxy mode can work with clusters where nodes are hidden behind HAProxy. - Checks that the new proxy mode can work with clusters where nodes are hidden behind HAProxy, using SNI to identify the nodes/cluster behind HAProxy. Relates #49067
2020-02-03 16:44:55 +08:00
from project(':x-pack:plugin:core')
Ensure CI is run in FIPS 140 approved only mode (#64024) We were depending on the BouncyCastle FIPS own mechanics to set itself in approved only mode since we run with the Security Manager enabled. The check during startup seems to happen before we set our restrictive SecurityManager though in org.elasticsearch.bootstrap.Elasticsearch , and this means that BCFIPS would not be in approved only mode, unless explicitly configured so. This commit sets the appropriate JVM property to explicitly set BCFIPS in approved only mode in CI and adds tests to ensure that we will be running with BCFIPS in approved only mode when we expect to. It also sets xpack.security.fips_mode.enabled to true for all test clusters used in fips mode and sets the distribution to the default one. It adds a password to the elasticsearch keystore for all test clusters that run in fips mode. Moreover, it changes a few unit tests where we would use bcrypt even in FIPS 140 mode. These would still pass since we are bundling our own bcrypt implementation, but are now changed to use FIPS 140 approved algorithms instead for better coverage. It also addresses a number of tests that would fail in approved only mode Mainly: Tests that use PBKDF2 with a password less than 112 bits (14char). We elected to change the passwords used everywhere to be at least 14 characters long instead of mandating the use of pbkdf2_stretch because both pbkdf2 and pbkdf2_stretch are supported and allowed in fips mode and it makes sense to test with both. We could possibly figure out the password algorithm used for each test and adjust password length accordingly only for pbkdf2 but there is little value in that. It's good practice to use strong passwords so if our docs and tests use longer passwords, then it's for the best. The approach is brittle as there is no guarantee that the next test that will be added won't use a short password, so we add some testing documentation too. This leaves us with a possible coverage gap since we do support passwords as short as 6 characters but we only test with > 14 chars but the validation itself was not tested even before. Tests can be added in a followup, outside of fips related context. Tests that use a PKCS12 keystore and were not already muted. Tests that depend on running test clusters with a basic license or using the OSS distribution as FIPS 140 support is not available in neither of these. Finally, it adds some information around FIPS 140 testing in our testing documentation reference so that developers can hopefully keep in mind fips 140 related intricacies when writing/changing docs.
2020-12-24 03:00:49 +08:00
.files(
'src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem',
'src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt'
)
Add Docker-based tests for proxy connection mode (#51658) Adds more tests for the new "proxy" remote cluster connection mode, using a Docker-based setup, as well as testing SNI-based routing using HAProxy. - Checks that the new proxy mode can work in situations where the publish host of the nodes in the remote cluster are not routable. - Checks that the new proxy mode can work with clusters where nodes are hidden behind HAProxy. - Checks that the new proxy mode can work with clusters where nodes are hidden behind HAProxy, using SNI to identify the nodes/cluster behind HAProxy. Relates #49067
2020-02-03 16:44:55 +08:00
into "${buildDir}/certs"
doLast {
file("${buildDir}/certs").setReadable(true, false)
Ensure CI is run in FIPS 140 approved only mode (#64024) We were depending on the BouncyCastle FIPS own mechanics to set itself in approved only mode since we run with the Security Manager enabled. The check during startup seems to happen before we set our restrictive SecurityManager though in org.elasticsearch.bootstrap.Elasticsearch , and this means that BCFIPS would not be in approved only mode, unless explicitly configured so. This commit sets the appropriate JVM property to explicitly set BCFIPS in approved only mode in CI and adds tests to ensure that we will be running with BCFIPS in approved only mode when we expect to. It also sets xpack.security.fips_mode.enabled to true for all test clusters used in fips mode and sets the distribution to the default one. It adds a password to the elasticsearch keystore for all test clusters that run in fips mode. Moreover, it changes a few unit tests where we would use bcrypt even in FIPS 140 mode. These would still pass since we are bundling our own bcrypt implementation, but are now changed to use FIPS 140 approved algorithms instead for better coverage. It also addresses a number of tests that would fail in approved only mode Mainly: Tests that use PBKDF2 with a password less than 112 bits (14char). We elected to change the passwords used everywhere to be at least 14 characters long instead of mandating the use of pbkdf2_stretch because both pbkdf2 and pbkdf2_stretch are supported and allowed in fips mode and it makes sense to test with both. We could possibly figure out the password algorithm used for each test and adjust password length accordingly only for pbkdf2 but there is little value in that. It's good practice to use strong passwords so if our docs and tests use longer passwords, then it's for the best. The approach is brittle as there is no guarantee that the next test that will be added won't use a short password, so we add some testing documentation too. This leaves us with a possible coverage gap since we do support passwords as short as 6 characters but we only test with > 14 chars but the validation itself was not tested even before. Tests can be added in a followup, outside of fips related context. Tests that use a PKCS12 keystore and were not already muted. Tests that depend on running test clusters with a basic license or using the OSS distribution as FIPS 140 support is not available in neither of these. Finally, it adds some information around FIPS 140 testing in our testing documentation reference so that developers can hopefully keep in mind fips 140 related intricacies when writing/changing docs.
2020-12-24 03:00:49 +08:00
file("${buildDir}/certs/testnode.pem").setReadable(true, false)
file("${buildDir}/certs/testnode.crt").setReadable(true, false)
Add Docker-based tests for proxy connection mode (#51658) Adds more tests for the new "proxy" remote cluster connection mode, using a Docker-based setup, as well as testing SNI-based routing using HAProxy. - Checks that the new proxy mode can work in situations where the publish host of the nodes in the remote cluster are not routable. - Checks that the new proxy mode can work with clusters where nodes are hidden behind HAProxy. - Checks that the new proxy mode can work with clusters where nodes are hidden behind HAProxy, using SNI to identify the nodes/cluster behind HAProxy. Relates #49067
2020-02-03 16:44:55 +08:00
}
}
Consolidate docker availability build logic (#52548)
2020-02-22 00:11:50 +08:00
elasticsearch_distributions {
docker {
Remove internal build logic from public build tool plugins (#72470) Extract usage of internal API from TestClustersPlugin and PluginBuildPlugin and related plugins and build logic This includes a refactoring of ElasticsearchDistribution to handle types better in a way we can differentiate between supported Elasticsearch Distribution types supported in TestCkustersPlugin and types only supported in internal plugins. It also introduces a set of internal versions of public plugins. As part of this we also generate the plugin descriptors now. As a follow up on this we can actually move these public used classes into an extra project (declared as included build) We keep LoggedExec and VersionProperties effectively public And workaround for RestTestBase
2021-05-06 20:02:35 +08:00
type = DOCKER
Define aarch64 packaging test tasks (#55073) We added tasks to build an ARM distribution and Docker image, but didn't provide any way to run packaging tests against them. Add extra loops on the possible Architecture values, and skip tasks that can't be run on the current Architecture.
2020-04-15 19:12:07 +08:00
architecture = Architecture.current()
Consolidate docker availability build logic (#52548)
2020-02-22 00:11:50 +08:00
version = VersionProperties.getElasticsearch()
failIfUnavailable = false // This ensures we skip this testing if Docker is unavailable
Add Docker-based tests for proxy connection mode (#51658) Adds more tests for the new "proxy" remote cluster connection mode, using a Docker-based setup, as well as testing SNI-based routing using HAProxy. - Checks that the new proxy mode can work in situations where the publish host of the nodes in the remote cluster are not routable. - Checks that the new proxy mode can work with clusters where nodes are hidden behind HAProxy. - Checks that the new proxy mode can work with clusters where nodes are hidden behind HAProxy, using SNI to identify the nodes/cluster behind HAProxy. Relates #49067
2020-02-03 16:44:55 +08:00
}
Consolidate docker availability build logic (#52548)
2020-02-22 00:11:50 +08:00
}
Update Gradle wrapper to 8.12 (#118683) This updates the gradle wrapper to 8.12 We addressed deprecation warnings due to the update that includes: - Fix change in TestOutputEvent api - Fix deprecation in groovy syntax - Use latest ospackage plugin containing our fix - Remove project usages at execution time - Fix deprecated project references in repository-old-versions
2024-12-30 22:34:24 +08:00
interface Injected {
@Inject
FileSystemOperations getFs()
}
Avoid tasks materialized during configuration phase (#65922) * Avoid tasks materialized during configuration phase * Fix RestTestFromSnippet testRoot setup
2020-12-12 23:14:17 +08:00
tasks.named("preProcessFixture").configure {
Ensure CI is run in FIPS 140 approved only mode (#64024) We were depending on the BouncyCastle FIPS own mechanics to set itself in approved only mode since we run with the Security Manager enabled. The check during startup seems to happen before we set our restrictive SecurityManager though in org.elasticsearch.bootstrap.Elasticsearch , and this means that BCFIPS would not be in approved only mode, unless explicitly configured so. This commit sets the appropriate JVM property to explicitly set BCFIPS in approved only mode in CI and adds tests to ensure that we will be running with BCFIPS in approved only mode when we expect to. It also sets xpack.security.fips_mode.enabled to true for all test clusters used in fips mode and sets the distribution to the default one. It adds a password to the elasticsearch keystore for all test clusters that run in fips mode. Moreover, it changes a few unit tests where we would use bcrypt even in FIPS 140 mode. These would still pass since we are bundling our own bcrypt implementation, but are now changed to use FIPS 140 approved algorithms instead for better coverage. It also addresses a number of tests that would fail in approved only mode Mainly: Tests that use PBKDF2 with a password less than 112 bits (14char). We elected to change the passwords used everywhere to be at least 14 characters long instead of mandating the use of pbkdf2_stretch because both pbkdf2 and pbkdf2_stretch are supported and allowed in fips mode and it makes sense to test with both. We could possibly figure out the password algorithm used for each test and adjust password length accordingly only for pbkdf2 but there is little value in that. It's good practice to use strong passwords so if our docs and tests use longer passwords, then it's for the best. The approach is brittle as there is no guarantee that the next test that will be added won't use a short password, so we add some testing documentation too. This leaves us with a possible coverage gap since we do support passwords as short as 6 characters but we only test with > 14 chars but the validation itself was not tested even before. Tests can be added in a followup, outside of fips related context. Tests that use a PKCS12 keystore and were not already muted. Tests that depend on running test clusters with a basic license or using the OSS distribution as FIPS 140 support is not available in neither of these. Finally, it adds some information around FIPS 140 testing in our testing documentation reference so that developers can hopefully keep in mind fips 140 related intricacies when writing/changing docs.
2020-12-24 03:00:49 +08:00
dependsOn "copyNodeKeyMaterial", elasticsearch_distributions.docker
Update Gradle wrapper to 8.12 (#118683) This updates the gradle wrapper to 8.12 We addressed deprecation warnings due to the update that includes: - Fix change in TestOutputEvent api - Fix deprecation in groovy syntax - Use latest ospackage plugin containing our fix - Remove project usages at execution time - Fix deprecated project references in repository-old-versions
2024-12-30 22:34:24 +08:00
def injected = project.objects.newInstance(Injected)
Add Docker-based tests for proxy connection mode (#51658) Adds more tests for the new "proxy" remote cluster connection mode, using a Docker-based setup, as well as testing SNI-based routing using HAProxy. - Checks that the new proxy mode can work in situations where the publish host of the nodes in the remote cluster are not routable. - Checks that the new proxy mode can work with clusters where nodes are hidden behind HAProxy. - Checks that the new proxy mode can work with clusters where nodes are hidden behind HAProxy, using SNI to identify the nodes/cluster behind HAProxy. Relates #49067
2020-02-03 16:44:55 +08:00
doLast {
// tests expect to have an empty repo
Update Gradle wrapper to 8.12 (#118683) This updates the gradle wrapper to 8.12 We addressed deprecation warnings due to the update that includes: - Fix change in TestOutputEvent api - Fix deprecation in groovy syntax - Use latest ospackage plugin containing our fix - Remove project usages at execution time - Fix deprecated project references in repository-old-versions
2024-12-30 22:34:24 +08:00
injected.fs.delete {
it.delete("${testFixturesDir}/repo")
it.delete("${testFixturesDir}/oss-repo")
}
Add Docker-based tests for proxy connection mode (#51658) Adds more tests for the new "proxy" remote cluster connection mode, using a Docker-based setup, as well as testing SNI-based routing using HAProxy. - Checks that the new proxy mode can work in situations where the publish host of the nodes in the remote cluster are not routable. - Checks that the new proxy mode can work with clusters where nodes are hidden behind HAProxy. - Checks that the new proxy mode can work with clusters where nodes are hidden behind HAProxy, using SNI to identify the nodes/cluster behind HAProxy. Relates #49067
2020-02-03 16:44:55 +08:00
createAndSetWritable(
Ensure docker test fixture preProcess task is always executed (#78421)
2021-09-29 23:07:50 +08:00
"${testFixturesDir}/repo",
"${testFixturesDir}/oss-repo",
"${testFixturesDir}/logs/default-1",
"${testFixturesDir}/logs/default-2",
"${testFixturesDir}/logs/oss-1",
"${testFixturesDir}/logs/oss-2"
Add Docker-based tests for proxy connection mode (#51658) Adds more tests for the new "proxy" remote cluster connection mode, using a Docker-based setup, as well as testing SNI-based routing using HAProxy. - Checks that the new proxy mode can work in situations where the publish host of the nodes in the remote cluster are not routable. - Checks that the new proxy mode can work with clusters where nodes are hidden behind HAProxy. - Checks that the new proxy mode can work with clusters where nodes are hidden behind HAProxy, using SNI to identify the nodes/cluster behind HAProxy. Relates #49067
2020-02-03 16:44:55 +08:00
)
}
}
Consolidate docker availability build logic (#52548)
2020-02-22 00:11:50 +08:00
dockerCompose {
tcpPortsToIgnoreWhenWaiting = [9600, 9601]
Remove usage of deprecated Provider#forUseAtConfigurationTime (#83932) Remove gradle api usage that has been deprecated with Gradle 7.4
2022-02-15 21:06:22 +08:00
if ('default'.equalsIgnoreCase(providers.systemProperty('tests.distribution').getOrElse('default'))) {
Consolidate docker availability build logic (#52548)
2020-02-22 00:11:50 +08:00
useComposeFiles = ['docker-compose.yml']
} else {
useComposeFiles = ['docker-compose-oss.yml']
Add Docker-based tests for proxy connection mode (#51658) Adds more tests for the new "proxy" remote cluster connection mode, using a Docker-based setup, as well as testing SNI-based routing using HAProxy. - Checks that the new proxy mode can work in situations where the publish host of the nodes in the remote cluster are not routable. - Checks that the new proxy mode can work with clusters where nodes are hidden behind HAProxy. - Checks that the new proxy mode can work with clusters where nodes are hidden behind HAProxy, using SNI to identify the nodes/cluster behind HAProxy. Relates #49067
2020-02-03 16:44:55 +08:00
}
}
def createAndSetWritable(Object... locations) {
locations.each { location ->
Update Gradle wrapper to 8.12 (#118683) This updates the gradle wrapper to 8.12 We addressed deprecation warnings due to the update that includes: - Fix change in TestOutputEvent api - Fix deprecation in groovy syntax - Use latest ospackage plugin containing our fix - Remove project usages at execution time - Fix deprecated project references in repository-old-versions
2024-12-30 22:34:24 +08:00
println "location = $location"
File file = new File(location)
Add Docker-based tests for proxy connection mode (#51658) Adds more tests for the new "proxy" remote cluster connection mode, using a Docker-based setup, as well as testing SNI-based routing using HAProxy. - Checks that the new proxy mode can work in situations where the publish host of the nodes in the remote cluster are not routable. - Checks that the new proxy mode can work with clusters where nodes are hidden behind HAProxy. - Checks that the new proxy mode can work with clusters where nodes are hidden behind HAProxy, using SNI to identify the nodes/cluster behind HAProxy. Relates #49067
2020-02-03 16:44:55 +08:00
file.mkdirs()
file.setWritable(true, false)
}
}
Replace immediate task creations by using task avoidance api (#60071) - Replace immediate task creations by using task avoidance api - One step closer to #56610 - Still many tasks are created during configuration phase. Tackled in separate steps
2020-07-31 17:29:14 +08:00
tasks.named("processTestResources").configure {
Add Docker-based tests for proxy connection mode (#51658) Adds more tests for the new "proxy" remote cluster connection mode, using a Docker-based setup, as well as testing SNI-based routing using HAProxy. - Checks that the new proxy mode can work in situations where the publish host of the nodes in the remote cluster are not routable. - Checks that the new proxy mode can work with clusters where nodes are hidden behind HAProxy. - Checks that the new proxy mode can work with clusters where nodes are hidden behind HAProxy, using SNI to identify the nodes/cluster behind HAProxy. Relates #49067
2020-02-03 16:44:55 +08:00
from project(':x-pack:plugin:core')
Ensure CI is run in FIPS 140 approved only mode (#64024) We were depending on the BouncyCastle FIPS own mechanics to set itself in approved only mode since we run with the Security Manager enabled. The check during startup seems to happen before we set our restrictive SecurityManager though in org.elasticsearch.bootstrap.Elasticsearch , and this means that BCFIPS would not be in approved only mode, unless explicitly configured so. This commit sets the appropriate JVM property to explicitly set BCFIPS in approved only mode in CI and adds tests to ensure that we will be running with BCFIPS in approved only mode when we expect to. It also sets xpack.security.fips_mode.enabled to true for all test clusters used in fips mode and sets the distribution to the default one. It adds a password to the elasticsearch keystore for all test clusters that run in fips mode. Moreover, it changes a few unit tests where we would use bcrypt even in FIPS 140 mode. These would still pass since we are bundling our own bcrypt implementation, but are now changed to use FIPS 140 approved algorithms instead for better coverage. It also addresses a number of tests that would fail in approved only mode Mainly: Tests that use PBKDF2 with a password less than 112 bits (14char). We elected to change the passwords used everywhere to be at least 14 characters long instead of mandating the use of pbkdf2_stretch because both pbkdf2 and pbkdf2_stretch are supported and allowed in fips mode and it makes sense to test with both. We could possibly figure out the password algorithm used for each test and adjust password length accordingly only for pbkdf2 but there is little value in that. It's good practice to use strong passwords so if our docs and tests use longer passwords, then it's for the best. The approach is brittle as there is no guarantee that the next test that will be added won't use a short password, so we add some testing documentation too. This leaves us with a possible coverage gap since we do support passwords as short as 6 characters but we only test with > 14 chars but the validation itself was not tested even before. Tests can be added in a followup, outside of fips related context. Tests that use a PKCS12 keystore and were not already muted. Tests that depend on running test clusters with a basic license or using the OSS distribution as FIPS 140 support is not available in neither of these. Finally, it adds some information around FIPS 140 testing in our testing documentation reference so that developers can hopefully keep in mind fips 140 related intricacies when writing/changing docs.
2020-12-24 03:00:49 +08:00
.files(
'src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem',
'src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt'
)
Add Docker-based tests for proxy connection mode (#51658) Adds more tests for the new "proxy" remote cluster connection mode, using a Docker-based setup, as well as testing SNI-based routing using HAProxy. - Checks that the new proxy mode can work in situations where the publish host of the nodes in the remote cluster are not routable. - Checks that the new proxy mode can work with clusters where nodes are hidden behind HAProxy. - Checks that the new proxy mode can work with clusters where nodes are hidden behind HAProxy, using SNI to identify the nodes/cluster behind HAProxy. Relates #49067
2020-02-03 16:44:55 +08:00
}
Replace immediate task creations by using task avoidance api (#60071) - Replace immediate task creations by using task avoidance api - One step closer to #56610 - Still many tasks are created during configuration phase. Tackled in separate steps
2020-07-31 17:29:14 +08:00
tasks.register("integTest", Test) {
Add Docker-based tests for proxy connection mode (#51658) Adds more tests for the new "proxy" remote cluster connection mode, using a Docker-based setup, as well as testing SNI-based routing using HAProxy. - Checks that the new proxy mode can work in situations where the publish host of the nodes in the remote cluster are not routable. - Checks that the new proxy mode can work with clusters where nodes are hidden behind HAProxy. - Checks that the new proxy mode can work with clusters where nodes are hidden behind HAProxy, using SNI to identify the nodes/cluster behind HAProxy. Relates #49067
2020-02-03 16:44:55 +08:00
outputs.doNotCacheIf('Build cache is disabled for Docker tests') { true }
maxParallelForks = '1'
include '**/*IT.class'
}
Replace immediate task creations by using task avoidance api (#60071) - Replace immediate task creations by using task avoidance api - One step closer to #56610 - Still many tasks are created during configuration phase. Tackled in separate steps
2020-07-31 17:29:14 +08:00
tasks.named("check").configure { dependsOn "integTest" }