helm-charts
[Feature Request] Allow setting "insecure" option for curls made by store setup initContainer
Is your feature request related to a problem? Please describe.
We are trying to connect Temporal to ES as visibility storage, however, the ES endpoint requires HTTPS. Setting scheme to https (as shown below) is available. However, initContainer setup-{{ $store }}-store in server-job.yaml template will fail due to curl: (60) SSL certificate problem: unable to get local issuer certificate if we are using certificates issued by custom CA. I'd like to ignore the certificate - one use case might be that I'm just testing if we can deploy the Temporal instance to a new environment and connect to ES from within the new environment.
Describe the solution you'd like
I'm not sure if it's the best solution, but it would be nice if we had an insecure option in the values file. An example:
    elasticsearch:
      enabled: false
      external: true
      ...
      scheme: "https"
      # Set to true if you would like to, for example, disable certificate verification
      insecure: false
      ...
This value would be used in the server-job.yaml, like this:
    - name: setup-{{ $store }}-store
      image: "{{ $.Values.admintools.image.repository }}:{{ $.Values.admintools.image.tag }}"
      ...
      {{- else if eq $driver "elasticsearch" }}
      command: ['sh', '-c']
      args:
        - 'curl {{ if $.Values.elasticsearch.insecure -}}--insecure {{ end -}} -X PUT --fail --user "$ES_USER:$ES_PWD" $ES_SCHEME://$ES_HOST:$ES_PORT/_template/temporal_visibility_v1_template -H "Content-Type: application/json" --data-binary "@schema/elasticsearch/visibility/index_template_$ES_VERSION.json" 2>&1 &&
          curl {{ if $.Values.elasticsearch.insecure -}}--insecure {{ end -}} --head --fail --user "$ES_USER:$ES_PWD" $ES_SCHEME://$ES_HOST:$ES_PORT/$ES_VISIBILITY_INDEX 2>&1 ||
          curl {{ if $.Values.elasticsearch.insecure -}}--insecure {{ end -}} -X PUT --fail --user "$ES_USER:$ES_PWD" $ES_SCHEME://$ES_HOST:$ES_PORT/$ES_VISIBILITY_INDEX 2>&1'
      {{- end }}
The result would look like this if insecure: true:
    - name: setup-visibility-store
      image: "temporalio/admin-tools:1.25.2-tctl-1.18.1-cli-1.1.1"
      imagePullPolicy: IfNotPresent
      command: ['sh', '-c']
      args:
        - 'curl --insecure -X PUT --fail --user "$ES_USER:$ES_PWD" $ES_SCHEME://$ES_HOST:$ES_PORT/_template/temporal_visibility_v1_template -H "Content-Type: application/json" --data-binary "@schema/elasticsearch/visibility/index_template_$ES_VERSION.json" 2>&1 &&
          curl --insecure --head --fail --user "$ES_USER:$ES_PWD" $ES_SCHEME://$ES_HOST:$ES_PORT/$ES_VISIBILITY_INDEX 2>&1 ||
          curl --insecure -X PUT --fail --user "$ES_USER:$ES_PWD" $ES_SCHEME://$ES_HOST:$ES_PORT/$ES_VISIBILITY_INDEX 2>&1'
      ...
The result would look like this if insecure: false:
    - name: setup-visibility-store
      image: "temporalio/admin-tools:1.25.2-tctl-1.18.1-cli-1.1.1"
      imagePullPolicy: IfNotPresent
      command: ['sh', '-c']
      args:
        - 'curl -X PUT --fail --user "$ES_USER:$ES_PWD" $ES_SCHEME://$ES_HOST:$ES_PORT/_template/temporal_visibility_v1_template -H "Content-Type: application/json" --data-binary "@schema/elasticsearch/visibility/index_template_$ES_VERSION.json" 2>&1 &&
          curl --head --fail --user "$ES_USER:$ES_PWD" $ES_SCHEME://$ES_HOST:$ES_PORT/$ES_VISIBILITY_INDEX 2>&1 ||
          curl -X PUT --fail --user "$ES_USER:$ES_PWD" $ES_SCHEME://$ES_HOST:$ES_PORT/$ES_VISIBILITY_INDEX 2>&1'
Additional context
cURL manpage for insecure option: https://curl.se/docs/manpage.html#-k
Values for elasticsearch:
    elasticsearch:
      enabled: false
      external: true
      host: "elasticsearch-cluster-headless.elasticsearch.svc.cluster.local"
      port: "9200"
      version: "v7"
      scheme: "https"
      insecure: true|false
      logLevel: "info"
      ...some more values...
Experiencing the same issue. Is there a known workaround or a way to add additional trusted certificates?
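
Added example, not part of the issue thread or the chart's own code: a wrapper for the setup script's three curl calls that trusts a custom CA through curl's `--cacert` option and uses `--insecure` only when explicitly requested. `ES_CA_FILE`, `ES_INSECURE`, `CURL`, `es_curl` and `setup_visibility_store` are hypothetical names, and the CA bundle is assumed to be mounted into the container as a PEM file.

```shell
#!/bin/sh
# Added example. Hypothetical names: ES_CA_FILE, ES_INSECURE, CURL, es_curl,
# setup_visibility_store. ES_USER, ES_PWD, ES_SCHEME, ES_HOST, ES_PORT,
# ES_VERSION and ES_VISIBILITY_INDEX are the variables the issue's commands use.

# Run curl against Elasticsearch with exactly one TLS policy:
#   1. ES_CA_FILE set   -> verify the server against that PEM bundle (--cacert)
#   2. ES_INSECURE=true -> skip verification (--insecure) and log a warning
#   3. neither          -> curl's default trust store
es_curl() {
  if [ -n "${ES_CA_FILE:-}" ]; then
    if [ ! -r "$ES_CA_FILE" ]; then
      echo "error: CA bundle not readable: $ES_CA_FILE" >&2
      return 2   # fail closed; never fall back to --insecure silently
    fi
    set -- --cacert "$ES_CA_FILE" "$@"
  elif [ "${ES_INSECURE:-false}" = "true" ]; then
    echo "warning: TLS certificate verification disabled (ES_INSECURE=true)" >&2
    set -- --insecure "$@"
  fi
  # CURL can be overridden to dry-run the resulting command line.
  "${CURL:-curl}" --fail --user "$ES_USER:$ES_PWD" "$@"
}

# The same template PUT, index HEAD and index PUT sequence as in the issue.
setup_visibility_store() {
  base="$ES_SCHEME://$ES_HOST:$ES_PORT"
  es_curl -X PUT "$base/_template/temporal_visibility_v1_template" \
      -H "Content-Type: application/json" \
      --data-binary "@schema/elasticsearch/visibility/index_template_$ES_VERSION.json" &&
    es_curl --head "$base/$ES_VISIBILITY_INDEX" ||
    es_curl -X PUT "$base/$ES_VISIBILITY_INDEX"
}
```

With `ES_CA_FILE` set, certificate verification stays on and a wrong or missing bundle stops the job instead of downgrading to an unverified connection.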