Fix: Quote ES credentials #505

Merged
merged 1 commit into from
Jun 19, 2024

@VLZZZ VLZZZ commented Jun 18, 2024

What was changed

Elasticsearch plaintext credentials are now escaped to respect passwords which contain special characters.

Why?

Without this change it's impossible to use a password with special characters, which might be obligatory for some 3rd party managed Elasticsearch solutions.
E.g. when using AWS OpenSearch you're obliged to use special symbols if using a master password instead of IAM auth.

Checklist

  1. Closes [Bug] Can't use specials character in password with the Elasticsearch visibility storage #504

  2. How was this tested:
    We're using a custom fork with this change already.

  3. Any docs updates needed?
    No

@VLZZZ VLZZZ requested a review from a team as a code owner June 18, 2024 21:50
@robholland robholland changed the title fix: Escape ES credentials Fix: Quote ES credentials Jun 19, 2024
@robholland robholland merged commit aca7017 into temporalio:master Jun 19, 2024
2 checks passed
mihaelabalas84 added a commit to fairmoney/temporal-helm-charts that referenced this pull request Aug 16, 2024
* update ui image to 2.25.0 (temporalio#478)

Signed-off-by: Tihomir Surdilovic <tihomir@temporal.io>

* Allow forcing a specific chart version. (temporalio#479)

This is useful for patch releases on older release lines.

* Update Chart to 0.37.0, Temporal v1.23.1

* Ensure appVersion is used by default as the server image tag. (temporalio#488)

* Bumps server version to the specified appVersion
* Use chart.appversion instead of image.tag from values in deployment spec
* Allow overriding deployment spec with image.tag

---------

Co-authored-by: Kshitij <kshitij.tulsyan@observe.ai>

* Update Chart to 0.38.1, Temporal v1.23.1

* [Bug] Allow and document configuring Web UI via values.yaml (temporalio#394)

1. remove web ui config in values.yaml
2. remove web config volume in web-deployment.yaml
3. remove web-config config map
4. remove line 280 since the install bash didn't configure web ui auth
5. update the document for web ui configuration with env variable

Co-authored-by: Rob Holland <rob.holland@gmail.com>

* fix(imageTag): Fix default type in values for imageTag (temporalio#489)

* Update Chart to 0.39.0, Temporal v1.24.0

* Update README.md

* Update Chart to 0.39.1, Temporal v1.24.1

* Switch to devrel.

* Support new admintools image tag format (temporalio#493)

* Require tags for server, admintools and ui.

Don't use server tag for admintools, it's versioned separately now.

* Update Chart to 0.40.0.

* fix: add support for pre upgrade. (temporalio#476)

* adding missing ImagePullSecrets section to web deployment

* Whitespace.

* fix: Use visibility server when defining visibility config (temporalio#436)

Co-authored-by: Rob Holland <rob@temporal.io>

* fix: sidecarContainers should be an array, not a dict

* Use tplvalues.render for templating inside values (temporalio#492)

Allow templated values inside the values.yaml for web annotations

* Apply security context regardless of persistence engine. (temporalio#494)

Replaces temporalio#308.

* Update Chart to 0.40.1.

* Allow to skip database creation (temporalio#480)

Signed-off-by: Valentin Zayash <valioozz@gmail.com>

* Update Cassandra host URLs to remove the ".cluster.local" suffix (temporalio#485)

* Update Cassandra host URLs to remove the ".cluster.local" suffix

* Configure SQL TLS environment variables in server-job (temporalio#411)

* Configure SQL_TLS environment variables in server-job

* Update Chart to 0.41.0.

* Fix weird helm lint false alarm. Fixes temporalio#284.

* Helm 2 compat. Fixes temporalio#187.

* Update codeowners.

* Revert "Update Cassandra host URLs to remove the ".cluster.local" suffix (temporalio#485)" (temporalio#500)

This reverts commit b25c4fc.

* Update Chart to 0.41.1.

* Adds a PodDisruptionBudget and topologySpreadConstraints to web (temporalio#409)

* Adds a PodDisruptionBudget and topologySpreadConstraints to web

* fixing type on topologySpreadConstraints
topologySpreadConstraints should be a list instead of map

* Update Chart to 0.42.0.

* Update README to mention you cannot do Cassandra only anymore. (temporalio#499)

Related: temporalio#470.

* Remove invalid line. (temporalio#502)

Fixes temporalio#426

* Service account should be set when present, even if not creating. (temporalio#498)

Fixes temporalio#403.

* Correct outdated port config. (temporalio#497)

Fixes temporalio#333 and temporalio#149.

Context: temporalio/temporal#650

* Update Chart to 0.43.0.

* ElasticSearch -> Elasticsearch

* fix: Escape ES credentials (temporalio#505)

* feat: updated grafana and prometheus helm dependencies (temporalio#424)

* feat: bump grafana and prometheus charts versions

Signed-off-by: David Calvert <david@0xdc.me>

* Remove hard coded cluster.local references. (temporalio#501)

Switch check-cassandra-service init container to use nc. nslookup in recent
busybox images is broken and doesn't obey resolv.conf, meaning it won't check
k8s search domains.

* Enable HTTP API for Nexus (temporalio#511)

* Enable HTTP API for Nexus

* Update charts/temporal/templates/server-service.yaml

* Add FE Ingress (temporalio#435)

* Add ingress for frontend

* Add CONTRIBUTING.

* Note contributing in README.

* Note slack channel.

* Use a shared config map for all services. (temporalio#514)

Remove helpers in favour of defaults via values file.
Remove unused Elasticsearch environment variables.
Stop switching between es-visibility and visibility for store names.

* Pass `ct lint`

* Lint chart on PR.

* Setup for `ci install`. (temporalio#522)

* Setup for `ci install`.

Adds a test so that `helm test` now checks that the cluster is healthy after
the system is deployed.

Refactors server-job to remove the use of helm hooks which cause a lot of users
pain and don't work with --wait, or the mechanism that helm test uses.

Improve the handling of elasticsearch by treating it just like the other drivers.

Correctly handle the schema.createDatabase setting which previously had edge cases.

* Secret key fixes.

* Fix missed ES quoting issue.

* Add postgres-es test.

* Fix branch reference.

* Update Chart to 0.44.0.

* Update README to use repo. (temporalio#531)

* Update README to use repo.

Fixes temporalio#458

---------

Co-authored-by: Alex Garnett <axfelix@gmail.com>

* Check for pgx driver as well as plain postgres. (temporalio#546)

Fixes temporalio#532

* Templatize resourceLabels for standardization (temporalio#539)

* Templatize resourceLabels for standardization

---------

Signed-off-by: Tihomir Surdilovic <tihomir@temporal.io>
Signed-off-by: Valentin Zayash <valioozz@gmail.com>
Signed-off-by: David Calvert <david@0xdc.me>
Co-authored-by: Tihomir Surdilovic <tihomir@temporal.io>
Co-authored-by: Rob Holland <rob.holland@gmail.com>
Co-authored-by: Temporal Data <commander-data@temporal.io>
Co-authored-by: Kshitij Tulsyan <ktulsyan1990@gmail.com>
Co-authored-by: Kshitij <kshitij.tulsyan@observe.ai>
Co-authored-by: Jingyu <56581242+washanhanzi@users.noreply.github.com>
Co-authored-by: Theo REY <account@reyth.dev>
Co-authored-by: Alex Shtin <alex@shtin.com>
Co-authored-by: Rob Holland <rob@temporal.io>
Co-authored-by: Punit Kulal <punitkulal1996@gmail.com>
Co-authored-by: Gerardo Enrique Mora Salazar <gerardo@ibm.com>
Co-authored-by: Giovanny Gutiérrez <giovanny.gutierrez@commure.com>
Co-authored-by: vogre <334187+vogre@users.noreply.github.com>
Co-authored-by: Valentin Zayash <VLZZZ@users.noreply.github.com>
Co-authored-by: Chris Taylor <taylor.cj@gmail.com>
Co-authored-by: Grzegorz Kołakowski <grzegorz8@gmail.com>
Co-authored-by: Prathyush PV <prathyushpv@gmail.com>
Co-authored-by: sringel <903498+sringel@users.noreply.github.com>
Co-authored-by: Alex Shtin <alex@temporal.io>
Co-authored-by: David Calvert <david@0xdc.me>
Co-authored-by: Roey Berman <roey@temporal.io>
Co-authored-by: Rahul Kumar <rahulcomp24@gmail.com>
Co-authored-by: Alex Garnett <axfelix@gmail.com>
Co-authored-by: Sahil Vazirani <sahilvv@gmail.com>
mihaelabalas84 added a commit to fairmoney/temporal-helm-charts that referenced this pull request Oct 2, 2024
* Feat add authorization options (temporalio#542)

Server authorization config.

* Quote sql password for default store in the same way as the visibility store (temporalio#551)

* Update Chart to 0.45.0.

* Update Chart to 0.45.1.

* Update UI version description (temporalio#556)

* Use admintools-env and secret for ES password consistent with e.g. jobs (temporalio#530)

* Provide option to create default namespace (temporalio#550)

* Provide option to create default namespace
* Create multiple namespaces with optional retention
---------

Co-authored-by: Manan Mangal <mmangal@paloaltonetworks.com>

* add Job annotations and labels (temporalio#536)

* add job labels and annotations

Signed-off-by: André Bauer <andre.bauer@staffbase.com>
Co-authored-by: Rob Holland <rob.holland@gmail.com>

---------

Signed-off-by: André Bauer <andre.bauer@staffbase.com>
Co-authored-by: Rob Holland <rob.holland@gmail.com>

* Config to specify tags to be excluded in prometheus metrics (temporalio#566)

* Config to specify tags to be excluded in prometheus metrics

---------

Co-authored-by: Rob Holland <rob@temporal.io>

* Update Chart to 0.46.0.

* Ensure we use global for includes. (temporalio#568)

Some call sites used . which was sometimes not the global context.

* Update Chart to 0.46.1.

* Update _helpers.tpl to avoid nested custom resource label (temporalio#576)

* Update Chart to 0.46.2.

* fix indentation

---------

Signed-off-by: Tihomir Surdilovic <tihomir@temporal.io>
Signed-off-by: Valentin Zayash <valioozz@gmail.com>
Signed-off-by: David Calvert <david@0xdc.me>
Signed-off-by: André Bauer <andre.bauer@staffbase.com>
Co-authored-by: Tihomir Surdilovic <tihomir@temporal.io>
Co-authored-by: Rob Holland <rob.holland@gmail.com>
Co-authored-by: Temporal Data <commander-data@temporal.io>
Co-authored-by: Kshitij Tulsyan <ktulsyan1990@gmail.com>
Co-authored-by: Kshitij <kshitij.tulsyan@observe.ai>
Co-authored-by: Jingyu <56581242+washanhanzi@users.noreply.github.com>
Co-authored-by: Theo REY <account@reyth.dev>
Co-authored-by: Alex Shtin <alex@shtin.com>
Co-authored-by: Rob Holland <rob@temporal.io>
Co-authored-by: Punit Kulal <punitkulal1996@gmail.com>
Co-authored-by: Gerardo Enrique Mora Salazar <gerardo@ibm.com>
Co-authored-by: Giovanny Gutiérrez <giovanny.gutierrez@commure.com>
Co-authored-by: vogre <334187+vogre@users.noreply.github.com>
Co-authored-by: Valentin Zayash <VLZZZ@users.noreply.github.com>
Co-authored-by: Chris Taylor <taylor.cj@gmail.com>
Co-authored-by: Grzegorz Kołakowski <grzegorz8@gmail.com>
Co-authored-by: Prathyush PV <prathyushpv@gmail.com>
Co-authored-by: sringel <903498+sringel@users.noreply.github.com>
Co-authored-by: Alex Shtin <alex@temporal.io>
Co-authored-by: David Calvert <david@0xdc.me>
Co-authored-by: Roey Berman <roey@temporal.io>
Co-authored-by: Rahul Kumar <rahulcomp24@gmail.com>
Co-authored-by: Alex Garnett <axfelix@gmail.com>
Co-authored-by: Sahil Vazirani <sahilvv@gmail.com>
Co-authored-by: Quinn <116631861+qs-synth@users.noreply.github.com>
Co-authored-by: Kristian Nordman <kristian@limber.no>
Co-authored-by: Alex Tideman <alex.tideman@gmail.com>
Co-authored-by: Csaba Tűz <124735422+csabatuz-chess@users.noreply.github.com>
Co-authored-by: Manan Mangal <mananmangal@gmail.com>
Co-authored-by: Manan Mangal <mmangal@paloaltonetworks.com>
Co-authored-by: André Bauer <monotek@users.noreply.github.com>