chore(build): revise and harden TLS for cl-es

Use Docker `secrets` to distribute certificates and keys for `cl-es`. - Remove unsafe default for `ELASTICSEARCH_CA_CERT`. - Create `ELASTICSEARCH_VERIFY_CERT` and verify certificates in development.
cweider · Oct 22, 2024 · 7db874f · 7db874f
1 parent 4de9412
commit 7db874f
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 2 deletions.
diff --git a/cl/settings/third_party/elasticsearch.py b/cl/settings/third_party/elasticsearch.py
@@ -53,9 +53,13 @@
     "ELASTICSEARCH_PASSWORD",
     default="password",
 )
+ELASTICSEARCH_VERIFY_CERT = env(
+    "ELASTICSEARCH_VERIFY_CERT",
+    default=False,
+)
 ELASTICSEARCH_CA_CERT = env(
     "ELASTICSEARCH_CA_CERT",
-    default="/opt/courtlistener/docker/elastic/ca.crt",
+    default="",
 )
 ELASTICSEARCH_TIMEOUT = env("ELASTICSEARCH_TIMEOUT", default=3500)
 ELASTICSEARCH_FAST_QUERIES_TIMEOUT = env(
@@ -64,7 +68,7 @@
 base_connection_params = {
     "hosts": ELASTICSEARCH_DSL_HOST,
     "http_auth": (ELASTICSEARCH_USER, ELASTICSEARCH_PASSWORD),
-    "verify_certs": False,
+    "verify_certs": ELASTICSEARCH_VERIFY_CERT,
     "ca_certs": ELASTICSEARCH_CA_CERT,
     "timeout": ELASTICSEARCH_TIMEOUT,
 }

diff --git a/docker/courtlistener/docker-compose.yml b/docker/courtlistener/docker-compose.yml
@@ -81,6 +81,7 @@ services:
       - ${CL_POSTGRES_RUN_DIR:-/var/run/postgresql}:/var/run/postgresql
       - ${CL_BASE_DIR:-../../}:/opt/courtlistener
       - ${CL_BASE_DIR:-../../}/docker/postgresql/cl-postgres.crt:/root/.postgresql/root.crt
+      - ${CL_BASE_DIR:-../../}/docker/elastic/cl-es.crt:/run/secrets/cl-es.crt
     networks:
       - cl_net_overlay
     env_file:
@@ -90,6 +91,8 @@ services:
         - AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}
         - AWS_SESSION_TOKEN=${AWS_SESSION_TOKEN}
         - DB_SSL_MODE=verify-full
+        - ELASTICSEARCH_VERIFY_CERT=True
+        - ELASTICSEARCH_CA_CERT=/run/secrets/cl-es.crt
 
   cl-django:
     container_name: cl-django
@@ -115,6 +118,7 @@ services:
       - ${CL_POSTGRES_RUN_DIR:-/var/run/postgresql}:/var/run/postgresql
       - ${CL_BASE_DIR:-../../}:/opt/courtlistener
       - ${CL_BASE_DIR:-../../}/docker/postgresql/cl-postgres.crt:/root/.postgresql/root.crt
+      - ${CL_BASE_DIR:-../../}/docker/elastic/cl-es.crt:/run/secrets/cl-es.crt
     networks:
       - cl_net_overlay
     env_file:
@@ -124,6 +128,8 @@ services:
         - AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}
         - AWS_SESSION_TOKEN=${AWS_SESSION_TOKEN}
         - DB_SSL_MODE=verify-full
+        - ELASTICSEARCH_VERIFY_CERT=True
+        - ELASTICSEARCH_CA_CERT=/run/secrets/cl-es.crt
 
   cl-selenium:
     container_name: cl-selenium