feat: configure elasticsearch to authenticate with an apiKey

Author: pleary

.github/workflows/CI-build-test.yml

@@ -37,12 +37,38 @@ jobs:
       uses: elastic/elastic-github-actions/elasticsearch@master
       with:
         stack-version: 8.15.3
-        security-enabled: false
+        security-enabled: true
+        elasticsearch_password: elasticsearch-password
         plugins: analysis-kuromoji
 
     - name: Elasticsearch is reachable
       run: |
-        curl --verbose --show-error http://localhost:9200
+        curl --verbose --show-error --fail -k -u elastic:elasticsearch-password http://localhost:9200
+
+    - name: Create Elasticsearch API Key
+      id: create_key
+      run: |
+        API_KEY_CREATE_RESPONSE=$(
+          curl -u "elastic:elasticsearch-password" \
+          -X POST "http://localhost:9200/_security/api_key" \
+          -H "Content-Type: application/json" \
+          -d '{
+            "name": "main-key",
+            "expiration": "1825d",
+            "role_descriptors": {
+              "main-role": {
+                "cluster": ["monitor"],
+                "indices": [
+                  {
+                    "names": ["test_*"],
+                    "privileges": ["write", "read", "manage"]
+                  }
+                ]
+              }
+            }
+          }')
+        ENCODED_KEY=$(echo $API_KEY_CREATE_RESPONSE | jq -r '.encoded')
+        echo "INAT_ES_API_KEY=$ENCODED_KEY" >> $GITHUB_ENV
 
     - name: Copy config
       run: |

config.js.ci

@@ -1,8 +1,13 @@
+const {
+  INAT_ES_API_KEY
+} = process.env;
+
 module.exports = {
   apiURL: "http://localhost:3000",
   currentVersionURL: "http://localhost:4000/v1",
   elasticsearch: {
-    host: "http://localhost:9200"
+    host: "http://localhost:9200",
+    apiKey: INAT_ES_API_KEY
   },
   database: {
     user: "postgres",

config_example.js

@@ -5,6 +5,7 @@ const {
   INAT_DB_USER,
   INAT_DB_PASS,
   INAT_ES_HOST,
+  INAT_ES_API_KEY,
   INAT_REDIS_HOST,
   INAT_RAILS_URL
 } = process.env;
@@ -17,7 +18,8 @@ module.exports = {
   apiHostSSL: false,
   writeHostSSL: false,
   elasticsearch: {
-    host: INAT_ES_HOST ? `http://${INAT_ES_HOST}:9200` : "http://localhost:9200"
+    host: INAT_ES_HOST ? `http://${INAT_ES_HOST}:9200` : "http://localhost:9200",
+    apiKey: INAT_ES_API_KEY || "apiKey"
   },
   // Note that the database name will be inferred from the NODE_ENV
   // environment variable, e.g. `inaturalist_${process.env.NODE_ENV}`, or it

lib/es_client.js

@@ -6,7 +6,7 @@ const config = require( "../config" );
 const util = require( "./util" );
 
 const esClient = { connection: null };
-const { host, hosts } = config.elasticsearch;
+const { host, hosts, apiKey } = config.elasticsearch;
 
 esClient.connect = ( ) => {
   if ( esClient.connection ) { return esClient.connection; }
@@ -21,6 +21,7 @@ esClient.connect = ( ) => {
   clientConfig.nodeSelector = "random";
   clientConfig.requestTimeout = 60000;
   clientConfig.maxRetries = 1;
+  clientConfig.auth = { apiKey };
   esClient.connection = new Client( clientConfig );
 
   esClient.connection.diagnostic.on( "response", ( err, result ) => {