Skip to content

Add TLS configuration support for Elasticsearch visibility store#862

Merged
robholland merged 2 commits intotemporalio:mainfrom
adamovittorio:add-es-tls-env-vars
Mar 25, 2026
Merged

Add TLS configuration support for Elasticsearch visibility store#862
robholland merged 2 commits intotemporalio:mainfrom
adamovittorio:add-es-tls-env-vars

Conversation

@adamovittorio
Copy link
Copy Markdown
Contributor

@adamovittorio adamovittorio commented Mar 16, 2026

Summary

The temporal-elasticsearch-tool binary supports a full set of TLS environment variables (ES_TLS, ES_TLS_CA_FILE, ES_TLS_CERT_FILE, ES_TLS_KEY_FILE, ES_TLS_SERVER_NAME, ES_TLS_DISABLE_HOST_VERIFICATION), but the chart's _admintools-env.yaml helper never sets them for the Elasticsearch driver. Both Cassandra and SQL drivers already have full TLS support in this helper.

This causes init containers (check-elasticsearch-index, setup-visibility-store) to fail with x509: certificate signed by unknown authority errors when connecting to Elasticsearch clusters with self-signed or custom CA certificates.

Changes

  • _admintools-env.yaml: Added tls config block to the Elasticsearch section, following the same pattern as SQL:
    • tls.enabledES_TLS
    • tls.caFileES_TLS_CA_FILE
    • tls.certFile / tls.keyFileES_TLS_CERT_FILE / ES_TLS_KEY_FILE
    • tls.serverNameES_TLS_SERVER_NAME
    • tls.enableHostVerificationES_TLS_DISABLE_HOST_VERIFICATION (inverted, consistent with Cassandra/SQL)
  • values.yaml: Added commented TLS example to the Elasticsearch configuration block
  • values/values.elasticsearch.yaml: Added commented TLS example

Example usage

server:
  config:
    persistence:
      datastores:
        visibility:
          elasticsearch:
            version: v7
            url:
              scheme: https
              host: "elasticsearch:9200"
            tls:
              enabled: true
              enableHostVerification: false
              # caFile: /path/to/ca.crt
              # certFile: /path/to/client.crt
              # keyFile: /path/to/client.key
              # serverName: elasticsearch.internal

Related

Made with Cursor

@adamovittorio
Add TLS configuration support for Elasticsearch visibility store
49d364b 
The `temporal-elasticsearch-tool` binary supports TLS env vars
(ES_TLS, ES_TLS_CA_FILE, ES_TLS_CERT_FILE, ES_TLS_KEY_FILE,
ES_TLS_SERVER_NAME, ES_TLS_DISABLE_HOST_VERIFICATION) but the
chart never sets them, unlike the Cassandra and SQL drivers which
already have full TLS support in _admintools-env.yaml.

This causes init containers (check-elasticsearch-index,
setup-visibility-store) to fail with x509 certificate errors
when connecting to Elasticsearch clusters with self-signed or
custom CA certificates.

This commit adds the same tls config block pattern used by
Cassandra and SQL to the Elasticsearch section, mapping:
  tls.enabled -> ES_TLS
  tls.caFile -> ES_TLS_CA_FILE
  tls.certFile -> ES_TLS_CERT_FILE
  tls.keyFile -> ES_TLS_KEY_FILE
  tls.serverName -> ES_TLS_SERVER_NAME
  tls.enableHostVerification -> ES_TLS_DISABLE_HOST_VERIFICATION (inverted)

Made-with: Cursor
@adamovittorio adamovittorio requested a review from a team as a code owner March 16, 2026 11:46
@yux0 yux0 self-assigned this Mar 23, 2026
@yux0
Copy link
Copy Markdown
Contributor

yux0 commented Mar 23, 2026

Code review

No issues found. Checked for bugs and CLAUDE.md compliance.

🤖 Generated with Claude Code

@yux0
Copy link
Copy Markdown
Contributor

yux0 commented Mar 23, 2026

This changes make sense to me. Could you add some tests under charts/temporal/tests/admintools_deployment_test.yaml?

@adamovittorio
Add unit tests for Elasticsearch TLS environment variables
d5a3ca3 
Tests verify that ES TLS env vars (ES_TLS, ES_TLS_CA_FILE,
ES_TLS_CERT_FILE, ES_TLS_KEY_FILE, ES_TLS_SERVER_NAME,
ES_TLS_DISABLE_HOST_VERIFICATION) are correctly rendered in
the server-job init containers via _admintools-env.yaml.

Covers full TLS config, minimal config (enabled only), and
enableHostVerification boolean inversion logic.

Made-with: Cursor
@adamovittorio
Copy link
Copy Markdown
Contributor Author

adamovittorio commented Mar 24, 2026

@yux0 added the tests for server_job_test that uses the admintools-env helper.

@yux0
Copy link
Copy Markdown
Contributor

yux0 commented Mar 25, 2026

@adamovittorio Stamped the changes. Thank you very much for the contribution!

@adamovittorio
Copy link
Copy Markdown
Contributor Author

adamovittorio commented Mar 25, 2026

I'm unable to merge the changes, and a workflow is waiting for a maintainer's approval. Thank you @yux0 🙏

@robholland robholland merged commit 8277818 into temporalio:main Mar 25, 2026
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@yux0 yux0 yux0 approved these changes

Assignees

@yux0 yux0

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@adamovittorio @yux0 @robholland