fix: enable elasticsearch security to require authentication for all API access

- Enable xpack.security in Elasticsearch (was explicitly disabled) - Add ELASTIC_PASSWORD env var so the built-in elastic user gets the password - Disable HTTP SSL to keep plain HTTP while still enforcing basic auth - Disable transport SSL (single-node setup) - Update healthcheck to authenticate with elastic credentials
2026-05-28 06:20:14 +00:00 · 2026-05-27 09:42:02 +00:00
parent 2082fb6bbc
commit fd101a88f8
4 changed files with 15 additions and 3 deletions
--- a/Containers/fulltextsearch/healthcheck.sh
+++ b/Containers/fulltextsearch/healthcheck.sh
@@ -4,4 +4,4 @@ if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
    set -x
 fi

-curl -fs "http://127.0.0.1:9200/_cluster/health?filter_path=status" | grep -qE '"status":"(green|yellow)"' || exit 1
+curl -fs -u "elastic:$FULLTEXTSEARCH_PASSWORD" "http://127.0.0.1:9200/_cluster/health?filter_path=status" | grep -qE '"status":"(green|yellow)"' || exit 1
--- a/manual-install/latest.yml
+++ b/manual-install/latest.yml
@@ -455,7 +455,10 @@ services:
      - discovery.type=single-node
      - http.port=9200
      - xpack.license.self_generated.type=basic
-      - xpack.security.enabled=false
+      - xpack.security.enabled=true
+      - xpack.security.http.ssl.enabled=false
+      - xpack.security.transport.ssl.enabled=false
+      - ELASTIC_PASSWORD=${FULLTEXTSEARCH_PASSWORD}
      - indices.fielddata.cache.size=20%
      - indices.memory.index_buffer_size=20%
      - thread_pool.write.queue_size=1000
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-fulltextsearch-deployment.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-fulltextsearch-deployment.yaml
@@ -59,7 +59,13 @@ spec:
            - name: xpack.license.self_generated.type
              value: basic
            - name: xpack.security.enabled
+              value: "true"
+            - name: xpack.security.http.ssl.enabled
              value: "false"
+            - name: xpack.security.transport.ssl.enabled
+              value: "false"
+            - name: ELASTIC_PASSWORD
+              value: "{{ .Values.FULLTEXTSEARCH_PASSWORD }}"
          image: ghcr.io/nextcloud-releases/aio-fulltextsearch:20260515_145717
          readinessProbe:
            exec:
--- a/php/containers.json
+++ b/php/containers.json
@@ -828,7 +828,10 @@
        "discovery.type=single-node",
        "http.port=9200",
        "xpack.license.self_generated.type=basic",
-        "xpack.security.enabled=false",
+        "xpack.security.enabled=true",
+        "xpack.security.http.ssl.enabled=false",
+        "xpack.security.transport.ssl.enabled=false",
+        "ELASTIC_PASSWORD=%FULLTEXTSEARCH_PASSWORD%",
        "indices.fielddata.cache.size=20%",
        "indices.memory.index_buffer_size=20%",
        "thread_pool.write.queue_size=1000",