From 6d4191c1e64cba16d7df229c62c341384b023fa9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mike=20C=C3=B4t=C3=A9?=
Date: Thu, 8 Aug 2019 19:47:52 -0400
Subject: [PATCH] Connect to Elasticsearch via SSL when starting kibana with `--ssl` (#42840)
* Initial work
* Add check for elasticsearch.hosts
* Make --ssl apply default config values only
* Move @kbn/dev-utils to devDependencies
* Check elasticsearch url for localhost
* Cleanup
* elasticsearch.hosts can be string too
---
 package.json | 1 +
 src/cli/serve/serve.js | 32 +++++++++++++++++++++++++++++---
 2 files changed, 30 insertions(+), 3 deletions(-)
diff --git a/package.json b/package.json
index aceb03b8d22e3..95708106c01e2 100644
--- a/package.json
+++ b/package.json
@@ -267,6 +267,7 @@
 "@elastic/eslint-config-kibana": "0.15.0",
 "@elastic/github-checks-reporter": "0.0.20b3",
 "@elastic/makelogs": "^4.4.0",
+ "@kbn/dev-utils": "1.0.0",
 "@kbn/es": "1.0.0",
 "@kbn/eslint-import-resolver-kibana": "2.0.0",
 "@kbn/eslint-plugin-eslint": "1.0.0",
diff --git a/src/cli/serve/serve.js b/src/cli/serve/serve.js
index 5bb50b55269db..7f479a7e118e0 100644
--- a/src/cli/serve/serve.js
+++ b/src/cli/serve/serve.js
@@ -20,6 +20,7 @@
 import _ from 'lodash';
 import { statSync } from 'fs';
 import { resolve } from 'path';
+import url from 'url';
 import { fromRoot, IS_KIBANA_DISTRIBUTABLE } from '../../legacy/utils';
 import { getConfig } from '../../legacy/server/path';
@@ -87,12 +88,37 @@ function applyConfigOverrides(rawConfig, opts, extraCliOptions) {
 }
 if (opts.ssl) {
- set('server.ssl.enabled', true);
- }
+ // @kbn/dev-utils is part of devDependencies
+ const { CA_CERT_PATH } = require('@kbn/dev-utils');
+ const customElasticsearchHosts = opts.elasticsearch
+ ? opts.elasticsearch.split(',')
+ : [].concat(get('elasticsearch.hosts') || []);
+
+ function ensureNotDefined(path) {
+ if (has(path)) {
+ throw new Error(`Can't use --ssl when "${path}" configuration is already defined.`);
+ }
+ }
+ ensureNotDefined('server.ssl.certificate');
+ ensureNotDefined('server.ssl.key');
+ ensureNotDefined('elasticsearch.ssl.certificateAuthorities');
+
+ const elasticsearchHosts = (
+ (customElasticsearchHosts.length > 0 && customElasticsearchHosts) ||
+ ['https://localhost:9200']
+ ).map(hostUrl => {
+ const parsedUrl = url.parse(hostUrl);
+ if (parsedUrl.hostname !== 'localhost') {
+ throw new Error(`Hostname "${parsedUrl.hostname}" can't be used with --ssl. Must be "localhost" to work with certificates.`);
+ }
+ return `https://localhost:${parsedUrl.port}`;
+ });
- if (opts.ssl && !has('server.ssl.certificate') && !has('server.ssl.key')) {
+ set('server.ssl.enabled', true);
 set('server.ssl.certificate', DEV_SSL_CERT_PATH);
 set('server.ssl.key', DEV_SSL_KEY_PATH);
+ set('elasticsearch.hosts', elasticsearchHosts);
+ set('elasticsearch.ssl.certificateAuthorities', CA_CERT_PATH);
 }
 }
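Review bot: In the `.map` callback, `parsedUrl.port` is `null` when a configured host has no explicit port (for example `https://localhost`), so the rewritten entry becomes `https://localhost:null`, which passes the hostname check and only fails later at connect time. Guard the port before interpolating, e.g. `return 'https://localhost' + (parsedUrl.port ? ':' + parsedUrl.port : '');`, or throw a clear error when it is missing. The rewrite also keeps only the port, so any credentials or path in the original host URL are dropped without notice; a comment such as `// --ssl rewrites each host to https://localhost:<port>; userinfo and path are discarded` would make that explicit. Separately, `require('@kbn/dev-utils')` resolves only where devDependencies are installed, so if `--ssl` is reachable in a distributable build (not visible in this hunk) it would fail with a module-not-found error rather than a usage message. applyConfigOverrides begins outside this hunk.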