Allow to use TLS with ES basic auth

[pavolloffay]

Resolves #1327

Signed-off-by: Pavol Loffay ploffay@redhat.com

[yurishkuro]

I don't follow the use case. If you are using username/password, you only need to talk over https. If you use a cert, your identity is already encoded in it, why pass pwd too?

[pavolloffay]

I think @jpkrohling can explain this well.

The basic header is used for authentication, whereas provided CA cert will enable TLS for secure communication.

[codecov]

Codecov Report

Merging #1388 into master will not change coverage.
The diff coverage is 100%.

@@          Coverage Diff           @@
##           master   #1388   +/-   ##
======================================
  Coverage     100%    100%           
======================================
  Files         164     164           
  Lines        7453    7460    +7     
======================================
+ Hits         7453    7460    +7

Impacted Files	Coverage Δ
plugin/storage/es/options.go	100% <100%> (ø)	⬆️
plugin/storage/es/dependencystore/storage.go	100% <0%> (ø)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update d8ab694...4bc92be. Read the comment docs.

[jpkrohling]

If you use a cert, your identity is already encoded in it, why pass pwd too?

From what I understand from this PR, this is not about enabling client cert auth, but rather, configuring the client to trust a CA, so that the server's cert is trusted.

[pavolloffay]

configuring the client to trust a CA, so that the server's cert is trusted.

That makes sense. Is my hypothesis correct that it will use TLS and basic auth is used to verify the identity?

@jpkrohling so does this PR makes sense. It should resolve #1327

[jpkrohling]

It certainly makes sense, especially for platforms like Kubernetes where a CA generates certs for services. The cert for this (root) CA should then be trusted by all services running in the platform, as opposed to trusting each service's cert individually.

[yurishkuro]

ok. My only concern is that the CLI options are now misleading, since it's natural to expect that -tls- options would only be considered if -tls-enabled flag is set, which is not the case here anymore.

[pavolloffay]

We allow CA also with token, I will change the flag message.

[pavolloffay]

My only concern is that the CLI options are now misleading, since it's natural to expect that -tls- options would only be considered if -tls-enabled flag is set, which is not the case here anymore

I have changed flag messages saying that es.tls enables tls with client certs.

[yurishkuro]

Lgtm