Introduce ssl settings to reindex from remote

[tvernum]

Adds reindex.ssl.* settings for reindex from remote.

This uses the ssl-config/ internal library to parse and load SSL
configuration and files. This SSL configuration is applied to the
low level rest client when connecting to a remote ES node.

Relates: #37287
Resolves: #29755

[elasticmachine]

Pinging @elastic/es-security

[elasticmachine]

Pinging @elastic/es-distributed

[tvernum]

@elastic/es-distributed I'm not sure who is the reindex from remote expert these days. Can someone volunteer to review?

[tvernum]

I have 2 follow up PRs after this one

1. To switch the reindex-with-security QA tests to use SSL
2. Another to update docs.

[tvernum]

The introduction of the Action as a generic type parameter and field (mainAction below) is an attempt to solve the problems that come from the way AbstractAsyncBulkByScrollAction calls buildScrollableResultSource from its constructor.
Because the call is made from the superclass's constructor, it means that TransportReindexAction.AsyncIndexBySearchAction.buildScrollableResultSource (and by extension buildRestClient) can't make use of any fields in the subclass.
But buildRestClient needs access to the ReindexSslConfig instance, so we either need to push that up into the base class, or come up with a different approach.
By pushing a generic mainAction up into the base class, we can access fields from the Action without needing to duplicate them in AbstractAsyncBulkByScrollAction. This allows us to also remove scriptService from this class.

[ywelsch]

Thanks @tvernum. I've left two initial comments. I'm not super familiar with the SSL work though.

[ywelsch]

register the ssl-config project in the top-level build.gradle under projectSubstitutions, and then you can use compile "org.elasticsearch:elasticsearch-ssl-config:${version}"
Also check if the ssl-config is properly published through the release manager

[tvernum]

Thanks @ywelsch, will do.

[tvernum]

The build.gradle change has been pushed, and there is an open PR for release manager.

[tvernum]

Actually @ywelsch Is there a reason you think this should be in release-manager? I don't think we publish any reindex jars that would need this.
As an example we don't publish the grok libs that are used in ingest modules.

[ywelsch]

you're right. No need for that.

[ywelsch]

In addition to this test here, can you also add a reindex test to x-pack? This will provide us a full end-to-end test.

[tvernum]

There's an existing reindex-with-security test in x-pack/qa.
I have a change prepared to switch it to use SSL. I left it out of this change so that this PR could be limited to the parts that needed reviews from the distributed team.
I'll open that PR now (the test will fail until this is PR is merged, but it will be available for review)

[tvernum]

I opened #37600 with that test change.

[tvernum]

Ping @jkakavas

[ywelsch]

LGTM

[jkakavas]

LGTM Tim, sorry for the delay

[tvernum]

@elasticmachine test this please

[tvernum]

02:45:53   1> [2019-01-29T08:45:53,368][INFO ][o.e.u.FullClusterRestartIT] [testRecovery] after test
02:45:53 FAILURE 0.09s | FullClusterRestartIT.testRecovery <<< FAILURES!
02:45:53    > Throwable #1: java.lang.AssertionError: expected version to be one of [8.0.0,7.6.0] but was p 0 testrecovery 7.7.0
02:45:53    > 	at __randomizedtesting.SeedInfo.seed([AAC6A07A621C65D0:6B36D9D64F4CAF77]:0)
02:45:53    > 	at org.elasticsearch.upgrades.FullClusterRestartIT.testRecovery(FullClusterRestartIT.java:842)
02:45:53    > 	at java.lang.Thread.run(Thread.java:748)
02:45:53 Completed [3/3] in 5.04s, 13 tests, 1 failure, 1 skipped <<< FAILURES!

@elasticmachine run elasticsearch-ci/default-distro

[tvernum]

@elasticmachine run elasticsearch-ci/1

[tvernum]

@elasticmachine
run elasticsearch-ci/1
run elasticsearch-ci/default-distro