Support secured connection to Elasticsearch

[lukas-vlcek]

When communicating with Elasticsearch in secured environment we need to support security appropriately. For example it is possible to create an external Elasticsearch route with OpenShift Logging and the communication then requires proper handling of security certificates.

• [x] Add security related options
• [x] Install and configure SearchGuard plugin to Elasticsearch instance in CI tests
• [x] Use secured elasticsearch-py client connection
• [x] Document how to install and configure SG plugin for local tests

[lukas-vlcek]

@richm I think I ran out of ideas why security is not working 😢 Even on Linux this is not working (both my local Fedora 23 or Ubuntu 12.04.5 LTS on Travis ). cURL with certificates is working in testing scripts but no luck with elasticsearch-py client tests using the same certificates. The error message does not help me much.

Do you think you could run your eyes over this? All the code is in branch 1. All the ES client config happens in base.py.

I documented how to test it locally with all the security install and setup, see https://github.com/ViaQ/watches-cli/blob/1/tests/Testing.md#testing-manually.

If you just want to run python tests against local non-secured ES node, then skip SG stuff and just change this True to False.

[richm]

The problem is that searchguard generates its certificates with the X509v3 Subject Alternative Name extension with the value Registered ID:1.2.3.4.5.5. python ssl doesn't like this. origin-aggregated-logging had to disable this extension in externally facing certs: https://github.com/openshift/origin-aggregated-logging/blob/master/deployer/scripts/util.sh#L17 I think we have to do the same.

openssl bug: https://bugzilla.redhat.com/show_bug.cgi?id=1402153

python bug: https://bugzilla.redhat.com/show_bug.cgi?id=1402154