HTTPS on elasticsearch helm chart

8/10/2020

I am trying to set up basic authentication on Elasticsearch. I found that it's also required to set up an SSL certificate.

I am following this article: https://pimwiddershoven.nl/entry/deploy-a-secure-instance-of-elasticsearch-on-kubernetes

The cluster is up and running on Kubernetes using Helm.

But when I send

curl -H "Authorization: Basic ZWxsdfasdfiojoijQw==" https://localhost:9200

it gives an error like

curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

But when I send the request using curl insecure mode or with -k, it works fine and I can see the cluster health.

It's due to the self-signed certificate. Am I missing anything?

The official Helm chart also suggests the same way to generate the certificate and add it to the cluster.

https://github.com/elastic/helm-charts/tree/master/elasticsearch/examples/security

Update:

Elastic.yaml

protocol: https

esConfig:
  elasticsearch.yml: |
    xpack.security.enabled: true
    xpack.security.transport.ssl.enabled: true
    xpack.security.transport.ssl.verification_mode: certificate
    xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
    xpack.security.transport.ssl.truststore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
    xpack.security.http.ssl.enabled: true
    xpack.security.http.ssl.truststore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
    xpack.security.http.ssl.keystore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
    xpack.security.authc.realms.native.local.order: 0

extraEnvs:
  - name: ELASTIC_PASSWORD
    valueFrom:
      secretKeyRef:
        name: elastic-credentials
        key: password
  - name: ELASTIC_USERNAME
    valueFrom:
      secretKeyRef:
        name: elastic-credentials
        key: username

secretMounts:
  - name: elastic-certificates
    secretName: elastic-certificates
    path: /usr/share/elasticsearch/config/certs
-- chagan
elasticsearch
google-kubernetes-engine
kubernetes
kubernetes-helm

1 Answer

8/10/2020

If you are trying to set up HTTPS on a Kubernetes svc and using it as DNS, it won't work without curl -k or --insecure.

Unless and until you have proper DNS and a domain name to resolve, it won't work; you have to use insecure mode only.

Use the proper domain name and generate a certificate, and it will work like a charm.

However, for verification you can also do:

curl --cacert $path_to_certificate https://host_ip:9200

Easy Workaround

You can use nginx in front of the ES cluster, terminate SSL there, and send HTTP requests to ES, while the path from your domain to nginx will have HTTPS (SSL/TLS).

If you just want basic auth (username/password) with HTTP only:

esConfig:
  elasticsearch.yml: |
    xpack.security.enabled: true
    xpack.security.transport.ssl.enabled: true
    xpack.security.transport.ssl.verification_mode: certificate
    xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
    xpack.security.transport.ssl.truststore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
-- Harsh Manvar
Source: StackOverflow
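
Added example (not part of the question or answer above, and not the Helm chart's own tooling): curl error 60 covers two independent checks, trust in the issuing CA and a match between the URL host and the certificate's subjectAltName, and this script reproduces both offline with a throwaway CA. The hostname es.example.internal, the file names and the function names are constructed for illustration.

```sh
#!/bin/sh
# Added example. Every name, key and certificate here is constructed.
ES_HOST="es.example.internal"   # assumed name clients use in the URL

make_certs() {  # $1 = work dir; writes ca.pem (CA) and node.pem (server cert)
  d=$1
  cat > "$d/demo.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = demo-ca
[v3_ca]
basicConstraints = critical,CA:TRUE
[server]
subjectAltName = DNS:$ES_HOST
EOF
  openssl req -x509 -config "$d/demo.cnf" -newkey rsa:2048 -nodes -days 1 \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
  openssl req -new -config "$d/demo.cnf" -subj "/CN=$ES_HOST" -newkey rsa:2048 \
    -nodes -keyout "$d/node.key" -out "$d/node.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/node.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -extfile "$d/demo.cnf" -extensions server \
    -out "$d/node.pem" 2>/dev/null
}

# Runs the two checks curl makes: the chain must end at a trusted CA and the
# URL host must be in subjectAltName. $3 plays the role of curl --cacert.
curl_would_accept() {  # $1 = work dir, $2 = URL host, $3 = CA file (optional)
  d=$1; host=$2; ca=${3:-}
  set -- -untrusted "$d/ca.pem" -verify_hostname "$host"  # chain as the server sends it
  if [ -n "$ca" ]; then set -- -CAfile "$ca" "$@"; fi
  openssl verify "$@" "$d/node.pem" >/dev/null 2>&1
}

report() { if curl_would_accept "$@"; then echo accept; else echo reject; fi; }

work=$(mktemp -d) && make_certs "$work" && {
  echo "no --cacert, right host:   $(report "$work" "$ES_HOST")"
  echo "--cacert, host localhost:  $(report "$work" localhost "$work/ca.pem")"
  echo "--cacert, right host:      $(report "$work" "$ES_HOST" "$work/ca.pem")"
}
rm -rf "$work"
```

Against a port-forwarded cluster, the accepted case corresponds to `curl --cacert ca.pem --resolve es.example.internal:9200:127.0.0.1 https://es.example.internal:9200`, which keeps certificate verification on while pointing the certificate's name at the local port.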