I have a self-hosted Elasticsearch cluster running in AWS EKS and I'd like to set up OIDC authentication. I followed the instructions here: https://www.elastic.co/guide/en/cloud/current/ec-secure-clusters-oidc.html#ec-oidc-client-secret
In the client-secret setting, it mentions:

    You'll need to add the client secret to the keystore

so I launched the ES cluster with basic authentication and added the secret to the keystore by using the command:

    elasticsearch-keystore add xpack.security.authc.realms.oidc.oidc-realm.rp.client_secret
After that I updated the ES yaml file to include the configuration:

    xpack:
      security:
        authc:
          realms:
            oidc:
              oidc-realm-name:
                order: 2
                rp.client_id: "client-id"
                rp.response_type: "code"
                rp.redirect_uri: "<KIBANA_ENDPOINT_URL>/api/security/v1/oidc"
                op.issuer: "<check with your OpenID Connect Provider>"
                op.authorization_endpoint: "<check with your OpenID Connect Provider>"
                op.token_endpoint: "<check with your OpenID Connect Provider>"
                op.userinfo_endpoint: "<check with your OpenID Connect Provider>"
                op.jwkset_path: "<check with your OpenID Connect Provider>"
                claims.principal: sub
                claims.groups: "http://example.info/claims/groups"
Then I ran rollout restart to restart the pod, but I got the error below when launching the Elasticsearch cluster:

    java.lang.IllegalStateException: security initialization failed
    Likely root cause: SettingsException[The configuration setting [xpack.security.authc.realms.oidc.oidc-realm.rp.client_secret] is required]
It seems that ES doesn't find the secret I added to the keystore. Then I realised that it lost the keystore when I ran rollout restart to apply the OIDC configuration. So my question is: what is the right way to add OIDC to Elasticsearch in K8s?
If you're using Helm for your deployment, the best way is to add it in the values of the chart. You'll need to create a secret in your cluster, which will be added to the keystore by an InitContainer. More details are in the Helm chart README.
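To make the answer above concrete, here is an added example (not code from the question or the answer, and not taken from the chart itself) of the two pieces involved: a Kubernetes Secret whose key is the full keystore setting name, and the values fragment that asks the elastic/elasticsearch Helm chart to load that Secret into the keystore through its init container. The Secret name `oidc-keystore`, the realm name `oidc-realm-name`, the placeholder secret value and the endpoint placeholders are assumptions for illustration; the chart value names `keystore` and `esConfig` are as I recall them from the chart's README and should be checked against the chart version you deploy. One thing that must hold regardless of chart version: the realm name inside the keystore key has to be the same realm name used under `xpack.security.authc.realms.oidc` in elasticsearch.yml, otherwise Elasticsearch looks for a `rp.client_secret` entry that does not exist and fails with the same "is required" error.

```yaml
# --- Kubernetes Secret (assumed name: oidc-keystore) ---
# Each key in the Secret becomes one keystore entry, so the key is the full
# setting name. stringData lets you write the value in plain text; the API
# server base64-encodes it on save. The value below is a placeholder.
apiVersion: v1
kind: Secret
metadata:
  name: oidc-keystore
type: Opaque
stringData:
  # realm name here ("oidc-realm-name") must match elasticsearch.yml below
  xpack.security.authc.realms.oidc.oidc-realm-name.rp.client_secret: "<CLIENT_SECRET_PLACEHOLDER>"
---
# --- values.yaml fragment for the elastic/elasticsearch chart (assumed keys) ---
# The chart's init container creates a fresh keystore on every pod start and
# adds every key of each listed Secret, so the entry survives rollout restarts
# (the keystore file lives in the config directory, which is ephemeral in the
# container; it is not on the data volume).
keystore:
  - secretName: oidc-keystore

esConfig:
  elasticsearch.yml: |
    xpack.security.authc.realms.oidc.oidc-realm-name:
      order: 2
      rp.client_id: "client-id"
      rp.response_type: "code"
      rp.redirect_uri: "<KIBANA_ENDPOINT_URL>/api/security/v1/oidc"
      op.issuer: "<check with your OpenID Connect Provider>"
      op.authorization_endpoint: "<check with your OpenID Connect Provider>"
      op.token_endpoint: "<check with your OpenID Connect Provider>"
      op.userinfo_endpoint: "<check with your OpenID Connect Provider>"
      op.jwkset_path: "<check with your OpenID Connect Provider>"
      claims.principal: sub
      claims.groups: "http://example.info/claims/groups"
```

Apply the Secret before upgrading the release, so the init container can mount it. Because the secret value now lives in a Kubernetes Secret rather than in a file edited by hand inside a running pod, a restart or rescheduling rebuilds the keystore with the same entry; it also means the value is only as protected as your cluster's Secret access controls (RBAC on `get`/`list` for Secrets in that namespace, and encryption at rest for etcd if you have it enabled), which is worth checking on a shared EKS cluster. If you prefer not to commit a manifest with the value in it, `kubectl create secret generic oidc-keystore --from-literal='xpack.security.authc.realms.oidc.oidc-realm-name.rp.client_secret=<CLIENT_SECRET_PLACEHOLDER>'` produces the same Secret.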