How can I add oidc client secret on Elasticsearch keystore when it is running in K8S?

4/10/2021

I have a self-hosted Elasticsearch cluster running in AWS EKS and I'd like to set up OIDC authentication. I followed the instructions at https://www.elastic.co/guide/en/cloud/current/ec-secure-clusters-oidc.html#ec-oidc-client-secret

In the client-secret setting, it mentions

You’ll need to add the client secret to the keystore

So I launched the ES cluster with basic authentication and added the secret to the keystore using the command elasticsearch-keystore add xpack.security.authc.realms.oidc.oidc-realm.rp.client_secret.

After that I updated the ES YAML file to include the configuration:

xpack:
  security:
    authc:
      realms:
        oidc:
          oidc-realm-name: 
            order: 2 
            rp.client_id: "client-id" 
            rp.response_type: "code"
            rp.redirect_uri: "<KIBANA_ENDPOINT_URL>/api/security/v1/oidc" 
            op.issuer: "<check with your OpenID Connect Provider>" 
            op.authorization_endpoint: "<check with your OpenID Connect Provider>" 
            op.token_endpoint: "<check with your OpenID Connect Provider>" 
            op.userinfo_endpoint: "<check with your OpenID Connect Provider>" 
            op.jwkset_path: "<check with your OpenID Connect Provider>" 
            claims.principal: sub 
            claims.groups: "http://example.info/claims/groups" 

Then I ran rollout restart to restart the pod, but I got the error below when launching the Elasticsearch cluster:

java.lang.IllegalStateException: security initialization failed
Likely root cause: SettingsException[The configuration setting [xpack.security.authc.realms.oidc.oidc-realm.rp.client_secret] is required]

It seems that ES doesn't find the secret I added to the keystore.

Then I realised that it lost the keystore when I ran rollout restart to apply the OIDC configuration. So my question is: what is the right way to add OIDC to Elasticsearch in K8s?

-- Joey Yi Zhao
elasticsearch
kubernetes

1 Answer

6/11/2021

If you're using Helm for your deployment, the best way is to add it in the values of the chart. You'll need to create a secret in your cluster, which will be added to the keystore by an InitContainer. More details are in the Helm chart README.

-- Moss
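As an added illustration of the answer (not code from the question, the answer or the Helm chart), the shell functions below build the Kubernetes Secret that the chart's InitContainer loads into the keystore, and the matching values fragment. The `keystore: - secretName:` layout is assumed from the elastic/helm-charts README and should be checked against the chart version in use; the Secret's data key must be the full setting name, with the realm segment equal to the realm name used in elasticsearch.yml.

```shell
#!/bin/sh
# Added example: derive the keystore setting name from the realm name, then
# emit a Secret manifest whose data key is that setting name. Keeping the
# realm name in one place avoids the mismatch that produces
# "The configuration setting [...rp.client_secret] is required".

# Build the keystore setting name for an OIDC realm; reject names that
# contain characters Elasticsearch does not allow in a realm name.
client_secret_setting() {
  realm="$1"
  case "$realm" in
    ''|*[!A-Za-z0-9_-]*) echo "invalid realm name: '$realm'" >&2; return 1 ;;
  esac
  printf 'xpack.security.authc.realms.oidc.%s.rp.client_secret' "$realm"
}

# Emit a Secret manifest. stringData lets the API server do the base64
# encoding, so the value is not hand-encoded or pasted into the YAML twice.
secret_manifest() {
  secret_name="$1"; realm="$2"; value="$3"
  key=$(client_secret_setting "$realm") || return 1
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${secret_name}
type: Opaque
stringData:
  ${key}: "${value}"
EOF
}

# values.yaml fragment (assumed chart layout): every key of the named Secret
# is added to the Elasticsearch keystore by the chart's InitContainer.
keystore_values() {
  cat <<EOF
keystore:
  - secretName: $1
EOF
}

# Usage (constructed names; the client secret is read from a file rather
# than typed on the command line so it does not land in shell history):
#   secret_manifest oidc-client-secret oidc-realm "$(cat client_secret.txt)" \
#     | kubectl apply -f -
#   keystore_values oidc-client-secret >> values.yaml
#   helm upgrade --install elasticsearch elastic/elasticsearch -f values.yaml
```

The realm name passed to secret_manifest must be the same one used under xpack.security.authc.realms.oidc in the chart's esConfig, or the pod will fail with the same SettingsException after the restart.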
Source: StackOverflow