How to use the "bin/elasticsearch-certutil ca" with K8S?

12/7/2021

I have a problem: I'm creating Elasticsearch as a StatefulSet, and I need to use x-pack. For that, I know I need to configure the security properties below:

  - name: xpack.license.self_generated.type
    value: "basic"
  - name: xpack.security.enabled
    value: 'true'
  - name: xpack.security.transport.ssl.enabled
    value: 'true'
  - name: xpack.security.transport.ssl.verification_mode
    value: 'certificate'
  - name: xpack.security.transport.ssl.keystore.path
    value: '/usr/share/elasticsearch/elastic-certificates.p12'
  - name: xpack.security.transport.ssl.truststore.path
    value: '/usr/share/elasticsearch/elastic-certificates.p12'

About Transport TLS/SSL encryption, I know I should use "bin/elasticsearch-certutil ca" to generate the certificate.

What's my problem? When I apply the YAML to my cluster, the certificate does not yet exist.

When I try to access bash, the pod is no longer available.

What would be the best strategy for this type of deployment?

Error:

ElasticsearchSecurityException[failed to load SSL configuration [xpack.security.transport.ssl]]; nested: ElasticsearchException[failed to initialize SSL TrustManager - access to read truststore file [/usr/share/elasticsearch/elastic-certificates.p12] is blocked; SSL resources should be placed in the [/usr/share/elasticsearch/config] directory]; nested: AccessControlException[access denied ("java.io.FilePermission" "/usr/share/elasticsearch/elastic-certificates.p12" "read")];
Likely root cause: java.security.AccessControlException: access denied ("java.io.FilePermission" "/usr/share/elasticsearch/elastic-certificates.p12" "read")
-- Pablo Andrei
elasticsearch
kubernetes
ssl
statefulset
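The procedure the question is asking for, as an added example that is not part of the original post: generate the CA and node certificate with elasticsearch-certutil on a workstation, package the two PKCS#12 files as a Kubernetes Secret, and mount that Secret inside the Elasticsearch config directory, which is where the error message quoted above says SSL resources have to live. The keystore/truststore paths are then given relative to the config directory rather than as the absolute /usr/share/elasticsearch/... paths in the question. The namespace, Secret name, volume name and output directory are made up; ES_HOME defaults to the official image layout, and fsGroup 1000 is the uid/gid the official Elasticsearch image runs as.

```shell
#!/bin/sh
# Added example, not from the original question: certutil -> Secret -> StatefulSet.
# Assumed names: namespace "elastic", Secret "elastic-transport-certs",
# volume "transport-certs", output dir ./certs-out, ES_HOME per the official image.
set -eu

ES_HOME="${ES_HOME:-/usr/share/elasticsearch}"
NAMESPACE="${NAMESPACE:-elastic}"
SECRET_NAME="${SECRET_NAME:-elastic-transport-certs}"
CERT_DIR="certs"                      # subdirectory of $ES_HOME/config
CA_FILE="elastic-stack-ca.p12"
CERT_FILE="elastic-certificates.p12"

# Step 1: CA plus a node certificate signed by it, both as PKCS#12.
# The empty passphrase means no secure_password keystore setting is needed;
# for production, set a passphrase and add it with elasticsearch-keystore.
gen_certs() {
  out_dir="$1"
  mkdir -p "$out_dir"
  "$ES_HOME/bin/elasticsearch-certutil" ca --silent --pass "" --out "$out_dir/$CA_FILE"
  "$ES_HOME/bin/elasticsearch-certutil" cert --silent \
    --ca "$out_dir/$CA_FILE" --ca-pass "" --pass "" \
    --out "$out_dir/$CERT_FILE"
}

# Step 2: store both files in a Secret so every pod of the StatefulSet gets them.
create_secret() {
  out_dir="$1"
  kubectl -n "$NAMESPACE" create secret generic "$SECRET_NAME" \
    --from-file="$CERT_FILE=$out_dir/$CERT_FILE" \
    --from-file="$CA_FILE=$out_dir/$CA_FILE"
}

# Step 3a: env entries for the container. Paths are relative to the config
# directory, so they resolve to $ES_HOME/config/certs/... inside the pod.
ssl_env() {
  cat <<EOF
        - name: xpack.license.self_generated.type
          value: "basic"
        - name: xpack.security.enabled
          value: "true"
        - name: xpack.security.transport.ssl.enabled
          value: "true"
        - name: xpack.security.transport.ssl.verification_mode
          value: "certificate"
        - name: xpack.security.transport.ssl.keystore.path
          value: "$CERT_DIR/$CERT_FILE"
        - name: xpack.security.transport.ssl.truststore.path
          value: "$CERT_DIR/$CERT_FILE"
EOF
}

# Step 3b: pod-level securityContext, volume and the container's volumeMount.
# fsGroup 1000 plus mode 0440 makes the files readable by the elasticsearch
# user without any chmod/chgrp step in an init container.
ssl_volumes() {
  cat <<EOF
      securityContext:
        fsGroup: 1000
      volumes:
        - name: transport-certs
          secret:
            secretName: $SECRET_NAME
            defaultMode: 0440
      # in the container spec:
      volumeMounts:
        - name: transport-certs
          mountPath: $ES_HOME/config/$CERT_DIR
          readOnly: true
EOF
}

# The absolute path Elasticsearch will open; must be under $ES_HOME/config.
keystore_abs_path() {
  printf '%s/config/%s/%s\n' "$ES_HOME" "$CERT_DIR" "$CERT_FILE"
}

# `sh this-script.sh run` executes all three steps and prints the YAML fragments.
if [ "${1:-}" = "run" ]; then
  gen_certs ./certs-out
  create_secret ./certs-out
  ssl_env
  ssl_volumes
fi
```

The node certificate generated this way carries no SAN entries, which is why the question's verification_mode of "certificate" (chain validation only, no hostname check) is kept; switching to "full" requires passing --dns/--ip to elasticsearch-certutil cert with the StatefulSet pod DNS names.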

1 Answer

3/21/2022

I hope it is not too late.

Apparently, the issue comes from the fact that the group, and maybe the permissions, of the certificate file are different.

Check the certificate permissions and group with ls -al. They should be as follows:

-rw-rw---- 1 root elasticsearch 3596 Mar 21 16:04 elastic-certificates.p12
-rw-rw---- 1 root elasticsearch 2672 Mar 21 16:04 elastic-stack-ca.p12

If it is different, use the following commands to fix the issue:

# change the group to `elasticsearch`
chgrp elasticsearch ./elastic-*.p12

# change the permission of the file to 660
chmod 660 ./elastic-*.p12
-- Alin
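A pre-flight check that covers both conditions visible on this page, as an added example that is not part of the answer above: the Java security manager message in the question says SSL resources are only readable from the config directory, and the answer's fix is group "elasticsearch" with mode 660. The function takes the path, group and octal mode as arguments so it can be exercised without a real Elasticsearch install; the config directory default and the stat-based wrapper are assumptions.

```shell
#!/bin/sh
# Added example, not from the answer: check a PKCS#12 file against the two
# rules seen on this page before starting Elasticsearch.
# Assumed: config dir per the official image; Linux `stat -c` in check_file.
set -eu

ES_CONFIG="${ES_CONFIG:-/usr/share/elasticsearch/config}"

# Rule 1 (from the question's error): the file must sit inside the config dir.
inside_config_dir() {
  case "$1" in
    "$ES_CONFIG"/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Rule 2 (from the answer): group elasticsearch with group-read in the mode.
# $1 = group name, $2 = octal mode such as 660 or 2660; the group digit is the
# second from the right, and 4..7 all include read.
group_can_read() {
  case "$2" in
    *[4567]?) [ "$1" = elasticsearch ] ;;
    *) return 1 ;;
  esac
}

# Combined check: exit 1 for a bad location, 2 for bad ownership/mode, 0 when ok.
check_ssl_resource() {
  path="$1"; group="$2"; mode="$3"
  if ! inside_config_dir "$path"; then
    echo "REJECT: $path is outside $ES_CONFIG; move it under the config directory"
    return 1
  fi
  if ! group_can_read "$group" "$mode"; then
    echo "REJECT: $path is $group $mode; run chgrp elasticsearch and chmod 660"
    return 2
  fi
  echo "OK: $path ($group $mode)"
}

# Live variant for a file that exists on this host (Linux coreutils stat).
check_file() {
  check_ssl_resource "$1" "$(stat -c %G "$1")" "$(stat -c %a "$1")"
}
```

Run against the question's own configuration, check_ssl_resource /usr/share/elasticsearch/elastic-certificates.p12 root 660 fails on rule 1 regardless of the chmod/chgrp, which is why the location check comes first.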
Source: StackOverflow