0

I have installed elasticsearch on kubernetes using the helm chart. I need to enable xpack security; for that I need to create a certificate using elasticsearch-certutil. I can't find its location on kubernetes.

The error I am getting now:

```
2019-06-25T10:20:56.882057213Z "Caused by: org.elasticsearch.ElasticsearchException: failed to initialize a TrustManagerFactory",
I 2019-06-25T10:20:56.882063036Z "at org.elasticsearch.xpack.core.ssl.StoreTrustConfig.createTrustManager(StoreTrustConfig.java:61) ~[?:?]",
I 2019-06-25T10:20:56.882068596Z "at org.elasticsearch.xpack.core.ssl.SSLService.createSslContext(SSLService.java:382) ~[?:?]",
I 2019-06-25T10:20:56.882074256Z "at java.util.HashMap.computeIfAbsent(HashMap.java:1133) ~[?:?]",
I 2019-06-25T10:20:56.882079897Z "at org.elasticsearch.xpack.core.ssl.SSLService.lambda$loadSSLConfigurations$2(SSLService.java:426) ~[?:?]",
I 2019-06-25T10:20:56.882085280Z "at java.util.HashMap.forEach(HashMap.java:1333) ~[?:?]",
I 2019-06-25T10:20:56.882120138Z "at org.elasticsearch.xpack.core.ssl.SSLService.loadSSLConfigurations(SSLService.java:423) ~[?:?]",
I 2019-06-25T10:20:56.882136977Z "at org.elasticsearch.xpack.core.ssl.SSLService.<init>(SSLService.java:119) ~[?:?]",
I 2019-06-25T10:20:56.882143717Z "at org.elasticsearch.xpack.core.XPackPlugin.<init>(XPackPlugin.java:144) ~[?:?]",
I 2019-06-25T10:20:56.882149641Z "at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]",
I 2019-06-25T10:20:56.882155163Z "at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]",
I 2019-06-25T10:20:56.882168785Z "at jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]",
I 2019-06-25T10:20:56.882175111Z "at java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:500) ~[?:?]",
I 2019-06-25T10:20:56.882181018Z "at java.lang.reflect.Constructor.newInstance(Constructor.java:481) ~[?:?]",
I 2019-06-25T10:20:56.882228253Z "at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:605) ~[elasticsearch-7.1.1.jar:7.1.1]",
I 2019-06-25T10:20:56.882234700Z "at org.elasticsearch.plugins.PluginsService.loadBundle(PluginsService.java:556) ~[elasticsearch-7.1.1.jar:7.1.1]",
I 2019-06-25T10:20:56.882240443Z "at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:471) ~[elasticsearch-7.1.1.jar:7.1.1]",
I 2019-06-25T10:20:56.882246040Z "at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:163) ~[elasticsearch-7.1.1.jar:7.1.1]",
I 2019-06-25T10:20:56.882251927Z "at org.elasticsearch.node.Node.<init>(Node.java:308) ~[elasticsearch-7.1.1.jar:7.1.1]",
I 2019-06-25T10:20:56.882257697Z "at org.elasticsearch.node.Node.<init>(Node.java:252) ~[elasticsearch-7.1.1.jar:7.1.1]",
I 2019-06-25T10:20:56.882263355Z "at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:211) ~[elasticsearch-7.1.1.jar:7.1.1]",
I 2019-06-25T10:20:56.882271710Z "at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:211) ~[elasticsearch-7.1.1.jar:7.1.1]",
I 2019-06-25T10:20:56.882318705Z "at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:325) ~[elasticsearch-7.1.1.jar:7.1.1]",
I 2019-06-25T10:20:56.882344091Z "at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:159) ~[elasticsearch-7.1.1.jar:7.1.1]",
```

This is my configuration:

```yaml
esConfig:
  elasticsearch.yml: |
    xpack.security.enabled: true
    xpack.security.transport.ssl.enabled: true
    xpack.security.transport.ssl.verification_mode: certificate
    xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/config/certs/ca.p12
    xpack.security.transport.ssl.truststore.path: /usr/share/elasticsea/config/certs/ca.p12

    xpack.security.http.ssl.enabled: true
    xpack.security.http.ssl.truststore.path: /usr/share/elasticsearch/config/certs/ca.p12
    xpack.security.http.ssl.keystore.path: /usr/share/elasticsearch/config/certs/ca.p12
```

I used `kubectl exec -it elasticsearch-master-0 -- /bin/bash` to enter the container and generate the certificate in the exact path /usr/share/elasticsearch/certs

M.Bou
  • Are you checking for `/bin/elasticsearch` inside the elasticsearch pods? – Crou Jun 24 '19 at 07:58
  • I want to create the elasticsearch certificate; the only way mentioned in the official elasticsearch documents is using bin/elasticsearch, so yes, I am looking to find bin/elasticsearch – M.Bou Jun 24 '19 at 12:14
  • Can you provide output of `kubectl get pods --all-namespaces`? – Crou Jun 24 '19 at 12:35
  • NAMESPACE NAME READY STATUS RESTARTS AGE default elasticsearch-master-0 2/2 Running 0 41h default elasticsearch-master-1 2/2 Running 0 3d22h default elasticsearch-master-2 1/2 CrashLoopBackOff 152 14h default kibana-kibana-679655c849-qmqjs 0/1 Running 0 14h – M.Bou Jun 24 '19 at 12:40
  • There is a path mentioned on kubernetes, /usr/share/elasticsearch/config, but I can't access it on the shell. Can you please help with that? – M.Bou Jun 24 '19 at 13:09

1 Answer

0

Because you are using helm charts you need to set all those things inside your template.

First you should make yourself familiar with https://github.com/helm/charts/tree/master/stable/elasticsearch

Second, you will need to check what is wrong with one of your pods, `elasticsearch-master-2`, because it's in `CrashLoopBackOff`. You can do that using `kubectl describe pods elasticsearch-master-2` and checking the events at the bottom.

As for Xpack and enabling elasticsearch internal monitoring:

Requires version 6.3+ and standard non oss repository defined. Starting with 6.3 Xpack is partially free and enabled by default. You need to set a new config to enable the collection of these internal metrics. (https://www.elastic.co/guide/en/elasticsearch/reference/6.3/monitoring-settings.html)

To do this through this helm chart override with the three following changes:

```
image.repository: docker.elastic.co/elasticsearch/elasticsearch
cluster.xpackEnable: true
cluster.env.XPACK_MONITORING_ENABLED: true
```

Note: to see these changes you will need to update your kibana repo to image.repository: docker.elastic.co/kibana/kibana instead of the oss version

You should also read Get a Shell to a Running Container, which explains how you can connect to a pod.

In your example, using `kubectl exec -it elasticsearch-master-0 -- /bin/bash`

Crou
  • Thank you very much sir, I am trying now to create a certification using the bin/elasticsearch – M.Bou Jun 24 '19 at 14:51
  • Please edit your question and post the errors you are getting. – Crou Jun 24 '19 at 14:59
  • I added the changes I needed, I created the certificate, and then once I upgraded elasticsearch with the new values it gave me "Caused by: java.nio.file.NoSuchFileException: /usr/share/elasticsearch/config/certs/elastic-certificates.p12", – M.Bou Jun 24 '19 at 23:52
  • xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12 – M.Bou Jun 25 '19 at 00:10
  • esConfig: elasticsearch.yml: | xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12 xpack.security.http.ssl.enabled: true – M.Bou Jun 25 '19 at 00:11
  • xpack.security.http.ssl.truststore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12 xpack.security.http.ssl.keystore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12 these are the line I added to the values file – M.Bou Jun 25 '19 at 00:13
  • @M.Bou please edit the "top" part which is the initial question you asked and add those errors there. – Crou Jun 25 '19 at 07:50
  • Thank you Crou for your help. I used a different helm chart now: I reinstalled elasticsearch using the helm chart you proposed and it's version 6.7. I want to have version 7.1.1, so I made changes on the values file: `appVersion: "7.1.1"` , `image: repository: "docker.elastic.co/elasticsearch/elasticsearch" tag: "7.1.1"` , and of course I have enabled xpack as you recommended, but I am getting this **the default discovery settings are unsuitable for production use; at least one of [discovery.seed_hosts, discovery.seed_providers, cluster.initial_master_nodes] must be configured** – M.Bou Jun 26 '19 at 17:56
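
A check to run before restarting a node, as an added example that is not part of the original question, answer or comments: it lists every keystore/truststore path set in `elasticsearch.yml` and reports the ones that are not files, which is the condition the `NoSuchFileException` in the comments reports. The function names and the optional `ROOT` prefix are assumptions of this example; the sample reproduces the question's settings with `ca.p12` created in `/usr/share/elasticsearch/certs`, where the question says it was generated.

```shell
#!/bin/sh
# Added example: report keystore/truststore settings that point at no file.

# Print "<setting> <path>" for each xpack.security.*.ssl.*store.path line.
list_store_paths() {
    awk '/^[ \t]*xpack\.security\.[a-z]+\.ssl\.(keystore|truststore)\.path:/ {
        key = $1; sub(/:$/, "", key); print key, $2
    }' "$1"
}

# Print "MISSING <setting> <path>" for each store that is not a regular file.
# ROOT (hypothetical, optional) is prepended to every path so the check can
# run against a copy of the filesystem; leave it empty inside the pod.
missing_store_paths() {
    config=$1
    root=${2:-}
    list_store_paths "$config" | while read -r key path; do
        [ -f "$root$path" ] || echo "MISSING $key $path"
    done
}

# Constructed sample: the question's settings, with ca.p12 created in
# /usr/share/elasticsearch/certs, where the question says it was generated.
demo() {
    tmp=$(mktemp -d)
    es="$tmp/usr/share/elasticsearch"
    mkdir -p "$es/certs" "$es/config"
    : > "$es/certs/ca.p12"
    cat > "$es/config/elasticsearch.yml" <<'EOF'
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/config/certs/ca.p12
xpack.security.transport.ssl.truststore.path: /usr/share/elasticsea/config/certs/ca.p12
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.truststore.path: /usr/share/elasticsearch/config/certs/ca.p12
xpack.security.http.ssl.keystore.path: /usr/share/elasticsearch/config/certs/ca.p12
EOF
    missing_store_paths "$es/config/elasticsearch.yml" "$tmp"
    rm -rf "$tmp"
}

demo
```

With the sample as constructed, all four store settings are reported: three point at `config/certs` while the file sits in `certs`, and the transport truststore path names a different directory (`/usr/share/elasticsea/...`).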