This repository has been archived by the owner on Apr 4, 2023. It is now read-only.
It should be possible to easily enable TLS on an Elasticsearch cluster.

Initially, an implementation that relies upon cert-manager for signing certificates in its simplest form (e.g. a Certificate resource is created per replica) will be the target:

API Changes

We will need to add a new field structure to elasticsearchclusters.spec.tls

Initially, only the 'CA' based cert-manager issuer will be supported: https://github.com/jetstack/cert-manager/blob/master/docs/user-guides/ca-based-issuer.md

This may change in future once discussion around generalising the Certificate resource type has been resolved: cert-manager/cert-manager#265

Controller changes

navigator-controller will need updating to:
- create an Issuer to sign certificates from this CA
- pass the issuerRef as a CLI arg to each Pilot

Pilot changes

if tls is enabled:
- create/retrieve Certificate resource for this pilot
- grab generated Secret resource containing keypair
- inject them into FS and appropriately configure node for serving

Open questions

- (may be more of a general cert-manager problem): should each Pilot be generating its own private key and then creating a CSR for this, instead of storing the private key in the k8s apiserver? This provides a stronger auth model. We'll need to investigate how we can make cert-manager support this.
- certificate rotation should be handled by Pilot too
- TLS requires x-pack. How do we more generally support x-pack only features in ES? ref Support X-Pack security #200

/kind feature
/cc @mattbates @wallrj

@munnerz LGTM - except I don't think issuerRef should appear as a field on the ElasticsearchCluster resource as it leans towards a specific implementation. The tls stanza should only have an enabled field - perhaps an annotation would be the best way for users to set the method for certificate creation (e.g. cert-manager/self-signed) and the name of the Issuer to use/create if cert-manager is to be used.
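The per-replica layout proposed in the issue body (one CA-based Issuer created by the controller, one Certificate created by each Pilot for its own pod), written out as an added example that is not navigator or cert-manager project code. The resource names, namespace, pod DNS names and mount paths are assumptions; the API version is the cert-manager v1alpha1 schema of the time.

```yaml
# Added example, not navigator project code. Names (es-ca-key-pair, es-cluster-ca,
# es-cluster-data-0), namespace and DNS names are assumptions.
---
# CA-based Issuer, created by navigator-controller. It signs with the key pair
# held in the referenced Secret (tls.crt + tls.key); that Secret is the cluster CA.
apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
  name: es-cluster-ca
  namespace: default
spec:
  ca:
    secretName: es-ca-key-pair
---
# One Certificate per replica, created by the Pilot for its own pod. issuerRef is
# the value the controller hands to the Pilot on the command line. cert-manager
# writes tls.crt, tls.key and ca.crt into secretName; the Pilot mounts those.
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: es-cluster-data-0
  namespace: default
spec:
  secretName: es-cluster-data-0-tls
  issuerRef:
    name: es-cluster-ca
    kind: Issuer
  commonName: es-cluster-data-0
  # Both the per-pod (headless) name and the service name must be in the SANs,
  # otherwise peers that verify hostnames will reject the transport connection.
  dnsNames:
  - es-cluster-data-0.es-cluster-data.default.svc.cluster.local
  - es-cluster-data.default.svc.cluster.local
# Node configuration the Pilot would then write (x-pack transport TLS, assumed
# mount path /etc/elasticsearch/tls); keep verification_mode at its default
# "full" so peers are checked against the CA and the SANs above:
#   xpack.security.transport.ssl.enabled: true
#   xpack.security.transport.ssl.key: /etc/elasticsearch/tls/tls.key
#   xpack.security.transport.ssl.certificate: /etc/elasticsearch/tls/tls.crt
#   xpack.security.transport.ssl.certificate_authorities: ["/etc/elasticsearch/tls/ca.crt"]
```

Because the private key lands in the Certificate's Secret, RBAC on that namespace is what protects it; this is exactly the weakness the open question about Pilot-generated keys and CSRs is about.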