[elasticsearch] Set secureSettings only for a specific nodeSet #7263

Closed
ebuildy opened this issue Oct 25, 2023 · 1 comment
ebuildy commented Oct 25, 2023

Proposal

Use case. Why is this important?

The architecture is a cluster with 3 nodeSets: master / data / client nodes. I want to enable azureAD auth only on the client nodes (because only the client nodes are accessible). OIDC auth requires HTTPS and specific secureSettings.

The ECK operator takes the Elasticsearch CRD config and deploys one StatefulSet per nodeSet, and all of them share the same secureSettings.

Feature

We must be able to add secureSettings by nodeSet.

Workaround

We can add an init container to add some secrets (inside Elasticsearch node spec):

```yaml
initContainers:
  - name: post-elastic-internal-init-keystore
    image: docker.elastic.co/elasticsearch/elasticsearch:8.8.1
    command:
      - /usr/bin/env
      - bash
      - '-c'
    args:
      - |
        # add all existing secret entries into the keystore
        for filename in /mnt/elastic-internal/secure-settings/*; do
          [[ -e "$filename" ]] || continue # glob does not match
          key=$(basename "$filename")
          echo "Adding $key to the keystore."
          /usr/share/elasticsearch/bin/elasticsearch-keystore add-file "$key" "$filename"
        done
    resources:
      limits:
        cpu: 500m
        memory: 196Mi
      requests:
        cpu: 500m
        memory: 196Mi
    volumeMounts:
      # secret entries to load, one file per keystore key
      - name: auth-azuread-secure-settings
        mountPath: /mnt/elastic-internal/secure-settings
        readOnly: true
      # config dir holding the keystore prepared by ECK's own init containers
      - name: elastic-internal-elasticsearch-config-local
        mountPath: /usr/share/elasticsearch/config
      - name: elastic-internal-elasticsearch-config
        readOnly: true
        mountPath: /mnt/elastic-internal/elasticsearch-config
volumes:
  - name: auth-azuread-secure-settings
    secret:
      secretName: auth-azuread-secure-settings
      defaultMode: 420
      optional: false
```

(btw: I am not comfortable with ECK operator reading my secrets ...)
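To show where the workaround above attaches so that it only affects one nodeSet, here is an added example of a complete Elasticsearch resource (not from the issue author or the ECK project); the cluster name, node counts, roles and the assumption that ECK's own init containers have already created the keystore before this one runs are mine.

```yaml
apiVersion: elasticsearch.k8s.elastic.co/v1
kind: Elasticsearch
metadata:
  name: example                      # assumed cluster name
spec:
  version: 8.8.1
  nodeSets:
    - name: master
      count: 3
      config:
        node.roles: ["master"]
    - name: data
      count: 3
      config:
        node.roles: ["data", "ingest"]
    - name: client
      count: 2
      config:
        node.roles: []               # coordinating-only nodes, the only ones exposed
        # the OIDC realm settings would go here; its client secret is
        # loaded into the keystore by the init container below, so only
        # this nodeSet's pods ever hold it
      podTemplate:
        spec:
          initContainers:
            - name: post-elastic-internal-init-keystore
              image: docker.elastic.co/elasticsearch/elasticsearch:8.8.1
              command: ["/usr/bin/env", "bash", "-c"]
              args:
                - |
                  # assumes ECK's keystore init has already run, so we only append
                  for filename in /mnt/elastic-internal/secure-settings/*; do
                    [[ -e "$filename" ]] || continue   # glob did not match
                    key=$(basename "$filename")
                    /usr/share/elasticsearch/bin/elasticsearch-keystore add-file "$key" "$filename"
                  done
              volumeMounts:
                - name: auth-azuread-secure-settings
                  mountPath: /mnt/elastic-internal/secure-settings
                  readOnly: true
                - name: elastic-internal-elasticsearch-config-local
                  mountPath: /usr/share/elasticsearch/config
          volumes:
            - name: auth-azuread-secure-settings
              secret:
                secretName: auth-azuread-secure-settings   # one key per file, file name = keystore key
```

Because `spec.secureSettings` is cluster-wide while `podTemplate` is per nodeSet, only the `client` StatefulSet gets the extra keystore entries; the master and data pods are unchanged.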

pebrc commented Nov 26, 2024

Any security-related configuration should always be applied to all nodes in the cluster. If you want to restrict external access to the coordinating-only nodes you should do this via other means (e.g. ingress).

Please use our discuss forum at https://discuss.elastic.co/c/eck for any further questions around this.

pebrc closed this as completed Nov 26, 2024