Configure transport layer security (TLS/SSL) for an elasticsearch cluster, deployed with helm on kubernetes
Using the official Elastic Helm chart and cert-manager, I am going to share my experience setting up Elasticsearch security, meaning TLS for inter-node communication plus some users.
As we love security, we want hostname verification, which means we must generate one certificate and private key per Elasticsearch node. Of course, as we use containers, this must be fully automatic.
The idea
First, we need a Certificate Authority, stored as a Kubernetes secret. Then we use the awesome elasticsearch-certutil tool (https://www.elastic.co/guide/en/elasticsearch/reference/current/certutil.html#certutil-cert) to generate the node certificate.
Since this must be automatic and per node, we use init containers (https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) to run our code before the app container starts.
cert-manager
cert-manager is a native Kubernetes certificate management controller. It can help with issuing certificates from a variety of sources, such as Let’s Encrypt, HashiCorp Vault, Venafi, a simple signing key pair, or self-signed.
We use it to obtain a Certificate Authority stored as a Kubernetes secret.
This gives us a secret “my-ca-cert” containing tls.crt and tls.key.
elasticsearch configuration
As per the documentation at https://www.elastic.co/guide/en/elasticsearch/reference/current/configuring-security.html, this is pretty easy:
Generate cert and key
Pretty straightforward. The IP/DNS entries are required for hostname verification: every name a node is reached by must appear as a SAN. Here we put the container name, the service and the headless service (see the Helm chart below).
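As an added example (not code from the original post), here is the kind of init-container script that does this step: it builds the DNS SAN list from the pod name, the service and the headless service, then calls elasticsearch-certutil with the CA from the cert-manager secret. It assumes the secret is mounted at /ca and that POD_NAME, POD_IP, NAMESPACE, SERVICE and HEADLESS_SERVICE are injected as environment variables; those names are my assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Generates one certificate + key per
# Elasticsearch pod with elasticsearch-certutil, signed by the CA that cert-manager
# stored in the "my-ca-cert" secret (assumed mounted at /ca as tls.crt / tls.key).
# Assumed env vars (downward API / Helm values): POD_NAME, POD_IP, NAMESPACE,
# SERVICE, HEADLESS_SERVICE.
set -eu

# Every hostname a node can be reached by must be a SAN, or the peer's
# hostname verification fails. Order: pod name, service, service FQDN,
# headless service, headless FQDN, the pod's stable StatefulSet DNS name.
san_dns_list() {
  pod="$1"; ns="$2"; svc="$3"; headless="$4"; domain="${5:-cluster.local}"
  printf '%s,%s,%s.%s.svc.%s,%s,%s.%s.svc.%s,%s.%s.%s.svc.%s' \
    "$pod" \
    "$svc" "$svc" "$ns" "$domain" \
    "$headless" "$headless" "$ns" "$domain" \
    "$pod" "$headless" "$ns" "$domain"
}

# Run certutil in cert mode against the CA, PEM output, then unpack the zip
# into the volume shared with the elasticsearch container.
generate_node_cert() {
  out_dir="$1"; pod="$2"; ns="$3"; svc="$4"; headless="$5"; pod_ip="$6"
  dns="$(san_dns_list "$pod" "$ns" "$svc" "$headless")"
  elasticsearch-certutil cert --silent --pem \
    --ca-cert /ca/tls.crt --ca-key /ca/tls.key \
    --name "$pod" --dns "$dns" --ip "$pod_ip,127.0.0.1" \
    --out "$out_dir/node.zip"
  # --pem produces <name>/<name>.crt and <name>/<name>.key inside the zip
  unzip -o -q "$out_dir/node.zip" -d "$out_dir"
  cp /ca/tls.crt "$out_dir/ca.crt"   # for xpack.security.*.ssl.certificate_authorities
  chmod 600 "$out_dir/$pod/$pod.key"
  rm -f "$out_dir/node.zip"
}

# Only generate inside the Elasticsearch image, where certutil is present.
if command -v elasticsearch-certutil >/dev/null 2>&1; then
  generate_node_cert /usr/share/elasticsearch/config/certs \
    "${POD_NAME:?}" "${NAMESPACE:?}" "${SERVICE:?}" "${HEADLESS_SERVICE:?}" "${POD_IP:?}"
fi
```

The elasticsearch container then points xpack.security.transport.ssl.certificate and .key at the files under the pod's directory and the CA at ca.crt.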
elasticsearch helm chart
Let’s put it all together.
Replace XXXXXX with the service name.