How to set up security on Elasticsearch based on a Red Hat image in OpenShift


Currently, I am trying to install Elasticsearch and Kibana in OpenShift. So far, I have been successful without any security, but with the latest version it is now required to set up security. I have begun this process, but I am encountering an error. I have Elasticsearch based on a Red Hat image with 3 nodes in a StatefulSet, and Kibana in a Deployment. Each Elasticsearch node has a PVC mounted at /usr/share/elasticsearch/data. I have generated the elastic-stack-ca.p12 and the elastic-stack-ca.p12, and I have copied them into /usr/share/elasticsearch/data, where my volume is mounted.

In the environment variables, I have set them up like this:

    env:
      - name: ingest.geoip.downloader.enabled
        value: 'false'
      - name: xpack.security.enabled
        value: 'true'
      - name: elasticsearch-xpack
        value: disabled
      - name: cluster.name
        value: Trafic-Cluster-Uat-Openshift
      - name: discovery.seed_hosts
        value: >-
          elasticsearch-0.elasticsearch-discovery,elasticsearch-1.elasticsearch-discovery
      - name: cluster.initial_master_nodes
        value: 'elasticsearch-0,elasticsearch-1'
      - name: xpack.monitoring.collection.enabled
        value: 'true'
      - name: xpack.security.transport.ssl.enabled
        value: 'false'
      - name: xpack.security.enrollment.enabled
        value: 'true'
      - name: xpack.security.transport.ssl.verification_mode
        value: certificate
      - name: xpack.security.transport.ssl.client_authentication
        value: required
      - name: xpack.security.transport.ssl.keystore.path
        value: /usr/share/elasticsearch/data/elastic-certificates.p12
      - name: xpack.security.transport.ssl.truststore.path
        value: /usr/share/elasticsearch/data/elastic-certificates.p12

Now the problem that I'm facing is that I added the password to the keystore, but when the pods are reloading everything is gone because of the ephemeral storage, and I'm getting a CrashLoopBackOff and an error saying:

    "error.message":"failed to load SSL configuration [xpack.security.transport.ssl] - cannot read configured [PKCS12] keystore (as a truststore) [/usr/share/elasticsearch/data/elastic-certificates.p12] - this is usually caused by an incorrect password; (no password was provided)","error.stack_trace":"org.elasticsearch.ElasticsearchSecurityException: failed to load SSL configuration [xpack.security.transport.ssl] - cannot read configured [PKCS12] keystore (as a truststore) [/usr/share/elasticsearch/data/elastic-certificates.p12] - this is usually caused by an incorrect password; (no password was provided)\n\tat [email protected]/org.elasticsearch.xpack.core.ssl.SSLService.lambda$loadSslConfigurations$11(SSLService.java:605)\n\tat java.base/java.util.HashMap.forEach(HashMap.java:1421)\n\tat java.base/java.util.Collections$UnmodifiableMap.forEach(Collections.java:1553)\n\tat [email protected]/org.elasticsearch.xpack.core.ssl.SSLService.loadSslConfigurations(SSLService.java:601)\n\tat [email protected]/org.elasticsearch.xpack.core.ssl.SSLService.<init>(SSLService.java:156)\n\tat [email protected]/org.elasticsearch.xpack.core.XPackPlugin.createSSLService(XPackPlugin.java:463)\n\tat

I also tried to set the password in the OpenShift Secret, but I got another error saying:

    "Setting [xpack.security.transport.ssl.keystore.secure_password] is a secure setting and must be stored inside the Elasticsearch keystore, but was found inside elasticsearch.yml"

Can someone tell me the best approach for setting this up?


There are 0 answers
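The page carries no answer, so the following is an added example, not code from the question, from Elastic or from Red Hat. It shows one way to deal with both errors above: the second error says that `xpack.security.transport.ssl.keystore.secure_password` is accepted only in the Elasticsearch keystore, and the first error (no password provided after a restart) happens because that keystore lives under `/usr/share/elasticsearch/config`, which is not on the data PVC and so is rebuilt from the image on every pod start. The script therefore rebuilds the keystore from an OpenShift Secret each time the pod starts. The Secret mount path `/run/secrets/es-keystore`, the one-file-per-setting naming, the `--run` flag and the `KEYSTORE_OUT` hand-off are this script's own assumptions; `elasticsearch-keystore create`, `add --stdin --force` and `list` are the real CLI subcommands.

```shell
#!/bin/sh
# Added example, not code from the question, from Elastic or from Red Hat.
# Rebuilds the Elasticsearch keystore from a mounted Secret at every pod start,
# so secure settings such as xpack.security.transport.ssl.keystore.secure_password
# survive a restart even though /usr/share/elasticsearch/config is not on the PVC.
#
# Assumed layout (this script's choice, not from the question):
#   - the Secret is mounted at $SECRETS_DIR with one file per secure setting,
#     named exactly like the setting, e.g.
#     /run/secrets/es-keystore/xpack.security.transport.ssl.keystore.secure_password
#   - $ES_HOME/config is writable by the container's UID
# `elasticsearch-keystore create`, `add --stdin --force` and `list` are the real
# CLI subcommands; the helper names and variables below are this script's own.
set -eu

ES_HOME="${ES_HOME:-/usr/share/elasticsearch}"
SECRETS_DIR="${SECRETS_DIR:-/run/secrets/es-keystore}"
KEYSTORE_BIN="${KEYSTORE_BIN:-$ES_HOME/bin/elasticsearch-keystore}"
KEYSTORE_FILE="${KEYSTORE_FILE:-$ES_HOME/config/elasticsearch.keystore}"

# Only registered secure settings may live in the keystore. Ordinary settings such
# as xpack.security.enabled stay in elasticsearch.yml or the environment; putting a
# secure setting there instead is what triggers the "must be stored inside the
# Elasticsearch keystore, but was found inside elasticsearch.yml" error.
is_secure_setting() {
  case "$1" in
    bootstrap.password) return 0 ;;
    *.ssl.keystore.secure_password|*.ssl.truststore.secure_password) return 0 ;;
    *.ssl.secure_key_passphrase) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the setting names found in the Secret dir, one per line. Fails without
# printing anything when a file is not a secure setting or the dir is empty, so a
# half-correct Secret never results in a half-populated keystore.
secure_setting_names() {
  dir="$1"
  names=""
  for f in "$dir"/*; do
    [ -f "$f" ] || continue   # skips dotfiles and the ..data symlink of a Secret mount
    name=$(basename "$f")
    if ! is_secure_setting "$name"; then
      echo "refusing to add '$name': not a secure setting" >&2
      return 1
    fi
    names="$names $name"
  done
  [ -n "$names" ] || { echo "no secure settings found in $dir" >&2; return 1; }
  printf '%s\n' $names
}

# Create the keystore if missing and add every secure setting. Values are fed on
# stdin so they never appear on a command line (visible in ps and audit logs);
# --force overwrites an existing entry, which keeps the script idempotent.
build_keystore() {
  dir="${1:-$SECRETS_DIR}"
  names=$(secure_setting_names "$dir") || return 1   # validate before writing
  [ -f "$KEYSTORE_FILE" ] || "$KEYSTORE_BIN" create
  for name in $names; do
    "$KEYSTORE_BIN" add --stdin --force "$name" < "$dir/$name"
  done
  # Verify: every setting must now show up in `elasticsearch-keystore list`.
  listing=$("$KEYSTORE_BIN" list) || return 1
  for name in $names; do
    echo "$listing" | grep -qxF "$name" || { echo "keystore is missing $name" >&2; return 1; }
  done
  # Init-container variant (assumed): hand the keystore to the main container through
  # a shared emptyDir. Leave KEYSTORE_OUT unset when this runs inside the ES container.
  if [ -n "${KEYSTORE_OUT:-}" ]; then
    cp "$KEYSTORE_FILE" "$KEYSTORE_OUT/"
  fi
}

# Only act when invoked with --run, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then
  build_keystore "$SECRETS_DIR"
fi
```

Create the Secret with one key per setting, for example `oc create secret generic es-keystore --from-file=xpack.security.transport.ssl.keystore.secure_password=./keystore-pw`, mount it at `/run/secrets/es-keystore`, and run the script with `--run` either from an init container (set `KEYSTORE_OUT` to an emptyDir shared with the Elasticsearch container and mount that file over `config/elasticsearch.keystore` with `subPath`) or inside the Elasticsearch container before its normal entrypoint. Once the pod is up, `elasticsearch-keystore list` should show the `secure_password` entries. Two further points worth checking: the certificates are better mounted from a Secret than copied into `/usr/share/elasticsearch/data`, which is the index data directory, and on a multi-node cluster with `xpack.security.enabled` set to `true` the Elasticsearch bootstrap checks require `xpack.security.transport.ssl.enabled` to be `true` as well, so the `'false'` in the posted environment will have to change for the cluster to form.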