Hi there!
I've been trying out and experimenting with the ECK Quickstart project and the Node.js SDK for a while and it's been really nice so far. However, I've only done so with certificate verification turned off, and it seems I'm running into some issues when turning it on.
The relevant code in my Node service looks something like this (I’ve changed the name “quickstart” to “elastic”):
const fs = require('fs')
const { Client } = require('@elastic/elasticsearch')

const client = new Client({
  // In-cluster service address; the server certificate has to carry this DNS name
  node: 'https://elastic-es-http.default.svc.cluster.local:9200',
  maxRetries: 5,
  requestTimeout: 60000,
  // Discover the cluster's other nodes on startup and connect to them as well
  sniffOnStart: true,
  auth: {
    username: 'elastic',
    password: process.env.ELASTIC_PASSWORD,
  },
  ssl: {
    // CA of the ECK-generated HTTP certificate, mounted from the certs secret
    ca: fs.readFileSync('/etc/ssl/elastic/ca.crt'),
    rejectUnauthorized: true,
  },
})
My service deployment is configured with the relevant parts as follows:
spec:
  template:
    spec:
      containers:
      - name: servicename
        env:
        - name: ELASTIC_PASSWORD
          valueFrom:
            secretKeyRef:
              name: elastic-es-elastic-user
              key: elastic
        volumeMounts:
        - name: elastic-certs
          mountPath: /etc/ssl/elastic/ca.crt
          readOnly: true
          subPath: ca.crt
      volumes:
      - name: elastic-certs
        secret:
          secretName: elastic-es-http-certs-public
I’ve also configured the Elastic cluster to add the address I’m trying to use as a SAN:
spec:
  version: 7.7.0
  http:
    tls:
      selfSignedCertificate:
        subjectAltNames:
        - dns: elastic-es-http.default.svc.cluster.local
I’m executing the service with NODE_EXTRA_CA_CERTS=/etc/ssl/elastic/ca.crt node ./run.js
For the life of me I can’t get this working though, since the IP of the Elastic cluster is not in the certificate’s alt names:
ConnectionError: Hostname/IP does not match certificate's altnames: IP: 10.12.1.2 is not in the cert's list:
Of course, it does work if I add the IP to the SANs of the certificate, but this feels error-prone since this IP is bound to change if I were using another environment.
It feels like I’m probably just missing something simple here, but I'd greatly appreciate getting any pointers on what it is I'm missing.