Cannot configure OpenID Connect - can't store key in elastic keystore for persistent usage

I am trying to configure OIDC according to the documentation. According to the instructions, I have to store xpack.security.authc.realms.oidc.oidc1.rp.client_secret in the keystore.

bin/elasticsearch-keystore add xpack.security.authc.realms.oidc.oidc1.rp.client_secret

This works fine, except that when I restart my Elasticsearch, I lose my secret stored in the keystore.

I googled a little bit and found this issue. According to the solution, which was already merged, I should be able to add values to the keystore via the ELASTICSEARCH_KEYS variable. I tested it on Elasticsearch 7.8.1, 7.9.1 and 7.9.2; none of them works properly. The env variable ELASTICSEARCH_KEYS is present with the right values.

Right now, I am running Elasticsearch 7.8.1 in Kubernetes, and the tests I performed locally run in Docker.

How can I set up OIDC right now, what are my options?
Why does the ELASTICSEARCH_KEYS variable not work? From the comments, they fixed it for versions 7.X.

Thank you.

See https://www.elastic.co/guide/en/elasticsearch/reference/master/docker.html#docker-keystore-bind-mount: you can pre-create the Elasticsearch keystore, add the client_secret to it, and then bind mount it to your container.
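
The bind-mount approach from the reply above, as an added example that is not part of the thread: the keystore is created and filled in a throwaway container, then only the keystore file is mounted into the running one. The image tag, the `es-config` directory, the container name `es-oidc` and the secret file path are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed values: ES_IMAGE tag, CONF_DIR,
# the container name es-oidc and the secret file path given by the caller.
ES_IMAGE="${ES_IMAGE:-docker.elastic.co/elasticsearch/elasticsearch:7.9.2}"
CONF_DIR="${CONF_DIR:-$PWD/es-config}"
ES_CONF=/usr/share/elasticsearch/config
SETTING=xpack.security.authc.realms.oidc.oidc1.rp.client_secret

# Run elasticsearch-keystore in a throwaway container against the host dir.
# CONF_DIR must be writable by the container user (uid 1000 in the image).
es_keystore() {
  docker run --rm -i -v "$CONF_DIR:$ES_CONF" "$ES_IMAGE" \
    bin/elasticsearch-keystore "$@"
}

# Create the keystore once; it lands in $CONF_DIR/elasticsearch.keystore.
create_keystore() {
  mkdir -p "$CONF_DIR"
  [ -f "$CONF_DIR/elasticsearch.keystore" ] || es_keystore create
}

# Feed the secret over stdin so it never shows up in argv, shell history
# or the container environment.
add_client_secret() {
  secret_file=$1
  [ -r "$secret_file" ] || { echo "cannot read $secret_file" >&2; return 1; }
  es_keystore add --stdin --force "$SETTING" < "$secret_file"
}

# List setting names (not values) to confirm the entry exists.
list_keystore() { es_keystore list; }

# Start Elasticsearch with only the keystore file bind-mounted, so the secret
# survives restarts and re-creation of the container. Use the same image
# version as above so the keystore needs no format upgrade at startup.
run_elasticsearch() {
  docker run -d --name es-oidc -e discovery.type=single-node \
    -v "$CONF_DIR/elasticsearch.keystore:$ES_CONF/elasticsearch.keystore" \
    "$ES_IMAGE"
}

# Usage:
#   create_keystore && add_client_secret ./client_secret.txt && list_keystore
#   run_elasticsearch
```

The OIDC realm settings themselves still go in elasticsearch.yml; this only covers the secure setting that has to live in the keystore.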

I solved it by using the Helm chart. For Elasticsearch, there is a section, How to use the keystore.

@ikakavas thank you for your reply. I did not try your solution, because I fixed it with the Helm value keystore. But this should work too.
