Hi all, I'm trying to configure a TLS connection for Elasticsearch using the Helm package. Here is the current configuration:

protocol: https
secretMounts:
  - name: certall
    secretName: certall
    path: /usr/share/elasticsearch/config/certs
    defaultMode: 0755
masterService: "elasticsearch-master"
esConfig:
  elasticsearch.yml: |
    xpack.security.enabled: true
    xpack.security.transport.ssl.enabled: true
    xpack.security.transport.ssl.verification_mode: certificate
    xpack.security.transport.ssl.key: /usr/share/elasticsearch/config/certs/certall.key
    xpack.security.transport.ssl.certificate: /usr/share/elasticsearch/config/certs/certall.crt
extraEnvs:
  - name: ELASTIC_PASSWORD
    valueFrom:
      secretKeyRef:
        name: elastic-credentials
        key: password
  - name: ELASTIC_USERNAME
    valueFrom:
      secretKeyRef:
        name: elastic-credentials
        key: username
I create the Kubernetes secret using this command:

kubectl create secret generic certall --from-file=cert.pem

The Let's Encrypt certificate folder has two files that I need, fullchain.pem and privkey.pem, so basically what I've done is copy the content of both files into the file named cert.pem, as you can see, and then mount it as a secret in the pod.
The problem that I keep running into is:
ElasticsearchSecurityException[failed to load SSL configuration [xpack.security.transport.ssl]]; nested: ElasticsearchException[failed to create trust manager]; nested: ElasticsearchException[failed to initialize a TrustManagerFactory]; nested: ElasticsearchException[failed to initialize SSL KeyManager - certificate file [/usr/share/elasticsearch/config/certs/certall.crt] does not exist]; nested: NoSuchFileException[/usr/share/elasticsearch/config/certs/certall.crt];
Likely root cause: java.nio.file.NoSuchFileException: /usr/share/elasticsearch/config/certs/cert-chain.crt at java.base/sun.nio.fs.UnixException.translateToIOException(UnixException.java:92) at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:106) at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:111) at java.base/sun.nio.fs.UnixFileSystemProvider.newByteChannel(UnixFileSystemProvider.java:218) at java.base/java.nio.file.Files.newByteChannel(Files.java:375) at java.base/java.nio.file.Files.newByteChannel(Files.java:426) at java.base/java.nio.file.spi.FileSystemProvider.newInputStream(FileSystemProvider.java:420) at java.base/java.nio.file.Files.newInputStream(Files.java:160) at org.elasticsearch.xpack.core.ssl.CertParsingUtils.readCertificates(CertParsingUtils.java:97) at org.elasticsearch.xpack.core.ssl.PEMKeyConfig.getCertificateChain(PEMKeyConfig.java:80) at org.elasticsearch.xpack.core.ssl.PEMKeyConfig.createTrustManager(PEMKeyConfig.java:128) at org.elasticsearch.xpack.core.ssl.TrustConfig$CombiningTrustConfig.lambda$createTrustManager$0(TrustConfig.java:168) at java.base/java.util.stream.ReferencePipeline$7$1.accept(ReferencePipeline.java:271) at java.base/java.util.Spliterators$ArraySpliterator.forEachRemaining(Spliterators.java:948) at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:484) at
I'm not sure if there is anything wrong with it; it's obvious that I mounted it into the pod with the correct path, but it says the cert file didn't exist. I also created two secrets corresponding to the two files fullchain.pem and privkey.pem and changed the paths, but no luck; it can't find the files.
Any help would be appreciated. Thanks a lot!