Does ECK supports cert manger

knagasri · June 10, 2021, 12:00pm

Instead of operator generator certificates, Can we use cert manager to take care of certificates. I was following the below documentation
Custom HTTP certificate | Elastic Cloud on Kubernetes [1.6] | Elastic.

I have tried some thing like this

apiVersion: cert-manager.io/v1alpha2
kind: Issuer
metadata:
  name: selfsigned-issuer
spec:
  selfSigned: {}
---
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: <cluster-name>-es-cert
spec:
  commonName: crt-mgr.do-elastic-cert-mgr-1.svc
  isCA: true
  duration: 1h00m5s
  renewBefore: 55m
  dnsNames:
    - <cluster-name>-es-http
  
  issuerRef:
    kind: Issuer
    name: selfsigned-issuer
  secretName: <cluster-name>-es-http-certs-internal

First, I am creating issuer and certificate and then deploying elastic operator(1.3.0) and elasticsearch (7.9.0) in the same namespace in a GKE Cluster. But when I checked the certs, they were operator generated certificates only. It was not matching with cert-manager .

Can anyone correct me if I need to do any changes

legoguy1000 · June 11, 2021, 11:05am

Yes u can, we do. Did u sweet elastic and kibana with the below setting to reference the certificate you created?

spec:
  http:
    tls:
      certificate:
        secretName: <cluster-name>-es-http-certs-internal

knagasri · June 11, 2021, 4:12pm

Thanks for the reply. I tried by passing the secret name as you mentioned above. But pods went to error state due to unknown issuer. I was refering issuer in the certificate file. But I am not able to see the issuer when describing the certificate. I am also getting the below error in elasticsearch pods

"at sun.security.x509.X509CertInfo.parse(X509CertInfo.java:658) ~[?:?]",
"at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:169) ~[?:?]",
"at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1840) ~[?:?]",
"at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:192) ~[?:?]",
"at sun.security.provider.X509Factory.parseX509orPKCS7Cert(X509Factory.java:476) ~[?:?]",
"at sun.security.provider.X509Factory.engineGenerateCertificates(X509Factory.java:361) ~[?:?]",
"at java.security.cert.CertificateFactory.generateCertificates(CertificateFactory.java:478) ~[?:?]",
"at org.elasticsearch.xpack.core.ssl.CertParsingUtils.readCertificates(CertParsingUtils.java:98) ~[?:?]",
"at org.elasticsearch.xpack.core.ssl.CertParsingUtils.readCertificates(CertParsingUtils.java:90) ~[?:?]",
"at org.elasticsearch.xpack.core.ssl.PEMTrustConfig.createTrustManager(PEMTrustConfig.java:51) ~[?:?]",
"at org.elasticsearch.xpack.core.ssl.SSLService.createSslContext(SSLService.java:437) ~[?:?]",
"at java.util.HashMap.computeIfAbsent(HashMap.java:1225) ~[?:?]",
"at org.elasticsearch.xpack.core.ssl.SSLService.lambda$loadSSLConfigurations$5(SSLService.java:526) ~[?:?]",
"at java.util.HashMap.forEach(HashMap.java:1425) ~[?:?]",
"at java.util.Collections$UnmodifiableMap.forEach(Collections.java:1521) ~[?:?]",
"at org.elasticsearch.xpack.core.ssl.SSLService.loadSSLConfigurations(SSLService.java:524) ~[?:?]",
"at org.elasticsearch.xpack.core.ssl.SSLService.<init>(SSLService.java:142) ~[?:?]",
"at org.elasticsearch.xpack.core.XPackPlugin.createSSLService(XPackPlugin.java:411) ~[?:?]",
"at org.elasticsearch.xpack.core.XPackPlugin.createComponents(XPackPlugin.java:274) ~[?:?]",
"at org.elasticsearch.node.Node.lambda$new$14(Node.java:522) ~[elasticsearch-7.9.0.jar:7.9.0]",
"at java.util.stream.ReferencePipeline$7$1.accept(ReferencePipeline.java:271) ~[?:?]",
"at java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1624) ~[?:?]",
"at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:484) ~[?:?]",
"at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:474) ~[?:?]",
"at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:913) ~[?:?]",
"at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) ~[?:?]",
"at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:578) ~[?:?]",
"at org.elasticsearch.node.Node.<init>(Node.java:526) ~[elasticsearch-7.9.0.jar:7.9.0]",
"at org.elasticsearch.node.Node.<init>(Node.java:277) ~[elasticsearch-7.9.0.jar:7.9.0]",
"at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:227) ~[elasticsearch-7.9.0.jar:7.9.0]",
"at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:227) ~[elasticsearch-7.9.0.jar:7.9.0]",
"at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:393) ~[elasticsearch-7.9.0.jar:7.9.0]",
"at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:170) ~[elasticsearch-7.9.0.jar:7.9.0]",
"... 6 more"] }
ElasticsearchSecurityException[failed to load SSL configuration [xpack.security.http.ssl]]; nested: ElasticsearchException[failed to initialize SSL TrustManager]; nested: CertificateParsingException[Empty issuer DN not allowed in X509Certificates];
Likely root cause: java.security.cert.CertificateParsingException: Empty issuer DN not allowed in X509Certificates

Using the same files that were mentioned above for creating issuer and certificate.
Is there anything else that I need to do.

legoguy1000 · June 11, 2021, 4:35pm

I would say its because your selfsigned Issuer CA doesn't have any properties. We use a cert/key pair that we generate and ad as a secret to our Issuer as opposed to the selfSigned one. The error is saying

system · July 9, 2021, 4:36pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.