Does ECK support cert-manager?

Instead of operator-generated certificates, can we use cert-manager to take care of the certificates? I was following the documentation below:
Custom HTTP certificate | Elastic Cloud on Kubernetes [1.6] | Elastic.

I have tried something like this:

apiVersion: cert-manager.io/v1alpha2
kind: Issuer
metadata:
  name: selfsigned-issuer
spec:
  selfSigned: {}
---
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: <cluster-name>-es-cert
spec:
  commonName: crt-mgr.do-elastic-cert-mgr-1.svc
  isCA: true
  duration: 1h00m5s
  renewBefore: 55m
  dnsNames:
    - <cluster-name>-es-http
  issuerRef:
    kind: Issuer
    name: selfsigned-issuer
  secretName: <cluster-name>-es-http-certs-internal

First, I am creating the issuer and certificate, and then deploying the elastic operator (1.3.0) and elasticsearch (7.9.0) in the same namespace in a GKE cluster. But when I checked the certs, they were operator-generated certificates only. They did not match the cert-manager ones.

Can anyone correct me if I need to make any changes?

Yes you can, we do. Did you set Elastic and Kibana with the below setting to reference the certificate you created?

spec:
  http:
    tls:
      certificate:
        secretName: <cluster-name>-es-http-certs-internal

Thanks for the reply. I tried passing the secret name as you mentioned above, but the pods went into an error state due to an unknown issuer. I was referencing the issuer in the certificate file, but I am not able to see the issuer when describing the certificate. I am also getting the below error in the elasticsearch pods:

"at sun.security.x509.X509CertInfo.parse(X509CertInfo.java:658) ~[?:?]",
"at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:169) ~[?:?]",
"at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1840) ~[?:?]",
"at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:192) ~[?:?]",
"at sun.security.provider.X509Factory.parseX509orPKCS7Cert(X509Factory.java:476) ~[?:?]",
"at sun.security.provider.X509Factory.engineGenerateCertificates(X509Factory.java:361) ~[?:?]",
"at java.security.cert.CertificateFactory.generateCertificates(CertificateFactory.java:478) ~[?:?]",
"at org.elasticsearch.xpack.core.ssl.CertParsingUtils.readCertificates(CertParsingUtils.java:98) ~[?:?]",
"at org.elasticsearch.xpack.core.ssl.CertParsingUtils.readCertificates(CertParsingUtils.java:90) ~[?:?]",
"at org.elasticsearch.xpack.core.ssl.PEMTrustConfig.createTrustManager(PEMTrustConfig.java:51) ~[?:?]",
"at org.elasticsearch.xpack.core.ssl.SSLService.createSslContext(SSLService.java:437) ~[?:?]",
"at java.util.HashMap.computeIfAbsent(HashMap.java:1225) ~[?:?]",
"at org.elasticsearch.xpack.core.ssl.SSLService.lambda$loadSSLConfigurations$5(SSLService.java:526) ~[?:?]",
"at java.util.HashMap.forEach(HashMap.java:1425) ~[?:?]",
"at java.util.Collections$UnmodifiableMap.forEach(Collections.java:1521) ~[?:?]",
"at org.elasticsearch.xpack.core.ssl.SSLService.loadSSLConfigurations(SSLService.java:524) ~[?:?]",
"at org.elasticsearch.xpack.core.ssl.SSLService.<init>(SSLService.java:142) ~[?:?]",
"at org.elasticsearch.xpack.core.XPackPlugin.createSSLService(XPackPlugin.java:411) ~[?:?]",
"at org.elasticsearch.xpack.core.XPackPlugin.createComponents(XPackPlugin.java:274) ~[?:?]",
"at org.elasticsearch.node.Node.lambda$new$14(Node.java:522) ~[elasticsearch-7.9.0.jar:7.9.0]",
"at java.util.stream.ReferencePipeline$7$1.accept(ReferencePipeline.java:271) ~[?:?]",
"at java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1624) ~[?:?]",
"at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:484) ~[?:?]",
"at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:474) ~[?:?]",
"at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:913) ~[?:?]",
"at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) ~[?:?]",
"at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:578) ~[?:?]",
"at org.elasticsearch.node.Node.<init>(Node.java:526) ~[elasticsearch-7.9.0.jar:7.9.0]",
"at org.elasticsearch.node.Node.<init>(Node.java:277) ~[elasticsearch-7.9.0.jar:7.9.0]",
"at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:227) ~[elasticsearch-7.9.0.jar:7.9.0]",
"at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:227) ~[elasticsearch-7.9.0.jar:7.9.0]",
"at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:393) ~[elasticsearch-7.9.0.jar:7.9.0]",
"at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:170) ~[elasticsearch-7.9.0.jar:7.9.0]",
"... 6 more"] }
ElasticsearchSecurityException[failed to load SSL configuration [xpack.security.http.ssl]]; nested: ElasticsearchException[failed to initialize SSL TrustManager]; nested: CertificateParsingException[Empty issuer DN not allowed in X509Certificates];
Likely root cause: java.security.cert.CertificateParsingException: Empty issuer DN not allowed in X509Certificates

I am using the same files that were mentioned above for creating the issuer and certificate.
Is there anything else that I need to do?

I would say it's because your selfsigned Issuer CA doesn't have any properties. We use a cert/key pair that we generate and add as a secret to our Issuer as opposed to the selfSigned one. The error is saying
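To confirm this diagnosis before pointing spec.http.tls.certificate.secretName at a secret, the following Go example (added here, not code from the thread or from the ECK project) builds a constructed self-signed certificate with an empty subject, which produces exactly the empty issuer DN that Elasticsearch's Java trust store rejects above, and checks a PEM certificate for a non-empty issuer DN and for a SAN matching the service name. The names example-es-http and example-ca are placeholders standing in for <cluster-name>-es-http and your CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CheckHTTPCert parses the PEM found under tls.crt in the secret and checks
// the two properties that matter here: a non-empty issuer DN (Java refuses
// "Empty issuer DN") and a SAN for the service name wantDNS.
func CheckHTTPCert(pemBytes []byte, wantDNS string) error {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return fmt.Errorf("tls.crt holds no PEM CERTIFICATE block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	if cert.Issuer.String() == "" {
		return fmt.Errorf("empty issuer DN: Elasticsearch will refuse this certificate")
	}
	return cert.VerifyHostname(wantDNS) // nil only if a SAN matches
}

// selfSignedPEM builds a constructed self-signed certificate; an empty subject yields an empty issuer DN too.
func selfSignedPEM(subject pkix.Name, dns []string) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: subject,
		DNSNames: dns, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	bad := selfSignedPEM(pkix.Name{}, []string{"example-es-http"})
	good := selfSignedPEM(pkix.Name{CommonName: "example-ca"}, []string{"example-es-http"})
	fmt.Println("empty subject:", CheckHTTPCert(bad, "example-es-http"))
	fmt.Println("with subject: ", CheckHTTPCert(good, "example-es-http"))
}
```

Against a live cluster, feed CheckHTTPCert the decoded tls.crt from `kubectl get secret <cluster-name>-es-http-certs-internal -o jsonpath='{.data.tls\.crt}'`.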
