How to add basic user/pass authentication to elastic.yaml

yattaes · December 4, 2020, 2:21pm

Hi,
I am using the yaml file below to deploy ElasticSearch to Azure Kubernetes.

I can reach the Elasticsearch with port forwarding "localhost:9200" without authentication.
How can I add a basic user/pass authentication in this file? I would be appreciated if you provide a code sample

Thanks!

apiVersion: elasticsearch.k8s.elastic.co/v1
kind: Elasticsearch
metadata:
  name: elastic
spec:
  http:
    service:
      metadata:
        annotations:
          service.beta.kubernetes.io/azure-load-balancer-internal: "true"
      spec:
        loadbalancerIP: 10.10.10.10
        type: LoadBalancer
    tls:
      selfSignedCertificate:
        disabled: true
        subjectAltNames:
        - ip: 10.10.10.10
  nodeSets:
  - config:
      node.data: true
      node.ingest: false
      node.master: true
      node.ml: false
      node.store.allow_mmap: false
      xpack.security.authc:
        anonymous:
          authz_exception: true
          roles: superuser
          username: anonymous
    count: 1
    name: masters
    podTemplate:
      metadata: {}
      spec:
        containers:
        - env:
          - name: ES_JAVA_OPTS
            value: -Xms150m -Xmx150m
          name: elasticsearch
          resources:
            limits:
              memory: 3Gi
    volumeClaimTemplates:
    - metadata:
        name: elasticsearch-data
      spec:
        accessModes:
        - ReadWriteOnce
        resources:
          requests:
            storage: 10Gi
        storageClassName: elastic-storageclass
  - config:
      indices.memory.index_buffer_size: 40%
      node.data: true
      node.ingest: true
      node.master: false
      node.ml: true
      node.store.allow_mmap: false
      xpack.security.authc:
        anonymous:
          authz_exception: false
          roles: superuser
          username: anonymous
    count: 1
    name: data
    podTemplate:
      metadata: {}
      spec:
        containers:
        - env:
          - name: ES_JAVA_OPTS
            value: -Xms150m -Xmx150m
          name: elasticsearch
          resources:
            limits:
              memory: 3Gi
    volumeClaimTemplates:
    - metadata:
        name: elasticsearch-data
      spec:
        accessModes:
        - ReadWriteOnce
        resources:
          requests:
            storage: 10Gi
        storageClassName: elastic-storageclass
  version: 7.5.1
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: elastic-storageclass
parameters:
  kind: Managed
  storageaccounttype: Premium_LRS
provisioner: kubernetes.io/azure-disk
reclaimPolicy: Retain
volumeBindingMode: Immediate

thiago · December 6, 2020, 5:53pm

You need to:

Enable security with xpack.security.enabled: true
Configure a security realm
Probably also remove the anonymous configuration (otherwise any unauthenticated request will be accepted as superuser role)

Read configuring security Elasticsearch for more information.

TimV · December 7, 2020, 1:07am

If you are using the Elastic provided K8s operator ("ECK") as it appears you are, then you should have authentication enabled by default.

What response do you get at that endpoint?

system · January 4, 2021, 1:07am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.