Inconsistency in Security setup notes for Kubernetes (TLS), autogenerated keys missing?

Hi All,

Elastic 7.17.3 via Helm Chart

I have trouble with the following:
This Helm chart can generate a Kubernetes Secret or use an existing one to set up Elastic credentials.

This chart is setting TLS and creating a certificate by default, but you can also provide your own certs as a K8S secret. An example of configuration for providing existing certificates can be found in examples/security.

The chart has this setting:
createCert: true

Good and fine, but the example provided has createCert: false and mounts its own certs via secrets.

I just want to use the autogenerated certs, but any xpack.security configuration needs to set the path to the certs explicitly. With createCert: true, I don't see any certs being created, or I have no clue where they are.

My example config:

```yaml
ingress:
  annotations: {}
  enabled: true
  hosts:
    - host: elastic.apps.local.com
      paths:
        - path: /
  tls: null
maxUnavailable: 1
minimumMasterNodes: 1
replicas: 1
clusterHealthCheckParams: 'wait_for_status=yellow&timeout=2s'
createCert: true
protocol: https

# Allows you to add any config files in /usr/share/elasticsearch/config/
# such as elasticsearch.yml and log4j2.properties
esConfig:
  elasticsearch.yml: |
    #CVE-2014-3120
    script.allowed_types: inline
    xpack.monitoring.collection.enabled: true
    xpack.security.enabled: true
    xpack.security.transport.ssl.enabled: true
    xpack.security.transport.ssl.keystore.path: ?????
    xpack.security.transport.ssl.truststore.path: ????

resources:
  limits:
    cpu: 1000m
    memory: 2Gi
volumeClaimTemplate:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 3Gi
  storageClassName: longhorn
```

I have just realized this is a new feature for version 8.x, which is not live yet. For 7.17 you have to supply your own cert store and certs. :frowning:
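
For the 7.17 case described in the last reply (own certificates, `createCert: false`), a values fragment in the spirit of the chart's examples/security could look like the following. It is an added example, not the poster's configuration or the chart's own file; the Secret names `elastic-certificates` and `elastic-credentials`, the file name `elastic-certificates.p12`, the mount path and the empty PKCS#12 password are assumptions.

```yaml
# Added example with assumed names, for Elasticsearch 7.17 via the Helm chart.
# Assumes a PKCS#12 bundle with an empty password was created beforehand
# (for instance with elasticsearch-certutil) and stored as a Secret:
#   kubectl create secret generic elastic-certificates \
#     --from-file=elastic-certificates.p12
createCert: false   # certs come from the Secret below, not from the chart
protocol: https     # the readiness probe talks HTTPS to the node

# Mount the Secret under the config directory so elasticsearch.yml can reference it.
secretMounts:
  - name: elastic-certificates
    secretName: elastic-certificates   # assumed Secret name
    path: /usr/share/elasticsearch/config/certs

# With security enabled the readiness probe must authenticate.
extraEnvs:
  - name: ELASTIC_USERNAME
    valueFrom:
      secretKeyRef:
        name: elastic-credentials      # assumed Secret with username/password keys
        key: username
  - name: ELASTIC_PASSWORD
    valueFrom:
      secretKeyRef:
        name: elastic-credentials
        key: password

esConfig:
  elasticsearch.yml: |
    xpack.security.enabled: true
    # Node-to-node (transport) TLS
    xpack.security.transport.ssl.enabled: true
    xpack.security.transport.ssl.verification_mode: certificate
    xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
    xpack.security.transport.ssl.truststore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
    # Client-facing (HTTP) TLS, needed because protocol is https
    xpack.security.http.ssl.enabled: true
    xpack.security.http.ssl.keystore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
    xpack.security.http.ssl.truststore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
```

If the PKCS#12 bundle is password-protected, the password belongs in the Elasticsearch keystore rather than in `elasticsearch.yml`.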
