KEYSTORE_PASSWORD_FILE

Running Elasticsearch as a Docker container with
--env KEYSTORE_PASSWORD_FILE=/run/secrets/keystore_password

does not set up a password for the Elasticsearch keystore, although I am successful with the Elasticsearch password itself:
--env ELASTIC_PASSWORD_FILE=/run/secrets/bootstrap_password \

I cannot get the keystore password-protected from the start. Permissions for the secrets are 400.
I noticed that in the logs it looks OK, but it does not work:

Setting ELASTIC_PASSWORD from ELASTIC_PASSWORD_FILE at /run/secrets/bootstrap_password
Setting KEYSTORE_PASSWORD from KEYSTORE_PASSWORD_FILE at /run/secrets/bootstrap_password
Created elasticsearch keystore in /usr/share/elasticsearch/config/elasticsearch.keystore

I also tried the variables without the _FILE suffix, with the same result: it works as the elastic bootstrap password but not as the keystore password. Any ideas, guys?

I think the docs might have been unclear. The KEYSTORE_PASSWORD or its file variation is used to provide password to an already encrypted password. It does not create a new keystore with it. The keystore is always created with no password. Quote from the docs:

If you’ve already created the keystore and don’t need to update it, you can bind-mount the elasticsearch.keystore file directly. You can use the KEYSTORE_PASSWORD environment variable to provide the keystore password to the container at startup

Indeed, the documentation is confusing:

You can use the contents of a file to set the value of the ELASTIC_PASSWORD or KEYSTORE_PASSWORD environment variables, by suffixing the environment variable name with _FILE. This is useful for passing secrets such as passwords to Elasticsearch without specifying them directly.

So the only solution is to precreate the keystore using a custom startup script and then use KEYSTORE_PASSWORD_FILE for further accessing that keystore. Is that right?

Tried the workaround with a precreated keystore, but it does not work. I think this is a bug. Created an entry for it.