Running Elasticsearch as a docker container with --env KEYSTORE_PASSWORD_FILE=/run/secrets/keystore_password
does not set up a password for the elasticsearch keystore. Although I am successful with the Elasticsearch password itself, --env ELASTIC_PASSWORD_FILE=/run/secrets/bootstrap_password \
I cannot get the keystore password protected from the start. Permissions for secrets are 400.
I noticed in the logs it looks ok but does not work:

```
Setting ELASTIC_PASSWORD from ELASTIC_PASSWORD_FILE at /run/secrets/bootstrap_password
Setting KEYSTORE_PASSWORD from KEYSTORE_PASSWORD_FILE at /run/secrets/bootstrap_password
Created elasticsearch keystore in /usr/share/elasticsearch/config/elasticsearch.keystore
```

Tried also the variables without the _FILE suffix and same result - working as elastic bootstrap password but not as keystore. Any idea guys?
I think the docs might have been unclear. The KEYSTORE_PASSWORD or its file variation is used to provide the password to an already encrypted password. It does not create a new keystore with it. The keystore is always created with no password. Quote from the docs:

> If you’ve already created the keystore and don’t need to update it, you can bind-mount the elasticsearch.keystore file directly. You can use the KEYSTORE_PASSWORD environment variable to provide the keystore password to the container at startup.

> You can use the contents of a file to set the value of the ELASTIC_PASSWORD or KEYSTORE_PASSWORD environment variables, by suffixing the environment variable name with _FILE. This is useful for passing secrets such as passwords to Elasticsearch without specifying them directly.
So the only solution is to pre-create the keystore using a custom startup script, and then use KEYSTORE_PASSWORD_FILE for further accessing that keystore. Is it right?
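The approach described in the follow-up, pre-creating a password-protected keystore from the Docker secret before the image's own entrypoint runs, as an added example that is not code from this thread or from the Elastic image. It assumes the keystore CLI lives under /usr/share/elasticsearch/bin, that `elasticsearch-keystore create -p` accepts the new password (entered twice) on stdin when no terminal is attached, that the image entrypoint is /usr/local/bin/docker-entrypoint.sh, and that `stat -c` is available (GNU or busybox).

```shell
#!/bin/sh
# Added example: wrapper entrypoint that pre-creates a password-protected
# keystore from a Docker secret, then hands over to the image's own entrypoint,
# which reads KEYSTORE_PASSWORD_FILE to unlock it. Assumptions (not confirmed by
# the thread): 'elasticsearch-keystore create -p' takes the password twice on
# stdin when no terminal is attached; stat -c is available (GNU/busybox).
set -eu

ES_HOME="${ES_HOME:-/usr/share/elasticsearch}"
KEYSTORE="${KEYSTORE:-$ES_HOME/config/elasticsearch.keystore}"

# Read one secret file the way a *_FILE variable is consumed: the file must
# exist, be readable only by its owner (400 or 600), and hold a non-empty first
# line. Prints the value without its trailing newline.
read_secret_file() {
    f="$1"
    [ -f "$f" ] || { echo "secret file $f is missing" >&2; return 1; }
    mode=$(stat -c '%a' "$f")
    case "$mode" in
        400|600) ;;
        *) echo "secret file $f has mode $mode, expected 400 or 600" >&2; return 1 ;;
    esac
    val=$(head -n 1 "$f")
    [ -n "$val" ] || { echo "secret file $f is empty" >&2; return 1; }
    printf '%s' "$val"
}

# Create the keystore with the given password unless one already exists.
# Returns 0 when created, 2 when a keystore was already present (left untouched).
ensure_keystore() {
    pw="$1"
    [ -f "$KEYSTORE" ] && return 2
    printf '%s\n%s\n' "$pw" "$pw" | "$ES_HOME/bin/elasticsearch-keystore" create -p
    chmod 600 "$KEYSTORE"
}

main() {
    if [ -n "${KEYSTORE_PASSWORD_FILE:-}" ]; then
        pw=$(read_secret_file "$KEYSTORE_PASSWORD_FILE")
        ensure_keystore "$pw" || [ $? -eq 2 ]
    fi
    # The image entrypoint still handles ELASTIC_PASSWORD_FILE / KEYSTORE_PASSWORD_FILE.
    exec /usr/local/bin/docker-entrypoint.sh "$@"
}

# Only start Elasticsearch when run as the container entrypoint under this name.
case "${0##*/}" in keystore-entrypoint.sh) main "$@" ;; esac
```

Install it as /usr/local/bin/keystore-entrypoint.sh and set it as the container's ENTRYPOINT; once the keystore exists, the image's normal KEYSTORE_PASSWORD_FILE handling unlocks it on every later start.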