Permanent password for elasticsearch on kubernetes

Hi,
Problem: I created secret.yml and I want Kibana and Elastic to use it, but Elasticsearch cannot apply the password from secret.yml, and I have to set the password with elasticsearch-setup-password interactive. So each time the pod is recreated I lose the password and have to set it manually. How can I set up the password permanently?

More info:
When the pods are created, I run the command below in the Elasticsearch console, and it displays the variables that were set in secret.yml:

sh-5.0# echo $ELASTIC_PASSWORD
123456

But when I curl elastic:9200 from the Kibana console, it gives the error message "Kibana server is not ready yet".

So I have to use elasticsearch-setup-password interactive to set the password manually, and after that everything works well until the pod is recreated.

secret.yml

apiVersion: v1
kind: Secret
metadata:
  name: db-secret
type: Opaque
stringData:
  # Plain-text values go under stringData; data accepts only base64-encoded strings.
  username: kibana_system
  password: "123456"

kibana.yml

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: kibana
  name: kibana
spec:
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: kibana
  replicas: 1
  template:
    metadata:
      labels:
        app: kibana
    spec:
      containers:
      - image: docker.elastic.co/kibana/kibana:7.16.3
        env:
        - name: "server.publicBaseUrl"
          value: http://mon.bzg-srv.ir/
        - name: "setup.dashboards.enabled"
          value: "true"
        - name: ELASTICSEARCH_HOSTS
          value: "http://elastic-0.elastic:9200"
        - name: ELASTICSEARCH_USERNAME
          valueFrom:
            secretKeyRef:
              key: username
              name: db-secret
        - name: ELASTICSEARCH_PASSWORD
          valueFrom:
            secretKeyRef:
              key: password
              name: db-secret
        imagePullPolicy: IfNotPresent
        name: kibana
        ports:
        - containerPort: 5601
          name: http
        resources:
          limits:
            cpu: '1'
            ephemeral-storage: 2G
            memory: 2G
          requests:
            cpu: '1'
            ephemeral-storage: 2G
            memory: 2G
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
      dnsPolicy: ClusterFirst
      restartPolicy: Always

Elasticsearch.yml

apiVersion: apps/v1
kind: StatefulSet
metadata:
  labels:
    app: elastic
  name: elastic
spec:
  selector:
    matchLabels:
      app: elastic
  serviceName: "elastic"
  replicas: 1
  template:
    metadata:
      labels:
        app: elastic
    spec:
      terminationGracePeriodSeconds: 10
      containers:
      - name: elastic
        env:
        - name: "pod_name"
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: "node.name"
          value: "$(pod_name).elastic"
        - name: "cluster.name"
          value: "arvan-cluster"
        - name: ES_JAVA_OPTS
          value: "-Xms2048m -Xmx2048m"
        - name: "node.data"
          value: "true"
        - name: "cluster.initial_master_nodes"
          value: "elastic-0.elastic"
        - name: "discovery.seed_hosts"
          value: "elastic-0.elastic"
        - name: "node.master"
          value: "true"
        - name: "discovery.zen.minimum_master_nodes"
          value: "1"
        - name: "xpack.security.enabled"
          value: "true"
        - name: "xpack.monitoring.collection.enabled"
          value: "true"
        - name: ELASTIC_PASSWORD
          valueFrom:
            secretKeyRef:
              key: password
              name: db-secret
       # - name: APM_SYSTEM_PASSWORD
       #   valueFrom:
       #     secretKeyRef:
       #       key: password
       #       name: db-secret
       # - name: KIBANA_PASSWORD
       #    valueFrom:
       #     secretKeyRef:
       #       key: password
       #       name: db-secret
        - name: KIBANA_SYSTEM_PASSWORD
          valueFrom:
            secretKeyRef:
              key: password
              name: db-secret
       # - name: LOGSTASH_SYSTEM_PASSWORD
       #   valueFrom:
       #     secretKeyRef:
       #       key: password
       #       name: db-secret
       # - name: BEATS_SYSTEM_PASSWORD
       #   valueFrom:
       #     secretKeyRef:
       #       key: password
       #       name: db-secret
       # - name: REMOTE_MONITORING_USER_PASSWORD
       #   valueFrom:
       #     secretKeyRef:
       #       key: password
       #       name: db-secret
        image: docker.elastic.co/elasticsearch/elasticsearch:7.16.3
        ports:
        - containerPort: 9200
          name: db
        - containerPort: 9300
          name: transport
        resources:
          limits:
            cpu: '2'
            ephemeral-storage: 4G
            memory: 4G
          requests:
            cpu: '2'
            ephemeral-storage: 4G
            memory: 4G
        volumeMounts:
        - name: elastic-data
          mountPath: /data
        - name: elastic-config
          mountPath: /config
  volumeClaimTemplates:
  - metadata:
      name: elastic-data
    spec:
      accessModes: [ "ReadWriteOnce" ]
      storageClassName: "standard"
      resources:
        requests:
          storage: 10Gi
  - metadata:
      name: elastic-config
    spec:
      accessModes: [ "ReadWriteOnce" ]
      storageClassName: "standard"
      resources:
        requests:
          storage: 1Gi

Have you considered using our Kubernetes operator to deploy Elasticsearch and Kibana instead?

It sets up a password for you automatically.


When I executed the command on this link, I got the following error

Unfortunately, my service provider said it would not allow RBAC and CRD capabilities.
Is there no other solution?

No idea?

You could take a look at the Elasticsearch Helm chart, which does not require CRDs or an operator but has fewer capabilities when it comes to orchestrating Elasticsearch clusters: helm-charts/elasticsearch at main · elastic/helm-charts · GitHub
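
For the plain-manifest setup in the original question (no operator, no CRDs), the kibana_system password can be applied through Elasticsearch's change-password API instead of an interactive tool. The script below is an added example, not part of any post in this thread; ES_URL, RETRY_DELAY, APPLY and the function names are assumptions, and it assumes the elastic user still authenticates with the ELASTIC_PASSWORD bootstrap password and that /dev/fd is available (Linux).

```shell
#!/bin/sh
# Added example (not from the thread): apply the kibana_system password
# from the Secret through the Elasticsearch security API, non-interactively.
# Assumed environment: ES_URL (e.g. http://elastic-0.elastic:9200),
# ELASTIC_PASSWORD and KIBANA_SYSTEM_PASSWORD injected from db-secret.

# Escape backslashes and double quotes; valid for both a JSON string and a
# quoted curl config value (control characters in passwords are not handled).
dq_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Body for POST /_security/user/kibana_system/_password.
password_body() {
  printf '{"password":"%s"}' "$(dq_escape "$1")"
}

# Send the request and print only the HTTP status code. The body goes via
# stdin and the credentials via fd 3, so neither appears in the process list.
set_kibana_system_password() {
  password_body "$KIBANA_SYSTEM_PASSWORD" |
    curl -sS -o /dev/null -w '%{http_code}' -K /dev/fd/3 \
      -H 'Content-Type: application/json' --data @- \
      "$ES_URL/_security/user/kibana_system/_password" 3<<EOF
user = "elastic:$(dq_escape "$ELASTIC_PASSWORD")"
EOF
}

# Retry until Elasticsearch answers 200; fail after $1 attempts.
apply_with_retry() {
  tries=$1
  while [ "$tries" -gt 0 ]; do
    code=$(set_kibana_system_password) || code=000
    [ "$code" = 200 ] && return 0
    tries=$((tries - 1))
    sleep "${RETRY_DELAY:-5}"
  done
  return 1
}

# Entry point when run as a script, e.g. from a Job: APPLY=1 sh set-pw.sh
if [ "${APPLY:-0}" = 1 ]; then
  apply_with_retry 60
fi
```

A password set this way is stored in the `.security` index under the node's data path, which in the official image defaults to /usr/share/elasticsearch/data, so it survives pod recreation only when that path is on the persistent volume.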
