Set metricbeat password from file in kubernetes, is it possible?

TomH · March 4, 2025, 10:07am

Setting elastic password via environment variable is not particularly secure so we want to
set it via file. The file is provided by kubernetes CSI driver.

The suggestion for metricbeat on kubernetes that I found so far is to change from the env variant:

output.elasticsearch:
username: ${ELASTICSEARCH_USERNAME}
password: ${ELASTICSEARCH_PASSWORD}

To this

output.elasticsearch:
username: ${ELASTICSEARCH_USERNAME}
password: ${file:/mnt/secrets-volume/elkPassword}

There is a file in /mnt/secrets-volume/ called elkPassword that
contains the password. This file is mounted dynamically at pod-creation by the CSI driver.

Any ideas why this does not work?

Is the syntax incorrect or is it just impossible to read
a password from a file?

RainTown · March 4, 2025, 1:17pm

You might be interested in this section of the docs:

I don't personally recognize the password: ${file:/path/to-/a/file/with/the/password} syntax? Did you get this syntax from some sort of documentaiton?

TomH · March 5, 2025, 7:31am

Yeah, using the keystore was my workaround. At the startup of the pod
I run some commands that create the keystore and adds the password as ES_PWD
which is then picked up by metricbeat. A bit clunky but it sort of works.

It looks like this if anyone is interested:

Set up output.elasticsearch as normal:

output.elasticsearch:
username: ${ELASTICSEARCH_USERNAME}
password: ${ES_PWD}

and then I added to my Daemonset in the containers section:

containers: [
{
    lifecycle: {
    postStart: {
        exec: {
            command: ["/bin/sh", "-c", "metricbeat keystore create; cat /mnt/secrets-volume/elkPassword | metricbeat keystore add ES_PWD --stdin --force"]
        }
    }
},                    
name: "metricbeat",
...

Note that this requires the file to be mounted at the /mnt/... path using
volumes and volumeMount and actually injecting the file at runtime (using a CSI driver for example).

Regarding the ${file:/mnt/... syntax, I cannot find it again, done some extensive searching, very possible it was dreamed up by an attempt to
get some info from an AI

Thanks for looking at this!

Topic		Replies	Views
Filebeat for Kubernetes Beats filebeat	5	1666	October 10, 2018
Metricbeat encrypt passwords in configuration file Elasticsearch beats-module	3	861	June 8, 2020
Problems to deploy Metricbeat in Kubernetes Beats metricbeat	9	922	December 14, 2018
What all credentials should be configured in metricbeat, and how, while working with secure elasticsearch having https and built in user roles? Beats elastic-stack-security , metricbeat	1	267	December 17, 2020
Automating Metricbeats Installation Beats	3	512	August 1, 2019

Set metricbeat password from file in kubernetes, is it possible?

Related topics