Hello,
I'm trying to implement basic security for my Elasticsearch in OpenShift using a StatefulSet. The problem I have encountered is that when I deploy my StatefulSet and try to test my Elasticsearch, it gives me the following error: "unable to authenticate user [elastic] for REST request [/]". Even though it's set up in my environment, I need to enter the pod to either set up or reset the password. Additionally, if I restart the pods, all the passwords are lost.
I'm using this Red Hat image:
https://catalog.redhat.com/software/containers/elastic/elasticsearch/5fac2d6dac3db90370a224c7
Please help me with my statefulset. I have been stuck for a week.
```yaml
kind: StatefulSet
apiVersion: apps/v1
metadata:
  name: elasticsearch
  namespace: newelk-uat-nat
spec:
  replicas: 0
  selector:
    matchLabels:
      app: elasticsearch
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: elasticsearch
    spec:
      volumes:
        - name: elasticsearch-certs-p12
          secret:
            secretName: elasticsearch-certs-p12
            defaultMode: 420
        - name: elasticsearch-user-password
          secret:
            secretName: elasticsearch-user-password
            defaultMode: 420
      containers:
        - resources:
            limits:
              cpu: '1'
              memory: 3Gi
            requests:
              cpu: 500m
              memory: 1Gi
          terminationMessagePath: /dev/termination-log
          name: elasticsearch
          env:
            - name: ingest.geoip.downloader.enabled
              value: 'false'
            - name: xpack.security.enabled
              value: 'true'
            - name: elasticsearch-xpack
              value: disabled
            - name: cluster.name
              value: Trafic-Cluster-Uat-Openshift
            - name: discovery.seed_hosts
              value: >-
                elasticsearch-0.elasticsearch-discovery,elasticsearch-1.elasticsearch-discovery
            - name: cluster.initial_master_nodes
              value: 'elasticsearch-0,elasticsearch-1'
            - name: xpack.monitoring.collection.enabled
              value: 'true'
            - name: xpack.security.transport.ssl.enabled
              value: 'true'
            - name: xpack.security.transport.ssl.verification_mode
              value: certificate
            - name: xpack.security.transport.ssl.client_authentication
              value: required
            - name: xpack.security.transport.ssl.keystore.path
              value: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
            - name: xpack.security.transport.ssl.truststore.path
              value: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
            - name: ELASTICSEARCH_USERNAME
              value: elastic
            - name: ELASTICSEARCH_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: elasticsearch-user-password
                  key: elasticsearch-user-password
          ports:
            - name: rest
              containerPort: 9200
              protocol: TCP
            - name: inter-node
              containerPort: 9300
              protocol: TCP
          imagePullPolicy: Always
          volumeMounts:
            - name: elasticsearch-certs-p12
              mountPath: /usr/share/elasticsearch/config/certs
          terminationMessagePolicy: File
          image: >-
            openshift/elastic/elasticsearch:7.17.19
      restartPolicy: Always
      terminationGracePeriodSeconds: 30
      dnsPolicy: ClusterFirst
      securityContext: {}
      schedulerName: default-scheduler
  volumeClaimTemplates:
    - kind: PersistentVolumeClaim
      apiVersion: v1
      metadata:
        name: elasticsearch-storage
        creationTimestamp: null
      spec:
        accessModes:
          - ReadWriteOnce
        resources:
          requests:
            storage: 10Gi
        volumeMode: Filesystem
      status:
        phase: Pending
  serviceName: elasticsearch-discovery
  podManagementPolicy: OrderedReady
  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      partition: 0
  revisionHistoryLimit: 10
status:
  observedGeneration: 496
  replicas: 0
  currentRevision: elasticsearch-74d9765c98
  updateRevision: elasticsearch-74d9765c98
  collisionCount: 0
  availableReplicas: 0
```
Also, when I run `oc exec -it elasticsearch-0 -- env | grep elasticsearch`, I see my password:
elasticsearch-password=mypassowrd
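
The posted manifest declares the `elasticsearch-storage` claim without mounting it and passes the password as `ELASTICSEARCH_PASSWORD`; the audit below is an added example, not part of the original post, that flags both gaps in a manifest given as a dict. Assumptions: the official image's entrypoint seeds the `elastic` bootstrap password from `ELASTIC_PASSWORD` (or `ELASTIC_PASSWORD_FILE`), the image's data directory is `/usr/share/elasticsearch/data`, and `audit`, `patched` and the finding names are hypothetical.

```python
import copy

# Assumptions (not stated in the post): the official image's entrypoint seeds the
# `elastic` bootstrap password from one of BOOTSTRAP_VARS, and DATA_PATH is the
# image's default data directory (where the security index lives).
BOOTSTRAP_VARS = {"ELASTIC_PASSWORD", "ELASTIC_PASSWORD_FILE"}
DATA_PATH = "/usr/share/elasticsearch/data"

def audit(sts):
    """Return sorted finding strings for a StatefulSet given as a dict."""
    pod = sts["spec"]["template"]["spec"]
    claims = [t["metadata"]["name"] for t in sts["spec"].get("volumeClaimTemplates", [])]
    env, mounts = set(), {}
    for c in pod["containers"]:
        env |= {e["name"] for e in c.get("env", [])}
        mounts.update({m["name"]: m["mountPath"] for m in c.get("volumeMounts", [])})
    findings = []
    if not env & BOOTSTRAP_VARS:  # password env var present but under a name nothing reads
        findings.append("no-bootstrap-password-variable")
    if not any(mounts.get(n) == DATA_PATH for n in claims):  # data dir is ephemeral
        findings.append("data-path-not-persistent")
    declared = [v["name"] for v in pod.get("volumes", [])] + claims
    findings += [f"declared-but-not-mounted:{n}" for n in declared if n not in mounts]
    return sorted(findings)

# Constructed sample: the posted manifest reduced to the fields the audit reads.
POSTED = {"spec": {
    "volumeClaimTemplates": [{"metadata": {"name": "elasticsearch-storage"}}],
    "template": {"spec": {
        "volumes": [{"name": "elasticsearch-certs-p12"},
                    {"name": "elasticsearch-user-password"}],
        "containers": [{
            "env": [{"name": "xpack.security.enabled"},
                    {"name": "ELASTICSEARCH_PASSWORD"}],
            "volumeMounts": [{"name": "elasticsearch-certs-p12",
                              "mountPath": "/usr/share/elasticsearch/config/certs"}],
        }]}}}}

def patched(sts):
    """Copy of the manifest with both gaps closed (one possible fix)."""
    fixed = copy.deepcopy(sts)
    pod = fixed["spec"]["template"]["spec"]
    pod["volumes"] = [v for v in pod["volumes"] if v["name"] != "elasticsearch-user-password"]
    c = pod["containers"][0]
    c["env"].append({"name": "ELASTIC_PASSWORD"})  # valueFrom: the same secretKeyRef
    c["volumeMounts"].append({"name": "elasticsearch-storage", "mountPath": DATA_PATH})
    return fixed

if __name__ == "__main__":
    print(audit(POSTED), audit(patched(POSTED)))
```

With the data path on the persistent claim, a password set or reset inside the pod survives a restart; the bootstrap password only applies while the `elastic` user has no stored password.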