Hello,
I have Elasticsearch, based on a Red Hat image, with 3 nodes in a StatefulSet, and Kibana in a Deployment. Each Elasticsearch node has a PVC mounted at /usr/share/elasticsearch/data. I have generated elastic-certificates.p12 and elastic-stack-ca.p12 and copied them into /usr/share/elasticsearch/data, where my volume is mounted.
But when I add the password to the keystore, it is lost when the pod restarts, and I get this error:
"Setting [xpack.security.transport.ssl.keystore.secure_password] is a secure setting and must be stored inside the Elasticsearch keystore, but was found inside elasticsearch.yml"
Then the pod goes into CrashLoopBackOff.
This is my StatefulSet:
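# Elasticsearch StatefulSet as exported from the cluster (`kubectl get -o yaml` style).
# Server-managed output fields of that export (uid, resourceVersion, generation,
# creationTimestamp and the volumeClaimTemplate's status) are dropped: the API
# server owns them and they do not belong in a manifest that is applied.
kind: StatefulSet
apiVersion: apps/v1
metadata:
  name: elasticsearch
  namespace:  # blank in the paste; set the target namespace before applying
spec:
  replicas: 1  # the description mentions 3 nodes; discovery.seed_hosts below lists two
  selector:
    matchLabels:
      app: elasticsearch
  # Headless service behind the pod DNS names used in discovery.seed_hosts
  # (elasticsearch-N.elasticsearch-discovery).
  serviceName: elasticsearch-discovery
  podManagementPolicy: OrderedReady
  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      partition: 0
  revisionHistoryLimit: 10
  template:
    metadata:
      labels:
        app: elasticsearch
    spec:
      # NOTE(review): this PVC is not referenced by any volumeMount below (the data
      # directory is mounted from the volumeClaimTemplate "elasticsearch-storage"),
      # yet the pod cannot be scheduled unless a PVC named elastic-storage exists.
      # Either mount it or remove it.
      volumes:
        - name: elastic-storage
          persistentVolumeClaim:
            claimName: elastic-storage
      containers:
        - name: elasticsearch
          # Unpinned tag combined with imagePullPolicy Always: every restart may pull
          # a different build, so behaviour (and bootstrap checks) can change under
          # you. Pin to a version tag or a digest (<IMAGE>@sha256:<DIGEST>).
          image: >-
            openshift...com/elastic/elasticsearch:latest
          imagePullPolicy: Always
          resources:
            limits:
              cpu: '3'
              memory: 3Gi
            requests:
              cpu: 500m
              memory: 1Gi
          ports:
            - name: rest
              containerPort: 9200
              protocol: TCP
            - name: inter-node
              containerPort: 9300
              protocol: TCP
          # postStart copies the PKCS#12 files from the persisted data volume into
          # config/, which is not on a volume and is therefore recreated on every
          # restart. Two caveats:
          #   - Kubernetes does not guarantee the hook runs before the entrypoint,
          #     so Elasticsearch may read its configuration before the files exist.
          #   - Keep this a literal block (`|`): a folded (`>`) scalar joins both
          #     `cp` invocations into one command line.
          # Mounting the certificates from a Secret avoids both, and the CA bundle
          # (which usually carries the CA private key) is not needed on the nodes
          # at runtime at all.
          lifecycle:
            postStart:
              exec:
                command:
                  - /bin/sh
                  - '-c'
                  - |
                    cp /usr/share/elasticsearch/data/elastic-certificates.p12 /usr/share/elasticsearch/config/
                    cp /usr/share/elasticsearch/data/elastic-stack-ca.p12 /usr/share/elasticsearch/config/
          # Elasticsearch settings passed as environment variables; the image
          # evidently turns setting-shaped variables into elasticsearch.yml entries
          # (this is also how a secure_password ends up in elasticsearch.yml, see
          # envFrom below). Values stay quoted strings: env values must be strings.
          env:
            - name: ingest.geoip.downloader.enabled
              value: 'false'
            - name: xpack.security.enabled
              value: 'true'
            # NOTE(review): not shaped like an Elasticsearch setting name; confirm
            # the image actually reads it, otherwise it is a no-op.
            - name: elasticsearch-xpack
              value: disabled
            - name: cluster.name
              value: Trafic-Cluster-Uat-Openshift
            - name: discovery.seed_hosts
              value: >-
                elasticsearch-0.elasticsearch-discovery,elasticsearch-1.elasticsearch-discovery
            - name: cluster.initial_master_nodes
              value: 'elasticsearch-0,elasticsearch-1'
            - name: xpack.monitoring.collection.enabled
              value: 'true'
            # Transport TLS is OFF here while the keystore/truststore and client
            # authentication settings below are configured: node-to-node traffic is
            # unencrypted and those settings are inert. Recent Elasticsearch
            # releases refuse to start a multi-node cluster with security enabled
            # and transport TLS disabled — check the bootstrap checks of the version
            # behind the `latest` tag.
            - name: xpack.security.transport.ssl.enabled
              value: 'false'
            - name: xpack.security.enrollment.enabled
              value: 'true'
            - name: xpack.security.transport.ssl.verification_mode
              value: certificate
            - name: xpack.security.transport.ssl.client_authentication
              value: required
            # The same PKCS#12 file serves as keystore and truststore, so it has to
            # contain the node certificate, its key and the CA certificate.
            - name: xpack.security.transport.ssl.keystore.path
              value: /usr/share/elasticsearch/config/elastic-certificates.p12
            - name: xpack.security.transport.ssl.truststore.path
              value: /usr/share/elasticsearch/config/elastic-certificates.p12
          # Every key of these Secrets becomes an environment variable. If one of
          # them is xpack.security.transport.ssl.keystore.secure_password (or the
          # truststore equivalent), it is written into elasticsearch.yml, and
          # `*.secure_password` settings are only accepted from the Elasticsearch
          # keystore — that is the startup error this manifest produces. The
          # keystore file lives next to elasticsearch.yml in config/, which is not
          # persisted, so a password added at runtime is lost on restart; it has to
          # be (re)built before startup, e.g. by an initContainer that runs
          # elasticsearch-keystore against a persisted or pod-shared volume.
          envFrom:
            - secretRef:
                name: truststore-password
            - secretRef:
                name: keystore-password
          volumeMounts:
            - name: elasticsearch-storage
              mountPath: /usr/share/elasticsearch/data
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
      restartPolicy: Always
      terminationGracePeriodSeconds: 30
      dnsPolicy: ClusterFirst
      # Empty pod security context: the container runs with the image defaults.
      # runAsNonRoot and fsGroup are the usual hardening here.
      securityContext: {}
      schedulerName: default-scheduler
  volumeClaimTemplates:
    - kind: PersistentVolumeClaim
      apiVersion: v1
      metadata:
        name: elasticsearch-storage
      spec:
        accessModes:
          - ReadWriteOnce
        resources:
          requests:
            storage: 10Gi
        volumeMode: Filesystem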