Set up security on Elasticsearch based on Red Hat image in OpenShift


Currently, I am trying to install Elasticsearch and Kibana in OpenShift. So far, I have been successful without any security, but with the latest version, it is now required to set up security. I have begun this process, but I am encountering an error. I have Elasticsearch based on a Red Hat image with 3 nodes in a StatefulSet, and Kibana in a deployment. Each Elasticsearch node has a PVC mounted in /usr/share/elasticsearch/data. I have generated the elastic-stack-ca.p12 and the elastic-stack-ca.p12, and I have copied them into /usr/share/elasticsearch/data where my volume is mounted.

In the environment variables, I have set them up like this:

    env:
      - name: ingest.geoip.downloader.enabled
        value: 'false'
      - name: xpack.security.enabled
        value: 'true'
      - name: elasticsearch-xpack
        value: disabled
      - name: cluster.name
        value: Trafic-Cluster-Uat-Openshift
      - name: discovery.seed_hosts
        value: >-
          elasticsearch-0.elasticsearch-discovery,elasticsearch-1.elasticsearch-discovery
      - name: cluster.initial_master_nodes
        value: 'elasticsearch-0,elasticsearch-1'
      - name: xpack.monitoring.collection.enabled
        value: 'true'
      - name: xpack.security.transport.ssl.enabled
        value: 'false'
      - name: xpack.security.enrollment.enabled
        value: 'true'
      - name: xpack.security.transport.ssl.verification_mode
        value: certificate
      - name: xpack.security.transport.ssl.client_authentication
        value: required
      - name: xpack.security.transport.ssl.keystore.path
        value: /usr/share/elasticsearch/data/elastic-certificates.p12
      - name: xpack.security.transport.ssl.truststore.path
        value: /usr/share/elasticsearch/data/elastic-certificates.p12

Now the problem I'm facing is that I added the password to the keystore, but when the pods reload everything is gone because it is ephemeral, and I'm getting a CrashLoopBackOff and an error saying:

"error.message":"failed to load SSL configuration [xpack.security.transport.ssl] - cannot read configured [PKCS12] keystore (as a truststore) [/usr/share/elasticsearch/data/elastic-certificates.p12] - this is usually caused by an incorrect password; (no password was provided)","error.stack_trace":"org.elasticsearch.ElasticsearchSecurityException: failed to load SSL configuration [xpack.security.transport.ssl] - cannot read configured [PKCS12] keystore (as a truststore) [/usr/share/elasticsearch/data/elastic-certificates.p12] - this is usually caused by an incorrect password; (no password was provided)\n\tat org.elasticsearch.xcore@8.4.3/org.elasticsearch.xpack.core.ssl.SSLService.lambda$loadSslConfigurations$11(SSLService.java:605)\n\tat java.base/java.util.HashMap.forEach(HashMap.java:1421)\n\tat java.base/java.util.Collections$UnmodifiableMap.forEach(Collections.java:1553)\n\tat org.elasticsearch.xcore@8.4.3/org.elasticsearch.xpack.core.ssl.SSLService.loadSslConfigurations(SSLService.java:601)\n\tat org.elasticsearch.xcore@8.4.3/org.elasticsearch.xpack.core.ssl.SSLService.<init>(SSLService.java:156)\n\tat org.elasticsearch.xcore@8.4.3/org.elasticsearch.xpack.core.XPackPlugin.createSSLService(XPackPlugin.java:463)\n\tat `

I also tried to set the password in an OpenShift secret, but I got another error saying:

"Setting [xpack.security.transport.ssl.keystore.secure_password] is a secure setting 

What's the solution?