Unable to set xpack.security.authc.realms.oidc.oidc1.rp.client_secret property through yml file

Hello,
I want to deploy Elasticsearch with OpenID Connect authentication. I am using Keycloak as my OpenID Connect provider. I have done all my configuration as per the documentation. Below is my elasticsearch.yml file.

cluster.name: my-elastic-cluster
network.host: "0.0.0.0"
path.repo: ["/usr/share/elasticsearch/data/"]
xpack.security.enabled: true
xpack.security.authc.token.enabled: true
xpack.security.authc.realms.oidc.oidc1:
  order: 2
  rp.client_id: "kibana"
  rp.response_type: code
  rp.redirect_uri: "http://10.98.245.1:5601/api/security/v1/oidc"
  op.issuer: "http://34.85.46.112:30023/auth/realms/oidc1"
  op.authorization_endpoint: "http://34.85.46.112:30023/auth/realms/oidc1/protocol/openid-connect/auth"
  op.token_endpoint: "http://34.85.46.112:30023/auth/realms/oidc1/protocol/openid-connect/token"
  op.jwkset_path: "/usr/share/elasticsearch/config/jwkt"
  op.userinfo_endpoint: "http://34.85.46.112:30023/auth/realms/oidc1/protocol/openid-connect/userinfo"
  op.endsession_endpoint: "http://34.85.46.112:30023/auth/realms/oidc1/protocol/openid-connect/logout"
  rp.post_logout_redirect_uri: "http://10.98.245.1:5601/"
  claims.principal: sub
  claims.groups: "http://example.info/claims/group"

I want to add the xpack.security.authc.realms.oidc.oidc1.rp.client_secret property from the yml file. Is there any way to do so?

@viveknagar - I do not think you can define client_secret in elasticsearch.yml file. As documented here, this is a secure setting and as such is not defined in the realm configuration in elasticsearch.yml but added to the elasticsearch keystore. For example:

bin/elasticsearch-keystore add xpack.security.authc.realms.oidc.oidc1.rp.client_secret

But I am deploying Elasticsearch through Kubernetes, so I have to deploy it from YAML files. I have no other option than deploying through files.

@viveknagar Could you tell us more how you are planning to deploy Elasticsearch on Kubernetes? Are you using Elastic Cloud on Kubernetes?

Thanks for the quick response!

Below are my Elasticsearch deployment files.
Here is my ConfigMap file:

apiVersion: v1
kind: ConfigMap
metadata:
  name: es-config-sso
  namespace: kube-system
data:
  elasticsearch.yml: |
    cluster.name: my-elastic-cluster
    network.host: "0.0.0.0"
    path.repo: ["/usr/share/elasticsearch/data/"]
    xpack.security.enabled: true
    xpack.security.authc.token.enabled: true
    xpack.security.authc.realms.oidc.oidc1:
      order: 2
      rp.client_id: "kibana"
      rp.response_type: code
      rp.redirect_uri: "http://10.98.245.1:5601/api/security/v1/oidc"
      op.issuer: "http://34.85.46.112:30023/auth/realms/oidc1"
      op.authorization_endpoint: "http://34.85.46.112:30023/auth/realms/oidc1/protocol/openid-connect/auth"
      op.token_endpoint: "http://34.85.46.112:30023/auth/realms/oidc1/protocol/openid-connect/token"
      op.jwkset_path: "/usr/share/elasticsearch/config/jwkt"
      op.userinfo_endpoint: "http://34.85.46.112:30023/auth/realms/oidc1/protocol/openid-connect/userinfo"
      op.endsession_endpoint: "http://34.85.46.112:30023/auth/realms/oidc1/protocol/openid-connect/logout"
      rp.post_logout_redirect_uri: "http://10.98.245.1:5601/"
      claims.principal: sub
      claims.groups: "http://example.info/claims/group"


Here is my deployment file:

apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: es-cluster-sso
  namespace: kube-system
spec:
  serviceName: elasticsearch-sso
  replicas: 1
  selector:
    matchLabels:
      app: elasticsearch-sso
  template:
    metadata:
      labels:
        app: elasticsearch-sso
    spec:
      containers:
        - name: elasticsearch-sso
          image: elasticsearch:7.2.0
          command: ["sh", "-c", "echo 'y' | echo '26880c22-01a4-44c6-b675-7394fec008bf'| bin/elasticsearch-keystore add xpack.security.authc.realms.oidc.oidc1.rp.client_secret"]
          resources:
            limits:
              cpu: 1000m
            requests:
              cpu: 100m
          ports:
            - containerPort: 9200
              name: rest
              protocol: TCP
            - containerPort: 9300
              name: inter-node
              protocol: TCP
          volumeMounts:
            - name: elasticsearch-config
              mountPath: /usr/share/elasticsearch/config/elasticsearch.yml
              subPath: elasticsearch.yml
          env:
            - name: cluster.name
              value: k8s-logs
            - name: node.name
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: discovery.seed_hosts
              value: "es-cluster-0.elasticsearch"
            - name: cluster.initial_master_nodes
              value: "es-cluster-0"
            - name: ES_JAVA_OPTS
              value: "-Xms512m -Xmx512m"
            - name: ELASTIC_PASSWORD
              value: "vivek"
      volumes:
        - name: elasticsearch-config
          configMap:
            name: es-config-sso
            defaultMode: 0777
      initContainers:
        - name: fix-permissions
          image: busybox
          command: ["sh", "-c", "chown -R 1000:1000 /usr/share/elasticsearch/data"]
          securityContext:
            privileged: true
          volumeMounts:
            - name: data
              mountPath: /usr/share/elasticsearch/data
        - name: increase-vm-max-map
          image: busybox
          command: ["sysctl", "-w", "vm.max_map_count=262144"]
          securityContext:
            privileged: true
        - name: increase-fd-ulimit
          image: busybox
          command: ["sh", "-c", "ulimit -n 65536"]
          securityContext:
            privileged: true
  volumeClaimTemplates:
    - metadata:
        name: data
        labels:
          app: elasticsearch-sso
      spec:
        accessModes: [ "ReadWriteOnce" ]
        storageClassName: do-block-storage
        resources:
          requests:
            storage: 10Gi

From these files, I am deploying my Elasticsearch on Kubernetes.
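The keystore step can be done entirely from manifests, without putting the client secret in the pod spec. The following is an added example, not code from the thread or from Elastic. It assumes a Kubernetes Secret named oidc-client-secret mounted at /run/secrets/oidc (both names are made up here), and it relies on the official 7.x image's /usr/local/bin/docker-entrypoint.sh accepting the eswrapper argument. Compared with the posted StatefulSet it changes two things: the container command builds the keystore from the mounted Secret file with elasticsearch-keystore add -x (read from stdin) instead of echoing the literal secret into the command line, and it then execs the image entrypoint so Elasticsearch actually starts (the posted command runs only the keystore tool and exits). Fields not shown (resources, ports, env, initContainers, volumeClaimTemplates) are unchanged from the posted file. The secret value is a placeholder; the real value that appears in the thread above is now public and should be regenerated in Keycloak.

```yaml
# Added example (not from the thread). Assumed names: Secret oidc-client-secret,
# mount path /run/secrets/oidc. Entrypoint behaviour is that of the official 7.x image.
apiVersion: v1
kind: Secret
metadata:
  name: oidc-client-secret
  namespace: kube-system
type: Opaque
stringData:
  # Placeholder. Prefer creating this Secret with
  #   kubectl -n kube-system create secret generic oidc-client-secret \
  #     --from-literal=client_secret='<keycloak client secret>'
  # so the value never lands in a committed manifest.
  client_secret: "REPLACE-WITH-KEYCLOAK-CLIENT-SECRET"
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: es-cluster-sso
  namespace: kube-system
spec:
  serviceName: elasticsearch-sso
  replicas: 1
  selector:
    matchLabels:
      app: elasticsearch-sso
  template:
    metadata:
      labels:
        app: elasticsearch-sso
    spec:
      # The image runs as uid 1000; fsGroup lets that user read the Secret files.
      securityContext:
        fsGroup: 1000
      containers:
        - name: elasticsearch-sso
          image: elasticsearch:7.2.0
          # Create the keystore in the container's own writable config directory
          # (not as a single-file mount: the tool rewrites the file in place),
          # load the secure setting from the mounted Secret via stdin, then hand
          # over to the normal image entrypoint.
          command:
            - sh
            - -c
            - |
              set -eu
              cd /usr/share/elasticsearch
              if [ ! -f config/elasticsearch.keystore ]; then
                bin/elasticsearch-keystore create
              fi
              # -x reads the value from stdin, -f overwrites without prompting
              bin/elasticsearch-keystore add -x -f \
                xpack.security.authc.realms.oidc.oidc1.rp.client_secret \
                < /run/secrets/oidc/client_secret
              # Lists setting names only, never values; useful in the pod log
              bin/elasticsearch-keystore list
              exec /usr/local/bin/docker-entrypoint.sh eswrapper
          volumeMounts:
            - name: elasticsearch-config
              mountPath: /usr/share/elasticsearch/config/elasticsearch.yml
              subPath: elasticsearch.yml
            - name: oidc-client-secret
              mountPath: /run/secrets/oidc
              readOnly: true
          # resources, ports, env: unchanged from the posted StatefulSet
      volumes:
        - name: elasticsearch-config
          configMap:
            name: es-config-sso
            # read-only is enough for a config file; 0777 is not needed
            defaultMode: 0444
        - name: oidc-client-secret
          secret:
            secretName: oidc-client-secret
            defaultMode: 0440
      # initContainers: unchanged from the posted StatefulSet
  # volumeClaimTemplates: unchanged from the posted StatefulSet
```

Two things to check after the pod comes up: kubectl logs should show rp.client_secret (and bootstrap.password, added by the entrypoint when ELASTIC_PASSWORD is set) in the keystore listing, and the setting name must match the realm id exactly (oidc1 here), otherwise Elasticsearch reports an unknown secure setting at startup. The same secretKeyRef or mounted-file pattern is the right place for the ELASTIC_PASSWORD value that is currently a literal in the env section.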
