viveknagar
(vivek nagar)
February 5, 2020, 12:38pm
1
Hello,
I want to deploy Elasticsearch with OpenID Connect authentication. I am using Keycloak as my OpenID Connect provider. I have done all my configuration as per the documentation. Below is my elasticsearch.yml file.
cluster.name: my-elastic-cluster
network.host: "0.0.0.0"
path.repo: ["/usr/share/elasticsearch/data/"]
xpack.security.enabled: true
xpack.security.authc.token.enabled: true
xpack.security.authc.realms.oidc.oidc1:
  order: 2
  rp.client_id: "kibana"
  rp.response_type: code
  rp.redirect_uri: "http://10.98.245.1:5601/api/security/v1/oidc"
  op.issuer: "http://34.85.46.112:30023/auth/realms/oidc1"
  op.authorization_endpoint: "http://34.85.46.112:30023/auth/realms/oidc1/protocol/openid-connect/auth"
  op.token_endpoint: "http://34.85.46.112:30023/auth/realms/oidc1/protocol/openid-connect/token"
  op.jwkset_path: "/usr/share/elasticsearch/config/jwkt"
  op.userinfo_endpoint: "http://34.85.46.112:30023/auth/realms/oidc1/protocol/openid-connect/userinfo"
  op.endsession_endpoint: "http://34.85.46.112:30023/auth/realms/oidc1/protocol/openid-connect/logout"
  rp.post_logout_redirect_uri: "http://10.98.245.1:5601/"
  claims.principal: sub
  claims.groups: "http://example.info/claims/group"
I want to add the xpack.security.authc.realms.oidc.oidc1.rp.client_secret property from the yml file. Is there any way to do so?
ropc
(Romain Chanu)
February 5, 2020, 1:57pm
2
@viveknagar - I do not think you can define client_secret in the elasticsearch.yml file. As documented here, this is a secure setting and as such is not defined in the realm configuration in elasticsearch.yml but added to the elasticsearch keystore. For example:
bin/elasticsearch-keystore add xpack.security.authc.realms.oidc.oidc1.rp.client_secret
viveknagar
(vivek nagar)
February 5, 2020, 2:16pm
3
But I am deploying Elasticsearch through Kubernetes, so I have to deploy it from yaml files. I have no other option for it other than deploying through files.
ropc
(Romain Chanu)
February 6, 2020, 1:54am
4
@viveknagar Could you tell us more about how you are planning to deploy Elasticsearch on Kubernetes? Are you using Elastic Cloud on Kubernetes?
viveknagar
(vivek nagar)
February 6, 2020, 6:19am
5
Thanks for the quick response!!!
Below are my Elasticsearch deployment files.
Here is my ConfigMap file:
apiVersion: v1
kind: ConfigMap
metadata:
  name: es-config-sso
  namespace: kube-system
data:
  elasticsearch.yml: |
    cluster.name: my-elastic-cluster
    network.host: "0.0.0.0"
    path.repo: ["/usr/share/elasticsearch/data/"]
    xpack.security.enabled: true
    xpack.security.authc.token.enabled: true
    xpack.security.authc.realms.oidc.oidc1:
      order: 2
      rp.client_id: "kibana"
      rp.response_type: code
      rp.redirect_uri: "http://10.98.245.1:5601/api/security/v1/oidc"
      op.issuer: "http://34.85.46.112:30023/auth/realms/oidc1"
      op.authorization_endpoint: "http://34.85.46.112:30023/auth/realms/oidc1/protocol/openid-connect/auth"
      op.token_endpoint: "http://34.85.46.112:30023/auth/realms/oidc1/protocol/openid-connect/token"
      op.jwkset_path: "/usr/share/elasticsearch/config/jwkt"
      op.userinfo_endpoint: "http://34.85.46.112:30023/auth/realms/oidc1/protocol/openid-connect/userinfo"
      op.endsession_endpoint: "http://34.85.46.112:30023/auth/realms/oidc1/protocol/openid-connect/logout"
      rp.post_logout_redirect_uri: "http://10.98.245.1:5601/"
      claims.principal: sub
      claims.groups: "http://example.info/claims/group"
Here is my deployment file:
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: es-cluster-sso
  namespace: kube-system
spec:
  serviceName: elasticsearch-sso
  replicas: 1
  selector:
    matchLabels:
      app: elasticsearch-sso
  template:
    metadata:
      labels:
        app: elasticsearch-sso
    spec:
      containers:
      - name: elasticsearch-sso
        image: elasticsearch:7.2.0
        # Create the keystore if needed, add the secure setting from stdin, then hand
        # over to the image's normal entrypoint. The original one-liner replaced the
        # entrypoint entirely, so the container exited as soon as the keystore command
        # finished and Elasticsearch never started; its leading "echo 'y' |" was also
        # discarded by the second echo and never reached the keystore prompt.
        command: ["sh", "-c"]
        args:
        - |
          set -e
          cd /usr/share/elasticsearch
          [ -f config/elasticsearch.keystore ] || bin/elasticsearch-keystore create
          echo '26880c22-01a4-44c6-b675-7394fec008bf' | bin/elasticsearch-keystore add --stdin --force xpack.security.authc.realms.oidc.oidc1.rp.client_secret
          exec /usr/local/bin/docker-entrypoint.sh eswrapper
        resources:
          limits:
            cpu: 1000m
          requests:
            cpu: 100m
        ports:
        - containerPort: 9200
          name: rest
          protocol: TCP
        - containerPort: 9300
          name: inter-node
          protocol: TCP
        volumeMounts:
        - name: elasticsearch-config
          mountPath: /usr/share/elasticsearch/config/elasticsearch.yml
          subPath: elasticsearch.yml
        # The "data" PVC was claimed (and chown'ed by the init container) but never
        # mounted into this container, so indices would have gone to ephemeral storage.
        - name: data
          mountPath: /usr/share/elasticsearch/data
        env:
        - name: cluster.name
          value: k8s-logs
        - name: node.name
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        # Pod names follow the StatefulSet name (es-cluster-sso-0) and the headless
        # service name (elasticsearch-sso). The original values (es-cluster-0 and
        # es-cluster-0.elasticsearch) matched neither, so the node could not bootstrap.
        - name: discovery.seed_hosts
          value: "es-cluster-sso-0.elasticsearch-sso"
        - name: cluster.initial_master_nodes
          value: "es-cluster-sso-0"
        - name: ES_JAVA_OPTS
          value: "-Xms512m -Xmx512m"
        - name: ELASTIC_PASSWORD
          value: "vivek"
      volumes:
      - name: elasticsearch-config
        configMap:
          name: es-config-sso
          defaultMode: 0777
      initContainers:
      - name: fix-permissions
        image: busybox
        command: ["sh", "-c", "chown -R 1000:1000 /usr/share/elasticsearch/data"]
        securityContext:
          privileged: true
        volumeMounts:
        - name: data
          mountPath: /usr/share/elasticsearch/data
      - name: increase-vm-max-map
        image: busybox
        command: ["sysctl", "-w", "vm.max_map_count=262144"]
        securityContext:
          privileged: true
      - name: increase-fd-ulimit
        image: busybox
        command: ["sh", "-c", "ulimit -n 65536"]
        securityContext:
          privileged: true
  # volumeClaimTemplates is a list; the original was missing the "- " item marker.
  volumeClaimTemplates:
  - metadata:
      name: data
      labels:
        app: elasticsearch-sso
    spec:
      accessModes: [ "ReadWriteOnce" ]
      storageClassName: do-block-storage
      resources:
        requests:
          storage: 10Gi
From this file, I am deploying my Elasticsearch on Kubernetes.
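One way to keep the client secret out of the manifest entirely, added here as an example and not part of the thread: a Kubernetes Secret feeds an environment variable, and the container command loads it into the keystore with `--stdin` before exec'ing the image's entrypoint. The Secret name, key and variable name are assumptions; `elasticsearch-keystore create`, `add --stdin --force` and the `/usr/local/bin/docker-entrypoint.sh eswrapper` entrypoint are those of the official 7.x image.

```yaml
# Added example, not from the thread: hold the Keycloak client secret in a
# Kubernetes Secret and load it into the Elasticsearch keystore at start-up.
apiVersion: v1
kind: Secret
metadata:
  name: es-oidc-client-secret          # assumed name
  namespace: kube-system
type: Opaque
stringData:
  client_secret: "REPLACE_WITH_KEYCLOAK_CLIENT_SECRET"   # placeholder, not a real value
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: es-cluster-sso
  namespace: kube-system
spec:
  # serviceName, selector, volumes and volumeClaimTemplates as in the original manifest
  template:
    spec:
      containers:
      - name: elasticsearch-sso
        image: elasticsearch:7.2.0
        env:
        - name: OIDC_CLIENT_SECRET       # assumed variable name, read only by the shell below
          valueFrom:
            secretKeyRef:
              name: es-oidc-client-secret
              key: client_secret
        command: ["sh", "-c"]
        args:
        - |
          set -e
          cd /usr/share/elasticsearch
          # Create the keystore only if the image/config dir does not already have one.
          [ -f config/elasticsearch.keystore ] || bin/elasticsearch-keystore create
          # Feed the value on stdin, never as an argument (arguments are visible in `ps`
          # and in the pod spec); --force overwrites a stale value on restart.
          printf '%s\n' "$OIDC_CLIENT_SECRET" | \
            bin/elasticsearch-keystore add --stdin --force \
              xpack.security.authc.realms.oidc.oidc1.rp.client_secret
          # Drop the plaintext from the environment before Elasticsearch starts.
          unset OIDC_CLIENT_SECRET
          # Hand over to the image's normal entrypoint so Elasticsearch actually runs.
          exec /usr/local/bin/docker-entrypoint.sh eswrapper
```

Because the keystore is rebuilt on every container start, the same manifest also works for a rolling secret rotation: update the Secret and restart the pod.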
system
(system)
Closed
March 5, 2020, 6:19am
6
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.