viveknagar (vivek nagar)
February 5, 2020, 12:38pm
1
Hello,
I want to deploy Elasticsearch with OpenID Connect authentication. I am using Keycloak as my OpenID Connect provider. I have done all my configuration as per the documentation. Below is my elasticsearch.yml file.
```yaml
cluster.name: my-elastic-cluster
network.host: "0.0.0.0"
path.repo: ["/usr/share/elasticsearch/data/"]
xpack.security.enabled: true
xpack.security.authc.token.enabled: true
xpack.security.authc.realms.oidc.oidc1:
  order: 2
  rp.client_id: "kibana"
  rp.response_type: code
  rp.redirect_uri: "http://10.98.245.1:5601/api/security/v1/oidc"
  op.issuer: "http://34.85.46.112:30023/auth/realms/oidc1"
  op.authorization_endpoint: "http://34.85.46.112:30023/auth/realms/oidc1/protocol/openid-connect/auth"
  op.token_endpoint: "http://34.85.46.112:30023/auth/realms/oidc1/protocol/openid-connect/token"
  op.jwkset_path: "/usr/share/elasticsearch/config/jwkt"
  op.userinfo_endpoint: "http://34.85.46.112:30023/auth/realms/oidc1/protocol/openid-connect/userinfo"
  op.endsession_endpoint: "http://34.85.46.112:30023/auth/realms/oidc1/protocol/openid-connect/logout"
  rp.post_logout_redirect_uri: "http://10.98.245.1:5601/"
  claims.principal: sub
  claims.groups: "http://example.info/claims/group"
```
I want to add the xpack.security.authc.realms.oidc.oidc1.rp.client_secret property from the yml file. Is there any way to do so?
ropc (Romain Chanu)
February 5, 2020, 1:57pm
2
@viveknagar - I do not think you can define client_secret in the elasticsearch.yml file. As documented here, this is a secure setting and as such is not defined in the realm configuration in elasticsearch.yml but added to the Elasticsearch keystore. For example:
```sh
bin/elasticsearch-keystore add xpack.security.authc.realms.oidc.oidc1.rp.client_secret
```
              1 Like 
viveknagar (vivek nagar)
February 5, 2020, 2:16pm
3
But I am deploying Elasticsearch through Kubernetes, so I have to deploy it from YAML files. I have no other option for it other than deploying through files.
ropc (Romain Chanu)
February 6, 2020, 1:54am
4
@viveknagar Could you tell us more about how you are planning to deploy Elasticsearch on Kubernetes? Are you using Elastic Cloud on Kubernetes?
viveknagar (vivek nagar)
February 6, 2020, 6:19am
5
Thanks for the quick response!!!
Below is my Elasticsearch deployment file.
Here is my configmap file:
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: es-config-sso
  namespace: kube-system
data:
  elasticsearch.yml: |
    cluster.name: my-elastic-cluster
    network.host: "0.0.0.0"
    path.repo: ["/usr/share/elasticsearch/data/"]
    xpack.security.enabled: true
    xpack.security.authc.token.enabled: true
    xpack.security.authc.realms.oidc.oidc1:
      order: 2
      rp.client_id: "kibana"
      rp.response_type: code
      rp.redirect_uri: "http://10.98.245.1:5601/api/security/v1/oidc"
      op.issuer: "http://34.85.46.112:30023/auth/realms/oidc1"
      op.authorization_endpoint: "http://34.85.46.112:30023/auth/realms/oidc1/protocol/openid-connect/auth"
      op.token_endpoint: "http://34.85.46.112:30023/auth/realms/oidc1/protocol/openid-connect/token"
      op.jwkset_path: "/usr/share/elasticsearch/config/jwkt"
      op.userinfo_endpoint: "http://34.85.46.112:30023/auth/realms/oidc1/protocol/openid-connect/userinfo"
      op.endsession_endpoint: "http://34.85.46.112:30023/auth/realms/oidc1/protocol/openid-connect/logout"
      rp.post_logout_redirect_uri: "http://10.98.245.1:5601/"
      claims.principal: sub
      claims.groups: "http://example.info/claims/group"
```
Here is my deployment file:
```yaml
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: es-cluster-sso
  namespace: kube-system
spec:
  serviceName: elasticsearch-sso
  replicas: 1
  selector:
    matchLabels:
      app: elasticsearch-sso
  template:
    metadata:
      labels:
        app: elasticsearch-sso
    spec:
      containers:
        - name: elasticsearch-sso
          image: elasticsearch:7.2.0
          command: ["sh", "-c", "echo 'y' | echo '26880c22-01a4-44c6-b675-7394fec008bf'| bin/elasticsearch-keystore add xpack.security.authc.realms.oidc.oidc1.rp.client_secret"]
          resources:
            limits:
              cpu: 1000m
            requests:
              cpu: 100m
          ports:
            - containerPort: 9200
              name: rest
              protocol: TCP
            - containerPort: 9300
              name: inter-node
              protocol: TCP
          volumeMounts:
            - name: elasticsearch-config
              mountPath: /usr/share/elasticsearch/config/elasticsearch.yml
              subPath: elasticsearch.yml
          env:
            - name: cluster.name
              value: k8s-logs
            - name: node.name
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: discovery.seed_hosts
              value: "es-cluster-0.elasticsearch"
            - name: cluster.initial_master_nodes
              value: "es-cluster-0"
            - name: ES_JAVA_OPTS
              value: "-Xms512m -Xmx512m"
            - name: ELASTIC_PASSWORD
              value: "vivek"
      volumes:
        - name: elasticsearch-config
          configMap:
            name: es-config-sso
            defaultMode: 0777
      initContainers:
        - name: fix-permissions
          image: busybox
          command: ["sh", "-c", "chown -R 1000:1000 /usr/share/elasticsearch/data"]
          securityContext:
            privileged: true
          volumeMounts:
            - name: data
              mountPath: /usr/share/elasticsearch/data
        - name: increase-vm-max-map
          image: busybox
          command: ["sysctl", "-w", "vm.max_map_count=262144"]
          securityContext:
            privileged: true
        - name: increase-fd-ulimit
          image: busybox
          command: ["sh", "-c", "ulimit -n 65536"]
          securityContext:
            privileged: true
  volumeClaimTemplates:
    - metadata:
        name: data
        labels:
          app: elasticsearch-sso
      spec:
        accessModes: [ "ReadWriteOnce" ]
        storageClassName: do-block-storage
        resources:
          requests:
            storage: 10Gi
```
From this file, I am deploying my Elasticsearch on Kubernetes.
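The keystore answer above and the StatefulSet in this post describe the same need: getting the secure setting into the Elasticsearch keystore on Kubernetes. Here is an added example (not from the thread and not Elastic's own manifests) of one way to do that: the client secret is stored in a Kubernetes Secret rather than in the pod spec, an init container runs the keystore commands and hands the config directory to the main container, and the main container keeps the image's own entrypoint instead of the command override. Assumed names: the Secret es-oidc-client-secret, the volumes keystore-secrets and es-config, and the placeholder secret value; ports, env, resources and the busybox init containers from the thread are omitted.

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: es-oidc-client-secret            # assumed name
  namespace: kube-system
type: Opaque
stringData:
  # key = keystore setting name; value is a placeholder, not a real secret
  xpack.security.authc.realms.oidc.oidc1.rp.client_secret: "REPLACE_WITH_KEYCLOAK_CLIENT_SECRET"
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: es-cluster-sso
  namespace: kube-system
spec:
  # serviceName, selector, ports, env, resources and the busybox init containers as in the thread
  template:
    spec:
      initContainers:
        - name: keystore
          image: elasticsearch:7.2.0
          command: ["sh", "-c"]
          args:
            - |
              set -e
              bin/elasticsearch-keystore create
              # one file per Secret key: file name = setting name, contents = value
              for f in /tmp/keystore-secrets/*; do
                bin/elasticsearch-keystore add --stdin "$(basename "$f")" < "$f"
              done
              # hand the whole config dir (now containing the keystore) to the main container
              cp -a /usr/share/elasticsearch/config/. /tmp/es-config/
          volumeMounts:
            - { name: keystore-secrets, mountPath: /tmp/keystore-secrets, readOnly: true }
            - { name: es-config, mountPath: /tmp/es-config }
      containers:
        - name: elasticsearch-sso
          image: elasticsearch:7.2.0
          # no command override, so the image entrypoint still starts Elasticsearch
          volumeMounts:
            - { name: es-config, mountPath: /usr/share/elasticsearch/config }
            - name: elasticsearch-config              # the ConfigMap from the thread
              mountPath: /usr/share/elasticsearch/config/elasticsearch.yml
              subPath: elasticsearch.yml
      volumes:
        - { name: keystore-secrets, secret: { secretName: es-oidc-client-secret } }
        - { name: es-config, emptyDir: {} }
        - { name: elasticsearch-config, configMap: { name: es-config-sso } }
```

The whole config directory is shared rather than only the keystore file, because the image entrypoint rewrites the keystore in place on startup and a single file mounted with subPath cannot be replaced that way.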
system (system) Closed
March 5, 2020, 6:19am
6
              This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.