Using PKI based auth for a cluster created with elastic cloud on k8S

Hey folks!

I'd like to ask whether using PKI for Elastic Cloud on k8s is possible. I want to authenticate without a password, using the key and cert file instead.

ECK version 1.2

yaml:

apiVersion: elasticsearch.k8s.elastic.co/v1
kind: Elasticsearch
metadata:
  name: elasticsearch-sample
spec:
  http:
    tls:
      certificate:
        secretName: quickstart-es-cert
  version: 7.9.3
  nodeSets:
  - name: default
    count: 1
    config:
      xpack.security.http.ssl.enabled: true
      xpack.security.http.ssl.client_authentication: optional
      xpack.security.authc:
        realms:
          pki:
            pki1:
              order: 1
      node.master: true
      node.data: true
      node.ingest: true
      node.store.allow_mmap: false

curl -k -v 'https://localhost:9200/_xpack/security/_authenticate?pretty' \
  --key /usr/share/elasticsearch/config/http-certs/tls.key \
  --cert /usr/share/elasticsearch/config/http-certs/tls.crt \
  --cacert /usr/share/elasticsearch/config/http-certs/ca.crt

returns 401
{
  "error" : {
    "root_cause" : [
      {
        "type" : "security_exception",
        "reason" : "missing authentication credentials for REST request [/_xpack/security/_authenticate?pretty]",
        "header" : {
          "WWW-Authenticate" : [
            "Basic realm=\"security\" charset=\"UTF-8\"",
            "Bearer realm=\"security\"",
            "ApiKey"
          ]
        }
      }
    ],
    "type" : "security_exception",
    "reason" : "missing authentication credentials for REST request [/_xpack/security/_authenticate?pretty]",
    "header" : {
      "WWW-Authenticate" : [
        "Basic realm=\"security\" charset=\"UTF-8\"",
        "Bearer realm=\"security\"",
        "ApiKey"
      ]
    }
  },
  "status" : 401
}

Hey @boranx,

I tried a similar setup and it works fine. The PKI realm requires a GOLD+ license. Is that the case for your cluster?

I'm having the same error you get, but things work fine as soon as I apply a trial license to my ECK setup.

Hey @sebgl,

Thanks for the quick answer! Yep that was exactly the case. After I applied the trial license as you mentioned, it worked as expected.

Wish you a good week,
cheers

Elasticsearch issue to make that behaviour more easily discoverable: https://github.com/elastic/elasticsearch/issues/45728.
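
The diagnosis reached in this thread, written as an added example (not part of the original posts and not ECK or Elasticsearch code): given the nodeSet config, the parsed body of `GET /_license` and the HTTP status, it separates a license problem from a certificate problem. The license ordering, the result strings and the sample license documents are assumptions of this example; the Gold threshold is the one stated above.

```python
# Added example: separates a license problem from a certificate problem.
LEVELS = ["basic", "standard", "gold", "platinum", "enterprise"]  # low to high (assumed)
PKI_MIN = "gold"  # threshold as stated in the thread ("GOLD+")

def flatten(d, prefix=""):
    """Collapse nested settings into dotted keys."""
    out = {}
    for k, v in d.items():
        if isinstance(v, dict):
            out.update(flatten(v, f"{prefix}{k}."))
        else:
            out[f"{prefix}{k}"] = v
    return out

def pki_realms(es_config):
    """Names of the PKI realms declared in a nodeSet config."""
    p = "xpack.security.authc.realms.pki."
    return sorted({k[len(p):].split(".")[0] for k in flatten(es_config) if k.startswith(p)})

def license_allows_pki(license_doc):
    """license_doc: parsed body of GET /_license."""
    lic = license_doc.get("license", {})
    if lic.get("status") != "active":
        return False
    if lic.get("type") == "trial":  # a trial enables the paid features
        return True
    return lic.get("type") in LEVELS and LEVELS.index(lic["type"]) >= LEVELS.index(PKI_MIN)

def diagnose(es_config, license_doc, http_status):
    """Name the first likely cause of a 401 on a certificate-only request."""
    if http_status != 401:
        return "not-an-auth-failure"
    if not pki_realms(es_config):
        return "no-pki-realm-configured"
    flat = flatten(es_config)
    if flat.get("xpack.security.http.ssl.client_authentication", "none") == "none":
        return "client-cert-never-requested"
    if not license_allows_pki(license_doc):
        return "license-below-gold"
    return "check-client-cert-trust"

# nodeSet config from the manifest in the question (mixed flat and nested keys)
CONFIG = {
    "xpack.security.http.ssl.enabled": True,
    "xpack.security.http.ssl.client_authentication": "optional",
    "xpack.security.authc": {"realms": {"pki": {"pki1": {"order": 1}}}},
}
BASIC = {"license": {"status": "active", "type": "basic"}}  # constructed sample
TRIAL = {"license": {"status": "active", "type": "trial"}}  # constructed sample
```

With the config from the question and a basic license the result is `license-below-gold`, which is why the 401 looked like a certificate problem but was not one.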