-
Notifications
You must be signed in to change notification settings - Fork 1.9k
[elasticsearch] use security by default #1384
Conversation
This commit update Elasticsearch chart to use security by default. - Adds a new Secret templates for Elasticsearch credentials with a randomized password if password value isn't defined. - Adds instructions to retrieve credentials in Elasticsearch chart deployment notes. The other charts will be updated in follow-up PRs to use the proper credentials Relates to elastic#1375
This commit updates apm-server values to use the new Elasticsearch credentials from elastic#1384. Relates to elastic#1375
This commit updates filebeat values to use the new Elasticsearch credentials from elastic#1384. Relates to elastic#1375
This commit updates kibana values to use the new Elasticsearch credentials from elastic#1384. Relates to elastic#1375
This commit updates logstash values to use the new Elasticsearch credentials from elastic#1384. Relates to elastic#1375
This commit updates metricbeat values to use the new Elasticsearch credentials from elastic#1384. Relates to elastic#1375
@mark-vieira @jkakavas, FYI, this PR is addressing #1375 by handling credentials generation at Helm chart level instead of Elasticsearch level when no credentials are provided. This way we can have the credentials in a K8S secret then use it as an environment variable in the Elasticsearch pod for the health check script. The other Elastic charts will also need to be updated in follow-up PRs to be able to use this new secret when they are using some Elasticsearch output. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Apologies my helm-foo is pretty weak. So we're not requiring folks to either explicitly enable or disable security, yes? And if enabled, they must also provide a username/password to get passed into the chart, or, provide an existing k8s secret from which to get this configuration?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I tested it locally and everything worked as expected, I just put a comment on the ELASTIC_USER handling, we may consider handle it as a normal variable instead of secret as the user name doesn't seems to be a valid secret
secretKeyRef: | ||
name: multi-master-credentials | ||
key: password | ||
- name: ELASTIC_USERNAME |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think here we can set the username instead of use pointing to the secret, as by default the user name is "elastic" I don't think it's a fit to be handle as a secret key.
- name: ELASTIC_USERNAME
value: elastic
What do you think?
secretKeyRef: | ||
name: multi-master-credentials | ||
key: password | ||
- name: ELASTIC_USERNAME |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same here, I would suggest to not refer to the secret for the username:
I think here we can set the username instead of use pointing to the secret, as by default the user name is "elastic" I don't think it's a fit to be handle as a secret key.
- name: ELASTIC_USERNAME
value: elastic
secretKeyRef: | ||
name: {{ template "elasticsearch.uname" . }}-credentials | ||
key: password | ||
- name: ELASTIC_USERNAME |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same here
In the default config, we don't explicitly configure Passing an existing K8S secret created outside of the chart was already an option previously to define With this PR it is still possible to use an external secret but with the default behavior the Helm chart will create the secret and handle it as part of the chart using a password generated by Helm itself or defined by overriding
|
This commit remove the usage of ELASTIC_USERNAME and replace it by hardcoded "elastic" username. This is required because ELASTIC_USERNAME don't seem to be supported anymore supported by Elasticsearch (I couldn't find the exact version where support was stopped).
Indeed, changing the username via the @framsouza PTAL 🙏🏻 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
looks great now ;)
Merging as Elasticsearch chart tests are successful and the other charts will be fixed in follow-up PRs. |
This commit update Elasticsearch chart to use security by default. - Adds a new Secret template for Elasticsearch password with a randomized password if `secret.password` isn't defined. - Adds instructions to retrieve the password in Elasticsearch chart deployment notes. - Also, remove usage of `ELASTIC_USERNAME` variable because it don't seem to be supported anymore by Elasticsearch The other charts will be updated in follow-up PRs to use the proper credentials Relates to elastic#1375
This commit updates apm-server values to use the new Elasticsearch credentials from elastic#1384. Relates to elastic#1375
This commit updates filebeat values to use the new Elasticsearch credentials from elastic#1384. Relates to elastic#1375
This commit updates kibana values to use the new Elasticsearch credentials from elastic#1384. Relates to elastic#1375
This commit updates logstash values to use the new Elasticsearch credentials from elastic#1384. Relates to elastic#1375#
This commit updates metricbeat values to use the new Elasticsearch credentials from elastic#1384. Relates to elastic#1375
This commit update Elasticsearch chart to use security by default.
Adds a new Secret template for Elasticsearch password with a
randomized password if
secret.password
isn't defined.Adds instructions to retrieve the password in Elasticsearch chart
deployment notes.
Also, remove usage of
ELASTIC_USERNAME
variable because itdon't seem to be supported anymore by Elasticsearch
The other charts will be updated in follow-up PRs to use the proper
credentials
Relates to #1375