Support providing just a CA and key for transport certs #2812
Comments
I'm having a poke around the code now and I think this looks doable. Full disclosure: I'm not a developer in any way, shape or form, but I'll see if I can put together something to start this. At this point I'm looking to update the transportSpec in elasticsearch and provide a SecretRef there to allow the transport certs to be signed with a predefined CA. This would allow a user administering multiple clusters to generate a single CA that would then be trusted for all their clusters, simplifying the work of setting up remote search. Something like this? dbason@1d53be2
Another way of handling this (not sure if better) is to use the established naming convention. More generally, I don't know if this feature should be ECK's responsibility vs. using something such as CertManager. Happy to hear other people's thoughts about it.
@sebgl, the comment about CertManager seems fair, but there would still need to be a change to allow custom transport certs. At the moment there is only the option to provide custom http certs. I'll change the title and initial post to reflect that this is explicitly for transport certs.
This feature would be a great enhancement, if not to say a necessity, for one of our use cases, in which we would need to link an external (kind of static) application to elasticsearch via the transport interface.
Is there any plan to support the same for the http layer?
Proposal
The operator should support the option to just provide a CA cert and key and then generate the self-signed transport certs from that.
Use case. Why is this important?
This is primarily to support cross cluster connections. It would greatly simplify work of connecting up multiple clusters if we could provide a CA that would then be trusted by all of the clusters.
AFAIK the elasticsearch keygen tool supports this, so hopefully it is just a matter of wiring this up?
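What the proposal asks the operator to do, shown as an added example that is not part of this issue or of the ECK code base: take an existing CA certificate and key, issue a per-node transport certificate signed by it, and check that nodes from two different clusters chain to the same trust anchor (the cross-cluster case) while a certificate from an unrelated CA does not. The CA here is generated in-process only to keep the example self-contained; in the proposed feature it would be read from the user-supplied Secret. Key type (ECDSA P-256), validity periods, node and service names are all assumptions, not values from ECK.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// NewCA builds a self-signed CA certificate and key. It stands in for the
// user-provided CA the proposal would load from a Secret (constructed here).
func NewCA(commonName string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: commonName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour), // assumed CA lifetime
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueTransportCert signs a node transport certificate with the given CA.
// Transport connections are mutually authenticated, so the leaf carries both
// serverAuth and clientAuth extended key usages.
func IssueTransportCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, nodeName string, dnsNames []string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: nodeName},
		DNSNames:     dnsNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour), // assumed leaf lifetime
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// ChainsTo reports whether leaf verifies against ca for the given peer name,
// which is the check a node in a remote cluster performs on the connecting peer.
func ChainsTo(leaf, ca *x509.Certificate, dnsName string) bool {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     pool,
		DNSName:   dnsName,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	})
	return err == nil
}

func main() {
	ca, caKey, _ := NewCA("shared-transport-ca")
	// Two clusters, one CA: each node's cert is signed by the same key.
	a, _, _ := IssueTransportCert(ca, caKey, "cluster-a-es-default-0", []string{"cluster-a-es-transport.ns-a.svc"})
	b, _, _ := IssueTransportCert(ca, caKey, "cluster-b-es-default-0", []string{"cluster-b-es-transport.ns-b.svc"})
	fmt.Println("a trusted by shared CA:", ChainsTo(a, ca, "cluster-a-es-transport.ns-a.svc"))
	fmt.Println("b trusted by shared CA:", ChainsTo(b, ca, "cluster-b-es-transport.ns-b.svc"))
	// A cluster with its own generated CA would not be trusted.
	other, otherKey, _ := NewCA("cluster-c-own-ca")
	c, _, _ := IssueTransportCert(other, otherKey, "cluster-c-es-default-0", []string{"cluster-c-es-transport.ns-c.svc"})
	fmt.Println("c trusted by shared CA:", ChainsTo(c, ca, "cluster-c-es-transport.ns-c.svc"))
}
```

Note that ChainsTo also fails when the peer's SAN does not match the name being dialled, so sharing a CA across clusters does not remove the need for per-node SANs to be correct; it only means the remote cluster needs a single trust anchor instead of one per peer cluster.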