
Support providing just a CA and key for transport certs #2812

Closed
dbason opened this issue Apr 2, 2020 · 7 comments · Fixed by #4053
Labels: >enhancement (Enhancement of existing functionality)

Comments


dbason commented Apr 2, 2020

Proposal

The operator should support the option to just provide a CA cert and key and then generate the self-signed transport certs from that.
Use case. Why is this important?
This is primarily to support cross cluster connections. It would greatly simplify the work of connecting up multiple clusters if we could provide a CA that would then be trusted by all of the clusters. AFAIK the elasticsearch keygen tool supports this so hopefully it is just a matter of wiring this up?

@botelastic botelastic bot added the triage label Apr 2, 2020

dbason commented Apr 3, 2020

I'm having a poke around the code now and I think this looks doable. Full disclosure: I'm not a developer in any way, shape or form, but I'll see if I can put together something to start this.

At this point I'm looking to update the transportSpec in elasticsearch and provide a SecretRef there to allow the transport certs to be signed with a predefined CA. This would allow a user administering multiple clusters to generate a single CA that would then be trusted for all their clusters; simplifying the work of setting up remote search.

Something like this? dbason@1d53be2


sebgl commented Apr 6, 2020

Another way of handling this (not sure if better) is to use the established naming convention.
I think if you pre-create the <es-name>-es-transport-ca-internal secret, the operator will detect it's already there and, if valid, will use it to sign certificates.

More generally I don't know if this feature should be ECK's responsibility, vs. using something such as CertManager. Happy to hear other people's thoughts about it.
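
The two mechanisms discussed in this thread, the operator signing per-node transport certificates from a user-supplied CA (the proposal) and pre-creating a Secret under the `<es-name>-es-transport-ca-internal` naming convention, sketched as an added example written for this page. It is not ECK's code. The `tls.crt`/`tls.key` data keys, the `Opaque` Secret type, the P-256 keys and the certificate lifetimes are assumptions made here, not something the issue states.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CAMaterial is a user-supplied transport CA: the parsed certificate and its private key.
type CAMaterial struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// newKeyAndSerial returns a fresh P-256 key and a random 128-bit serial number.
func newKeyAndSerial() (*ecdsa.PrivateKey, *big.Int, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	return key, serial, err
}

// NewCA creates a self-signed CA whose only permitted key usage is signing certificates.
func NewCA(commonName string) (*CAMaterial, error) {
	key, serial, err := newKeyAndSerial()
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: commonName},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().AddDate(10, 0, 0), // assumed lifetime
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &CAMaterial{Cert: cert, Key: key}, nil
}

// IssueTransportCert signs a node transport cert with the supplied CA (the per-node step the proposal asks for).
func IssueTransportCert(ca *CAMaterial, nodeName string) ([]byte, error) {
	key, serial, err := newKeyAndSerial()
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: nodeName},
		DNSNames:     []string{nodeName},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().AddDate(1, 0, 0), // assumed lifetime
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &key.PublicKey, ca.Key)
}

// VerifyChainsTo is the check a node in another cluster effectively makes once it trusts the shared CA.
func VerifyChainsTo(leafDER []byte, caCert *x509.Certificate, name string) error {
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: name})
	return err
}

// SecretManifest renders the Secret to pre-create under the <es-name>-es-transport-ca-internal
// convention. The tls.crt/tls.key data keys and the Opaque type are assumptions, not stated in the issue.
func SecretManifest(esName, namespace string, ca *CAMaterial) (string, error) {
	keyDER, err := x509.MarshalECPrivateKey(ca.Key)
	if err != nil {
		return "", err
	}
	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: ca.Cert.Raw})
	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	return fmt.Sprintf("apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s-es-transport-ca-internal\n  namespace: %s\ntype: Opaque\ndata:\n  tls.crt: %s\n  tls.key: %s\n",
		esName, namespace, base64.StdEncoding.EncodeToString(certPEM), base64.StdEncoding.EncodeToString(keyPEM)), nil
}
```

Calling `NewCA` once, `IssueTransportCert` for a node of each cluster and `VerifyChainsTo` against the same CA shows the trust property the proposal relies on: every node's transport cert validates against the one CA, and nothing issued by an unrelated CA does. The CA private key in the rendered Secret is what lets the operator sign, so the Secret needs the same access controls as any other signing key.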


dbason commented Apr 6, 2020

@sebgl the comment about CertManager seems fair, but there would still need to be a change to allow custom transport certs. At the moment there is only the option to provide custom http certs.

I'll change the title and initial post to reflect that this is explicitly for transport certs.

@dbason dbason changed the title Support providing just a CA and key Support providing just a CA and key for transport certs Apr 6, 2020
@david-kow david-kow added the >enhancement Enhancement of existing functionality label Apr 27, 2020
@botelastic botelastic bot removed the triage label Apr 27, 2020

MHenn1g commented Dec 9, 2020

This feature would be a great enhancement, if not to say a necessity, for one of our use-cases, in which we would need to link an external (kind of static) application to elasticsearch via the transport interface.
Not only would it enhance the automation, but at the same time the stability of operations.
At the moment, we are able to link the software; however, if the operator handles the ca management, this connection may break if the operator decides to rotate the ca unexpectedly.
Therefore I would like to ask if there is any update regarding this request?


sebgl commented Dec 11, 2020

@dbason @MHenn1g We discussed this with the team and decided we should do it. No release date we can give yet, however.

@deveshk0

Is there any plan to support the same with the http layer?


pebrc commented Feb 17, 2021

Is there any plan to support the same with the http layer?

Please see https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-tls-certificates.html#k8s-setting-up-your-own-certificate
