cha*_*gan 0 elasticsearch kubernetes google-kubernetes-engine kubernetes-helm
I am trying to set up basic authentication on Elasticsearch. I found that SSL certificates also need to be set up.
Following this article: https://pimwiddershoven.nl/entry/deploy-a-secure-instance-of-elasticsearch-on-kubernetes
I got the cluster up and running on Kubernetes using helm.
But when I send
curl -H "Authorization: Basic ZWxsdfasdfiojoijQw==" https://localhost:9200
it gives an error like
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
But when the request is sent with curl in insecure mode, or -k, it works fine and I can see the cluster health.
This is due to the self-signed certificate. Am I missing something?
The official helm chart also recommends the same method to generate the certificates and add them to the cluster.
https://github.com/elastic/helm-charts/tree/master/elasticsearch/examples/security
Update:
Elastic.yaml
protocol: https
esConfig:
  elasticsearch.yml: |
    xpack.security.enabled: true
    xpack.security.transport.ssl.enabled: true
    xpack.security.transport.ssl.verification_mode: certificate
    xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
    xpack.security.transport.ssl.truststore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
    xpack.security.http.ssl.enabled: true
    xpack.security.http.ssl.truststore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
    xpack.security.http.ssl.keystore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
    xpack.security.authc.realms.native.local.order: 0
extraEnvs:
  - name: ELASTIC_PASSWORD
    valueFrom:
      secretKeyRef:
        name: elastic-credentials
        key: password
  - name: ELASTIC_USERNAME
    valueFrom:
      secretKeyRef:
        name: elastic-credentials
        key: username
secretMounts:
  - name: elastic-certificates
    secretName: elastic-certificates
    path: /usr/share/elasticsearch/config/certs
If you try to set up HTTPS on a Kubernetes svc and use it as the DNS name, it will not work without curl -k or --insecure.
Unless you have a proper DNS and domain name to resolve it, you can only use insecure mode.
Use a proper domain name and generate a certificate for it, and it will work like a charm.
However, for verification you can also do the following:
curl --cacert $path_to_certificate https://host_ip:9200
Simple workaround
You can put nginx in front of the ES cluster, terminate SSL there and send plain HTTP requests to ES. Your domain name, up to nginx, will then have HTTPS SSL/TLS.
If you only want to use HTTP with basic authentication (username/password):
esConfig:
  elasticsearch.yml: |
    xpack.security.enabled: true
    xpack.security.transport.ssl.enabled: true
    xpack.security.transport.ssl.verification_mode: certificate
    xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
    xpack.security.transport.ssl.truststore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
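The curl error in the question has two independent causes that `-k` hides at once: curl does not trust the issuing CA, and the certificate does not carry the host name in the URL as a subjectAltName. The answer's `--cacert` fixes only the first; the second needs a certificate issued for the names clients actually use. The script below is an added example, not code from the question, the answer or the Elastic Helm chart: it builds a private CA with openssl, issues a server certificate whose SAN covers the chart's default service names and localhost (for `kubectl port-forward`), bundles it into the PKCS#12 file the chart mounts, and checks both conditions the way curl would. The release name `elasticsearch-master`, namespace `default`, the empty keystore password and the `elastic-credentials` secret are assumptions taken from the values shown above, not facts about any cluster.

```shell
#!/usr/bin/env sh
# Added example (not from the original post or the Elastic Helm chart).
# ASSUMED: Helm release elasticsearch-master in namespace default, reached
# either through the service DNS name or via kubectl port-forward on localhost.
# Requires openssl on PATH.
set -eu

CA_SUBJ="/CN=demo-elastic-ca"            # hypothetical CA name
ES_SUBJ="/CN=elasticsearch-master"       # CN alone is NOT enough for curl
# Every name a client may put in the URL must be in the SAN; a cert issued
# only for "localhost" fails from inside the cluster, and vice versa.
SAN="DNS:elasticsearch-master,DNS:elasticsearch-master.default.svc.cluster.local,DNS:localhost,IP:127.0.0.1"

# make_certs DIR: writes ca.crt (for --cacert), es.crt/es.key and the
# elastic-certificates.p12 keystore the chart mounts under config/certs.
make_certs() {
  dir="$1"
  mkdir -p "$dir"
  # Private CA: its certificate is what clients pass to curl --cacert.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "$CA_SUBJ" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
  # Server key and CSR, then sign with the CA while adding the SAN extension.
  openssl req -newkey rsa:2048 -nodes -subj "$ES_SUBJ" \
    -keyout "$dir/es.key" -out "$dir/es.csr" >/dev/null 2>&1
  printf 'subjectAltName=%s\nextendedKeyUsage=serverAuth\n' "$SAN" > "$dir/san.ext"
  openssl x509 -req -in "$dir/es.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 365 -extfile "$dir/san.ext" -out "$dir/es.crt" >/dev/null 2>&1
  # PKCS#12 bundle with the CA chain, empty password (assumption; the chart
  # config above names no keystore password). Used for both http and transport.
  openssl pkcs12 -export -inkey "$dir/es.key" -in "$dir/es.crt" -certfile "$dir/ca.crt" \
    -name elastic -passout pass: -out "$dir/elastic-certificates.p12"
}

# verify_chain DIR: does es.crt chain to ca.crt? This is the check that
# fails with "self signed certificate in certificate chain" when curl lacks --cacert.
verify_chain() {
  openssl verify -CAfile "$1/ca.crt" "$1/es.crt" >/dev/null 2>&1
}

# san_contains DIR NAME: is NAME a DNS SAN of es.crt? This is the check curl
# performs against the host part of the URL, and the one -k also disables.
san_contains() {
  openssl x509 -in "$1/es.crt" -noout -text 2>/dev/null | grep -q "DNS:$2"
}

# Usage (not executed here; commands assume the values file from the question):
#   make_certs ./certs
#   kubectl create secret generic elastic-certificates \
#       --from-file=./certs/elastic-certificates.p12
#   kubectl port-forward svc/elasticsearch-master 9200 &
#   curl --cacert ./certs/ca.crt -u elastic https://localhost:9200
# From a pod inside the cluster, the same CA file verifies the service name:
#   curl --cacert ca.crt -u elastic https://elasticsearch-master.default.svc.cluster.local:9200
```

If `verify_chain` passes but curl still fails with a hostname error, the URL host is missing from the SAN: either add it and reissue, or, for a one-off check, pin the name with `curl --cacert ca.crt --resolve elasticsearch-master:9200:127.0.0.1 https://elasticsearch-master:9200` instead of falling back to `-k`, which disables both checks and reduces the TLS to encryption against an unauthenticated peer.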
Views: 7102