Last time we talked about installing OpenDistro on Kubernetes using self-signed certificates, this can be a repetitive and boring task to do each time. Instead we can delegate the creation of certificates to a tool like cert-manager.
If you didn’t read the first part of this article you can find it here
cert-manager
cert-manager is a native Kubernetes certificate management controller. It can help with issuing certificates from a variety of sources, such as Let’s Encrypt, HashiCorp Vault, Venafi, a simple signing key pair, or self signed.
Deploying cert-manager
cert-manager is really simple to deploy, we’ll be using helm, to do so follow the next steps:
helm repo add jetstack https://charts.jetstack.io
helm repo update
helm install \
cert-manager jetstack/cert-manager \
--namespace cert-manager \
--create-namespace \
--version v1.4.0 \
--set installCRDs=true
It is as simple as that to install cert-manager on you’re cluster, next step is to configure the Issuer.
Issuers
An Issuer is Kubernetes resources that represent certificate authorities (CAs) that are able to generate certificates, there are multiples types of issuers, the most important are :
- SelfSigned: Certificates will be signed by using the same private-key attached to the signed certificate.
- CA: Certificates are signed using an already imported certificate authority
- Vault: This will delegate the signing of certificate to vault, which can be configured a PKI.
- ACME: ACME stand for Automated Certificate Management Environment, some of the well know example for ACME is lets encrypt.
Issuer Kubernetes resources are namespaces, when creating an Issuer in a namespace it can only be used within the namespace, to declare an issuer for your hole cluster you can use ClusterIssuer, which is the same as Issuer but it can be used on a cluster level.
Configure Issuers
In our case we’ll be using self-signed certificates for cluster certificates, since they will be used only within the OpenDistro.
apiVersion: cert-manager.io/v1alpha2
kind: Issuer
metadata:
name: selfsigned-issuer
namespace: opendistro
spec:
selfSigned: {}
Certificates
Certificates are also Kubernetes resources, this resource will base on an Issuer to create certificates that will be stored inside Kubernetes secrets
To create certificates that can be used by OpenDistro we need to pass special configuration options:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: es-transport-tls
namespace: opendistro
spec:
isCA: true
duration: 2160h # 90d 2160h
renewBefore: 168h # 7d 168h
commonName: es-client
dnsNames:
- es-client
privateKey:
algorithm: RSA
encoding: PKCS8
size: 4096
issuerRef:
kind: Issuer
name: selfsigned-issuer
secretName: es-transport-tls
Don’t worry we’ll explain some of the options that are not self explicit:
- commonName: This needs to be the same as the value of node_dn in OpenDistro configuration.
- encoding: by default cert-manager generates privatekeys in PKCS11 format which is not supported by OpenDistro, so we need to change it to a PKCS8.
- secretName: the name of Kubernetes secret where the certificate and the private key will be stored.
OpenDistro configuration:
For OpenDistro most of the configuration will remain the same, but we need to change few options related to certificates names.
......
elasticsearch:
......
tls:
existingCertSecret: es-transport-tls
existingCertSecretCertSubPath: tls.crt
existingCertSecretKeySubPath: tls.key
existingCertSecretRootCASubPath: ca.crt
.........
Since the secret keys are changed we need to adapt the configuration. As for the rest of the installation it will remain the same.
helm upgrade --install \
-n opendistro <release_name> -f values.yaml \
/opendistro-build/helm/opendistro-es
As always you can find all the configuration files on my GitHub.
I hope that you found this article useful and see you next time.
Bey !!!
Share with your friends and followers
Start blogging about your favorite technologies, reach more readers and earn rewards!
Join other developers and claim your FAUN account now!
User Popularity
15
Influence
483
Total Hits
1
Posts
Read, Learn, Know, Teach
Hand curated newsletters for Developers, private Slack with like minded people, podcasts, job offers, news and more!
Only registered users can post comments. Please, login or signup.