OpenDistro with cert-manager

Last time we talked about installing OpenDistro on Kubernetes using self-signed certificates, this can be a repetitive and boring task to do each time. Instead we can delegate the creation of certificates to a tool like cert-manager.

If you didn’t read the first part of this article you can find it here

cert-manager

cert-manager is a native Kubernetes certificate management controller. It can help with issuing certificates from a variety of sources, such as Let’s Encrypt, HashiCorp Vault, Venafi, a simple signing key pair, or self signed.

Deploying cert-manager

cert-manager is really simple to deploy, we’ll be using helm, to do so follow the next steps:

                helm repo add jetstack https://charts.jetstack.io
helm repo update
helm install \
  cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --create-namespace \
  --version v1.4.0 \
  --set installCRDs=true
            

It is as simple as that to install cert-manager on you’re cluster, next step is to configure the Issuer.

Issuers

An Issuer is Kubernetes resources that represent certificate authorities (CAs) that are able to generate certificates, there are multiples types of issuers, the most important are :

  • SelfSigned: Certificates will be signed by using the same private-key attached to the signed certificate.
  • CA: Certificates are signed using an already imported certificate authority
  • Vault: This will delegate the signing of certificate to vault, which can be configured a PKI.
  • ACME: ACME stand for Automated Certificate Management Environment, some of the well know example for ACME is lets encrypt.

Issuer Kubernetes resources are namespaces, when creating an Issuer in a namespace it can only be used within the namespace, to declare an issuer for your hole cluster you can use ClusterIssuer, which is the same as Issuer but it can be used on a cluster level.

Configure Issuers

In our case we’ll be using self-signed certificates for cluster certificates, since they will be used only within the OpenDistro.

                apiVersion: cert-manager.io/v1alpha2                       
kind: Issuer                       
metadata:                         
  name: selfsigned-issuer                         
  namespace: opendistro                      
spec:                         
  selfSigned: {}
            

Certificates

Certificates are also Kubernetes resources, this resource will base on an Issuer to create certificates that will be stored inside Kubernetes secrets

To create certificates that can be used by OpenDistro we need to pass special configuration options:

                apiVersion: cert-manager.io/v1                       
kind: Certificate                       
metadata:                         
  name: es-transport-tls                         
  namespace: opendistro                       
spec:                         
  isCA: true                         
  duration: 2160h # 90d 2160h                         
  renewBefore: 168h # 7d 168h                         
  commonName: es-client                         
  dnsNames:                           
  - es-client                         
  privateKey:                           
    algorithm: RSA                           
    encoding: PKCS8                           
    size: 4096                         
  issuerRef:                          
    kind: Issuer                           
    name: selfsigned-issuer                         
  secretName: es-transport-tls
            

Don’t worry we’ll explain some of the options that are not self explicit:

  • commonName: This needs to be the same as the value of node_dn in OpenDistro configuration.
  • encoding: by default cert-manager generates privatekeys in PKCS11 format which is not supported by OpenDistro, so we need to change it to a PKCS8.
  • secretName: the name of Kubernetes secret where the certificate and the private key will be stored.

OpenDistro configuration:

For OpenDistro most of the configuration will remain the same, but we need to change few options related to certificates names.

                ......
elasticsearch:
......
  tls:
    existingCertSecret: es-transport-tls
    existingCertSecretCertSubPath: tls.crt
    existingCertSecretKeySubPath: tls.key
    existingCertSecretRootCASubPath: ca.crt
.........
            

Since the secret keys are changed we need to adapt the configuration. As for the rest of the installation it will remain the same.

                helm upgrade --install \
     -n opendistro  <release_name>  -f values.yaml \
     /opendistro-build/helm/opendistro-es
            

As always you can find all the configuration files on my GitHub.

I hope that you found this article useful and see you next time.

Bey !!!


Only registered users can post comments. Please, login or signup.

Start blogging about your favorite technologies and get more readers

Join other developers and claim your FAUN account now!

Stats
13

Influence

218

Total Hits

1

Posts