Elasticsearch: auto-TLS via cert-manager
It should be possible to easily enable TLS on an Elasticsearch cluster.
Initially, an implementation that relies upon cert-manager for signing certificates in its simplest form (e.g. a Certificate resource is created per replica) will be the target:
API Changes
We will need to add a new field structure to elasticsearchclusters.spec.tls
```yaml
kind: ElasticsearchCluster
metadata:
  name: my-staging-cluster
  ...
spec:
  tls:
    enabled: true
    issuerRef:
      name: my-staging-cluster-ca
      kind: Issuer
```
Initially, only the 'CA' based cert-manager issuer will be supported: https://github.com/jetstack/cert-manager/blob/master/docs/user-guides/ca-based-issuer.md

This may change in future once discussion around generalising the Certificate resource type has been resolved: https://github.com/jetstack/cert-manager/issues/265
Controller changes
navigator-controller will need updating to:
- generate a CA/signing keypair for each cluster
  - can be done in navigator-controller initially
  - eventually can be moved into a 'selfsigned' cert-manager Issuer: https://github.com/jetstack/cert-manager/issues/84 https://github.com/jetstack/cert-manager/issues/85
- create an Issuer to sign certificates from this CA
- pass the issuerRef as a CLI arg to each Pilot
Pilot changes
if tls is enabled:
- create/retrieve Certificate resource for this pilot
- grab generated Secret resource containing keypair
- inject them into FS and appropriately configure node for serving
Open questions
- (may be more of a general cert-manager problem) should each Pilot be generating its own private key and then creating a CSR for this, instead of storing the private key in the k8s apiserver? This provides a stronger auth model. We'll need to investigate how we can make cert-manager support this.
- certificate rotation should be handled by Pilot too
- TLS requires x-pack. How do we more generally support x-pack only features in ES? ref #200
/kind feature /cc @mattbates @wallrj
@munnerz LGTM - except I don't think issuerRef should appear as a field on the ElasticsearchCluster resource, as it leans towards a specific implementation. The tls stanza should only have an enabled field - perhaps an annotation would be the best way for users to set the method for certificate creation (e.g. cert-manager/self-signed) and the name of the Issuer to use/create if cert-manager is to be used.
Part of: https://github.com/jetstack/navigator/issues/362