cert-manager<\/h3>\n
cert-manager is a native Kubernetes certificate management controller. It can help with issuing certificates from a variety of sources, such as Let\u2019s Encrypt, HashiCorp Vault, Venafi, a simple signing key pair, or self\u00a0signed.<\/p>\n
Deploying cert-manager<\/h4>\n
cert-manager is really simple to deploy, we\u2019ll be using helm, to do so follow the next\u00a0steps:<\/p>\n
helm repo add jetstack https:\/\/charts.jetstack.io<\/a>
helm repo update
helm install
cert-manager jetstack\/cert-manager
--namespace cert-manager
--create-namespace
--version v1.4.0
--set installCRDs=true<\/em><\/pre>\nIt is as simple as that to install cert-manager on you\u2019re cluster, next step is to configure the\u00a0Issuer.<\/p>\n
Issuers<\/h4>\n
An Issuer<\/strong> is Kubernetes resources that represent certificate authorities (CAs) that are able to generate certificates, there are multiples types of issuers, the most important are\u00a0:<\/p>\n
\n
- SelfSigned:<\/strong> Certificates will be signed by using the same private-key attached to the signed certificate.<\/li>\n
- CA: <\/strong>Certificates are signed using an already imported certificate authority<\/li>\n
- Vault: <\/strong>This will delegate the signing of certificate to vault, which can be configured a\u00a0PKI.<\/li>\n
- ACME: <\/strong>ACME stand for Automated Certificate Management Environment, some of the well know example for ACME is lets\u00a0encrypt<\/strong>.<\/li>\n<\/ul>\n
Issuer<\/strong> Kubernetes resources are namespaces, when creating an Issuer in a namespace it can only be used within the namespace, to declare an issuer for your hole cluster you can use ClusterIssuer<\/strong>, which is the same as Issuer but it can be used on a cluster\u00a0level.<\/p>\n
Configure Issuers<\/strong><\/p>\n
In our case we\u2019ll be using self-signed certificates for cluster certificates, since they will be used only within the OpenDistro.<\/p>\n
apiVersion: cert-manager.io\/v1alpha2
kind: Issuer
metadata:
name: selfsigned-issuer
namespace: opendistro
spec:
selfSigned: {}<\/pre>\nCertificates<\/strong><\/p>\n
Certificates are also Kubernetes resources, this resource will base on an Issuer to create certificates that will be stored inside Kubernetes secrets<\/p>\n
To create certificates that can be used by OpenDistro we need to pass special configuration options:<\/p>\n
apiVersion: cert-manager.io\/v1
kind: Certificate
metadata:
name: es-transport-tls
namespace: opendistro
spec:
isCA: true
duration: 2160h # 90d 2160h
renewBefore: 168h # 7d 168h
commonName: es-client
dnsNames:
- es-client
privateKey:
algorithm: RSA
encoding: PKCS8
size: 4096
issuerRef:
kind: Issuer
name: selfsigned-issuer
secretName: es-transport-tls<\/pre>\nDon\u2019t worry we\u2019ll explain some of the options that are not self explicit:<\/p>\n
\n
- commonName: <\/strong>This needs to be the same as the value of node_dn in OpenDistro configuration.<\/li>\n
- encoding: <\/strong>by default cert-manager generates privatekeys in PKCS11 format which is not supported by OpenDistro, so we need to change it to a\u00a0PKCS8.<\/li>\n
- secretName: <\/strong>the name of Kubernetes secret where the certificate and the private key will be\u00a0stored.<\/li>\n<\/ul>\n
OpenDistro configuration:<\/strong><\/h4>\n
For OpenDistro most of the configuration will remain the same, but we need to change few options related to certificates names.<\/p>\n
......
elasticsearch:
......
tls:
existingCertSecret: es-transport-tls
existingCertSecretCertSubPath: tls.crt
existingCertSecretKeySubPath: tls.key
existingCertSecretRootCASubPath: ca.crt
.........<\/pre>\nSince the secret keys are changed we need to adapt the configuration. As for the rest of the installation it will remain the\u00a0same.<\/p>\n
helm upgrade --install
-n opendistro <release_name> -f values.yaml
\/opendistro-build\/helm\/opendistro-es<\/pre>\nAs always you can find all the configuration files on my\u00a0GitHub.<\/p>\n
I hope that you found this article useful and see you next\u00a0time.<\/p>\n
Bey\u00a0!!!<\/h3>\n
<\/p>","protected":false},"excerpt":{"rendered":"
Last time we talked about installing OpenDistro on Kubernetes using self-signed certificates, this can be a repetitive and boring task to do each time. Instead we can delegate the creation of certificates to a tool like cert-manager. If you didn\u2019t read the first part of this article you can find it\u00a0here OpenDistro with Keycloak cert-manager cert-manager is a native Kubernetes certificate management controller. It can help with issuing certificates from a variety of sources, such as Let\u2019s Encrypt, HashiCorp Vault, Venafi, a simple signing key pair, or self\u00a0signed. Deploying cert-manager cert-manager is really simple to deploy, we\u2019ll be using helm, to do so follow the next\u00a0steps: helm repo add jetstack https:\/\/charts.jetstack.iohelm repo updatehelm install cert-manager jetstack\/cert-manager –namespace cert-manager –create-namespace –version v1.4.0 –set installCRDs=true It is as simple as that to install cert-manager on you\u2019re cluster, next step is to configure the\u00a0Issuer. Issuers An Issuer is Kubernetes resources that represent certificate authorities (CAs) that are able to generate certificates, there are multiples types of issuers, the most important are\u00a0: SelfSigned: Certificates will be signed by using the same private-key attached to the signed certificate. CA: Certificates are signed using an already imported certificate authority Vault: This will delegate the signing of certificate to vault, which can be configured a\u00a0PKI. ACME: ACME stand for Automated Certificate Management Environment, some of the well know example for ACME is lets\u00a0encrypt. Issuer Kubernetes resources are namespaces, when creating an Issuer in a namespace it can only be used within the namespace, to declare an issuer for your hole cluster you can use ClusterIssuer, which is the same as Issuer but it can be used on a cluster\u00a0level. Configure Issuers In our case we\u2019ll be using self-signed certificates for cluster certificates, since they will be used only within the OpenDistro. apiVersion: cert-manager.io\/v1alpha2 kind: Issuer metadata: name: selfsigned-issuer namespace: opendistro spec: selfSigned: {} Certificates Certificates are also Kubernetes resources, this resource will base on an Issuer to create certificates that will be stored inside Kubernetes secrets To create certificates that can be used by OpenDistro we need to pass special configuration options: apiVersion: cert-manager.io\/v1 kind: Certificate metadata: name: es-transport-tls namespace: opendistro spec: isCA: true duration: 2160h # 90d 2160h renewBefore: 168h # 7d 168h commonName: es-client dnsNames: – es-client privateKey: algorithm: RSA encoding: PKCS8 size: 4096 issuerRef: kind: Issuer name: selfsigned-issuer secretName: es-transport-tls Don\u2019t worry we\u2019ll explain some of the options that are not self explicit: commonName: This needs to be the same as the value of node_dn in OpenDistro configuration. encoding: by default cert-manager generates privatekeys in PKCS11 format which is not supported by OpenDistro, so we need to change it to a\u00a0PKCS8. secretName: the name of Kubernetes secret where the certificate and the private key will be\u00a0stored. OpenDistro configuration: For OpenDistro most of the configuration will remain the same, but we need to change few options related to certificates names. ……elasticsearch:…… tls: existingCertSecret: es-transport-tls existingCertSecretCertSubPath: tls.crt existingCertSecretKeySubPath: tls.key existingCertSecretRootCASubPath: ca.crt……… Since the secret keys are changed we need to adapt the configuration. As for the rest of the installation it will remain the\u00a0same. helm upgrade –install -n opendistro <release_name> -f values.yaml \/opendistro-build\/helm\/opendistro-es As always you can find all the configuration files on my\u00a0GitHub. I hope that you found this article useful and see you next\u00a0time. Bey\u00a0!!!<\/p>\n","protected":false},"author":3,"featured_media":635,"comment_status":"open","ping_status":"open","sticky":false,"template":"elementor_canvas","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[15],"tags":[],"class_list":["post-529","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-opendistro","entry","has-media"],"jetpack_featured_media_url":"https:\/\/cloudspert.com\/wp-content\/uploads\/2022\/02\/OPENDISTRO.webp","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/cloudspert.com\/index.php?rest_route=\/wp\/v2\/posts\/529","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cloudspert.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cloudspert.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cloudspert.com\/index.php?rest_route=\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/cloudspert.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=529"}],"version-history":[{"count":1,"href":"https:\/\/cloudspert.com\/index.php?rest_route=\/wp\/v2\/posts\/529\/revisions"}],"predecessor-version":[{"id":637,"href":"https:\/\/cloudspert.com\/index.php?rest_route=\/wp\/v2\/posts\/529\/revisions\/637"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cloudspert.com\/index.php?rest_route=\/wp\/v2\/media\/635"}],"wp:attachment":[{"href":"https:\/\/cloudspert.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=529"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cloudspert.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=529"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cloudspert.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=529"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}