Testing custom certificate scenarios #3086
Hi Team, I have an OCP 4.4 deployment and I need to use custom certificates generated from an internal PKI (AD CS). Is there any guidance on how I can deploy ECK on OCP with custom certificates for ES & Kibana?
@ahalamir Please use our discuss forum at https://discuss.elastic.co/c/eck for any questions. The use of custom certificates is described in the documentation.
An idea discussed to address the difficulty of testing custom HTTP certificates issued by a well known issuer in our e2e test pipelines, which often run in parallel and do not have access to a domain, is to simulate the "well known issuer" by:
This approach is still tricky as it does not work on distroless images (if we go back to that for the operator we would need a custom Docker image) and the injection mechanism differs depending on the Elastic stack image under test and the corresponding base image (e.g. Elastic Agent recently changed from CentOS to Ubuntu, to name just one).
When the user provides its own HTTP certificate at least two scenarios may be distinguished:
Custom HTTP certificate has been issued from a well known issuer
In this case no additional CA is needed and provided (or an empty CA in the case of Let's Encrypt):
Custom certificate has been issued by a custom, private, certificate authority
In this case users need to provide the CA as part of the Secret:
While fixing #2243 (PR) a regression has been introduced in ECK 1.1 affecting users using CA certs from a well known provider like Let's Encrypt.
After the upgrade Kibana was not able to connect to Elasticsearch (more details here).
This issue raises the question of how we could avoid such a regression in the future.
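
The two scenarios from the issue description, written as an added Go example that is not ECK's own code: a client picks its trust roots from the certificate Secret, treating a missing or empty CA as "use the system trust store" and a non-empty CA as a private pool. The `ca.crt` key name follows the ECK documentation's Secret layout and is an assumption here, and `rootsFor` and `constructedCA` are hypothetical names.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// rootsFor picks trust roots for a custom HTTP certificate Secret. A nil pool
// means "system trust store" (nil tls.Config.RootCAs): the well known issuer case.
func rootsFor(secret map[string][]byte) (*x509.CertPool, error) {
	if len(bytes.TrimSpace(secret["ca.crt"])) == 0 {
		return nil, nil // key missing or empty: no private CA to trust
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(secret["ca.crt"]) {
		return nil, fmt.Errorf("ca.crt is set but holds no PEM certificate")
	}
	return pool, nil
}

// constructedCA builds a throwaway self-signed CA as PEM (constructed sample input).
func constructedCA() []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed-test-ca"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	pool, err := rootsFor(map[string][]byte{"ca.crt": constructedCA()})
	fmt.Println("private CA pool:", pool != nil, "err:", err)
}
```

A table-driven unit test over the missing, empty and private-CA inputs covers the case the regression hit without needing a real domain or a public issuer.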