Elasticsearch API keys requires HTTP TLS to be switched on and conflicts with Istio #3213
Comments
@bytebilly mentioned that the Elasticsearch team does not want to relax the requirement en-masse, and would like for us to investigate if there is a way to detect Elasticsearch is running in a mesh.
This seems to be the same case when trying to configure a SAML realm which requires
Yes, same scenario as API keys. The base concern is to send valid credentials (tokens) over insecure connections.
Okay, so - I'm currently in the situation that I want to do exactly that: Running Elasticsearch and AppSearch/Enterprise-Search in an Istio-enabled cluster with mTLS enabled. Naturally, I deactivated elastic HTTPS. AppSearch/Enterprise-Search however only wants to connect to Elasticsearch with API keys, and I cannot activate them because Elasticsearch does not let me do that:
So, how should I configure AppSearch or Elasticsearch to get it running? I already do have another Kibana and Elasticsearch cluster running in the same cluster and they like each other just fine...
This issue will be fixed by relaxing the TLS requirement in the API key service in the upcoming Elasticsearch releases 7.16.0/8.0.0 respectively, elastic/elasticsearch#76801
@pebrc is this PR elastic/elasticsearch#76801 designed to prevent the bootstrap errors? For example:
^ is this configuration now supported on k8s?
The Elasticsearch API Keys service requires TLS to be enabled on the HTTP interface (`xpack.security.http.ssl.enabled: true`). Features that are built on top of the API keys service such as Kibana alerting have a hard requirement on this configuration. This poses a problem for users who want to run Stack applications in a service mesh. As the idea is to let the mesh handle transport security and deal with things such as mTLS, the common integration pattern is to disable TLS at the application level and offload that work to the mesh. In fact, when strict mTLS is enabled by the mesh control plane, having application-level TLS can cause things to break as the traffic gets encrypted twice.
Currently, I am not aware of a way to have Elasticsearch working in a mesh with TLS enabled. Attempting to do this results in TLS verification errors and clients are not able to communicate with the server over the mesh. Therefore, users who wish to deploy the Stack in a service mesh will have to choose between mesh-enforced strict TLS vs. API keys and alerting etc.
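The three-way tension described in this issue (application-level HTTP TLS, the API key service's bootstrap requirement, and a mesh enforcing strict mTLS) is easy to get wrong in a manifest review. The following is an added example, not code from the ECK project or from anyone in this thread: a small checker that reads the flat `key: value` subset of an `elasticsearch.yml`, takes the Istio `PeerAuthentication` mTLS mode and the Elasticsearch version as inputs, and reports the conflict, the bootstrap refusal (relaxed from 7.16.0 / 8.0.0 per elastic/elasticsearch#76801, as stated above), or the plaintext-credential risk. The sample configs, the `assess` function and its finding strings are all constructed for this example; the setting names `xpack.security.http.ssl.enabled` and `xpack.security.authc.api_key.enabled` are real Elasticsearch settings.

```python
"""Added example (not ECK or Elasticsearch project code): flag the conflict between
Elasticsearch API keys, application-level HTTP TLS and Istio STRICT mTLS."""
from typing import Dict, List, Tuple

# Release in which elastic/elasticsearch#76801 relaxes the API key TLS requirement
# (7.16.0 / 8.0.0 per the thread); versions below this refuse to start API keys
# without HTTP TLS.
RELAXED_FROM: Tuple[int, int, int] = (7, 16, 0)

# Constructed sample: the "mesh handles transport security" pattern from the issue.
ES_YAML_MESH = """
# application TLS off, mesh sidecar provides mTLS
xpack.security.enabled: true
xpack.security.http.ssl.enabled: false
xpack.security.authc.api_key.enabled: true
"""

# Constructed sample: application TLS left on inside a STRICT mesh (double encryption).
ES_YAML_DOUBLE_TLS = """
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.authc.api_key.enabled: true
"""


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Parse the flat `key: value` lines used in elasticsearch.yml (no nesting, no lists).
    Comments and blank lines are skipped; quotes around values are stripped."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip('"').strip("'")
    return settings


def setting_is_true(settings: Dict[str, str], key: str, default: str = "false") -> bool:
    return settings.get(key, default).lower() == "true"


def parse_version(version: str) -> Tuple[int, ...]:
    """'7.15.2' -> (7, 15, 2); pre-release suffixes are ignored."""
    return tuple(int(p.split("-")[0]) for p in version.split(".")[:3])


def assess(es_yaml: str, version: str, mesh_mtls_mode: str) -> List[str]:
    """Return findings for one Elasticsearch config in a given mesh posture.

    mesh_mtls_mode is the Istio PeerAuthentication mtls.mode: STRICT, PERMISSIVE
    or DISABLE. Only STRICT guarantees that every hop to the pod is encrypted, so
    anything else is treated as 'mesh does not protect the credential'.
    """
    s = parse_flat_yaml(es_yaml)
    http_tls = setting_is_true(s, "xpack.security.http.ssl.enabled")
    api_keys = setting_is_true(s, "xpack.security.authc.api_key.enabled")
    mesh_strict = mesh_mtls_mode.upper() == "STRICT"
    findings: List[str] = []

    # Application TLS inside a STRICT mesh: traffic is encrypted twice and clients
    # going through the sidecar fail TLS verification (the breakage the issue describes).
    if http_tls and mesh_strict:
        findings.append("CONFLICT: HTTP TLS plus STRICT mesh mTLS encrypts twice; "
                        "clients hit TLS verification errors through the mesh")

    if api_keys and not http_tls:
        # Older releases refuse API keys without HTTP TLS at bootstrap.
        if parse_version(version) < RELAXED_FROM:
            findings.append(f"BOOTSTRAP: Elasticsearch {version} refuses API keys without "
                            f"HTTP TLS (requirement relaxed from 7.16.0 / 8.0.0)")
        # Without STRICT mTLS, API key tokens would cross the network in plaintext.
        if not mesh_strict:
            findings.append("RISK: API key credentials travel over plaintext HTTP and the "
                            "mesh does not enforce encryption (mode is not STRICT)")

    return findings or ["OK"]


if __name__ == "__main__":
    for label, yaml, ver, mode in [
        ("mesh, 7.15.0, STRICT", ES_YAML_MESH, "7.15.0", "STRICT"),
        ("mesh, 7.16.0, STRICT", ES_YAML_MESH, "7.16.0", "STRICT"),
        ("mesh, 7.16.0, DISABLE", ES_YAML_MESH, "7.16.0", "DISABLE"),
        ("double TLS, 8.0.0, STRICT", ES_YAML_DOUBLE_TLS, "8.0.0", "STRICT"),
    ]:
        print(f"{label}: {assess(yaml, ver, mode)}")
```

Run as a script it prints one line per scenario; the useful reading is that the same `elasticsearch.yml` is acceptable on 7.16.0 under STRICT mesh mTLS, rejected at bootstrap on 7.15.x, and a plaintext-credential risk if the mesh policy is ever downgraded from STRICT. The checker deliberately ignores PERMISSIVE, because a PERMISSIVE policy accepts plaintext from non-mesh clients and therefore cannot stand in for `xpack.security.http.ssl.enabled: true`.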