I was thinking of using the docker entrypoint script for the elasticsearch image to create the node certificates. Would it be fine to use the same config every time? For example:
./sgtlstool.sh -c …/config/tlsconfig.yml -crt
dn: CN=root.ca.example.com,OU=CA,O=Example Com, Inc.,DC=example,DC=com
dn: CN=signing.ca.example.com,OU=CA,O=Example Com, Inc.,DC=example,DC=com
dn: CN=esnode.example.com,OU=Ops,O=Example Com, Inc.,DC=example,DC=com
This way the same snippet would be appended to each node’s elasticsearch config
This is a configuration snippet for the node esnode
This snippet needs to be inserted into the file config/elasticsearch.yml of the respective node.
If the config file already contains SearchGuard configuration, this needs to be replaced.
Furthermore, you need to copy the files referenced below into the same directory.
Also since sgadmin only needs to update the configuration index. If I pass in my custom sg_config files to the config before starting elasticsearch in my docker entrypoint will I still need to run sgadmin or will ES correctly configure both the ES config and SG config on startup?
On Tuesday, March 19, 2019 at 12:11:57 PM UTC-7, Search Guard wrote:
Am 19.03.2019 um 00:07 schrieb apt221 akash...@sysdig.com:
Elasticsearch Version: 5.6.14
Search Guard Version: 5.6.14-19.2
I am in the process of figuring out how to transfer from a single node elasticsearch cluster with SG installed to a multinode ES cluster (in kubernetes) and I would like some help understanding the process. I would like to automate the process of generating the certs required for the ES cluster. So far I have used the offline TLS tool to generate a root-ca and intermediate cert. These certs are shared to every node in the ES cluster via kubernetes secrets.
- How do I generate the required node certificates for the cluster?
If I had 50 nodes in my elasticsearch cluster, would that mean that in my tlsconfig.yml I would need 50 entries under the nodes config section or do I just need a minimum of 1 node certificate?
In the above mentioned helm chart we run the tls tool in an init container for every pod. In kubernetes you typically cannot generate them upfront because everything is dynamic.
- Is it fine to simply run the sgadmin script from one node and expect the rest of the cluster to have the updated configurations?
Yes. Run sgadmin from one node (or from outside the cluster) and all nodes will be updated with the new configs without restart.
Thats called hot reload. You only need to restart nodes if youmake changes in elasticsearch.yml or if you update Search Guard or Elasticsearch version.
The above mentioned helm will perform a rolling restart in that cases so (given thereare enough nodes in the cluster) that no downtime occurs.
I can’t seem to find the post right now but I remember reading in one of the SG posts a reply that stated that you would only need to update the SG indexes from one node and the changes would be updated in all nodes (I assume after you restart all these nodes).
No restart required
See https://docs.search-guard.com/latest/sgadmin#using-sgadmin-to-configure-search-guard and https://docs.search-guard.com/latest/main-concepts#the-search-guard-index
Please let me know if any more information is required. Thanks!
You received this message because you are subscribed to the Google Groups “Search Guard Community Forum” group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.
To post to this group, send email to search...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/1a0f026b-df99-47d7-8d6d-1deff654afdb%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.