How to use the ingress certificates in place of all the random generated certificates

Hi,

I am setting up searchguard elastic stack on kubernetes (Azure Kubernetes Service). Search guard version sg-sgadmin:7.1.0-35.0.0. I want to expose search guard kibana through ingress. How should I use the same ingress certificate as the Node, Admin, REST certificate? Is this possible? Please provide detailed answer on the steps that will help in achieving the same.

Regard,
Nitesh

I recommend to have a look how we do it in our helm charts: https://github.com/floragunncom/search-guard-helm

That said you can have the same certificates for nodes and REST but the admin certificvate needs to be a different one. If you update the certs you must restart the pod.

  1. Can you please help in understanding why do I need a different certificate for admin? I mean what different details do I need to pass while generating this admin certificate? Is there any specific set of values to be given for CN, OU, O etc. I generated my ingress certificate using Lets Encrypt certbot in which I just had to pass my desired DNS name.

  2. You said that I need to restart my pod on updating the secrets but wont the pod restart let to generation of new demo certificates and subsequent modification of my Prod secrets? Plz refer the below code in the link https://github.com/floragunncom/search-guard-helm/blob/master/sg-helm/templates/sgadmin-deployment.yaml here in Init container a new certificate will be generated. Is not it? ```` cat >"{{ template “fullname” . }}-root-ca.yml" <<EOL
    ca:
    root:
    dn: CN={{ template “fullname” . }}-root-ca,OU=CA,O=Example Com, Inc.,DC=example,DC=com
    keysize: 2048
    validityDays: 365
    pkPassword: none
    file: root-ca.pem
    EOL

             /root/tlstool/tools/sgtlstool.sh -ca -v -c "{{ template "fullname" . }}-root-ca.yml" -t /tmp/
    
             cat >"{{ template "fullname" . }}-root-ca-sec.yaml" <<EOL ````

Pls refer to the documentation where the various certificate types are explained:



And yes, in the helm charts we regenerate the node certificates because the hostname is different for every unique pod. The root-ca will only created once of course.

Hi,

Thanks for the response. I went through it but I am still unclear where and how should I put my generated certificates (generated from Lets encrypt certbot) so that they are picked up by kubernetes on helm install. I did not see any key in the values.yml file that hold certificates. 1. Are they to be placed in install_demo_configuration.sh, which then requires creating the docker image for elasticsearch+search guard elastic search plugin or 2. Should I edit the respective secrets and run sgadmin.sh or is there some other correct way of doing it ? Please help. Request you to be elaborative.

Regards,
Nitesh

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.