Using client certificate for a readiness check

Search Guard
1

Elasticsearch Version: 5.6.14
Search Guard Version: 5.6.14-19.2

I was not sure about how to use the client certificate to perform a health check for elasticsearch. In the SG Docs under Testing the installation they perform a curl request to check the SG config

curl --insecure -u admin:admin ‘https://localhost:9200/_searchguard/authinfo?pretty

``

Is there a “secure” way to perform this with a client certificate (ex. spock.pem) and readall user to do a health check?

curl -X GET “localhost:9200/_cluster/health”

``

2

If you just want to perform a normal health check, for example because you have a load balancer in place, you can just use this SG healthcheck endpoint which does not require authentication:

https://docs.search-guard.com/latest/search-guard-installation#search-guard-health-check

Is there any particular reason you want to access the health check endpoint with a client certificate?

···

On Thursday, March 28, 2019 at 9:08:13 PM UTC+1, apt221 wrote:

Elasticsearch Version: 5.6.14
Search Guard Version: 5.6.14-19.2

I was not sure about how to use the client certificate to perform a health check for elasticsearch. In the SG Docs under Testing the installation they perform a curl request to check the SG config

curl --insecure -u admin:admin ‘https://localhost:9200/_searchguard/authinfo?pretty

``

Is there a “secure” way to perform this with a client certificate (ex. spock.pem) and readall user to do a health check?

curl -X GET “localhost:9200/_cluster/health”

``

3

I did not know about this, is this available for version 5.6.14-19.2? Also I didn’t specifically need to use client certificates, but I couldn’t find any reasons for having them. Are there any examples that use client certificates on the docs? I can’t seem to find any.

The reason for the health check is just for the kubernetes cluster. The readiness probe will keep checking the health to see if we need to restart any pods

···

On Thursday, March 28, 2019 at 3:07:19 PM UTC-7, Jochen Kressin wrote:

If you just want to perform a normal health check, for example because you have a load balancer in place, you can just use this SG healthcheck endpoint which does not require authentication:

https://docs.search-guard.com/latest/search-guard-installation#search-guard-health-check

Is there any particular reason you want to access the health check endpoint with a client certificate?

On Thursday, March 28, 2019 at 9:08:13 PM UTC+1, apt221 wrote:

Elasticsearch Version: 5.6.14
Search Guard Version: 5.6.14-19.2

I was not sure about how to use the client certificate to perform a health check for elasticsearch. In the SG Docs under Testing the installation they perform a curl request to check the SG config

curl --insecure -u admin:admin ‘https://localhost:9200/_searchguard/authinfo?pretty

``

Is there a “secure” way to perform this with a client certificate (ex. spock.pem) and readall user to do a health check?

curl -X GET “localhost:9200/_cluster/health”

``