Secure elasticsearch cluster
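# Self-signed Issuer, used only to bootstrap the cluster CA below.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: my-issuer
spec:
  selfSigned: {}
---
# Cluster CA certificate, stored by cert-manager in Secret "my-ca-cert"
# (tls.crt / tls.key). The Secret therefore carries the CA *private key*:
# anyone who can read it can sign certificates the whole cluster trusts,
# so restrict RBAC on this Secret and on the pods that mount it.
# No duration/renewBefore is set, so cert-manager's defaults apply.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: my-ca-cert
spec:
  commonName: datahub
  isCA: true
  issuerRef:
    kind: Issuer
    name: my-issuer
  secretName: my-ca-cert
  subject:
    organizations:
      - Qwant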
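xpack.security.enabled: true
# Transport (node-to-node) TLS only. xpack.security.http.ssl is not set, so
# the REST API stays plaintext unless TLS is terminated in front of it.
xpack.security.transport.ssl.enabled: true
# full = certificate chain + IP/hostname verification against the SANs
# baked into the keystore by the init container
xpack.security.transport.ssl.verification_mode: full
# keystore.p12 is generated by the pod itself (init container) with an empty
# password; it is reused as the truststore, which only works because the
# certutil output also carries the CA certificate (verify after upgrades)
xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/config/certs-gen/keystore.p12
xpack.security.transport.ssl.truststore.path: /usr/share/elasticsearch/config/certs-gen/keystore.p12
# No user management yet: anonymous requests get the superuser role, so anyone
# who can reach the HTTP port has full cluster access. Lab setting only;
# replace with real users/roles before exposing the cluster.
xpack.security.authc:
  anonymous:
    username: anonymous
    roles: superuser
    authz_exception: true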
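# Generate the transport keystore for node "master-0", signed by the
# cert-manager CA mounted at /usr/share/elasticsearch/config/certs.
# The --ip/--dns SANs must cover every address and name other nodes use to
# reach this node, because elasticsearch.yml uses verification_mode: full.
# --ca-pass is empty because the cert-manager key is not passphrase-protected;
# --pass is empty so the resulting keystore is unprotected and relies entirely
# on filesystem permissions of certs-gen.
elasticsearch-certutil cert \
  --name master-0 \
  --days 1000 \
  --ip "${POD_IP}" \
  --dns master-0,master-svc,master-svc-headless,master-0.master-svc \
  --ca-cert /usr/share/elasticsearch/config/certs/tls.crt \
  --ca-key /usr/share/elasticsearch/config/certs/tls.key \
  --ca-pass "" \
  --pass "" \
  --out /usr/share/elasticsearch/config/certs-gen/keystore.p12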
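# Helm values for the Elasticsearch chart: enable transport TLS with a
# per-node certificate that an init container mints from the cert-manager CA.
esConfig:
  elasticsearch.yml: |
    xpack.security.enabled: true
    # Transport (node-to-node) TLS only; xpack.security.http.ssl is not set,
    # so the REST API stays plaintext unless terminated elsewhere.
    xpack.security.transport.ssl.enabled: true
    # full = chain + IP/hostname verification against the SANs the init
    # container puts in the keystore (see --ip/--dns below)
    xpack.security.transport.ssl.verification_mode: full
    # keystore.p12 is generated by the setup-tls-cert init container with an
    # empty password and lives in an emptyDir, so it is regenerated on every
    # pod start; it doubles as truststore because the CA cert is included
    xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/config/certs-gen/keystore.p12
    xpack.security.transport.ssl.truststore.path: /usr/share/elasticsearch/config/certs-gen/keystore.p12
    # Anonymous requests get the superuser role: anyone who can reach the
    # HTTP port has full cluster access. Lab setting only.
    xpack.security.authc:
      anonymous:
        username: anonymous
        roles: superuser
        authz_exception: true

# Scratch volume shared between the init container (writer) and the
# Elasticsearch container (reader) for the generated keystore.
extraVolumes:
  - name: tls-certificates
    emptyDir: {}

# Mount point for the generated keystore in the Elasticsearch container.
extraVolumeMounts:
  - name: tls-certificates
    mountPath: /usr/share/elasticsearch/config/certs-gen

# Init container that builds the per-node keystore from the CA Secret.
extraInitContainers:
  - name: setup-tls-cert
    image: "docker.elastic.co/elasticsearch/elasticsearch:7.11.0"
    command:
      - bash  # `set -o pipefail` is a bash-ism; plain sh may reject it
      - -c
      - |
        set -euo pipefail
        # SANs must match every name other nodes will dial, or
        # verification_mode: full rejects the connection.
        # --ca-pass/--pass are empty: the CA key is unencrypted PEM and the
        # output keystore is unprotected (filesystem permissions only).
        elasticsearch-certutil cert \
          --name "${NODE_NAME}" \
          --days 1000 \
          --ip "${POD_IP}" \
          --dns "${NODE_NAME},${POD_SERVICE_NAME},${POD_SERVICE_NAME_HEADLESS},${NODE_NAME}.${POD_SERVICE_NAME},${NODE_NAME}.${POD_SERVICE_NAME_HEADLESS}" \
          --ca-cert /usr/share/elasticsearch/config/certs/tls.crt \
          --ca-key /usr/share/elasticsearch/config/certs/tls.key \
          --ca-pass "" \
          --pass "" \
          --out /usr/share/elasticsearch/config/certs-gen/keystore.p12
    env:
      - name: NODE_NAME
        valueFrom:
          fieldRef:
            fieldPath: metadata.name
      - name: POD_IP
        valueFrom:
          fieldRef:
            fieldPath: status.podIP
      # Placeholders: set to the chart's Service and headless Service names
      # so the DNS SANs above match what the other nodes connect to.
      - name: POD_SERVICE_NAME
        value: "XXXXXXXX"
      - name: POD_SERVICE_NAME_HEADLESS
        value: "XXXXXXXXX-headless"
    volumeMounts:
      - name: elastic-certificates
        mountPath: /usr/share/elasticsearch/config/certs
      - name: tls-certificates
        mountPath: /usr/share/elasticsearch/config/certs-gen

# Mount the cert-manager CA Secret. Note this exposes the CA private key
# (tls.key) inside every Elasticsearch pod, not just the CA cert: any
# compromise of a pod, or read access to the Secret, allows minting
# certificates the whole cluster trusts. Prefer issuing per-node certs via
# cert-manager and mounting only ca.crt where that is an option.
secretMounts:
  - name: elastic-certificates
    secretName: my-ca-cert
    path: /usr/share/elasticsearch/config/certs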