Enabling Elasticsearch data encryption

To access the Elasticsearch cluster through an encrypted connection, you must set up RestHighLevelClient to trust the CA that signed the certificate that Elasticsearch uses. The CA certificate is available as a PEM encoded file. You also need to procure the credentials to authenticate the connection.

About this task

Important: If you do not want to set up SSL on Elasticsearch, set the value for the ssl_elasticsearch_disable property to true.

When SSL is enabled on Elasticsearch, you can access Elasticsearch by using Elasticsearch credentials. To create the Elasticsearch credential, use the following steps.

Procedure

  1. Enable SSL on Elasticsearch. For more information, see https://www.elastic.co/guide/en/elasticsearch/reference/7.10/configuring-tls-docker.html.
  2. Import the self-signed certificate that you used to configure SSL on Elasticsearch into the truststore by using the following keytool command.
    keytool -import -trustcacerts -file <path to certificate> -alias <alias for certificate in trust store> -keystore <trust store name>
    The following arguments are used in the command line.
    • -alias is the name of the certificate to process.
    • -file is the name of the certificate to be imported.
    • -keystore is the name of the truststore.
    Note: If you already created a truststore for the Cassandra self-signed certificate, provide the same truststore name here so that the Elasticsearch certificate is imported into that same truststore.
  3. Run the following command to create a configmap from the truststore, so that the truststore can be volume mounted into the container.
    kubectl create configmap <truststoreConfig> --from-file=<truststore_name> -n <namespace>
    The following arguments are used in the command line.
    • --from-file is the name of the truststore file.
    • -n is the name of the namespace.
  4. By default, ssl_elasticsearch_disable is set to false in the Operator. Use the information in this section to add the configurations and properties to the spec and the secret. Mount the truststore configMap as a volume inside the container by adding the following configuration to the spec.additionalMounts property:
    additionalMounts:
        configMaps:
          - mountPath: <path_to_store_truststore_file_in_container>
            name: <truststore_configmap_name>
            readOnly: <boolean>
            subPath: <truststore_file_name>
    

    For more information, see additionalMounts parameter.

  5. Add the contact points of Elasticsearch in the elasticsearch.contactPoints field as contactPoints: <contactpoints_of_elasticsearch>. For more information, see Elasticsearch properties.
  6. To access Elasticsearch, create an Order Service role in the Elasticsearch cluster by using the Elasticsearch API. Refer to the following sample code.
    POST _security/role/orderservice_role
    {
      "cluster": [ "manage_index_templates" ],
      "indices": [
        {
          "names": [ "*order*" ],
          "privileges": [
            "create_index",
            "index",
            "delete",
            "maintenance",
            "manage",
            "manage_ilm",
            "monitor",
            "read"
          ],
          "allow_restricted_indices": true
        }
      ]
    }
  7. Create a user for the Order Service role and set its password by using the Elasticsearch API. Use the same credentials to access Elasticsearch. Refer to the following sample code for creating the user and setting the password.
    POST _security/user/<user>
    {
      "password" : "<password>",
      "roles" : [ "orderservice_role" ],
      "full_name" : "Order Service User"
    }
  8. Set the truststore password, Elasticsearch username, and Elasticsearch password in the form of a key-value pair in the secret.
    trustStorePassword: <password configured while creating the truststore>
    es_username: <user name created in the previous step>
    es_password: <password created in the previous step>
    

    For more information, see Creating a secret.
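The following is an added example, not code from this page or from the Order Service operator, showing how a Java client based on RestHighLevelClient consumes what the procedure above produces: it loads the mounted truststore (step 4) so that only the CA in that truststore is trusted, and authenticates with the user created in step 7 using the values stored in the secret in step 8. The truststore path /opt/truststore/truststore.jks, the host name elasticsearch.example.svc, the port 9200, and the assumption that the secret keys (trustStorePassword, es_username, es_password) are exposed to the container as environment variables are all assumptions made for the example.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;

import org.apache.http.HttpHost;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.ssl.SSLContexts;
import org.elasticsearch.client.RequestOptions;
import org.elasticsearch.client.RestClient;
import org.elasticsearch.client.RestClientBuilder;
import org.elasticsearch.client.RestHighLevelClient;

/** Example client (hypothetical class, not part of the Order Service operator). */
public class SecureElasticsearchClient {

    /**
     * Builds an SSLContext from the JKS truststore created with keytool in step 2 and
     * mounted into the container in step 4. Only certificates signed by a CA in this
     * truststore are accepted; no trust-all strategy is installed.
     */
    static SSLContext trustStoreContext(Path trustStorePath, char[] trustStorePassword) throws Exception {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(trustStorePath)) {
            trustStore.load(in, trustStorePassword);
        }
        return SSLContexts.custom().loadTrustMaterial(trustStore, null).build();
    }

    /**
     * Creates a RestHighLevelClient that talks HTTPS to Elasticsearch, verifies the server
     * certificate against the truststore, and sends the Elasticsearch user credentials
     * (the es_username / es_password values from the secret in step 8) with every request.
     */
    static RestHighLevelClient build(String host, int port, SSLContext sslContext,
                                     String username, String password) {
        BasicCredentialsProvider credentials = new BasicCredentialsProvider();
        credentials.setCredentials(AuthScope.ANY, new UsernamePasswordCredentials(username, password));

        RestClientBuilder builder = RestClient.builder(new HttpHost(host, port, "https"))
            .setHttpClientConfigCallback(httpClientBuilder -> httpClientBuilder
                // Hostname verification is left at its default (enabled); only the
                // trust material is replaced.
                .setSSLContext(sslContext)
                .setDefaultCredentialsProvider(credentials));
        return new RestHighLevelClient(builder);
    }

    /** Reads a required value from the environment (assumed mapping of the secret keys). */
    private static String requireEnv(String name) {
        String value = System.getenv(name);
        if (value == null || value.isEmpty()) {
            throw new IllegalStateException("missing required environment variable: " + name);
        }
        return value;
    }

    public static void main(String[] args) throws Exception {
        // Assumed path: the mountPath/subPath configured in additionalMounts in step 4.
        Path trustStorePath = Paths.get("/opt/truststore/truststore.jks");
        char[] trustStorePassword = requireEnv("trustStorePassword").toCharArray();
        SSLContext sslContext = trustStoreContext(trustStorePath, trustStorePassword);

        // Assumed host and port of the Elasticsearch contact point from step 5.
        try (RestHighLevelClient client = build("elasticsearch.example.svc", 9200, sslContext,
                                                requireEnv("es_username"), requireEnv("es_password"))) {
            // A ping over TLS with basic auth confirms both the trust chain and the credentials.
            boolean reachable = client.ping(RequestOptions.DEFAULT);
            System.out.println("Elasticsearch reachable over TLS: " + reachable);
        }
    }
}
```

If the ping fails with a certificate path error, the CA that signed the Elasticsearch certificate is not in the truststore that was imported in step 2 or mounted in step 4; if it fails with an HTTP 401, the es_username and es_password values in the secret do not match the user created in step 7.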