cloud-on-k8s
Testing custom certificate scenarios
When the user provides their own HTTP certificate, at least two scenarios may be distinguished:
Custom HTTP certificate has been issued from a well known issuer
In this case no additional CA is needed or provided (or an empty CA in the case of Let's Encrypt):
ca.crt: ""
tls.crt: |
-----BEGIN CERTIFICATE-----
MIIFcjCCBFqgAwIBAgISBLtQnFM+45Ej1gE9i8ISJJODMA0GCSqGSIb3DQEBCwUA
...
q6H2pqcVZmUmKs0gH7YTAgLt8Feg6w+16OqrreSNkZidHkY/I2AmiIoRh6q94E0A
3p7KsOod
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
....
PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
-----END CERTIFICATE-----
Custom certificate has been issued by a custom, private, certificate authority
In this case users need to provide the CA as part of the Secret:
ca.crt: |
-----BEGIN CERTIFICATE-----
MIIDKjCCAhKgAwIBAgIQLXakvamZh+rb9fCKQjeeBzANBgkqhkiG9w0BAQsFADAv
....
bmbqYLJOWQ2wZfsSwQaXXH4BHTGSklsrT8Q5lcprVOKKV8l0YqX3mA/AsLJLSg==
-----END CERTIFICATE-----
tls.crt: |
-----BEGIN CERTIFICATE-----
MIIFcjCCBFqgAwIBAgISBLtQnFM+45Ej1gE9i8ISJJODMA0GCSqGSIb3DQEBCwUA
...
q6H2pqcVZmUmKs0gH7YTAgLt8Feg6w+16OqrreSNkZidHkY/I2AmiIoRh6q94E0A
3p7KsOod
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
...
PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
-----END CERTIFICATE-----
While fixing #2243 (PR) a regression has been introduced in ECK 1.1 affecting users using CA certs from a well known provider like Let's Encrypt. After the upgrade Kibana was not able to connect to Elasticsearch (more details here).
This issue raises the question of how we could avoid such a regression in the future.
Hi Team, I have an OCP 4.4 deployment and I need to use custom certificates generated from an internal PKI (AD CS). Is there any guidance on how I can deploy ECK on OCP with custom certificates for ES & Kibana?
@ahalamir Please use our discuss forum at https://discuss.elastic.co/c/eck for any questions. The use of custom certificates is described in the documentation.
An idea that was discussed for addressing the difficulty of testing custom HTTP certificates issued by a well known issuer in our e2e test pipelines, which often run in parallel and do not have access to a domain, is to simulate the "well known issuer" by:
- generating a certificate through the same means as in the "Custom certificate has been issued by a custom, private, certificate authority" case, e.g. cert-manager
- injecting the corresponding CA certificate into the trusted CAs in the containers (/usr/local/share/ca-certificates/ on Ubuntu/Debian) and also in the operator container
This approach is still tricky as it does not work on distroless images (if we go back to that for the operator we would need a custom Docker image), and the injection mechanism differs depending on the Elastic stack image under test and the corresponding base image (e.g. Elastic Agent recently changed from CentOS to Ubuntu, to name just one).
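As an added example (not code from the cloud-on-k8s project or from anyone in this thread), the following Go check exercises the two Secret layouts from the issue body and the "inject the CA into the trusted CAs" idea above: when ca.crt is provided, tls.crt must chain to that CA only; when ca.crt is empty, tls.crt must chain to the pool standing in for the container's trusted CAs, which is what the injection simulates. The function names VerifyHTTPSecret and NewTestChain, the host name and the test CA are assumptions constructed for the example; ca.crt and tls.crt are the Secret keys from the issue.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// VerifyHTTPSecret checks that the server certificate in tls.crt chains to a trusted root:
// the CA in ca.crt when the Secret ships one, otherwise trustedRoots (the container's trusted CAs).
func VerifyHTTPSecret(data map[string][]byte, trustedRoots *x509.CertPool, host string) error {
	b, rest := pem.Decode(data["tls.crt"])
	if b == nil {
		return errors.New("tls.crt holds no certificate")
	}
	leaf, err := x509.ParseCertificate(b.Bytes) // first block is the server cert
	if err != nil {
		return err
	}
	inter := x509.NewCertPool()
	inter.AppendCertsFromPEM(rest) // any further blocks are intermediates
	roots := trustedRoots          // empty ca.crt: the well known issuer case, rely on the trusted CAs
	if ca := data["ca.crt"]; len(ca) > 0 { // private CA case: trust only the CA shipped in the Secret
		if roots = x509.NewCertPool(); !roots.AppendCertsFromPEM(ca) {
			return errors.New("ca.crt is not a PEM certificate")
		}
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, DNSName: host})
	return err
}

// NewTestChain builds a constructed (assumed, not real) CA and a server certificate for host, as PEM.
func NewTestChain(host string) (caPEM, leafPEM []byte) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	pub, _, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed test CA"},
		NotBefore: now, NotAfter: now.Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, ca, ca, caPub, caKey)
	ca, _ = x509.ParseCertificate(caDER) // parent must carry the CA's final Subject/SubjectKeyId
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: []string{host}, NotBefore: now,
		NotAfter: now.Add(time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leaf, ca, pub, caKey)
	toPEM := func(der []byte) []byte { return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}) }
	return toPEM(caDER), toPEM(leafDER)
}
```

Adding the test CA to the trusted pool after a first failing verification is the in-process equivalent of dropping it into /usr/local/share/ca-certificates/ in the image under test.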