opendistro-build
opendistro-build copied to clipboard
Not able to run Elasticsearch on http with helm install
I am trying to run elasticsearch on http with helm installer. I tried adding
--set opendistro_security.ssl.http.enabled=false --set elasticsearch.ssl.rest.enabled=false --set opendistro_security.allow_default_init_securityindex=true --set elasticsearch.securityConfig.enabled=true
but it still starts it on https!
I've even tried setting up config.yaml
but it was unable to change the default value from this script https://github.com/opendistro-for-elasticsearch/security/blob/dfc41db0d0123cd0965d40ee47d61266e560f7e6/tools/install_demo_configuration.sh#L365
or maybe from some other place.
Is there something that i am missing?
Thanks in advance.
@LohithChanda are you trying to enable the security feature in your cluster?
close the issue. feel free to reopen
@weicongs-amazon this is still a problem currently.
In the Helm chart, it's supposed to be disabled by default but it isn't.
Adding the following to a custom value.yaml
file does not work either:
elasticsearch:
ssl:
rest:
enabled: false
The /usr/share/elasticsearch/config/elasticsearch.yml
on one of the pods which seems to be like here but it's confusing because you would think elasticsearch.ssl.rest.enabled = false
would disable opendistro_security.ssl.http.enabled
.
cluster.name: "docker-cluster"
network.host: 0.0.0.0
# # minimum_master_nodes need to be explicitly set when bound on a public IP
# # set to 1 to allow single node clusters
# # Details: https://github.com/elastic/elasticsearch/pull/17288
# discovery.zen.minimum_master_nodes: 1
# # Breaking change in 7.0
# # https://www.elastic.co/guide/en/elasticsearch/reference/7.0/breaking-changes-7.0.html#breaking_70_discovery_changes
# cluster.initial_master_nodes:
# - elasticsearch1
# - docker-test-node-1
######## Start OpenDistro for Elasticsearch Security Demo Configuration ########
# WARNING: revise all the lines below before you go into production
opendistro_security.ssl.transport.pemcert_filepath: esnode.pem
opendistro_security.ssl.transport.pemkey_filepath: esnode-key.pem
opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
opendistro_security.ssl.transport.enforce_hostname_verification: false
opendistro_security.ssl.http.enabled: true
opendistro_security.ssl.http.pemcert_filepath: esnode.pem
opendistro_security.ssl.http.pemkey_filepath: esnode-key.pem
opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem
opendistro_security.allow_unsafe_democertificates: true
opendistro_security.allow_default_init_securityindex: true
opendistro_security.authcz.admin_dn:
- CN=kirk,OU=client,O=client,L=test, C=de
opendistro_security.audit.type: internal_elasticsearch
opendistro_security.enable_snapshot_restore_privilege: true
opendistro_security.check_snapshot_restore_write_privileges: true
opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
opendistro_security.system_indices.enabled: true
opendistro_security.system_indices.indices: [".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opendistro-notifications-*"]
cluster.routing.allocation.disk.threshold_enabled: false
node.max_local_storage_nodes: 3
######## End OpenDistro for Elasticsearch Security Demo Configuration ########
@peterzhuamazon @gaiksaya could you help to take a look?
Any update on this? I can't figure out how to install the helm chart without https
Ping @sreekarjami
Hi @yardenshoham, I will try reproducing the issue and get back to you.
Thanks
Were you able to install the helm chart with security disabled?
Any progress on this?
Any progress on this.. I am as well looking for a solution. I tried manually modifying the elasticsearch.yml file, but when I do it and restart the pod it will initialize with the same configuration
Ok little addition to my last post:
- Editing the file directly in the container and restarting the pod or killing the processes does not work.
- Specifying a security config in the helm file via
configSecret: security-config
and a secret calledsecurity-config
does not work either.
I have no idea. Do you have any other idea how I can disable this?
I have the same issue. I want to disable SSL for client/rest, but can't make it work.