opendistro-build icon indicating copy to clipboard operation
opendistro-build copied to clipboard

Published 20 hours ago • verified publisher icon opendistro-for-elasticsearch

Not able to run Elasticsearch on http with helm install

Open LohithChanda opened this issue 4 years ago • 12 comments

I am trying to run elasticsearch on http with helm installer. I tried adding --set opendistro_security.ssl.http.enabled=false --set elasticsearch.ssl.rest.enabled=false --set opendistro_security.allow_default_init_securityindex=true --set elasticsearch.securityConfig.enabled=true but it still starts it on https!

I've even tried setting up config.yaml but it was unable to change the default value from this script https://github.com/opendistro-for-elasticsearch/security/blob/dfc41db0d0123cd0965d40ee47d61266e560f7e6/tools/install_demo_configuration.sh#L365 or maybe from some other place.

Is there something that i am missing?

Thanks in advance.

LohithChanda avatar May 28 '20 07:05 LohithChanda

@LohithChanda are you trying to enable the security feature in your cluster?

weicongs-amazon avatar Jun 03 '20 19:06 weicongs-amazon

close the issue. feel free to reopen

weicongs-amazon avatar Jun 15 '20 14:06 weicongs-amazon

@weicongs-amazon this is still a problem currently.

In the Helm chart, it's supposed to be disabled by default but it isn't.

Adding the following to a custom value.yaml file does not work either:

elasticsearch:
  ssl:
    rest:
      enabled: false

The /usr/share/elasticsearch/config/elasticsearch.yml on one of the pods which seems to be like here but it's confusing because you would think elasticsearch.ssl.rest.enabled = false would disable opendistro_security.ssl.http.enabled.

cluster.name: "docker-cluster"
network.host: 0.0.0.0

# # minimum_master_nodes need to be explicitly set when bound on a public IP
# # set to 1 to allow single node clusters
# # Details: https://github.com/elastic/elasticsearch/pull/17288
# discovery.zen.minimum_master_nodes: 1

# # Breaking change in 7.0
# # https://www.elastic.co/guide/en/elasticsearch/reference/7.0/breaking-changes-7.0.html#breaking_70_discovery_changes
# cluster.initial_master_nodes:
#    - elasticsearch1
#    - docker-test-node-1
######## Start OpenDistro for Elasticsearch Security Demo Configuration ########
# WARNING: revise all the lines below before you go into production
opendistro_security.ssl.transport.pemcert_filepath: esnode.pem
opendistro_security.ssl.transport.pemkey_filepath: esnode-key.pem
opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
opendistro_security.ssl.transport.enforce_hostname_verification: false
opendistro_security.ssl.http.enabled: true
opendistro_security.ssl.http.pemcert_filepath: esnode.pem
opendistro_security.ssl.http.pemkey_filepath: esnode-key.pem
opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem
opendistro_security.allow_unsafe_democertificates: true
opendistro_security.allow_default_init_securityindex: true
opendistro_security.authcz.admin_dn:
  - CN=kirk,OU=client,O=client,L=test, C=de

opendistro_security.audit.type: internal_elasticsearch
opendistro_security.enable_snapshot_restore_privilege: true
opendistro_security.check_snapshot_restore_write_privileges: true
opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
opendistro_security.system_indices.enabled: true
opendistro_security.system_indices.indices: [".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opendistro-notifications-*"]
cluster.routing.allocation.disk.threshold_enabled: false
node.max_local_storage_nodes: 3
######## End OpenDistro for Elasticsearch Security Demo Configuration ########

alexferl avatar Feb 19 '21 18:02 alexferl

@peterzhuamazon @gaiksaya could you help to take a look?

weicongs-amazon avatar Feb 19 '21 23:02 weicongs-amazon

Any update on this? I can't figure out how to install the helm chart without https

yardenshoham avatar Apr 13 '21 10:04 yardenshoham

Ping @sreekarjami

yardenshoham avatar Apr 18 '21 08:04 yardenshoham

Hi @yardenshoham, I will try reproducing the issue and get back to you.

Thanks

sreekarjami avatar Apr 19 '21 16:04 sreekarjami

Were you able to install the helm chart with security disabled?

yardenshoham avatar Apr 22 '21 12:04 yardenshoham

Any progress on this?

yardenshoham avatar Apr 25 '21 11:04 yardenshoham

Any progress on this.. I am as well looking for a solution. I tried manually modifying the elasticsearch.yml file, but when I do it and restart the pod it will initialize with the same configuration

shibumi avatar May 04 '21 10:05 shibumi

Ok little addition to my last post:

  • Editing the file directly in the container and restarting the pod or killing the processes does not work.
  • Specifying a security config in the helm file via configSecret: security-config and a secret called security-config does not work either.

I have no idea. Do you have any other idea how I can disable this?

shibumi avatar May 04 '21 11:05 shibumi

I have the same issue. I want to disable SSL for client/rest, but can't make it work.

szymon3 avatar Jun 27 '21 08:06 szymon3