Open sratz opened 1 year ago
Consider the following situation:
ca.crt
```yaml
apiVersion: kibana.k8s.elastic.co/v1
kind: Kibana
metadata:
  name: logsearch
  namespace: logsearch-prod
spec:
  version: 8.6.2
  count: 1
  elasticsearchRef:
    name: logsearch
```
* But now consider a simple [(self-)monitoring](https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-stack-monitoring.html) setup:
```yaml
monitoring:
  metrics:
    elasticsearchRefs:
```
The `config.elasticsearch.ssl.certificateAuthorities` option does not apply to the metricbeat and filebeat configuration.
The only way to get this set is:
apiVersion: kibana.k8s.elastic.co/v1 kind: Kibana metadata: name: logsearch namespace: logsearch-prod spec: version: 8.6.2 count: 1 elasticsearchRef: name: logsearch config: elasticsearch.ssl.certificateAuthorities: /mnt/rootcas/ca.crt podTemplate: spec: volumes: - name: rootcas secret: secretName: rootcas containers: - name: kibana volumeMounts: - name: rootcas mountPath: /mnt/rootcas + - name: filebeat + args: + - '-c' + - /etc/filebeat-config/filebeat.yml + - '-e' + - '-E' + - 'output.elasticsearch.ssl.certificate_authorities=["/mnt/rootcas/ca.crt"]' + - '-E' + - 'setup.kibana.ssl.certificate_authorities=["/mnt/rootcas/ca.crt"]' + volumeMounts: + - name: rootcas + mountPath: /mnt/rootcas + - name: metricbeat + args: + - '-c' + - /etc/metricbeat-config/metricbeat.yml + - '-e' + - '-E' + - 'output.elasticsearch.ssl.certificate_authorities=["/mnt/rootcas/ca.crt"]' + - '-E' + - 'metricbeat.modules.0.ssl.certificate_authorities=["/mnt/rootcas/ca.crt"]' + volumeMounts: + - name: rootcas + mountPath: /mnt/rootcas http: tls: certificate: secretName: elk-http-tls selfSignedCertificate: disabled: true monitoring: metrics: elasticsearchRefs: - name: logsearch logs: elasticsearchRefs: - name: logsearch
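Review bot: in the added metricbeat container args, `metricbeat.modules.0.ssl.certificate_authorities` targets the module by list position, so the CA override only lands on the intended module while that module stays first in the metricbeat.yml passed with `-c`; a comment recording that assumption would help. The added filebeat and metricbeat `args` lists also restate the `-c <config path>` and `-e` flags, so they replace rather than extend whatever arguments those containers would otherwise receive and should be re-checked after each operator upgrade.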
Overwriting args like this is quite error-prone. Alternatively, the whole filebeat.yml / elasticbeat.yml would have to be provided.
It would be better if this could be properly set via a dedicated configuration option just like config.elasticsearch.ssl.certificateAuthorities.
Environment
ECK version:
2.7.0
One thing we could potentially do is add a section similar to what we did recently for transport:
```yaml
http:
  tls:
    certificateAuthorities:
      configMapName: trust
```
and then have the operator ensure that: