Open knechtionscoding opened 2 years ago
Pinging @elastic/es-security (Team:Security)
This is a duplicate of https://github.com/elastic/elasticsearch/issues/81817. But I am going to close #81817 since this issue here is just for OAuth2 tokens while the other one has a mix of tokens and API keys and API keys no longer have the TLS restriction.
Yes, this would be very useful. I can't currently use Entra via OpenID Connect where the cluster is in Kubernetes behind an HAProxy that is TLS-terminated. The pods inside the cluster are running just HTTP so we don't have to deal with assigning certs for termination.
This is an issue.
Is there any progress on that? @elasticsearchmachine
Any updates on this?
+1
Any update on this? We have a similar issue when trying to set up SAML on GKE with Istio STRICT mTLS.
Description
Background
Elasticsearch requires TLS connections in order to enable some security features, like tokens for OIDC. This is important to guarantee that sensitive information is properly protected.
However, there are scenarios where encryption is managed outside of Elasticsearch. Notable examples are service mesh or reverse proxy software that are in front of the cluster, handling all incoming communication with the REST endpoint.
Goal
Allow service mesh and reverse proxy environments to use Elasticsearch OIDC/Tokens in scenarios where a clear-text connection between the service and Elasticsearch is used.
Proposal
Allow relaxing the TLS bootstrap checks to make OIDC/tokens available when TLS is not enabled.
Other background discussion:
https://github.com/dexidp/dex/issues/1593
https://github.com/elastic/elasticsearch/issues/61458
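Added illustration of the configuration this proposal is about; these are example `elasticsearch.yml` fragments written for this page, not configuration from the issue author or from the Elasticsearch project. The realm name `oidc1`, the client id, the redirect URI and the `op.*` endpoints are placeholders. The first block is what a TLS-terminating proxy or mesh deployment naturally wants: the OIDC realm depends on the token service, and with TLS off on the HTTP layer the token-service bootstrap check refuses to start the node in production mode, even though the mesh encrypts the hop. The commented-out lines at the end are what passes the check today, i.e. the extra TLS termination inside the pod that the issue wants to avoid.

```yaml
# Added example (not from the issue or the Elasticsearch project).
# Realm name, client id, redirect URI and OP endpoints are placeholders.

# --- What a mesh / TLS-terminating-proxy deployment wants ---
# The OIDC realm relies on the Elasticsearch token service, and the
# token service is gated by a bootstrap check that requires TLS on the
# HTTP layer in production mode. With the settings below the node does
# not start, which is exactly the situation this issue describes; the
# proposal would let this combination come up as-is.
xpack.security.enabled: true
xpack.security.http.ssl.enabled: false          # proxy / sidecar terminates TLS
xpack.security.authc.token.enabled: true        # required by the OIDC realm

xpack.security.authc.realms.oidc.oidc1:
  order: 2
  rp.client_id: "es-client"                                              # placeholder
  rp.response_type: code
  rp.redirect_uri: "https://kibana.example.internal/api/security/oidc/callback"  # placeholder
  op.issuer: "https://login.example.internal/"                          # placeholder
  op.authorization_endpoint: "https://login.example.internal/oauth2/authorize"
  op.token_endpoint: "https://login.example.internal/oauth2/token"
  op.jwkset_path: "https://login.example.internal/discovery/keys"
  claims.principal: sub
# The client secret is not a YAML setting; it lives in the keystore as
#   xpack.security.authc.realms.oidc.oidc1.rp.client_secret

# --- What passes the bootstrap check today ---
# TLS has to be enabled on the HTTP layer of Elasticsearch itself, so the
# pod terminates TLS a second time behind the proxy. Uncomment these and
# remove the "ssl.enabled: false" line above to get a node that starts.
# xpack.security.http.ssl.enabled: true
# xpack.security.http.ssl.keystore.path: certs/http.p12   # placeholder path
```

Practical check before rolling this out: the bootstrap checks only run when the node is in production mode (a non-loopback `network.host`), so a single-node dev setup will appear to accept the first block and then fail once it is deployed into the cluster. Testing with the production bind address is the quickest way to see which combination you actually have.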