dippynark
commented
6 years ago @munnerz LGTM - except I don't think issuerRef should appear as a field on the ElasticsearchCluster resource as it leans towards a specific implementation. The tls stanza should only have an enabled field - perhaps an annotation would be the best way for users to set the method for certificate creation (e.g. cert-manager/self-signed) and the name of the Issuer to use/create if cert-manager is to be used
wallrj
It should be possible to easily enable TLS on an Elasticsearch cluster.
Initially, an implementation that relies upon cert-manager for signing certificates in its simplest form (e.g. a Certificate resource is created per replica) will be the target:
API Changes
We will need to add a new field structure to
elasticsearchclusters.spec.tlsInitially, only the 'CA' based cert-manager issuer will be supported: https://github.com/jetstack/cert-manager/blob/master/docs/user-guides/ca-based-issuer.md This may change in future once discussion around generalising the Certificate resource type has been resolved: https://github.com/jetstack/cert-manager/issues/265
Controller changes
navigator-controller will need updating to:
Pilot changes
if tls is enabled:
Open questions
(may be more of a general cert-manager problem): should each Pilot be generating its own private key and then creating a CSR for this, instead of storing the private key in the k8s apiserver? This provides a stronger auth model. We'll need to investigate how we can make cert-manager support this.
certificate rotation should be handled by Pilot too
TLS requires x-pack. How do we more generally support x-pack only features in ES? ref #200
/kind feature /cc @mattbates @wallrj