Open angryviking opened 6 months ago
I am trying to configure Monstache to connect to Elasticsearch 8.12.2 using PKI auth instead of username/password.
From this comment, it looks like Monstache might not support this for ES 8+ (https://github.com/rwynn/monstache/issues/623#issuecomment-1186616950)?
I am running Monstache 6.7.14 in a docker container. I have imported the PKI certs and the ES ca cert and verified that Monstache has read access.
The relevant TOML file config:
```toml
[elasticsearch-pki-auth]
cert-file = "/data/config/certs/monstache.crt"
key-file = "/data/config/certs/monstache.key"
```
Monstache Environment settings
```
MONSTACHE_MONGO_URL=mongodb://mongo:27017/?tls=true&tlsCAFile=/data/config/certs/mongodbca.crt&tlsCertificateKeyFile=/data/config/certs/mongodb.pem&authSource=$external&authMechanism=MONGODB-X509
MONSTACHE_ES_URLS=https://elasticsearch:9200
MONSTACHE_ES_PEM=/data/config/certs/ca.crt
MONSTACHE_ES_PKI_CERT=/data/config/certs/monstache.crt
MONSTACHE_ES_PKI_KEY=/data/config/certs/monstache.key
MONSTACHE_ES_VALIDATE_PEM=false
```
When I use MONSTACHE_ES_USER and MONSTACHE_ES_PASS, I can connect fine. I would like to remove usernames and passwords from my config files.
Connecting to Elasticsearch with this certificate works as well. (From another container since the Monstache container doesn't have curl installed)
```
bash-5.1$ curl -k https://elasticsearch:9200/_security/_authenticate?pretty --key /tmp/monstache.key --cert /tmp/monstache.crt --cacert config/certs/ca/ca.crt
{
  "username" : "monstache",
  "roles" : [
    "superuser"
  ],
  "full_name" : null,
  "email" : null,
  "metadata" : {
    "pki_dn" : "CN=monstache"
  },
  "enabled" : true,
  "authentication_realm" : {
    "name" : "pki1",
    "type" : "pki"
  },
  "lookup_realm" : {
    "name" : "pki1",
    "type" : "pki"
  },
  "authentication_type" : "realm"
}
```