Feature: ability to specify multiple certificate authorities #709
Comments
In addition to this, I'd like to add that since elasticsearch dynamically reloads certificates without the need for a restart, I currently need to set One another solution would be to template the tls part in the
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
I'm still looking for this improvement.
Hi @adongy,
Another issue is that it would be better to have a CA for the transport layer and another for the "public/beat" connection, i.e. different configs for xpack.security.transport.ssl and xpack.security.http.ssl. I have an internal CA that manages cluster nodes, while another one is used to validate inbound connections from clients.
still valid
Describe the feature:
I'd like to be able to specify multiple certificate authorities for the security settings of my cluster.
Currently, the playbook only supports a single file:
- ansible-elasticsearch/tasks/elasticsearch-ssl.yml, lines 59 to 69 in 37fc61b
- ansible-elasticsearch/templates/elasticsearch.yml.j2, lines 46 to 48 in cab03ec
- ansible-elasticsearch/templates/elasticsearch.yml.j2, lines 60 to 62 in cab03ec
The official documentation describes the parameters as a "List of paths to PEM encoded certificate files that should be trusted." https://www.elastic.co/guide/en/elasticsearch/reference/current/security-settings.html#_pem_encoded_files_2
My use case is rolling updates of certificate authorities without cluster downtime.
Currently, Elasticsearch dynamically reloads certificates when they are updated.
When the `verification_mode` is set to `certificate` or `full`, if the new certificate is signed by the CA, the update is transparent: other cluster nodes will still validate the certificate and continue communication. Best practices for CAs recommend rotating the authority regularly. If there is only one file declared in the configuration, as soon as a node reloads the new authority, it will not accept communication with other cluster nodes that have not updated their certificate to be signed by the new authority.
A solution to this is having multiple certificate authorities declared: replacing one of them with the new authority while keeping the old one, updating each node's certificates to be signed by the new authority, and removing the old authority at the end.
In our case, the playbook could be updated in a retrocompatible way by checking the variable type: `variable is string` is true when it's a string and false when it's a list (unfortunately, strings will pass both the string and the sequence test). It should work for both the Jinja template and the tasks.
Thanks!
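The string-or-list normalization proposed in the issue, together with the CA-rotation overlap it motivates (and the separate transport/http CA sets asked for in the comment above), as an added example that is not code from the ansible-elasticsearch role. `verification_mode` and `certificate_authorities` are Elasticsearch setting names; the node labels, CA labels and the small trust check are constructed for illustration, and the function names are hypothetical.

```python
"""Model of a string-or-list CA setting and of a rolling CA rotation.

Stand-alone example: the role's real Jinja template would do the same
normalization with the `{% if var is string %}` branch the issue describes.
"""
from typing import Dict, Iterable, List, Set, Tuple, Union

CaSetting = Union[str, List[str]]


def normalize_cas(value: CaSetting) -> List[str]:
    """Accept a single path (the role's current behaviour) or a list of paths.

    A str is also a sequence (in Jinja as in Python), so the string test
    must run first, exactly as the issue points out.
    """
    if isinstance(value, str):
        return [value]
    return list(value)


def render_ssl_block(prefix: str, cas: CaSetting) -> str:
    """Emit `<prefix>.certificate_authorities` as a YAML list, one entry per CA.

    Calling this once with xpack.security.transport.ssl and once with
    xpack.security.http.ssl gives the transport/http split requested above.
    """
    lines = [f"{prefix}.certificate_authorities:"]
    lines += [f"  - {path}" for path in normalize_cas(cas)]
    return "\n".join(lines)


def cluster_fully_connected(trusted: Dict[str, Set[str]],
                            issuer: Dict[str, str]) -> bool:
    """Every node must accept every peer: the issuer of the peer's
    certificate has to be in the node's trusted CA set (what
    verification_mode certificate/full checks)."""
    return all(issuer[peer] in trusted[node]
               for node in trusted for peer in issuer if peer != node)


def rotation_phases(nodes: Iterable[str], old_ca: str,
                    new_ca: str) -> Tuple[bool, bool]:
    """Walk the rotation described in the issue.

    Returns (single_ca_breaks, overlap_holds): whether a single-CA config
    breaks the cluster as soon as one node reloads the new CA, and whether
    trusting both CAs during the rollout keeps every step connected.
    """
    nodes = list(nodes)

    # Single-CA config: the first node reloads a config that trusts only
    # the new CA while every certificate is still issued by the old one.
    trusted_single = {n: {old_ca} for n in nodes}
    trusted_single[nodes[0]] = {new_ca}
    issuer = {n: old_ca for n in nodes}
    single_breaks = not cluster_fully_connected(trusted_single, issuer)

    # Overlap: both CAs trusted everywhere, certificates re-issued one node
    # at a time, then the old CA dropped once no certificate depends on it.
    trusted_overlap = {n: {old_ca, new_ca} for n in nodes}
    issuer = {n: old_ca for n in nodes}
    overlap_holds = cluster_fully_connected(trusted_overlap, issuer)
    for n in nodes:
        issuer[n] = new_ca
        overlap_holds &= cluster_fully_connected(trusted_overlap, issuer)
    trusted_final = {n: {new_ca} for n in nodes}
    overlap_holds &= cluster_fully_connected(trusted_final, issuer)
    return single_breaks, overlap_holds


if __name__ == "__main__":
    # Constructed sample values.
    print(render_ssl_block("xpack.security.transport.ssl",
                           ["certs/old-ca.crt", "certs/new-ca.crt"]))
    print(render_ssl_block("xpack.security.http.ssl", "certs/public-ca.crt"))
    print(rotation_phases(["es-1", "es-2", "es-3"], "old-ca", "new-ca"))
```

The two booleans returned by `rotation_phases` are the argument of the issue in executable form: with one CA per config the first reload isolates that node, while keeping the old and new CA side by side until every certificate has been re-issued never produces a failing pair.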