Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Chore/setup es blobstore credentials #314

Draft
wants to merge 4 commits into
base: main
Choose a base branch
from

Conversation

thepsalmist
Copy link
Contributor

Script to add S3/B2 credentials to Elasticsearch keystore. Needed for snapshot & restore to AWS S3/Bcackblaze

@thepsalmist thepsalmist self-assigned this Jul 5, 2024
@thepsalmist thepsalmist requested a review from kilemensi July 5, 2024 11:02
@thepsalmist
Copy link
Contributor Author

Note: We need to configure credentials on all ES nodes. All our deploy scripts (benchmarking) from deploy.sh assumes deployment is on the logged in host.

Thinking if/how to handle multiple hosts & if this should leave on code repo??

@kilemensi
Copy link
Contributor

🤔 ... I think lets first clearly document all the steps we currently have to do to add credentials in all ES nodes.

  1. Do we need to create the keystore or is it created as part of installation?,
  2. Is it password protected or not (is there a need)?,
  3. Are the keystore contents backed-up as part of our backup (should they be?), etc.
  4. ???

Once this is done, then we'll be in a better position to answer your question:

Thinking if/how to handle multiple hosts & if this should leave on code repo??

@thepsalmist
Copy link
Contributor Author

thepsalmist commented Jul 8, 2024

🤔 ... I think lets first clearly document all the steps we currently have to do to add credentials in all ES nodes.

  1. Do we need to create the keystore or is it created as part of installation?,
  2. Is it password protected or not (is there a need)?,
  3. Are the keystore contents backed-up as part of our backup (should they be?), etc.
  4. ???

Once this is done, then we'll be in a better position to answer your question:

Thinking if/how to handle multiple hosts & if this should leave on code repo??

  1. For ES 8.x keystore is created automatically, since the default behaviour is to start with security auto-configurations on installation
  2. Currently not password protected (since we had decided to disable all x-pack security features - all access within angwin cluster), there's an option to create with password
  3. The keystore is not part of the backup done from the Snapshot Lifecycle Manager. Backing up keystore is considered best practice

@philbudne
Copy link
Contributor

Noticed this PR and wanted to share some musings/questions (without any specific answers):

I looked at it and thought "what does that have to do with blobstore.py?" Is there some ES-specific term (like repository or keystore) that could be used instead?

I see it creates a new top level directory for elasticsearch; we've tried to avoid top level clutter, and we already have docker/elastic-deploy.sh, which isn't ideal. I originally proposed that we run RabbitMQ outside docker, and in that case I wouldn't want a rabbitmq top level directory as well as an ES directory. One way to avoid cognitive dissonance would be to silently think of the docker directory as the deploy directory. I guess another would be to rename the directory!! It's a topic worthy of group discussion.

Could the installation of the keys be done in elastic-deploy.sh??? I realize it probably requires waiting for the ES cluster to come up...

As a P.S. Some time ago, I remember looking and seeing that I thought elastic-deploy.sh added a file to sources.list.d for the ES repo, but that was NOT the state of the currently running servers!

When possible, I think install scripts should be re-runable/idempotent: testing whether a step has been taken or not before taking the step, so that it's a no-op to re-run the script...

@thepsalmist
Copy link
Contributor Author

Noticed this PR and wanted to share some musings/questions (without any specific answers):

I looked at it and thought "what does that have to do with blobstore.py?" Is there some ES-specific term (like repository or keystore) that could be used instead?

I see it creates a new top level directory for elasticsearch; we've tried to avoid top level clutter, and we already have docker/elastic-deploy.sh, which isn't ideal. I originally proposed that we run RabbitMQ outside docker, and in that case I wouldn't want a rabbitmq top level directory as well as an ES directory. One way to avoid cognitive dissonance would be to silently think of the docker directory as the deploy directory. I guess another would be to rename the directory!! It's a topic worthy of group discussion.

Could the installation of the keys be done in elastic-deploy.sh??? I realize it probably requires waiting for the ES cluster to come up...

As a P.S. Some time ago, I remember looking and seeing that I thought elastic-deploy.sh added a file to sources.list.d for the ES repo, but that was NOT the state of the currently running servers!

When possible, I think install scripts should be re-runable/idempotent: testing whether a step has been taken or not before taking the step, so that it's a no-op to re-run the script...

Good suggestions from the above,

  1. the suggestion of an elasticsearch TLD was from an initial conversation on elastic-deploy.sh not being ideal with the docker/ directory. I'm also for the discussion on renaming the docker directory to something along deploy scripts.

  2. Move the script as part of elastic_deploy answers the other questions on naming et.al

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants