esConfig: elasticsearch.yml: | xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: full xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/config/certs-gen/keystore.p12 xpack.security.transport.ssl.truststore.path: /usr/share/elasticsearch/config/certs-gen/keystore.p12 xpack.security.authc: anonymous: username: anonymous roles: superuser authz_exception: true
extraVolumes:
- name: tls-certificates emptyDir: {}
extraVolumeMounts:
- name: tls-certificates mountPath: /usr/share/elasticsearch/config/certs-gen
extraInitContainers:
- name: setup-tls-cert
image: "docker.elastic.co/elasticsearch/elasticsearch:7.11.0"
command:
-
sh
-
-c
-
| #!/usr/bin/env bash set -euo pipefail
elasticsearch-certutil cert
--name ${NODE_NAME}
--days 1000
--ip ${POD_IP}
--dns ${NODE_NAME},${POD_SERVICE_NAME},${POD_SERVICE_NAME_HEADLESS},${NODE_NAME}.${POD_SERVICE_NAME},${NODE_NAME}.${POD_SERVICE_NAME_HEADLESS}
--ca-cert /usr/share/elasticsearch/config/certs/tls.crt
--ca-key /usr/share/elasticsearch/config/certs/tls.key
--ca-pass ""
--pass ""
--out /usr/share/elasticsearch/config/certs-gen/keystore.p12 env: -
name: NODE_NAME valueFrom: fieldRef: fieldPath: metadata.name
-
name: POD_IP valueFrom: fieldRef: fieldPath: status.podIP
-
name: POD_SERVICE_NAME value: "XXXXXXXX"
-
name: POD_SERVICE_NAME_HEADLESS value: "XXXXXXXXX-headless" volumeMounts:
-
name: elastic-certificates mountPath: /usr/share/elasticsearch/config/certs
-
name: tls-certificates mountPath: /usr/share/elasticsearch/config/certs-gen
-
secretMounts:
- name: elastic-certificates secretName: my-ca-cert path: /usr/share/elasticsearch/config/certs