elasticsearch: How do I add an OIDC client secret to the Elasticsearch keystore when it runs in K8S?

I have a self-hosted Elasticsearch cluster running in AWS EKS and I want to set up OIDC authentication. I followed the instructions: in the client secret setup it says

You’ll need to add the client secret to the keystore

So I started the ES cluster with basic authentication and used the command elasticsearch-keystore add xpack.security.authc.realms.oidc.oidc-realm.rp.client_secret to add the secret to the keystore.
After that I updated the ES yaml file to include the configuration:

    xpack:
      security:
        authc:
          realms:
            oidc:
              oidc-realm-name:
                order: 2
                rp.client_id: "client-id"
                rp.response_type: "code"
                rp.redirect_uri: "<KIBANA_ENDPOINT_URL>/api/security/v1/oidc"
                op.issuer: "<check with your OpenID Connect Provider>"
                op.authorization_endpoint: "<check with your OpenID Connect Provider>"
                op.token_endpoint: "<check with your OpenID Connect Provider>"
                op.userinfo_endpoint: "<check with your OpenID Connect Provider>"
                op.jwkset_path: "<check with your OpenID Connect Provider>"
                claims.principal: sub
                claims.groups: "http://example.info/claims/groups"
    java.lang.IllegalStateException: security initialization failed
    Likely root cause: SettingsException[The configuration setting [xpack.security.authc.realms.oidc.oidc-realm.rp.client_secret] is required]

It seems ES did not find the secret I added to the keystore. Then I realized that when I ran a rollout restart to apply the OIDC configuration, it lost the keystore. So my question is: what is the correct way to add OIDC to Elasticsearch in K8S?

If you deploy with Helm, the best way is to add it to the chart's values. You need to create a Secret in the cluster, which an initContainer then adds to the keystore.
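The pattern the answer describes, as an added example that is not part of the question or the answer: a Kubernetes Secret holds the client secret, and an initContainer rebuilds the keystore from it into an emptyDir on every pod start, so a rollout restart cannot lose the entry. Secret name, volume names, the image tag and the placeholder secret value are assumptions; the keystore key reuses the realm name from the question's elasticsearch.yml.

```yaml
# Constructed example, not from the question or the answer: a Secret that holds
# the OIDC client secret and an initContainer that rebuilds the keystore from it
# on every pod start, so a rollout restart no longer loses the entry.
apiVersion: v1
kind: Secret
metadata:
  name: es-keystore-secrets          # assumed name
type: Opaque
stringData:
  # The key must equal the secure setting name, including the realm name
  # used in elasticsearch.yml (here the question's "oidc-realm-name").
  xpack.security.authc.realms.oidc.oidc-realm-name.rp.client_secret: "REPLACE_WITH_CLIENT_SECRET"
---
# Fragment of the Elasticsearch StatefulSet pod spec (spec.template.spec).
initContainers:
  - name: keystore
    image: docker.elastic.co/elasticsearch/elasticsearch:7.17.0   # assumed; match your ES version
    command: ["bash", "-c"]
    args:
      - |
        set -euo pipefail
        elasticsearch-keystore create
        # One keystore entry per key in the mounted Secret: the file name is
        # the setting name and the file contents are the value.
        for f in /tmp/keystore-secrets/*; do
          elasticsearch-keystore add-file "$(basename "$f")" "$f"
        done
        cp /usr/share/elasticsearch/config/elasticsearch.keystore /keystore/
    volumeMounts:
      - name: keystore-secrets
        mountPath: /tmp/keystore-secrets
        readOnly: true
      - name: keystore
        mountPath: /keystore
containers:
  - name: elasticsearch
    image: docker.elastic.co/elasticsearch/elasticsearch:7.17.0   # assumed; match your ES version
    volumeMounts:
      # Mount only the keystore file so the rest of config/ stays as shipped.
      - name: keystore
        mountPath: /usr/share/elasticsearch/config/elasticsearch.keystore
        subPath: elasticsearch.keystore
volumes:
  - name: keystore-secrets
    secret:
      secretName: es-keystore-secrets
  - name: keystore
    emptyDir: {}
```

With the elastic/helm-charts Elasticsearch chart, the same Secret can be wired in through the chart's keystore values instead of a hand-written initContainer; the key-name rule (key equals the secure setting name) is the same.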