클라우드/쿠버네티스

엘라스틱 서치 security 설정

ybchoi 2022. 5. 24. 20:36

기본값으로 비활성화 되어있는 인증관련설정을 활성화 함

7버전부터 인증설정이 없으면 익명사용자로 작업시 경고 메시지 출력됨

09:01:10 WARN  org.elasticsearch.client.RestClient  - request [GET ] returned 1 warnings: [299 Elasticsearch-7.17.1-e5acb99f822233d62d6444ce45a4543dc1c8059a "Elasticsearch built-in security features are not enabled. Without authentication, your cluster could be accessible to anyone. See <https://www.elastic.co/guide/en/elasticsearch/reference/7.17/security-minimal-setup.html> to enable security."

아무런 인증없이 엘라스틱서치/키바나 사용할수 없으므로 아래와 같이 인증 설정을 함

 

config/elasticsearch.yml파일내

xpack.security.enabled: true

위 설정을 넣어준다

수동으로 넣으면 재기동 후 삭제되므로 아래 helm 차트내 values에 값 넣기

esConfig: {}
  elasticsearch.yml: |
    xpack.security.enabled: true

security enable시 ssl을 필수로 적용하여야함,

bootstrap check failure [1] of [1]: Transport SSL must be enabled if security is enabled on a [basic] license. Please set [xpack.security.transport.ssl.enabled] to [true] or disable security by setting [xpack.security.enabled] to [false]

테스트용 1node 작업시엔 문제 없지만 2노드이상이면 서로 통신에 ssl을 사용하므로 아래 설정을 해주어야함

 

ssl 인증서 관련 추가 설정 필요

"Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure",
"at sun.security.ssl.Alert.createSSLException(Alert.java:131) ~[?:?]",
"at sun.security.ssl.Alert.createSSLException(Alert.java:117) ~[?:?]",
"at sun.security.ssl.TransportContext.fatal(TransportContext.java:358) ~[?:?]",
"at sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:293) ~[?:?]",
"at sun.security.ssl.TransportContext.dispatch(TransportContext.java:204) ~[?:?]",
"at sun.security.ssl.SSLTransport.decode(SSLTransport.java:172) ~[?:?]",
"at sun.security.ssl.SSLEngineImpl.decode(SSLEngineImpl.java:736) ~[?:?]",
"at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:691) ~[?:?]",
"at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:506) ~[?:?]",
"at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:482) ~[?:?]",
"at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:679) ~[?:?]",
"at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:298) ~[netty-handler-4.1.66.Final.jar:4.1.66.Final]",
"at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1344) ~[netty-handler-4.1.66.Final.jar:4.1.66.Final]",
"at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1237) ~[netty-handler-4.1.66.Final.jar:4.1.66.Final]",
"at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1286) ~[netty-handler-4.1.66.Final.jar:4.1.66.Final]",
"at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:507) ~[netty-codec-4.1.66.Final.jar:4.1.66.Final]",
"at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:446) ~[netty-codec-4.1.66.Final.jar:4.1.66.Final]",
"... 16 more"] }

인증서가 없어 서로 통신이 안됨

인증서 생성 및 배포

instance 정보로 인증서및 ca생성

elasticsearch@elasticsearch-master-0:~$ elasticsearch-certutil ca --out /tmp/elastic-stack-ca.p12 --pass ''
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.

The 'ca' mode generates a new 'certificate authority'
This will create a new X.509 certificate and private key that can be used
to sign certificate when running in 'cert' mode.

Use the 'ca-dn' option if you wish to configure the 'distinguished name'
of the certificate authority

By default the 'ca' mode produces a single PKCS#12 output file which holds:
    * The CA certificate
    * The CA's private key

If you elect to generate PEM format certificates (the -pem option), then the output will
be a zip file containing individual files for the CA certificate and private key

elasticsearch@elasticsearch-master-0:~$ elasticsearch-certutil cert --name security-master --dns security-master --ca /tmp/elastic-stack-ca.p12 --pass '' --ca-pass '' --out /tmp/elastic-certificates.p12
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.

The 'cert' mode generates X.509 certificate and private keys.
    * By default, this generates a single certificate and key for use
       on a single instance.
    * The '-multiple' option will prompt you to enter details for multiple
       instances and will generate a certificate and key for each one
    * The '-in' option allows for the certificate generation to be automated by describing
       the details of each instance in a YAML file

    * An instance is any piece of the Elastic Stack that requires an SSL certificate.
      Depending on your configuration, Elasticsearch, Logstash, Kibana, and Beats
      may all require a certificate and private key.
    * The minimum required value for each instance is a name. This can simply be the
      hostname, which will be used as the Common Name of the certificate. A full
      distinguished name may also be used.
    * A filename value may be required for each instance. This is necessary when the
      name would result in an invalid file or directory name. The name provided here
      is used as the directory name (within the zip) and the prefix for the key and
      certificate files. The filename is required if you are prompted and the name
      is not displayed in the prompt.
    * IP addresses and DNS names are optional. Multiple values can be specified as a
      comma separated string. If no IP addresses or DNS names are provided, you may
      disable hostname verification in your SSL configuration.

    * All certificates generated by this tool will be signed by a certificate authority (CA)
      unless the --self-signed command line option is specified.
      The tool can automatically generate a new CA for you, or you can provide your own with
      the --ca or --ca-cert command line options.

By default the 'cert' mode produces a single PKCS#12 output file which holds:
    * The instance certificate
    * The private key for the instance certificate
    * The CA certificate

If you specify any of the following options:
    * -pem (PEM formatted output)
    * -keep-ca-key (retain generated CA key)
    * -multiple (generate multiple certificates)
    * -in (generate certificates from an input file)
then the output will be be a zip file containing individual certificate/key files

Certificates written to /tmp/elastic-certificates.p12

This file should be properly secured as it contains the private key for
your instance.

This file is a self contained file and can be copied and used 'as is'
For each Elastic product that you wish to configure, you should copy
this '.p12' file to the relevant configuration directory
and then follow the SSL configuration instructions in the product guide.

For client applications, you may only need to copy the CA certificate and
configure the client to trust this certificate.
elasticsearch@elasticsearch-master-0:~$ ll /tmp

생성된 인증서 로컬 저장 및 확인

ybchoi@ybchoiui-MacBookPro elasticsearch % kubectl cp -n elasticsearch elasticsearch-master-0:/tmp/elastic-certificates.p12 elastic-certificates.p12
Defaulted container "elasticsearch" out of: elasticsearch, configure-sysctl (init)
tar: Removing leading `/' from member names
ybchoi@ybchoiui-MacBookPro elasticsearch % kubectl cp -n elasticsearch elasticsearch-master-0:/tmp/elastic-stack-ca.p12 elastic-stack-ca.p12
Defaulted container "elasticsearch" out of: elasticsearch, configure-sysctl (init)
tar: Removing leading `/' from member names
ybchoi@ybchoiui-MacBookPro elasticsearch % ll
total 40
-rw-r--r--  1 ybchoi  staff  3658  5  6 11:10 elastic-certificates.p12
-rw-r--r--  1 ybchoi  staff  2672  5  6 11:10 elastic-stack-ca.p12
-rw-r--r--  1 ybchoi  staff  9863  5  6 10:24 values.yaml

ca이용하여 인증서 생성

ybchoi@ybchoiui-MacBookPro elasticsearch % ll
total 64
-rw-r--r--  1 ybchoi  staff  3658  5  6 11:10 elastic-certificates.p12
-rw-r--r--  1 ybchoi  staff  2672  5  6 11:10 elastic-stack-ca.p12
-rw-r--r--  1 ybchoi  staff  9863  5  6 10:24 values.yaml

생성된 인증서 k8s secret으로 등록

ybchoi@ybchoiui-MacBookPro elasticsearch % kubectl create secret -n elasticsearch generic elastic-certificates --from-file=elastic-certificates.p12
secret/elastic-certificates created

등록된 인증서를 마운트하고 사용할수 있도록 헬름차트 수정

esConfig:
  elasticsearch.yml: |
    xpack.security.enabled: true
    xpack.security.transport.ssl.enabled: true
    xpack.security.transport.ssl.verification_mode: certificate
    xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
    xpack.security.transport.ssl.truststore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
    xpack.security.http.ssl.enabled: true
    xpack.security.http.ssl.truststore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
    xpack.security.http.ssl.keystore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
secretMounts:
  - name: elastic-certificates
    secretName: elastic-certificates
    path: /usr/share/elasticsearch/config/certs

변경된 value 적용을 위한 upgrade

helm upgrade elasticsearch -n elasticsearch -f values.yaml elastic/elasticsearch

정상 작동안됨...

다 삭제하고 새로 배포해도 안됨

helm value.yaml내 protocol을 http → https로 변경하니 잘됨

내가 원하는건 그냥 패스워드 인증이므로 강제로 적용해야하는 transport layer에만 ssl을 적용하는것 테스트

굳이 https까지 쓸필욘 없으므로 아래와 같이 설정 후 재배포

esConfig:
  elasticsearch.yml: |
    xpack.security.enabled: true
    xpack.security.transport.ssl.enabled: true
    xpack.security.transport.ssl.verification_mode: certificate
    xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
    xpack.security.transport.ssl.truststore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
    xpack.security.http.ssl.enabled: false
secretMounts:
  - name: elastic-certificates
    secretName: elastic-certificates
    path: /usr/share/elasticsearch/config/certs
protocol: http

정상 작동

필수인 tranport(cluster통신) 만 ssl적용하고 elasticsearch 접근은 http+userauth 이용하여 설정 완료

kibana

kibana의 경우 별다른 설정없이 기존 방법대로 설치 하면 됨