How to use transport.truststore_filepath with opendistro helm chart

Hi,

I’m trying to set up LDAP authentication using the opendistro helm chart, but I’m experiencing issues with the following elasticsearch config.

opendistro_security.ssl.transport.truststore_filepath: /tmp/my-certs.jks
opendistro_security.ssl.transport.truststore_password: mypassword

I don’t see any secret that I can use to mount that file. I tried to modify the helm chart and put the file inside the client pod, but it seems that some Java policy is messing around (the file has 777 permissions and user:group elasticsearch).

From opendistro-opendistro-es-client-7b5c78567b-tf6dp pod logs:

Caused by: org.ldaptive.LdapException: Unable to connect to any of those ldap servers [myldapdserver.local:636] due to java.security.AccessControlException: access denied ("java.io.FilePermission" "/tmp/my-certs.jks" "read")
Caused by: java.security.AccessControlException: access denied ("java.io.FilePermission" "/tmp/my-certs.jks" "read")

What is the correct way to configure the truststore using the helm chart?

Thanks in advance.

I found that if I put the file manually inside /usr/share/elasticsearch/config in the client pod, LDAP works. Unfortunately, if the pod restarts it will fail again. I guess there must be a better approach to achieve that in the helm chart.

I am also interested in how this is supposed to work. I guess one way of doing it is by adding the certs in the images, as described here: Docker - Open Distro Documentation

Similar to this:

FROM amazon/opendistro-for-elasticsearch:1.13.1
# Bake the config and certificates into the image, owned by the elasticsearch user so the process can read them
COPY --chown=elasticsearch:elasticsearch elasticsearch.yml /usr/share/elasticsearch/config/
COPY --chown=elasticsearch:elasticsearch my-key-file.pem /usr/share/elasticsearch/config/
COPY --chown=elasticsearch:elasticsearch my-certificate-chain.pem /usr/share/elasticsearch/config/
COPY --chown=elasticsearch:elasticsearch my-root-cas.pem /usr/share/elasticsearch/config/

But I’m thinking there must be a simpler way using ConfigMap or Secret?

Does anyone know?

Hi,

I modified the template file es-client-deploy.yaml and mounted the files I needed as a secret (opendistro-custom). Once the helm chart is deployed the files are available because the secret is mounted. It worked like a charm.

I modified these entries:

volumeMounts:
  - mountPath: {{ .Values.elasticsearch.configDirectory }}/file1.jks
    name: opendistro-custom
    subPath: file1.jks

volumes:
  - name: opendistro-custom
    secret:
      secretName: opendistro-custom
      items:
        - key: file1.jks
          path: file1.jks
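The two findings in this thread (the file only works from /usr/share/elasticsearch/config, and mounting it there from a Secret with subPath survives restarts) can be turned into a small script. The following is an added example, not code from the thread or from the opendistro helm chart: it builds the Secret manifest that the volumeMounts/volumes snippet above expects, and it checks that the truststore path in elasticsearch.yml resolves inside the config directory, which is where the Java security policy in the image grants read access (the AccessControlException in the first post came from a file under /tmp). The secret name opendistro-custom, the key file1.jks, the namespace default and the config directory /usr/share/elasticsearch/config are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the thread or the opendistro helm chart).
# Assumed names: Secret "opendistro-custom", key "file1.jks",
# config directory /usr/share/elasticsearch/config.

# secret_manifest NAME NAMESPACE FILE KEY
# Print a Kubernetes Secret manifest with FILE base64-encoded under KEY,
# i.e. what "kubectl create secret generic NAME --from-file=KEY=FILE" produces.
secret_manifest() {
  name=$1; ns=$2; file=$3; key=$4
  [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
  # Drop line wrapping so the value is a single token with GNU or BSD base64.
  b64=$(base64 < "$file" | tr -d '\n')
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\ntype: Opaque\ndata:\n  %s: %s\n' \
    "$name" "$ns" "$key" "$b64"
}

# truststore_in_config_dir ES_YML CONFIG_DIR
# Read opendistro_security.ssl.transport.truststore_filepath from the
# elasticsearch.yml file ES_YML and return 0 only if it points inside
# CONFIG_DIR. A relative path is taken as relative to CONFIG_DIR; an
# absolute path outside it (such as /tmp/my-certs.jks) is rejected, as is
# anything that climbs out of the directory with "..".
truststore_in_config_dir() {
  yml=$1; cfg=${2%/}
  path=$(sed -n 's/^opendistro_security\.ssl\.transport\.truststore_filepath:[[:space:]]*//p' "$yml" | head -n 1)
  path=${path%\"}; path=${path#\"}
  [ -n "$path" ] || { echo "truststore_filepath not set in $yml" >&2; return 2; }
  case "$path" in
    ../*|*/../*|*/..) echo "$path escapes $cfg" >&2; return 1 ;;
    /*) case "$path" in
          "$cfg"/*) return 0 ;;
          *) echo "$path is outside $cfg; the security policy will deny read" >&2; return 1 ;;
        esac ;;
    *) return 0 ;;  # relative: resolved under the config directory
  esac
}

# Usage: sh make-secret.sh my-certs.jks > opendistro-custom.yaml
if [ $# -ge 1 ]; then
  secret_manifest opendistro-custom default "$1" file1.jks
fi
```

After applying the manifest, the mountPath in the template must be the same path that elasticsearch.yml names in truststore_filepath; the check above catches the mismatch before the pod is rolled out and fails with the FilePermission error from the first post.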

@ptd Ok I guess I can try that too. I just think there should be some more straightforward way to accomplish this.

Not sure if I got this wrong, but in this thread it seems like it is possible to add the pem content in the config.yml (which in itself is mounted as a secret): LDAP Connection Not Working - #6 by anonsens

Couldn’t get that to work though.

I know that it is not the most elegant solution, but it will place any file in the config root directory inside the pod. That should be enough for any case.

I hope it helps.