I don’t see any secret that I can use to mount that file. I tried to modify the helm chart and put the file inside client pod, but it seems that some java policy is messing around (file has 777 permissions and user:group elasticsearch).
From opendistro-opendistro-es-client-7b5c78567b-tf6dp pod logs:
Caused by: org.ldaptive.LdapException: Unable to connect to any of those ldap servers [myldapdserver.local:636] due to java.security.AccessControlException: access denied (“java.io.FilePermission” “/tmp/my-certs.jks” “read”)
Caused by: java.security.AccessControlException: access denied (“java.io.FilePermission” “/tmp/my-certs.jks” “read”)
What is the correct way to configure the truststore using the helm chart?
I found that if I put the file manually inside /usr/share/elasticsearch/config in the client pod, LDAP works. Unfortunately, if the pod restarts it will fail again. I guess there must be a better approach to achieve that in the helm chart.
I am also interested in how this is supposed to work. I guess one way of doing it is by adding the certs in the images, as described here: Docker - Open Distro Documentation
I modified the template file es-client-deploy.yaml and mounted as a secret (opendistro-custom) the files I needed. Once the helm chart is deployed the files are available because the secret is mounted. It worked like a charm.
@ptd Ok I guess I can try that too. I just think there should be some more straightforward way to accomplish this.
Not sure if I got this wrong but in this thread it seems like it is possible to add the pem content in the config.yml (which in itself is mounted as a secret): LDAP Connection Not Working - #6 by anonsens
I know that is not the most elegant solution, but it will place any file in the config root directory inside the pod. That should be enough for any case.
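The secret-mount approach described in the two posts above, written out as plain Kubernetes manifests as an added example (not code from the thread or from the Open Distro helm chart). It assumes the container in es-client-deploy.yaml is named elasticsearch and that the truststore is referenced from the security config by the path under /usr/share/elasticsearch/config; the base64 value is a placeholder.

```yaml
# Added example, not part of the thread or the chart.
# Why /tmp failed: Elasticsearch runs under the Java security manager, whose policy
# grants FilePermission "read" inside the config directory but not on arbitrary
# paths such as /tmp, so the truststore has to live under the config directory.
apiVersion: v1
kind: Secret
metadata:
  name: opendistro-custom          # secret name used in the thread
type: Opaque
data:
  # base64 of the JKS; placeholder. Create it from the real file with:
  #   kubectl create secret generic opendistro-custom --from-file=my-certs.jks
  my-certs.jks: <BASE64_JKS_PLACEHOLDER>
---
# Fragment to merge into the pod template of the client Deployment
# (es-client-deploy.yaml). Only the additions are shown; this is not a
# complete Deployment on its own.
spec:
  template:
    spec:
      containers:
        - name: elasticsearch        # assumed container name
          volumeMounts:
            # subPath mounts the single file, so the rest of the config
            # directory (elasticsearch.yml, security plugin files) is not
            # shadowed by the secret volume.
            - name: custom-certs
              mountPath: /usr/share/elasticsearch/config/my-certs.jks
              subPath: my-certs.jks
              readOnly: true
      volumes:
        - name: custom-certs
          secret:
            secretName: opendistro-custom
            # A truststore holds only public CA certificates, so 0444 is
            # acceptable and avoids the root-owned-secret-file problem when the
            # container runs as the elasticsearch user. Tighten to 0440 if the
            # pod sets fsGroup to the elasticsearch group.
            defaultMode: 0444
```

Because the file is mounted from the Secret rather than copied in by hand, it is present again after every pod restart, which is the failure mode the earlier post described.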