I’m trying to set up Elasticsearch with the opendistro security plugin.
Since my Elasticsearch setup is a Kubernetes StatefulSet, this introduced the following problem:
Elastic has begun responding to all HTTP calls to 9200 with an error unless communication is done over HTTPS with valid client certs. This is mostly okay, except that it also does that for the health API (/_cluster/health).
In my Kubernetes setup, there is a readiness probe checking that API and failing, since it does not have the client certificates (I’m not sure if it’s even possible to have a readiness probe that uses client certificates).
In order for the cluster to function well in my environment, I need the readiness probe to pass. If it doesn’t, Kubernetes will not start the other nodes, and will also kill the node that did not answer a “200 Okay” on its readiness probe.
So my question is: Can I enable TLS but allow the health API to respond to requests without client certificates? Or, any other ideas about getting the opendistro security plugin to work in Kubernetes?