Opendistro security plugin and kubernetes readiness probe

Hi guys,

I’m trying to set up elasticsearch with the opendistro security plugin.
Since my elasticsearch setup is a kubernetes statefulset, this introduced the following problem:
elastic has begun responding to all http calls to 9200 with an error unless communication is done over https with valid client certs. This is mostly okay, except that it also does that for the health api (/_cluster/health).
In my kubernetes setup, there is a readiness probe checking that api and failing, since it does not have the client certificates (I’m not sure if it’s even possible to have a readiness probe that uses client certificates).
In order for the cluster to function well in my environment, I need the readiness probe to pass; if it doesn’t, kubernetes will not start the other nodes, and will also kill the node that did not answer a “200 Okay” on its readiness probe.

So my question is: Can I enable tls but allow the health API to respond to requests without client certificates? Or, any other ideas about getting the opendistro security plugin to work in kubernetes?


Hi @LutraMan,

Did you succeed bootstrapping your cluster? I have a very similar issue since my readinessProbe keeps receiving a 500 error because of “Opendistro security not initialized”.
I don’t even use tls over http, only transport tls, but the security plugin seems to require security to be fully initialized (on a working cluster) prior to answering with 200 OK to any api call.

Cheers

Hi @LutraMan, were you able to solve the issue?
Thx!

@jeanfabrice I face the same issue too. Temporarily removing the probe and injecting it once the security is initialized works, but it runs into failure during an update or evacuation, where it does not get ready as it gets stuck at 0/3, readiness failed. So I now have to actively remove it if #ready < #minnodes.

Did you already solve it by other means?
Thx!