docs: Docker SSL/TLS getting started #27281
Conversation
| services: | ||
| create_certs: | ||
| container_name: create_certs | ||
| image: docker.elastic.co/elasticsearch/elasticsearch-platinum:6.0.0-rc2 |
There was a problem hiding this comment.
Should we parameterize the version here and everywhere else that 6.0.0-rc2 is used? It's possible that I've got the workflow wrong, but it seems like you'll otherwise need to hard-code the version for each branch that this document will live on (master, 6.0, 6.x) in separate backport commits.
There was a problem hiding this comment.
Thanks @michaelbaamonde addressed in 03d040d already, almost missed that!
Adding also // NOTCONSOLE for curl example
And display a warning message for versions that haven't been released yet.
|
jenkins, test it |
| [[getting-started-tls-docker]] | ||
| === Getting started with TLS and Elasticsearch | ||
|
|
||
| Starting with version 6.0.0, x-pack licensed for security (gold, platinum or enterprise subscriptions) https://www.elastic.co/guide/en/elasticsearch/reference/6.0/breaking-6.0.0-xes.html[requires SSL/TLS] encryption for the transport networking layer. |
There was a problem hiding this comment.
X-Pack, Security, Gold, Platinum, and Enterprise are all proper nouns in this context, so they need capitals.
There was a problem hiding this comment.
Addressed in d258de6
|
|
||
| Starting with version 6.0.0, x-pack licensed for security (gold, platinum or enterprise subscriptions) https://www.elastic.co/guide/en/elasticsearch/reference/6.0/breaking-6.0.0-xes.html[requires SSL/TLS] encryption for the transport networking layer. | ||
|
|
||
| This section demonstrates an easy path to get started with SSL/TLS for both http and transport using the elasticsearch-platinum docker image. |
There was a problem hiding this comment.
"HTTP" should be capped.
Consider backticks for elasticsearch-platinum.
"Docker" is a proper noun.
There was a problem hiding this comment.
Addressed in d258de6
| ip: | ||
| - 127.0.0.1 | ||
|
|
||
| <1> Allow use of embedded Docker DNS server names. |
There was a problem hiding this comment.
Rather than "allowing" DNS, isn't this line an imperative that we will create a DNS entry? Like:
"Create a record for this node in Docker's internal DNS"
There was a problem hiding this comment.
Actually this is done by Docker itself and its embedded DNS server. Here we just add the localhost IP address to the SAN records of the certificate, so that https calls, used in our examples, will work without issues.
| volumes: {"esdata_01": {"driver": "local"}, "esdata_02": {"driver": "local"}} | ||
| ---- | ||
|
|
||
| <1> Bootstrap `elastic` with the password defined in `.env`. See {xpack-ref}/setting-up-authentication.html#bootstrap-elastic-passwords[the Elastic Boostrap Password]. |
There was a problem hiding this comment.
Addressed in d258de6
| CERTS_DIR=/usr/share/elasticsearch/config/x-pack/certificates <1> | ||
| ELASTIC_PASSWORD=PleaseChangeMe <2> | ||
|
|
||
| <1> The path, inside the docker image, where certificates are expected to be found. |
There was a problem hiding this comment.
Addressed in d258de6
| fi; | ||
| chgrp -R 0 config/x-pack/certificates/certs | ||
| ' | ||
| user: ${UID:-1000} |
There was a problem hiding this comment.
AsciiDoc is trying to expand this as an attribute and failing:
asciidoc: WARNING: getting-started-tls-docker.asciidoc: line 71: illegal system attribute name: UID
Standard escaping seems to work:
$\{UID:-1000\}
There was a problem hiding this comment.
Great catch! Addressed in d258de6
| image: docker.elastic.co/elasticsearch/elasticsearch-platinum:{version} | ||
| command: > | ||
| bash -c ' | ||
| if [[ ! -d config/x-pack/certificates/certs ]]; then |
There was a problem hiding this comment.
Can we:
- Indent the script under the opening qoute
- Indent the conditional bodies within the script
?
There was a problem hiding this comment.
Addressed in e73fb2a
| <1> Bootstrap `elastic` with the password defined in `.env`. See {xpack-ref}/setting-up-authentication.html#bootstrap-elastic-passwords[the Elastic Boostrap Password]. | ||
| <2> Disable verification of authenticity for inter-node communication. Allows creating self-signed certificates without having to pin specific internal IP addresses. | ||
| endif::[] | ||
|
|
There was a problem hiding this comment.
Hard to explain, but explained well here. Nice.
| ["source","sh"] | ||
| ---- | ||
| docker-compose -f create-certs.yml up | ||
| ---- |
There was a problem hiding this comment.
Is it worth making the node containers "depend" on this one instead? Will that work? Is it too fiddly?
There was a problem hiding this comment.
As discussed this is very tricky, because the create-certs docker container will eventually exit and it's hard to create a decent healthcheck in this case.
| [[getting-started-tls-docker]] | ||
| === Getting started with TLS and Elasticsearch | ||
|
|
||
| Starting with version 6.0.0, x-pack licensed for security (gold, platinum or enterprise subscriptions) https://www.elastic.co/guide/en/elasticsearch/reference/6.0/breaking-6.0.0-xes.html[requires SSL/TLS] encryption for the transport networking layer. |
There was a problem hiding this comment.
Is "X-Pack Security" cleaner than "X-Pack licenced for Security"?
There was a problem hiding this comment.
Addressed in d258de6
Since we are demo'ing a two node cluster, specify minimum_master_nodes as per: https://www.elastic.co/guide/en/elasticsearch/reference/current/important-settings.html#minimum_master_nodes
|
Thanks for the thorough review @Jarpy , I have addressed the identified issues. |
|
Oh no, thank you. |
Commit docs for a getting started example for https and TLS/SSL enabled transport with the Docker Elasticsearch image.