Add support for client certificates to the readiness probe
Describe the feature:
I would like to enable xpack.security.http.ssl.client_authentication: required on my cluster, but this breaks the readiness probe since there is no parameter to let it include a client certificate in the cURL request. It would be nice if there was a way to specify additional cURL arguments so that I could add it myself, or if there were parameters to specify certificate paths and such.
I could work around it for now by setting xpack.security.http.ssl.client_authentication: optional but then I might as well not use client certificates at all.
Describe a specific use case for the feature:
Additional cluster security.
Issue Analytics
- State:
- Created 2 years ago
- Reactions:1
- Comments:9 (1 by maintainers)
Top GitHub Comments
I’m interested in that feature too, it’s one of the few ways traffic e.g. from nginx ingress can be securely authenticated towards the elasticsearch cluster.
The readinessProbe, how I see it, would become much more complex, e.g. it would need to evaluate the current config and based on the parameters there either use a client certificate or not. Also it needs another secret that has a client certificate mounted.
Maybe there’s a simpler way of implementing it, but e.g. having Helm Parameters like:
Is that something that could be considered good enough to be ever accepted as PR?
Still a problem we’re facing.
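The config-dependent probe described in the comments above, sketched as an added example; it is not code from the Helm chart or from the commenters. The function names, the `ES_URL` variable, the flat `key: value` form of elasticsearch.yml and the secret file names `tls.crt`, `tls.key` and `ca.crt` are assumptions.

```shell
#!/bin/sh
# Added example (hypothetical helper, not the chart's own probe). Assumes the
# flat "key: value" form in elasticsearch.yml and a secret mounted with the
# file names tls.crt, tls.key and ca.crt.

# Print the configured client_authentication mode; unset is treated as "none".
client_auth_mode() {
    mode=$(tr -d "\"'\r" < "$1" | sed -n \
        's/^xpack\.security\.http\.ssl\.client_authentication:[[:space:]]*\([a-z]*\).*/\1/p' \
        | tail -n 1)
    echo "${mode:-none}"
}

# Print the curl arguments for the probe, one per line.
# $1 = path to elasticsearch.yml, $2 = directory where the secret is mounted.
probe_curl_args() {
    auth=$(client_auth_mode "$1")
    have_cert=no
    if [ -r "$2/tls.crt" ] && [ -r "$2/tls.key" ]; then have_cert=yes; fi
    if [ "$auth:$have_cert" = "required:no" ]; then
        # Fail closed: report not-ready instead of probing without a cert.
        echo "client certificate required but not mounted in $2" >&2
        return 1
    fi
    printf '%s\n' --silent --fail --max-time 3 --cacert "$2/ca.crt"
    case "$auth:$have_cert" in
        required:yes|optional:yes)
            printf '%s\n' --cert "$2/tls.crt" --key "$2/tls.key" ;;
    esac
}

# Probe entry point: exit status 0 means ready.
readiness_check() {
    args=$(probe_curl_args "$1" "$2") || return 1
    old_ifs=$IFS
    IFS='
'
    set -f; set -- $args; set +f   # split on newlines only, no globbing
    IFS=$old_ifs
    curl "$@" --output /dev/null "${ES_URL:-https://127.0.0.1:9200}/_cluster/health"
}

# Constructed sample input: a config that demands client certificates.
demo=$(mktemp -d)
echo 'xpack.security.http.ssl.client_authentication: required' > "$demo/elasticsearch.yml"
: > "$demo/tls.crt"; : > "$demo/tls.key"
probe_curl_args "$demo/elasticsearch.yml" "$demo"
rm -rf "$demo"
```

A probe built this way would call `readiness_check` from an exec command rather than an HTTP check, with the client certificate secret mounted into the container.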