Add support for client certificates to the readiness probe


Describe the feature:

I would like to enable xpack.security.http.ssl.client_authentication: required on my cluster, but this breaks the readiness probe since there is no parameter to let it include a client certificate in the cURL request. It would be nice if there was a way to specify additional cURL arguments so that I could add it myself, or if there were parameters to specify certificate paths and such.

I could work around it for now by setting xpack.security.http.ssl.client_authentication: optional but then I might as well not use client certificates at all.

Describe a specific use case for the feature:

Additional cluster security.

Issue Analytics

  • State: open
  • Created 2 years ago
  • Reactions: 1
  • Comments: 9 (1 by maintainers)

Top GitHub Comments

1 reaction
abossard commented, Aug 16, 2022

I’m interested in that feature too, it’s one of the few ways traffic e.g. from nginx ingress can be securely authenticated towards the elasticsearch cluster.

The readinessProbe, how I see it, would become much more complex, e.g. it would need to evaluate the current config and based on the parameters there either use a client certificate or not. Also it needs another secret that has a client certificate mounted.

Maybe there’s a simpler way of implementing it, but e.g. having Helm Parameters like:

additionalCertificateVolumeMounts:
- secretName:
  mountPath:
# and
additionalCurlParameters:
- --cert <some path from above client.cert>
- --key <some path from above client.key>
- --cacert <some path from above ca.crt>

Is that something that could be considered good enough to ever be accepted as a PR?

0 reactions
OvervCW commented, Nov 15, 2022

Still a problem we’re facing.
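
One way an exec-style readiness check could pass a client certificate to cURL, along the lines of the `--cert`/`--key`/`--cacert` parameters proposed in abossard's comment above. This is an added example, not code from the issue thread or from the Helm chart; `CLIENT_CERT_DIR`, `PROBE_URL`, the default mount path, the file names and the `--probe` argument are all assumptions.

```shell
#!/bin/sh
# Added example. CLIENT_CERT_DIR and PROBE_URL are assumed names; the directory
# is a hypothetical mount of a Secret holding client.crt, client.key and ca.crt.
CLIENT_CERT_DIR="${CLIENT_CERT_DIR:-/mnt/probe-certs}"
# Assumes the node certificate carries 127.0.0.1 as a subject alternative name.
PROBE_URL="${PROBE_URL:-https://127.0.0.1:9200/_cluster/health?local=true}"

# Print the cURL arguments, one per line. All three files present: use them.
# None present: plain TLS. Anything in between: refuse (return 1) so a
# half-mounted Secret surfaces as a failed probe, not a silent downgrade.
probe_curl_args() {
    dir="$1"
    printf '%s\n' --silent --fail --max-time 3
    if [ -r "$dir/client.crt" ] && [ -r "$dir/client.key" ] && [ -r "$dir/ca.crt" ]; then
        printf '%s\n' --cert "$dir/client.crt" --key "$dir/client.key" \
                      --cacert "$dir/ca.crt"
    elif [ -e "$dir/client.crt" ] || [ -e "$dir/client.key" ] || [ -e "$dir/ca.crt" ]; then
        echo "incomplete client certificate material in $dir" >&2
        return 1
    fi
}

# Run the check; exit status 0 means ready. Credentials, if the cluster needs
# them in addition to the certificate, are not handled here.
probe_ready() {
    args=$(probe_curl_args "$CLIENT_CERT_DIR") || return 1
    set --
    while IFS= read -r arg; do
        set -- "$@" "$arg"
    done <<EOF
$args
EOF
    curl "$@" --output /dev/null "$PROBE_URL"
}

# Only probe when asked to, so the file can also be sourced.
if [ "${1:-}" = "--probe" ]; then
    probe_ready
fi
```

In a pod spec this would be wired up as an exec readiness probe that runs the script with `--probe`, with the Secret mounted at the directory named by `CLIENT_CERT_DIR`.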
