docs: Docker SSL/TLS getting started #27281
| services: | ||
| create_certs: | ||
| container_name: create_certs | ||
| image: docker.elastic.co/elasticsearch/elasticsearch-platinum:6.0.0-rc2 |
Should we parameterize the version here and everywhere else that 6.0.0-rc2 is used? It's possible that I've got the workflow wrong, but it seems like you'll otherwise need to hard-code the version for each branch that this document will live on (master, 6.0, 6.x) in separate backport commits.
Thanks @michaelbaamonde, addressed in 03d040d already, almost missed that!
Also adding `// NOTCONSOLE` for the curl example.
And display a warning message for versions that haven't been released yet.
jenkins, test it
ghost left a comment:
Even works on Windows (after installing Curl). Very nice!
| [[getting-started-tls-docker]] | ||
| === Getting started with TLS and Elasticsearch | ||
|
|
||
| Starting with version 6.0.0, x-pack licensed for security (gold, platinum or enterprise subscriptions) https://www.elastic.co/guide/en/elasticsearch/reference/6.0/breaking-6.0.0-xes.html[requires SSL/TLS] encryption for the transport networking layer. |
X-Pack, Security, Gold, Platinum, and Enterprise are all proper nouns in this context, so they need capitals.
|
|
||
| Starting with version 6.0.0, x-pack licensed for security (gold, platinum or enterprise subscriptions) https://www.elastic.co/guide/en/elasticsearch/reference/6.0/breaking-6.0.0-xes.html[requires SSL/TLS] encryption for the transport networking layer. | ||
|
|
||
| This section demonstrates an easy path to get started with SSL/TLS for both http and transport using the elasticsearch-platinum docker image. |
"HTTP" should be capped.
Consider backticks for elasticsearch-platinum.
"Docker" is a proper noun.
| ip: | ||
| - 127.0.0.1 | ||
|
|
||
| <1> Allow use of embedded Docker DNS server names. |
Rather than "allowing" DNS, isn't this line an imperative that we will create a DNS entry? Like:
"Create a record for this node in Docker's internal DNS"
Actually this is done by Docker itself and its embedded DNS server. Here we just add the localhost IP address to the SAN records of the certificate, so that https calls, used in our examples, will work without issues.
| volumes: {"esdata_01": {"driver": "local"}, "esdata_02": {"driver": "local"}} | ||
| ---- | ||
|
|
||
| <1> Bootstrap `elastic` with the password defined in `.env`. See {xpack-ref}/setting-up-authentication.html#bootstrap-elastic-passwords[the Elastic Boostrap Password]. |
| CERTS_DIR=/usr/share/elasticsearch/config/x-pack/certificates <1> | ||
| ELASTIC_PASSWORD=PleaseChangeMe <2> | ||
|
|
||
| <1> The path, inside the docker image, where certificates are expected to be found. |
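Review bot: `ELASTIC_PASSWORD=PleaseChangeMe` in the `.env` example is a plaintext bootstrap password that readers will copy verbatim; the callout on that line (or the surrounding text) should tell them to replace it before the nodes are started and to keep `.env` out of version control, since `docker-compose` reads the same file. Also, in the callout on the `elastic` bootstrap line, "Boostrap" should read "Bootstrap".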
| fi; | ||
| chgrp -R 0 config/x-pack/certificates/certs | ||
| ' | ||
| user: ${UID:-1000} |
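Review bot: `chgrp -R 0 config/x-pack/certificates/certs` changes only group ownership; the visible script sets no file mode, so whatever permissions the generated files carry are kept as-is. If the bundle in that directory includes node private keys, the doc should state the mode they end up with, or add a `chmod` next to the `chgrp` so the keys are readable by the process user (`user: ${UID:-1000}`) and group 0 but not world-readable.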
AsciiDoc is trying to expand this as an attribute and failing:
asciidoc: WARNING: getting-started-tls-docker.asciidoc: line 71: illegal system attribute name: UID
Standard escaping seems to work:
$\{UID:-1000\}
| image: docker.elastic.co/elasticsearch/elasticsearch-platinum:{version} | ||
| command: > | ||
| bash -c ' | ||
| if [[ ! -d config/x-pack/certificates/certs ]]; then |
Can we:
- Indent the script under the opening quote
- Indent the conditional bodies within the script
?
| <1> Bootstrap `elastic` with the password defined in `.env`. See {xpack-ref}/setting-up-authentication.html#bootstrap-elastic-passwords[the Elastic Boostrap Password]. | ||
| <2> Disable verification of authenticity for inter-node communication. Allows creating self-signed certificates without having to pin specific internal IP addresses. | ||
| endif::[] | ||
|
|
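Review bot: callout <2>, "Disable verification of authenticity for inter-node communication", reads as if peer certificates are not checked at all. If the setting only skips hostname/IP matching while still requiring a certificate signed by the trusted CA, say so explicitly, and state that this is a shortcut for a local demo with self-signed certificates rather than a recommended production setting.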
Hard to explain, but explained well here. Nice.
| ["source","sh"] | ||
| ---- | ||
| docker-compose -f create-certs.yml up | ||
| ---- |
Is it worth making the node containers "depend" on this one instead? Will that work? Is it too fiddly?
As discussed this is very tricky, because the create-certs docker container will eventually exit and it's hard to create a decent healthcheck in this case.
| [[getting-started-tls-docker]] | ||
| === Getting started with TLS and Elasticsearch | ||
|
|
||
| Starting with version 6.0.0, x-pack licensed for security (gold, platinum or enterprise subscriptions) https://www.elastic.co/guide/en/elasticsearch/reference/6.0/breaking-6.0.0-xes.html[requires SSL/TLS] encryption for the transport networking layer. |
Is "X-Pack Security" cleaner than "X-Pack licenced for Security"?
Since we are demoing a two-node cluster, specify `minimum_master_nodes` as per: https://www.elastic.co/guide/en/elasticsearch/reference/current/important-settings.html#minimum_master_nodes
Thanks for the thorough review @Jarpy, I have addressed the identified issues.

Oh no, thank you.
Commit docs for a getting started example for https and TLS/SSL enabled transport with the Docker Elasticsearch image.