honeymoose
/
OpenSearch
mirror of https://github.com/honeymoose/OpenSearch.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

[DOCS] Update TLS on Docker for 6.3 (#32114) 

Remove references to the `platinum` image and add a self-generated trial
licence to the example for TLS on Docker.

Fixes elastic/elasticsearch-docker#176
This commit is contained in:
Toby McLaughlin 2018-07-18 17:07:31 +10:00 committed by GitHub
parent 93d7468f3a
commit 487cfc3b3f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 21 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
x-pack/docs/en/security/securing-communications/configuring-tls-docker.asciidoc
View File

@ -1,12 +1,13 @@
[role="xpack"]
[[configuring-tls-docker]]
=== Encrypting Communications in an {es} Docker Image
=== Encrypting Communications in an {es} Docker Container
Starting with version 6.0.0, {security} (Gold, Platinum or Enterprise subscriptions) https://www.elastic.co/guide/en/elasticsearch/reference/6.0/breaking-6.0.0-xes.html[requires SSL/TLS]
encryption for the transport networking layer.
This section demonstrates an easy path to get started with SSL/TLS for both
HTTPS and transport using the `elasticsearch-platinum` docker image.
HTTPS and transport using the {es} Docker image. The example uses
Docker Compose to manage the containers.
For further details, please refer to
{xpack-ref}/encrypting-communications.html[Encrypting Communications] and
@ -17,7 +18,7 @@ https://www.elastic.co/subscriptions[available subscriptions].
<<docker,Install {es} with Docker>>.
Inside a new, empty, directory create the following **four files**:
Inside a new, empty directory, create the following four files:
`instances.yml`:
["source","yaml"]
@ -29,6 +30,7 @@ instances:
- localhost
ip:
- 127.0.0.1
- name: es02
dns:
- es02
@ -60,6 +62,7 @@ ifeval::["{release-state}"!="unreleased"]
["source","yaml",subs="attributes"]
----
version: '2.2'
services:
create_certs:
container_name: create_certs
@ -96,6 +99,7 @@ ifeval::["{release-state}"!="unreleased"]
["source","yaml",subs="attributes"]
----
version: '2.2'
services:
es01:
container_name: es01
@ -105,9 +109,11 @@ services:
- discovery.zen.minimum_master_nodes=2
- ELASTIC_PASSWORD=$ELASTIC_PASSWORD <1>
- "ES_JAVA_OPTS=-Xms512m -Xmx512m"
- xpack.license.self_generated.type=trial <2>
- xpack.security.enabled=true
- xpack.security.http.ssl.enabled=true
- xpack.security.transport.ssl.enabled=true
- xpack.security.transport.ssl.verification_mode=certificate <2>
- xpack.security.transport.ssl.verification_mode=certificate <3>
- xpack.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt
- xpack.ssl.certificate=$CERTS_DIR/es01/es01.crt
- xpack.ssl.key=$CERTS_DIR/es01/es01.key
@ -119,15 +125,18 @@ services:
interval: 30s
timeout: 10s
retries: 5
es02:
container_name: es02
image: docker.elastic.co/elasticsearch/elasticsearch-platinum:{version}
image: docker.elastic.co/elasticsearch/elasticsearch:{version}
environment:
- node.name=es02
- discovery.zen.minimum_master_nodes=2
- ELASTIC_PASSWORD=$ELASTIC_PASSWORD
- discovery.zen.ping.unicast.hosts=es01
- "ES_JAVA_OPTS=-Xms512m -Xmx512m"
- xpack.license.self_generated.type=trial
- xpack.security.enabled=true
- xpack.security.http.ssl.enabled=true
- xpack.security.transport.ssl.enabled=true
- xpack.security.transport.ssl.verification_mode=certificate
@ -135,16 +144,20 @@ services:
- xpack.ssl.certificate=$CERTS_DIR/es02/es02.crt
- xpack.ssl.key=$CERTS_DIR/es02/es02.key
volumes: ['esdata_02:/usr/share/elasticsearch/data', './certs:$CERTS_DIR']
wait_until_ready:
image: docker.elastic.co/elasticsearch/elasticsearch-platinum:{version}
image: docker.elastic.co/elasticsearch/elasticsearch:{version}
command: /usr/bin/true
depends_on: {"es01": {"condition": "service_healthy"}}
volumes: {"esdata_01": {"driver": "local"}, "esdata_02": {"driver": "local"}}
----
<1> Bootstrap `elastic` with the password defined in `.env`. See
<1> Bootstrap `elastic` with the password defined in `.env`. See
{stack-ov}/built-in-users.html#bootstrap-elastic-passwords[the Elastic Bootstrap Password].
<2> Disable verification of authenticity for inter-node communication. Allows
<2> Automatically generate and apply a trial subscription, in order to enable
{security}.
<3> Disable verification of authenticity for inter-node communication. Allows
creating self-signed certificates without having to pin specific internal IP addresses.
endif::[]