[DOCS] Added TLS configuration info for Docker (elastic/x-pack-elasticsearch#2939)

* [DOCS] Add docker TLS configuration info * [DOCS] Updated layout of TLS docker page * [DOCS] Clean up docker TLS pages * [DOCS] Changed nesting of TLS docker info * [DOCS] More small updates to TLS docker page Original commit: elastic/x-pack-elasticsearch@2b0504632a
2017-11-10 09:33:56 -08:00 · 2017-11-10 09:33:56 -08:00 · fb769be92e
parent 742a052619
commit fb769be92e
2 changed files with 192 additions and 0 deletions
--- a/docs/en/security/configuring-es.asciidoc
+++ b/docs/en/security/configuring-es.asciidoc
@ -10,3 +10,5 @@ password-protect your data as well as implement more advanced security measures
 such as encrypting communications, role-based access control, IP filtering, and
 auditing. For more information, see
 {xpack-ref}/xpack-security.html[Securing the Elastic Stack].
+
+include::securing-communications/configuring-tls-docker.asciidoc[]
--- a/docs/en/security/securing-communications/configuring-tls-docker.asciidoc
+++ b/docs/en/security/securing-communications/configuring-tls-docker.asciidoc
@ -0,0 +1,190 @@
+[role="xpack"]
+[[configuring-tls-docker]]
+=== Encrypting Communications in an {es} Docker Image
+
+Starting with version 6.0.0, {security} (Gold, Platinum or Enterprise subscriptions) https://www.elastic.co/guide/en/elasticsearch/reference/6.0/breaking-6.0.0-xes.html[requires SSL/TLS]
+encryption for the transport networking layer.
+
+This section demonstrates an easy path to get started with SSL/TLS for both
+HTTPS and transport using the `elasticsearch-platinum` docker image.
+
+For further details, please refer to
+{xpack-ref}/encrypting-communications.html[Encrypting Communications] and
+https://www.elastic.co/subscriptions[available subscriptions].
+
+[float]
+==== Prepare the environment
+
+<<docker,Install {es} with Docker>>. 
+
+Inside a new, empty, directory create the following **four files**:
+
+`instances.yml`:
+["source","yaml"]
+----
+instances:
+  - name: es01
+    dns:
+      - es01 <1>
+      - localhost
+    ip:
+      - 127.0.0.1
+  - name: es02
+    dns:
+      - es02
+      - localhost
+    ip:
+      - 127.0.0.1
+----
+<1> Allow use of embedded Docker DNS server names.
+
+`.env`:
+[source,yaml]
+----
+CERTS_DIR=/usr/share/elasticsearch/config/x-pack/certificates <1>
+ELASTIC_PASSWORD=PleaseChangeMe <2>
+----
+<1> The path, inside the Docker image, where certificates are expected to be found.
+<2> Initial password for the `elastic` user.
+
+[[getting-starter-tls-create-certs-composefile]]
+`create-certs.yml`:
+ifeval::["{release-state}"=="unreleased"]
+
+WARNING: Version {version} of {es} has not yet been released, so a
+`create-certs.yml` is not available for this version.
+
+endif::[]
+
+ifeval::["{release-state}"!="unreleased"]
+["source","yaml",subs="attributes"]
+----
+version: '2.2'
+services:
+  create_certs:
+    container_name: create_certs
+    image: docker.elastic.co/elasticsearch/elasticsearch-platinum:{version}
+    command: >
+      bash -c '
+        if [[ ! -d config/x-pack/certificates/certs ]]; then
+          mkdir config/x-pack/certificates/certs;
+        fi;
+        if [[ ! -f /local/certs/bundle.zip ]]; then
+          bin/x-pack/certgen --silent --in config/x-pack/certificates/instances.yml --out config/x-pack/certificates/certs/bundle.zip;
+          unzip config/x-pack/certificates/certs/bundle.zip -d config/x-pack/certificates/certs; <1>
+        fi;
+        chgrp -R 0 config/x-pack/certificates/certs
+      '
+    user: $\{UID:-1000\}
+    working_dir: /usr/share/elasticsearch
+    volumes: ['.:/usr/share/elasticsearch/config/x-pack/certificates']
+----
+
+<1> The new node certificates and CA certificate+key are placed under the local directory `certs`.
+endif::[]
+
+[[getting-starter-tls-create-docker-compose]]
+`docker-compose.yml`:
+ifeval::["{release-state}"=="unreleased"]
+
+WARNING: Version {version} of {es} has not yet been released, so a
+`docker-compose.yml` is not available for this version.
+
+endif::[]
+
+ifeval::["{release-state}"!="unreleased"]
+["source","yaml",subs="attributes"]
+----
+version: '2.2'
+services:
+  es01:
+    container_name: es01
+    image: docker.elastic.co/elasticsearch/elasticsearch-platinum:{version}
+    environment:
+      - node.name=es01
+      - discovery.zen.minimum_master_nodes=2
+      - ELASTIC_PASSWORD=$ELASTIC_PASSWORD <1>
+      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
+      - xpack.security.http.ssl.enabled=true
+      - xpack.security.transport.ssl.enabled=true
+      - xpack.security.transport.ssl.verification_mode=certificate <2>
+      - xpack.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt
+      - xpack.ssl.certificate=$CERTS_DIR/es01/es01.crt
+      - xpack.ssl.key=$CERTS_DIR/es01/es01.key
+    volumes: ['esdata_01:/usr/share/elasticsearch/data', './certs:$CERTS_DIR']
+    ports:
+      - 9200:9200
+    healthcheck:
+      test: curl --cacert $CERTS_DIR/ca/ca.crt -s https://localhost:9200 >/dev/null; if [[ $$? == 52 ]]; then echo 0; else echo 1; fi
+      interval: 30s
+      timeout: 10s
+      retries: 5
+  es02:
+    container_name: es02
+    image: docker.elastic.co/elasticsearch/elasticsearch-platinum:{version}
+    environment:
+      - node.name=es02
+      - discovery.zen.minimum_master_nodes=2
+      - ELASTIC_PASSWORD=$ELASTIC_PASSWORD
+      - discovery.zen.ping.unicast.hosts=es01
+      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
+      - xpack.security.http.ssl.enabled=true
+      - xpack.security.transport.ssl.enabled=true
+      - xpack.security.transport.ssl.verification_mode=certificate
+      - xpack.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt
+      - xpack.ssl.certificate=$CERTS_DIR/es02/es02.crt
+      - xpack.ssl.key=$CERTS_DIR/es02/es02.key
+    volumes: ['esdata_02:/usr/share/elasticsearch/data', './certs:$CERTS_DIR']
+  wait_until_ready:
+    image: docker.elastic.co/elasticsearch/elasticsearch-platinum:{version}
+    command: /usr/bin/true
+    depends_on: {"es01": {"condition": "service_healthy"}}
+volumes: {"esdata_01": {"driver": "local"}, "esdata_02": {"driver": "local"}}
+----
+
+<1> Bootstrap `elastic` with the password defined in `.env`. See {xpack-ref}/setting-up-authentication.html#bootstrap-elastic-passwords[the Elastic Bootstrap Password].
+<2> Disable verification of authenticity for inter-node communication. Allows
+creating self-signed certificates without having to pin specific internal IP addresses.
+endif::[]
+
+[float]
+==== Run the example
+. Generate the certificates (only needed once):
+
+--
+["source","sh"]
+----
+docker-compose -f create-certs.yml up
+----
+--
+. Start two {es} nodes configured for SSL/TLS:
+
+--
+["source","sh"]
+----
+docker-compose up -d
+----
+--
+. Access the {es} API over SSL/TLS using the bootstrapped password:
+
+--
+["source","sh"]
+----
+curl --cacert certs/ca/ca.crt -u elastic:PleaseChangeMe
+https://localhost:9200
+----
+// NOTCONSOLE
+--
+. The `setup-passwords` tool can also be used to generate random passwords for
+all users:
+
+--
+["source","sh"]
+----
+docker exec es01 /bin/bash -c "bin/x-pack/setup-passwords auto --batch
+-Expack.ssl.certificate=x-pack/certificates/es01/es01.crt
+-Expack.ssl.certificate_authorities=x-pack/certificates/ca/ca.crt
+-Expack.ssl.key=x-pack/certificates/es01/es01.key
+--url https://localhost:9200"
+----
+--