Porting over docker certificate security stuff

This commit is contained in:
keithhc2 2021-05-11 11:58:43 -07:00
parent adce33d8cc
commit af01690c7f
4 changed files with 42 additions and 3 deletions

View File

@ -12,7 +12,7 @@ Before deploying to a production environment, you should replace the demo securi
Additionally, you can set the Docker environment variable `DISABLE_INSTALL_DEMO_CONFIG` to `true`. This change completely disables the demo installer.
#### Sample Docker Compose file
## Sample Docker Compose file
```yml
version: '3'
@ -142,3 +142,38 @@ If you encounter any `File /usr/share/opensearch/config/opensearch.yml has insec
{: .note }
Finally, you can reach OpenSearch Dashboards at http://localhost:5601, sign in, and use the **Security** panel to perform other management tasks.
## Using certificates with Docker
To use your own certificates in your configuration, add all of the necessary certificates to the volumes section of the Docker Compose file:
```yml
volumes:
- ./root-ca.pem:/full/path/to/certificate.pem
- ./admin.pem:/full/path/to/certificate.pem
- ./admin-key.pem:/full/path/to/certificate.pem
#Add other certificates
```
After replacing the demo certificates with your own, you must also include a custom `opensearch.yml` in your setup, which you need to specify in the volumes section.
```yml
volumes:
#Add certificates here
- ./custom-opensearch.yml: /full/path/to/custom-opensearch.yml
```
Remember that the certificates you specify in your Docker Compose file must be the same as the certificates listed in your custom `opensearch.yml` file. At a minimum, you should replace the root, admin, and node certificates with your own. For more information about adding and using certificates, see [Configure TLS certificates](../security/configuration/tls.md).
```yml
opensearch_security.ssl.transport.pemcert_filepath: new-node-cert.pem
opensearch_security.ssl.transport.pemkey_filepath: new-node-cert-key.pem
opensearch_security.ssl.transport.pemtrustedcas_filepath: new-root-ca.pem
opensearch_security.ssl.http.pemcert_filepath: new-node-cert.pem
opensearch_security.ssl.http.pemkey_filepath: new-node-cert-key.pem
opensearch_security.ssl.http.pemtrustedcas_filepath: new-root-ca.pem
opensearch_security.authcz.admin_dn:
- CN=admin,OU=SSL,O=Test,L=Test,C=DE
```
To start the cluster, run `docker-compose up` as usual.

View File

@ -185,7 +185,7 @@ services:
- ./custom-opensearch_dashboards.yml:/usr/share/opensearch-dashboards/config/opensearch_dashboards.yml
```
You can use this same method to [pass your own certificates](../docker-security/) to the containers for use with the [Security](../../../security/configuration/) plugin.
You can also configure `docker-compose.yml` and `opensearch.yml` [to take your own certificates](../docker-security/) for use with the [Security](../../security/configuration/) plugin.
### (Optional) Set up Performance Analyzer

View File

@ -105,3 +105,7 @@ output.opensearch:
ssl.certificate: "/full/path/to/client-cert.pem"
ssl.key: "/full/path/to/to/client-cert-key.pem"
```
## Using certificates with Docker
While we recommend using the [tarball](../../../install/tar) installation of ODFE to test client certificate authentication configurations, you can also use any of the other install types. For instructions on using Docker, for example, see [Docker security configuration](../../../install/docker-security).

View File

@ -170,7 +170,7 @@ This process generates many files, but these are the ones you need to add to you
- (Optional) `each-node-cert.pem`
- (Optional) `each-node-key.pem`
For information about adding and configuring these certificates, see [Docker security configuration](../../../install/docker-security/) and [Configure TLS certificates](../tls/).
For information about adding and using these certificates in your own setup, see [Docker security configuration](../../../install/docker-security/) and [Configure TLS certificates](../tls/).
## Run securityadmin.sh