Encrypting communications in an Elasticsearch Docker Container
Unless you are using a trial license, Elastic Stack security features require SSL/TLS encryption for the transport networking layer.
This section demonstrates an easy path to get started with SSL/TLS for both HTTPS and transport using the Elasticsearch Docker image. The example uses Docker Compose to manage the containers.
For further details, see Encrypting communications and available subscriptions.
Prepare the environment
Install Elasticsearch with Docker.
Inside a new, empty directory, create the following four files:
instances.yml:
instances:
  - name: es01
    dns:
      - es01
      - localhost
    ip:
      - 127.0.0.1
  - name: es02
    dns:
      - es02
      - localhost
    ip:
      - 127.0.0.1
.env:
COMPOSE_PROJECT_NAME=es
CERTS_DIR=/usr/share/elasticsearch/config/certificates
ELASTIC_PASSWORD=PleaseChangeMe
Use an
The path, inside the Docker image, where certificates are expected to be found.
Initial password for the
Version 8.0.0 of Elasticsearch has not yet been released, so a create-certs.yml is not available for this version.
Version 8.0.0 of Elasticsearch has not yet been released, so a docker-compose.yml is not available for this version.
Run the example
Generate the certificates (only needed once):
docker-compose -f create-certs.yml run --rm create_certs
Start two Elasticsearch nodes configured for SSL/TLS:
docker-compose up -d
Access the Elasticsearch API over SSL/TLS using the bootstrapped password:
docker run --rm -v es_certs:/certs --network=es_default docker.elastic.co/elasticsearch/elasticsearch:8.0.0 curl --cacert /certs/ca/ca.crt -u elastic:PleaseChangeMe https://es01:9200
The elasticsearch-setup-passwords tool can also be used to generate random passwords for all users:
Windows users not running PowerShell will need to remove \ and join lines in the snippet below.
docker exec es01 /bin/bash -c "bin/elasticsearch-setup-passwords \
auto --batch \
-Expack.security.http.ssl.certificate=certificates/es01/es01.crt \
-Expack.security.http.ssl.certificate_authorities=certificates/ca/ca.crt \
-Expack.security.http.ssl.key=certificates/es01/es01.key \
--url https://localhost:9200"
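The following preflight check for the .env file is an added example, not part of the Elastic documentation. It reads the three variables without sourcing the file, rejects the sample ELASTIC_PASSWORD and a world-readable file, and derives the es_certs and es_default names used in the curl command above from COMPOSE_PROJECT_NAME; the function names and the volume name certs are assumptions.

```shell
#!/bin/sh
# Added example: preflight checks for the .env file shown on this page.

# Print the value of KEY from an env file without sourcing it
# (sourcing would execute any shell code the file contains).
env_get() {   # $1 = file, $2 = key
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# Return 0 when the file passes every check; print each failure to stderr.
check_env() {
    file=$1
    rc=0
    project=$(env_get "$file" COMPOSE_PROJECT_NAME)
    certs=$(env_get "$file" CERTS_DIR)
    pass=$(env_get "$file" ELASTIC_PASSWORD)

    [ -n "$project" ] || { echo "COMPOSE_PROJECT_NAME is not set" >&2; rc=1; }
    case $certs in
        /*) ;;
        *) echo "CERTS_DIR must be an absolute path" >&2; rc=1 ;;
    esac
    case $pass in
        ''|PleaseChangeMe)
            echo "ELASTIC_PASSWORD is empty or still the sample value" >&2; rc=1 ;;
    esac
    # The file holds the bootstrap password, so other users must not read it.
    if [ -n "$(find "$file" -perm -004)" ]; then
        echo "$file is world-readable; run: chmod 600 $file" >&2; rc=1
    fi
    return $rc
}

# Compose prefixes named volumes and the default network with the project
# name; that is where es_certs and es_default in the curl command come from.
# The volume name "certs" is inferred from that command (assumption).
compose_names() {   # $1 = file; prints "<volume> <network>"
    project=$(env_get "$1" COMPOSE_PROJECT_NAME)
    echo "${project}_certs ${project}_default"
}
```

Run `check_env .env` in the project directory before `docker-compose up -d`; a non-zero exit status means at least one check failed.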
Tear everything down
To remove all the Docker resources created by the example, issue:
docker-compose down -v