0

I have a web server in a Kubernetes Deployment which uses an ElasticSearch instance on ElasticCloud.

I have parameterised (thanks to environment variables) my container, from a Secret, with this kind of URL: https://elastic:***@xxx.yyy.eu-west-3.aws.elastic-cloud.com:9243

I'm really dissatisfied for these reasons:

  • My container has access to the credentials
  • I have downtimes whenever I change the password

Is there a kind of Service, or any good practice, which would be able to proxy ElasticCloud (adding credentials)? If it is possible, I'd like to have a mechanism to update credentials.

vaizki
GlinesMome

1 Answer

1

I suggest you create a Deployment of caddy:2 Pods with a Caddyfile mounted from a Secret, something like this:

http://elastic-proxy.default.svc.cluster.local:9243 {
    reverse_proxy https://xxx.yyy.eu-west-3.aws.elastic-cloud.com:9243 {
        header_up Authorization "Basic Zm9vOmJhcg=="
        header_up Host {upstream_hostport}
        header_up X-Forwarded-Host {host}
    }
}

Then create a Service named elastic-proxy in the namespace (default in this example). Point the app Pods to this service instead of the Elastic Cloud.

Explanation:

This will create a Caddy 2 server which reverse proxies everything coming to port 9243 with virtual host elastic-proxy.default.svc.cluster.local to the Elastic Cloud and adds an Authorization header with the Basic Auth credentials (foo:bar here).

You can create the password with base64 like this:

$ printf '%s' 'elastic:password' | base64
ZWxhc3RpYzpwYXNzd29yZA==

Every time you change the password (why do you even change it?), just modify the Caddyfile in the Secret.

GlinesMome
vaizki
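The rotation step described in the answer above (rebuild the Basic token, rewrite the Caddyfile held in the Secret), as an added example that is not part of the original answer. The Secret name `elastic-proxy-caddyfile` and the Deployment name `elastic-proxy` are assumptions, as is the rollout restart, which is there because the caddy:2 image's default command does not watch the Caddyfile for changes.

```shell
#!/usr/bin/env bash
# Added example. Names marked "hypothetical" are assumptions, not from the answer.

UPSTREAM='xxx.yyy.eu-west-3.aws.elastic-cloud.com:9243'        # placeholder host from the question
LISTEN='http://elastic-proxy.default.svc.cluster.local:9243'   # Service address from the answer

# Encode user:password for a Basic Authorization header.
# printf avoids the trailing newline that `echo` would append to the password,
# and tr removes the line wrapping that base64 applies to long inputs.
basic_token() {
    printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Print the answer's Caddyfile with the Authorization header filled in.
render_caddyfile() {
    local token
    token=$(basic_token "$1" "$2")
    cat <<EOF
$LISTEN {
    reverse_proxy https://$UPSTREAM {
        header_up Authorization "Basic $token"
        header_up Host {upstream_hostport}
        header_up X-Forwarded-Host {host}
    }
}
EOF
}

# Replace the Secret that holds the Caddyfile, then roll the proxy Pods so they
# load it. Secret "elastic-proxy-caddyfile" and Deployment "elastic-proxy" are
# hypothetical names. With more than one replica the restart is rolling.
rotate() {
    render_caddyfile "$1" "$2" |
        kubectl -n default create secret generic elastic-proxy-caddyfile \
            --from-file=Caddyfile=/dev/stdin --dry-run=client -o yaml |
        kubectl -n default apply -f -
    kubectl -n default rollout restart deployment/elastic-proxy
    kubectl -n default rollout status deployment/elastic-proxy
}

# Usage (keeps the password out of shell history):
#   read -rs -p 'new password: ' PW && rotate elastic "$PW"
```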