How to configure X-Pack secured search service liveness/readiness probes with authentication in Paas

Issue

We tried to configure in our PAAS environnement the Elasticsearch X-Pack feature.

When we follow this article and enable X-Pack feature in dev server (with environment variable), the ElasticSearch endpoint used for readiness and liveness are not accessible anymore and return 401 error. So Elasticsearch can’t be reached by Liferay Cloud, and stays unavailable.

Environment

PaaS

Resolution

The documentation in this article is suitable for Self-Hosted deployments only. Self-Managed (PaaS) deployments require settings on the cloud environment side.
Update the liveness and readiness probes within the Elasticsearch service's LCP.json file to incorporate authentication. Since enabling X-Pack security secures Elasticsearch endpoints, the health checks must authenticate to access these endpoints
If the basic authentication username and password is elastic and changeme then the base64 value is ZWxhc3RpYzpjaGFuZ2VtZQ== using this

echo -n "elastic:changeme" | base64

So the probe configuration would look something like this:
```
    "httpGet": {
      "path": "/",
      "port": 9200,
      "httpHeaders":[
      {
         "name":"Authorization",
         "value":"Basic ZWxhc3RpYzpjaGFuZ2VtZQ=="
      }
   ]
```
If you prefer to use TLS on top of the basic authentication (from internal discussion I see that this can be quite complex to configure, and it doesn't really provide any great additional benefits) you should use this

"scheme": "HTTPS"

(and of course it also requires additional steps - generating certificates, etc. - as documented in the mentioned article)
```
    "httpGet": {
      "path": "/",
      "port": 9200,
      "scheme": "HTTPS",
      "httpHeaders":[
      {
         "name":"Authorization",
         "value":"Basic ZWxhc3RpYzpjaGFuZ2VtZQ=="
      }
   ]
```

If additionally you would like to limit the visibility of this authorization by extracting it as a Liferay Cloud Secret.

Let's say something like this :

 "httpGet": {
      "path": "/",
      "port": 9200,
      "httpHeaders":[
      {
         "name":"Authorization",
         "value":"@lcp-secret-elasticsearch-authorization"
      }
   ]

Please note that at the time of writing this article (January 2025) this is not possible. Currently, Liferay Cloud API does not read secrets under probes, so this is not possible yet. However, our cloud engineers have registered now this as a feature request, and hopefully it will be possible in the future.