Accessing ECK through NodeJS SDK

Hi there!

I've been trying out and experimenting with the ECK Quickstart project and the Node.js SDK for a while and it's been really nice this far. However, I've only done so with certificate verification turned off, and it seems I'm running into some issues when turning it on.

The relevant code in my Node service looks something like this (I’ve changed the name “quickstart” to “elastic”):

  const client = new Client({
    node: 'https://elastic-es-http.default.svc.cluster.local:9200',
    maxRetries: 5,
    requestTimeout: 60000,
    sniffOnStart: true,
    auth: {
      username: 'elastic',
      password: process.env.ELASTIC_PASSWORD,
    ssl: {
      ca: fs.readFileSync('/etc/ssl/elastic/ca.crt'),
      rejectUnauthorized: true,

My service deployment is configured with the relevant parts as follows,:

      - name: servicename
          - name: ELASTIC_PASSWORD
                name: elastic-es-elastic-user
                key: elastic
          - name: elastic-certs
            mountPath: /etc/ssl/elastic/ca.crt
            readOnly: true
            subPath: ca.crt
        - name: elastic-certs
            secretName: elastic-es-http-certs-public

I’ve also configured the Elastic cluster to add the address I’m trying to use as a SAN:

  version: 7.7.0
        - dns: elastic-es-http.default.svc.cluster.local

I’m executing the service with NODE_EXTRA_CA_CERTS=/etc/ssl/elastic/ca.crt node ./run.js

For the life of me I can’t get this working though, since the IP of the Elastic cluster is not in the certificate’s alt names:

ConnectionError: Hostname/IP does not match certificate's altnames: IP: is not in the cert's list:

Of course, it does work if I add the IP to the SANs of the certificate, but this feels error-prone since this IP is bound to change if I’d be using another environment.

It feels like I’m probably just missing something simple here, but I'd greatly appreciate getting any pointers on what it is I'm missing. :slight_smile:

I guess this is because you enable sniffOnStart. By default ECK set network.publish_host to the Pod IP, which is not in the HTTP certs.

I'll open a Github issue to discuss this problem. In the meantime could you try to disable sniffOnStart ?


@michael.morello wow, thanks a lot, that did the trick!

I'll keep an eye on the discussions in the Github issue and see where you land.

All the best

Issue has been opened here:

I managed to make sniffing work but it requires a potential user-facing change in the Kubernetes Services managed by ECK.