After enabling xpack security readinessprobe fails

laurijssen · June 18, 2024, 7:48am

I've got elk stack running through helm without security but now I was aked to turn it on.

So I generated certificates with elastic-certutil and put them in a secret and changed the config into

esConfig:
  elasticsearch.yml: |
    cluster.name: "docker-cluster"
    network.host: 0.0.0.0
    xpack.security.enabled: true
    xpack.security.transport.ssl.enabled: true
    xpack.security.transport.ssl.verification_mode: certificate
    xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
    xpack.security.transport.ssl.truststore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
    xpack.license.self_generated.type: basic

secretMounts:
  - name: elastic-certificates
    secretName: elastic-certificates
    path: /usr/share/elasticsearch/config/certs
    defaultMode: 0755

Also changed protocol to https: protocol: https

Then helm upgrade and the elastics pod restarts without error. Yet it never becomes ready!

This is 100% because of readinessprobe not triggering, because this the readinessprobe in elasticsearch and that is NOT logged in the kubelet logs

                http () {
                  local path="${1}"
                  local args="${2}"
                  set -- -XGET -s

                  if [ "$args" != "" ]; then
                    set -- "$@" $args
                  fi

                  if [ -n "${ELASTIC_PASSWORD}" ]; then
                    set -- "$@" -u "elastic:${ELASTIC_PASSWORD}"
                  fi

                  curl --connect-timeout 20 --output /dev/null -k "$@" "{{ .Values.protocol }}://127.0.0.1:{{ .Values.httpPort }}${path}"
}

What IS logged is the readinessprobe bash command from KIBANA and that fails all the time with a connect timeout.

I feel like Im in a chicken and egg situation here. How do I get xpack securitu going with kibana as frontend?

Here's the kubelet log showing the curl request from kibana with timeouts, this is with protocol http but https fails as well.

[bash -c #!/usr/bin/env bash -e
# Disable nss cache to avoid filling dentry cache when calling curl
# This is required with Kibana Docker using nss < 3.52
export NSS_SDB_USE_CACHE=no

http () {
local path="${1}"
            set -- -XGET -s --fail -L
  if [ -n "${ELASTICSEARCH_USERNAME}" ] && [ -n "${ELASTICSEARCH_PASSWORD}" ]; then
 set -- "$@" -u "${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}"


STATUS=$(curl --output /dev/null --write-out "%{http_code}" -k "$@" "http://localhost:5601${path}")

Artem_Shelkovnikov · June 18, 2024, 8:29am

From Elastic Search to Elasticsearch

TimV · June 19, 2024, 4:09am

This helm chart requires that, if security is enabled, you provide the password for the elastic user to the container in the ELASTIC_PASSWORD environment variable.

                  if [ -n "${ELASTIC_PASSWORD}" ]; then
                    set -- "$@" -u "elastic:${ELASTIC_PASSWORD}"
                  fi

Otherwise the curl health check will fail because it does not have valid credentials.

laurijssen · June 19, 2024, 6:26am

Ok thanks. I tried that by just hardcoding default credentials in the ready proby.
With xpack security disabled, protocol http the kubelet logs do get the script triggered.....and the pod becomes ready.

Jun 19 08:17:56 LOGSTASH.nl kubelet[757]:           if [ "$args" != "" ]; then
Jun 19 08:17:56 LOGSTASH.nl kubelet[757]:             set -- "$@" $args
Jun 19 08:17:56 LOGSTASH.nl kubelet[757]:           fi
Jun 19 08:17:56 LOGSTASH.nl kubelet[757]:
Jun 19 08:17:56 LOGSTASH.nl kubelet[757]:           set -- "$@" -u "elastic:changeme"
Jun 19 08:17:56 LOGSTASH.nl kubelet[757]:
Jun 19 08:17:56 LOGSTASH.nl kubelet[757]:           curl --output /dev/null -k "$@" .......

But with xpack.security enabled and protocol https the script is never logged in the kubelet logs, so it seems its not triggered at all.

laurijssen · June 20, 2024, 6:14am

found the solution

I enabled only transport level

xpack.security.transport.ssl.enabled: true

but http must also be enabled!

    xpack.security.http.ssl.enabled: true
    xpack.security.http.ssl.keystore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
    xpack.security.http.ssl.truststore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12

then (of course) elastic runs on https and also the credentials must be provided

system · July 18, 2024, 6:15am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Enable xpack on a running Elastic cluster Elasticsearch elastic-stack-security	10	2143	October 25, 2021
Kubernetes pods are not ready in a Cluster with xpack.security.enabled: true after the pod restart Elasticsearch docker	1	421	September 20, 2022
XPACK Security in ELK stack 7.1.1 Elasticsearch elastic-stack-security	11	3370	July 4, 2019
ELK with Xpack Elasticsearch	8	7035	March 6, 2020
Elasticsearc with xpack security enabled Elasticsearch	9	1834	November 4, 2022

After enabling xpack security readinessprobe fails

Related Topics