In the http section, tls.selfSignedCertificate and tls.certificate are mutually exclusive fields. You should only have one or the other. If you want to use cert-manager to issue the certificate, then only the tls.certificate field should be set.
You have set the service type to ClusterIP -- which is the default anyway. It only makes pods accessible inside the Kubernetes cluster. The IP address you are trying to issue the certificate to is a private, internal IP address that cannot be accessed from outside.
The documentation page you linked to omits a few minor details that might not be obvious at first. Apologies for that. We'll review it for the next release.
If you are trying to access Elasticsearch from outside the Kubernetes cluster, then the service type must be set to LoadBalancer or NodePort (see https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types). As you're using an on-premise Kubernetes deployment, I am not sure how it will handle these service types. You should check with your system administrator to understand how the cluster is configured to expose services externally.
The following snippets illustrates how one would normally use cert-manager to expose an Elasticsearch deployment. Some details may vary depending on how your Kubernetes cluster is configured (for instance, not all providers support loadBalancerIP).
Unfortunatly this leads to a CrashLoopbackOff of the elastic container withe the following stacktrace:
ElasticsearchSecurityException[failed to load SSL configuration [xpack.security.http.ssl]]; nested: ElasticsearchException[failed to create trust manager]; nested: ElasticsearchException[failed to initialize a TrustManagerFactory]; nested: CertificateException[failed to parse any certificates from [/usr/share/elasticsearch/config/http-certs/tls.crt]];
Likely root cause: java.security.cert.CertificateException: failed to parse any certificates from [/usr/share/elasticsearch/config/http-certs/tls.crt]
The secret has been created but tls.crt seems to be 0 bytes long:
The yaml I used to create the certs until now was the one from the documentation. In the end it wasn't working but at least the certs were there. Should I somehow merge the yaml you provided with the one from the tutorial ?
It looks like an issue with cert-manager in your cluster. The certificate should not be empty. Try deleting and re-creating the certificate to see if the problem persists. It might be worth checking the cert-manager logs as well to see if there are any issues reported there.
The cert-manager Certificate manifest in the documentation is correct and you should be able to use it as-is. I was simply illustrating how to add an IP address to the generated certificate as that's what you were trying to do in the original question.
For the curl to work in https you must add the value of the subjectAltName in the /etc/hosts. If you don't you'll get some strange NSS errors.
So simply add this line to your /etc/hosts
<eck_svc_ip> quickstart-es-http.default.svc
My elastic config is now the following:
...
http:
service:
spec:
type: ClusterIP
clusterIP: 10.233.35.89 #Hardcoding value of clusterIP because why not
tls:
certificate:
secretName: quickstart-es-cert #Secret with new certs
You can now curl your endpoint using the --cacert of curl.
Glad you got it working. Adding the IP address to /etc/hosts is strictly not necessary and a potential security issue if you are using a shared cluster with untrusted users. For testing purposes, you can invoke curl with the --resolve flag instead.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.
