I checked the final YAML that is generated after the fleet server is deployed and I see there is no volume that is mounted on the path from where ca.crt is trying to be copied.
I compared the fleet server deployment with an agent deployment without fleet and came up with what I believe is the correct config for the deployment:
```text
    Mounts:
      /etc/agent.yml from config (ro,path="agent.yml")
      /mnt/elastic-internal/elasticsearch-association/elastic-system/elasticsearch/certs from elasticsearch-certs-0 (ro)
      /usr/share/elastic-agent/fleet-setup.yml from fleet-setup-config (ro,path="fleet-setup.yml")
      /usr/share/fleet-server/config/http-certs from fleet-certs (ro)
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-9g5dw (ro)
Conditions:
  Type              Status
  Initialized       True
  Ready             False
  ContainersReady   False
  PodScheduled      True
Volumes:
  config:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  fleet-server-agent-config
    Optional:    false
  fleet-certs:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  fleet-server-agent-http-certs-internal
    Optional:    false
  fleet-setup-config:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  fleet-server-agent-config
    Optional:    false
  elasticsearch-certs-0:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  fleet-server-agent-es-elastic-system-elasticsearch-ca
    Optional:    false
```
But then I get a new error, and this one doesn't have any apparent code that is calling this path, or a corresponding secret that is created, like the above error:
Error: 1 error: open /mnt/elastic-internal/kibana-association/elastic-system/kibana/certs/ca.crt: no such file or directory reading <nil>
@r0zbot are you getting metrics and logs from the agent? I made the same changes you did and was able to get an agent to register to the fleet server and both show up in Kibana but there is no data coming through.
I wanted to drop a reply here as I came across a similar issue, but was able to resolve it.
Something that is not very clear (upfront) in the ECK docs is that if you are using a custom HTTP cert for Kibana and Elasticsearch (and Fleet Server), the secret file that contains the tls.crt and tls.key values should also contain the root ca.crt and any intermediate CA certs. The mentions of this are 1. here in the actual command, and 2. here.
The command for mention 1. only takes into account self-signed certs, but if you have a cert signed by a private CA, then you can replace --from-file=ca.crt=tls.crt with --from-file=ca.crt=<your_ca_crt>
If you don't have the root ca.crt and any intermediate ca certs in the secret file, they can't be mounted into the Agent deployment for the certs to be validated.
Also, if you use something like Let's Encrypt for your cert generation, then you're probably running into this issue.
The reason you probably aren't getting any logs is because the Agent is failing to validate the cert of the Elasticsearch HTTPS endpoint. If you were to mount the Elasticsearch CA, like you did the Fleet and Kibana ones, it should work, or you can make the above change and add the CAs to the secret files.
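The secret layout described in the reply above, as an added worked example that is not ECK's own code nor anything a poster in this thread wrote: a small POSIX sh script that assembles the custom HTTP certificate Secret with `tls.crt`, `tls.key` and a `ca.crt` holding the root plus any intermediates (the declarative twin of the docs' `kubectl create secret generic ... --from-file=ca.crt=...` command), and refuses to emit a manifest whose `ca.crt` carries no certificate, which is the failure mode the reply attributes to Agent not validating the Elasticsearch endpoint. It goes a little beyond the text by also checking an existing manifest for a non-empty `ca.crt`. All file names, the secret name `kibana-http-certs`, the namespace `elastic-system` and the placeholder PEM bodies are constructed assumptions for the example; it needs only `sh`, `base64`, `grep` and `mktemp` and runs offline.

```shell
#!/bin/sh
# Added example for this thread (not ECK's code or any poster's): build the custom HTTP
# certificate Secret so that it carries ca.crt (root plus intermediates) next to tls.crt and
# tls.key, and catch the "no CA in the secret" mistake before ECK mounts it into Agent.
# Assumptions: POSIX sh with base64, grep and mktemp; secret/file names are hypothetical.

# Number of PEM certificate blocks in a file; 0 means there is nothing for Agent to trust.
count_certs() {
  n=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null) || true
  echo "${n:-0}"
}

# Single-line base64, as it appears under data: in a Secret manifest.
b64() { base64 < "$1" | tr -d '\n'; }

# Emit the Secret manifest. Declarative twin of the docs' command cited in the thread:
#   kubectl create secret generic NAME --from-file=tls.crt=... --from-file=tls.key=... --from-file=ca.crt=...
# Refuses to produce a manifest whose ca.crt holds no certificate.
tls_secret_manifest() { # NAME NAMESPACE tls.crt tls.key ca.crt
  name=$1 ns=$2 crt=$3 key=$4 ca=$5
  if [ "$(count_certs "$ca")" -eq 0 ]; then
    echo "refusing: $ca has no certificate, Agent could not validate the HTTPS endpoint" >&2
    return 1
  fi
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
  namespace: $ns
type: Opaque
data:
  tls.crt: $(b64 "$crt")
  tls.key: $(b64 "$key")
  ca.crt: $(b64 "$ca")
EOF
}

# Exit 0 when an existing manifest (e.g. from kubectl get secret NAME -o yaml) has a non-empty ca.crt.
manifest_has_ca() {
  grep -Eq '^ +ca\.crt: [A-Za-z0-9+/=]+$' "$1"
}

# Constructed placeholder PEM files (not real keys or certificates) to exercise the functions.
make_sample_inputs() { # DIR
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'LEAF' '-----END CERTIFICATE-----' > "$1/tls.crt"
  printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'KEY' '-----END PRIVATE KEY-----' > "$1/tls.key"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'INTERMEDIATE' '-----END CERTIFICATE-----' > "$1/intermediate.crt"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'ROOT' '-----END CERTIFICATE-----' > "$1/root.crt"
  : > "$1/empty-ca.crt"
}

demo() {
  dir=$(mktemp -d)
  make_sample_inputs "$dir"
  # Private CA: bundle every issuer, intermediates and root. For a self-signed cert the
  # bundle would simply be tls.crt itself (the docs' --from-file=ca.crt=tls.crt case).
  cat "$dir/intermediate.crt" "$dir/root.crt" > "$dir/ca.crt"
  tls_secret_manifest kibana-http-certs elastic-system "$dir/tls.crt" "$dir/tls.key" "$dir/ca.crt"
  # The mistake from the thread: a secret assembled without the CA chain.
  tls_secret_manifest kibana-http-certs elastic-system "$dir/tls.crt" "$dir/tls.key" "$dir/empty-ca.crt" \
    || echo "manifest without CA rejected (exit $?)"
  rm -rf "$dir"
}
demo
```

Apply the emitted manifest with `kubectl apply -f`, then point the Kibana, Elasticsearch or Fleet Server `http.tls.certificate.secretName` at it; the `ca.crt` entry is what ECK ends up mounting into the Agent pod for validation. `manifest_has_ca` is a quick way to audit secrets you already created by hand.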
There is indeed a bug in the ECK Agent controller that leads to this behavior. Please see the GitHub issue for the bug description and workaround. The fix is planned to be released in 1.8.0.