I saw in the release notes a mention of using ECK with Istio by disabling HTTP-level TLS. I've been trying to use mTLS with Istio and ES and running into problems both with the transport layer (which I think I've resolved by using network.bind_host = 127.0.0.1) and the ECK-managed Kibana, which seems to fail to communicate with the ES cluster when mTLS is enabled.
Is this supported, and if so is there any guidance on making this work?
I don't believe we have an official guide for Istio or any other service meshes as there are many different ways in which they can be configured. It wouldn't be easy to figure out the exact cause of the problem without having access to the environment, but if you provide some details of your Istio setup and the Elasticsearch manifests, I can try to see if there's anything obvious that's missing from the configuration.
Thank you for reporting this. I did some tests and I think there are a couple of issues that prevent ECK-managed clusters from correctly working under Istio. I have created issues in the project repo to investigate them further.
You should be able to work around the issue with the transport port by defining an additional service for the transport layer so that Istio can discover the transport ports:
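An added example, not taken from the original reply or from the ECK project: a headless Service of the kind described, which exposes the Elasticsearch transport port so the mesh can discover it. The Service name, namespace and the cluster name `quickstart` are assumptions; substitute the values from your own Elasticsearch resource.

```yaml
# Added example: headless Service for the Elasticsearch transport layer.
# All names below are assumptions, not values from the thread.
apiVersion: v1
kind: Service
metadata:
  name: quickstart-es-transport      # hypothetical Service name
  namespace: default                 # assumed namespace
spec:
  clusterIP: None                    # headless: resolves to the individual pod IPs
  selector:
    # Label ECK sets on the pods of a cluster; "quickstart" is an assumed cluster name.
    elasticsearch.k8s.elastic.co/cluster-name: quickstart
  ports:
    - name: tcp-transport            # Istio 1.3 picks the protocol from the port-name prefix
      protocol: TCP
      port: 9300                     # Elasticsearch default transport port
      targetPort: 9300
```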
Thanks Peter, I'll give that a test - also see the comment about Kibana login loop when TLS is disabled. That sounds like a strong possibility as I've been testing quite a few different cluster deployments, I'll clear my browser and try that again.
For anyone else interested, an example of using ECK 1.0.0-beta1 to deploy Elasticsearch and Kibana under Istio 1.3.3 can be found in https://github.com/elastic/cloud-on-k8s/issues/2064#issuecomment-547903913. Please note that this is general guidance only and not an official guide to ECK with Istio.