Hi! We are trying to configure an ECK operator (version 1.3.2) that manages an Elasticsearch (6.8.14).
We have configured the Elasticsearch to use our own custom certificates via xpack:
xpack.security.http.ssl.certificate: /usr/share/elasticsearch/config/custom-certs/cert.pem
xpack.security.http.ssl.certificate_authorities:
- /usr/share/elasticsearch/config/custom-certs/ca.pem # our custom ca
- /usr/share/elasticsearch/config/http-certs/ca.crt # ca already provided
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: /usr/share/elasticsearch/config/custom-certs/key.pem
xpack.security.http.ssl.verification_mode: certificate
The nodes are happily able to talk to each other and our REST clients can also talk to these nodes. However, the Operator itself throws an error when trying to get the cluster settings, which prevents it from making any progress in reconciliation:
{"log.level":"error","@timestamp":"2021-02-26T02:08:35.850Z","log.logger":"controller","message":"Reconciler error","service.version":"1.3.2+cd7cb18e","service.type":"eck","ecs.version":"1.4.0","controller":"elasticsearch-controller","name":"elasticsearch","namespace":"namespace","error":"Put \"https://elasticsearch-es-http.namespace.svc:9200/_cluster/settings\": x509: certificate signed by unknown authority","errorCauses":[{"error":"Put \"https://elasticsearch-es-http.namespace.svc:9200/_cluster/settings\": x509: certificate signed by unknown authority"}],"error.stack_trace":"sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.6.3/pkg/internal/controller/controller.go:246\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.6.3/pkg/internal/controller/controller.go:218\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).worker\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.6.3/pkg/internal/controller/controller.go:197\nk8s.io/apimachinery/pkg/util/wait.BackoffUntil.func1\n\t/go/pkg/mod/k8s.io/apimachinery@v0.18.6/pkg/util/wait/wait.go:155\nk8s.io/apimachinery/pkg/util/wait.BackoffUntil\n\t/go/pkg/mod/k8s.io/apimachinery@v0.18.6/pkg/util/wait/wait.go:156\nk8s.io/apimachinery/pkg/util/wait.JitterUntil\n\t/go/pkg/mod/k8s.io/apimachinery@v0.18.6/pkg/util/wait/wait.go:133\nk8s.io/apimachinery/pkg/util/wait.Until\n\t/go/pkg/mod/k8s.io/apimachinery@v0.18.6/pkg/util/wait/wait.go:90"}
I can't seem to find any docs for how we can configure ECK to use our custom certs. Any suggestions or advice? Could we configure Elasticsearch to also accept the certs that ECK is using (where are those controlled?)?
Thanks!
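
The `x509: certificate signed by unknown authority` text in the log above comes from Go's `crypto/x509` verifier running on the client side of the connection. The following is an added example, not part of the original post and not ECK code, that reproduces the check with throwaway certificates. It assumes the operator's client trusts only the ECK-managed CA; all CA names and keys are constructed stand-ins for the files in the posted config.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue creates a certificate for cn; a nil parent yields a self-signed CA.
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		tpl.IsCA, tpl.BasicConstraintsValid, tpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// demo reports whether a client trusting only the ECK CA rejects the server
// certificate as unknown-authority, and the error once the custom CA is trusted too.
func demo() (bool, error) {
	const host = "elasticsearch-es-http.namespace.svc" // service name from the log line
	eckCA, _ := issue("constructed-eck-ca", nil, nil)  // stands in for http-certs/ca.crt
	customCA, customKey := issue("constructed-custom-ca", nil, nil) // custom-certs/ca.pem
	server, _ := issue(host, customCA, customKey)      // custom-certs/cert.pem
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), DNSName: host}
	opts.Roots.AddCert(eckCA) // assumption: the client's trust pool holds only this CA
	_, before := server.Verify(opts)
	opts.Roots.AddCert(customCA) // the client now trusts the issuer of cert.pem
	_, after := server.Verify(opts)
	return errors.As(before, new(x509.UnknownAuthorityError)), after
}

func main() { fmt.Println(demo()) }
```

Listing a CA under `xpack.security.http.ssl.certificate_authorities` does not change this outcome, because that setting is evaluated by Elasticsearch and not by the client that is verifying the server certificate.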