I have a running ECK cluster (ES+Kibana) provisioned with http.tls.selfSignedCertificate.disabled: true.
Now, I would like to try out alerts, which requires TLS to be enabled. I tried to change the above settings to:
http:
tls:
selfSignedCertificate:
#disabled: true
# add a list of SANs into the self-signed HTTP certificate
subjectAltNames:
- dns: elasticsearch-logging-es-http
- dns: elasticsearch-logging-es-http.default.svc
- dns: elasticsearch-logging-es-http.default.svc.cluster.local
and did kubectl apply -f es.yaml. The es cluster still on http.
Hey @xcompass,
What you did looks correct. The service keeps its name *-es-http though (it is still the HTTP protocol, even though encrypted with TLS), but Elasticsearch itself should only be reachable through HTTPS. You can curl the endpoint using https to verify that's the case.
Thanks @sebgl for the reply. I actually did test https with curl, and got the following error:
[root@elasticsearch-logging-es-default-2 elasticsearch]# curl https://localhost:9200
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number
I think this causes kibana to connect ES using http instead of https. Is there a way to force operator generate https on the svc so kibana can get the correct reference? Or is it a bug that operator didn't pick up the change and generate the correct svc?
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.