Hello,
I wanted to install Fleet Server on the AKS cluster, but I got the following error. Would you please help me solve this issue?
Error:
message: Application: fleet-server--7.17.0[]: State changed to FAILED: Error - x509: certificate is valid for elastic.dev.mydomain.com, not elasticsearch-es-http.default.svc - type: 'ERROR' - sub_type: 'FAILED'
Elastic YAML:
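# ECK Elasticsearch cluster: three nodes, Azure snapshot repository plugin,
# and a user-supplied HTTP certificate. Indentation restored from the
# flattened paste so the manifest nests as intended.
apiVersion: elasticsearch.k8s.elastic.co/v1
kind: Elasticsearch
metadata:
  name: elasticsearch
spec:
  secureSettings:
    - secretName: es-snapshot-secret  # secret for repository
  version: 7.17.0
  nodeSets:
    - name: default
      count: 3
      config:
        # most Elasticsearch configuration parameters are possible to set, e.g: node.attr.attr_name: attr_value
        node.roles: ["master", "data", "ingest", "ml"]
        # this allows ES to run on nodes even if their vm.max_map_count has not been increased, at a performance cost
        node.store.allow_mmap: false
        # NOTE(review): path.repo lists the locations allowed for
        # shared-filesystem snapshot repositories; "/" allows every path in
        # the container. The Azure repository set up below presumably does
        # not need it - confirm, then narrow or remove.
        path.repo: ["/"]
      podTemplate:
        metadata:
          labels:
            app: elasticsearch
        spec:
          initContainers:
            # NOTE(review): this container runs privileged to raise
            # vm.max_map_count on the node, while allow_mmap: false above
            # already lets Elasticsearch run without that change. Keeping
            # only one of the two avoids a privileged container that is
            # not needed.
            - name: sysctl
              securityContext:
                privileged: true
              command: ['sh', '-c', 'sysctl -w vm.max_map_count=262144']
            - name: install-plugin
              command:
                - sh
                - -c
                - |
                  bin/elasticsearch-plugin install --batch repository-azure
            # Writes the Azure account name and key into the Elasticsearch
            # keystore. The variables are quoted so the shell passes the
            # values through without word splitting or globbing.
            # NOTE(review): spec.secureSettings above is the ECK-native way
            # to populate the keystore, and it points at a different Secret
            # (es-snapshot-secret) - confirm both mechanisms are needed.
            - name: add-azure-keys
              env:
                - name: AZURE_ACCESS_ACCOUNT
                  valueFrom:
                    secretKeyRef:
                      name: es-azure-snapshot-secret
                      key: azure.client.default.account
                - name: AZURE_ACCESS_KEY
                  valueFrom:
                    secretKeyRef:
                      name: es-azure-snapshot-secret
                      key: azure.client.default.key
              command:
                - sh
                - -c
                - |
                  echo "$AZURE_ACCESS_ACCOUNT" | bin/elasticsearch-keystore add --stdin --force azure.client.default.account
                  echo "$AZURE_ACCESS_KEY" | bin/elasticsearch-keystore add --stdin --force azure.client.default.key
      volumeClaimTemplates:
        - metadata:
            # Do not change this name unless you set up a volume mount for the data path.
            name: elasticsearch-data
          spec:
            accessModes:
              - ReadWriteOnce
            resources:
              requests:
                storage: 4Gi
  http:
    tls:
      # NOTE(review): elastic-tls is also the Secret the Ingress in this
      # post uses for elastic.dev.mydomain.com, so Elasticsearch serves a
      # certificate whose names cover only that public host. In-cluster
      # clients that connect to elasticsearch-es-http.default.svc then fail
      # hostname verification, which matches the reported x509 error.
      # Either drop this block so ECK issues its own certificate for the
      # internal service names, or supply a certificate whose SANs include
      # them; turning off verification on the agent would only hide the
      # mismatch.
      certificate:
        secretName: elastic-tls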
---
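# Public Ingress for the Elasticsearch HTTP service, with a certificate
# requested through the cert-manager issuer annotation. Indentation
# restored from the flattened paste.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/issuer: "letsencrypt"
    # NOTE(review): the annotation below lacks the "nginx." prefix used on
    # the next line; ingress-nginx reads nginx.ingress.kubernetes.io/* by
    # default, so this redirect setting is presumably ignored - confirm
    # against the controller's annotation prefix.
    ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
  name: elastic-ingress
  namespace: default
spec:
  rules:
    # NOTE(review): this publishes the Elasticsearch API (port 9200) on a
    # public hostname; access then rests on Elasticsearch authentication
    # alone unless source addresses are restricted at the ingress.
    - host: elastic.dev.mydomain.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: elasticsearch-es-http
                port:
                  number: 9200
  tls:
    - hosts:
        - elastic.dev.mydomain.com
      # Same Secret name the Elasticsearch resource references under
      # spec.http.tls.certificate, so both endpoints present the
      # certificate issued for this public host only.
      secretName: elastic-tls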
Fleet Agent YAML:
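# ECK Elastic Agent running as Fleet Server in a DaemonSet. Indentation
# restored from the flattened paste. The paste listed "mode: fleet" twice;
# it is kept once under spec because duplicate mapping keys are invalid
# YAML and both copies carried the same value.
apiVersion: agent.k8s.elastic.co/v1alpha1
kind: Agent
metadata:
  name: fleet-agent
spec:
  version: 7.17.0
  # The agent reaches this cluster through its in-cluster service
  # (elasticsearch-es-http.default.svc in the reported error) and checks
  # the served certificate against that name.
  elasticsearchRefs:
    - name: elasticsearch
  mode: fleet
  fleetServerEnabled: true
  http:
    service:
      spec:
        type: ClusterIP
  daemonSet:
    podTemplate:
      spec:
        # The pod mounts the elastic-agent ServiceAccount token, so it holds
        # whatever the ClusterRole bound to that account grants.
        automountServiceAccountToken: true
        serviceAccountName: elastic-agent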
---
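# Cluster-wide permissions for the elastic-agent ServiceAccount: read
# access to core resources and /metrics, plus full access to leases.
# Indentation restored from the flattened paste.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: elastic-agent
rules:
  - apiGroups: [""]  # "" indicates the core API group
    resources:
      - namespaces
      - pods
      - nodes
      - nodes/metrics
      # NOTE(review): nodes/proxy gives access to the kubelet API through
      # the API server, which is broader than metrics collection; keep it
      # only if an enabled integration needs it.
      - nodes/proxy
      - nodes/stats
      - events
      - configmaps
      - services
      - endpoints
      # NOTE(review): deployments belong to the "apps" API group, so this
      # entry under the core group presumably grants nothing - confirm.
      - deployments
    verbs:
      - get
      - watch
      - list
  - nonResourceURLs:
      - /metrics
    verbs:
      - get
      - watch
      - list
  # Lease objects in the coordination.k8s.io group. Being a ClusterRole
  # rule, the write verbs below apply to leases in every namespace; a
  # namespaced Role would confine them to the agent's own namespace.
  - apiGroups: ["coordination.k8s.io"]
    resources:
      - leases
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]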
---
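# Identity the Fleet agent pods run as; referenced by serviceAccountName in
# the Agent manifest. Indentation restored from the flattened paste.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: elastic-agent
  namespace: default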
---
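# Binds the elastic-agent ClusterRole to the elastic-agent ServiceAccount
# in the default namespace. As a ClusterRoleBinding it grants the role's
# rules across all namespaces. Indentation restored from the flattened
# paste.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: elastic-agent
subjects:
  - kind: ServiceAccount
    name: elastic-agent
    namespace: default
roleRef:
  kind: ClusterRole
  name: elastic-agent
  apiGroup: rbac.authorization.k8s.io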