Hi there,
I want to try out central management for Elastic Agents, but I cannot get "Kibana security" enabled, although I'm sure it is configured correctly.
I'm running the stack on Docker (19.03.12); ELK_VERSION is 7.11.1.
Internal cluster communication is secured, for external access I'm using traefik as reverse proxy.
Currently I'm configuring the stack via host-mounted configuration files (elasticsearch.yml, kibana.yml), but I also tried to configure via environment variables with the same result.
Any ideas on how to get this resolved are highly appreciated.
Here is my configuration:
- docker-compose (left out services es02/es03):
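# Compose file for one Elasticsearch node (es01) and Kibana behind Traefik.
# The poster left out services es02/es03. Nesting is restored here; the
# listing as posted had lost its indentation and would not parse.
version: '3.2'

services:
  es01:
    container_name: es01
    build:
      context: elasticsearch/
      args:
        ELK_VERSION: $ELK_VERSION
    # Unlimited memlock goes with bootstrap.memory_lock: true in
    # elasticsearch.yml.
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - ./elasticsearch/config/es01.yml:/usr/share/elasticsearch/config/elasticsearch.yml:ro
      - /mnt/volume-elastic-data/es01-data:/usr/share/elasticsearch/data
      - es-certs:$CERTS_DIR
    environment:
      # Substituted by Compose from the shell or an .env file. Values passed
      # this way are readable through `docker inspect`; keep the file that
      # defines them out of version control.
      - ELASTIC_PASSWORD=$ELASTIC_PASSWORD
      - "ES_JAVA_OPTS=-Xms2g -Xmx2g"
    healthcheck:
      # NOTE(review): both branches end in `echo`, so the command's exit
      # status is 0 whatever curl returned. Docker reads the exit status,
      # not the printed digit, so this check cannot mark the container
      # unhealthy.
      test: curl --cacert $CERTS_DIR/ca/ca.crt -s https://localhost:9200 >/dev/null; if [[ $$? == 52 ]]; then echo 0; else echo 1; fi
      interval: 30s
      timeout: 10s
      retries: 5
    networks:
      - proxy_net
    # No `ports:` are published; es01 is reached over proxy_net via Traefik.
    # These labels expose the Elasticsearch HTTP API on
    # elastic.notarealdomain.com, so Elasticsearch authentication is what
    # protects it. Traefik talks HTTPS to the backend; whether it validates
    # the es01 certificate depends on Traefik's own configuration, which is
    # not shown - confirm it trusts the cluster CA rather than skipping
    # verification.
    labels:
      - 'traefik.enable=true'
      - 'traefik.port=9200'
      - 'traefik.protocol=https'
      - 'traefik.frontend.passHostHeader=true'
      - 'traefik.frontend.rule=Host:elastic.notarealdomain.com'

  kibana:
    container_name: kibana
    build:
      context: kibana/
      args:
        ELK_VERSION: $ELK_VERSION
    volumes:
      - ./kibana/config/kibana.yml:/usr/share/kibana/config/kibana.yml:ro
      # NOTE(review): Kibana only references ca/ca.crt from this volume.
      # Presumably the same volume also holds the node private keys
      # (elasticsearch.yml points at es01/es01.key) - verify, and consider
      # mounting it read-only or handing Kibana the CA certificate alone.
      - es-certs:$CERTS_DIR
    depends_on:
      - es01
    networks:
      - proxy_net
    environment:
      # Kibana's Docker image maps these to elasticsearch.username,
      # elasticsearch.password and elasticsearch.ssl.certificateAuthorities.
      # kibana.yml as posted does not set them.
      - "ELASTICSEARCH_USERNAME=kibana_system"
      - "ELASTICSEARCH_PASSWORD=$KIBANA_PASSWORD"
      - "ELASTICSEARCH_SSL_CERTIFICATEAUTHORITIES=${CERTS_DIR}/ca/ca.crt"
    # NOTE(review): there is no traefik.protocol label here and kibana.yml
    # as posted sets no server.ssl.*, so the Traefik-to-Kibana hop on
    # proxy_net looks like plain HTTP - confirm.
    labels:
      - 'traefik.enable=true'
      - 'traefik.port=5601'
      - 'traefik.frontend.passHostHeader=true'
      - 'traefik.frontend.rule=Host:kibana.notarealdomain.com'

networks:
  # Created outside this file and shared with the Traefik container.
  proxy_net:
    external: true

volumes:
  es-certs: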
- elasticsearch.yml:
---
# Elasticsearch settings for node es01.

# Cluster membership and discovery.
cluster.name: "elk-cluster"
node.name: es01
discovery.seed_hosts: es02,es03
cluster.initial_master_nodes: es01,es02,es03

# Binds every interface inside the container; what can actually reach the
# node is decided by the Docker network and the reverse proxy.
network.host: 0.0.0.0
bootstrap.memory_lock: true

# Licence and monitoring.
xpack.license.self_generated.type: trial
xpack.monitoring.collection.enabled: true

# Authentication. The API key service is switched on explicitly here;
# Fleet relies on API keys for its agents.
xpack.security.enabled: true
xpack.security.authc.api_key.enabled: true

# TLS on the HTTP (REST) layer, port 9200.
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.certificate_authorities: /usr/share/elasticsearch/config/certificates/ca/ca.crt
xpack.security.http.ssl.certificate: /usr/share/elasticsearch/config/certificates/es01/es01.crt
xpack.security.http.ssl.key: /usr/share/elasticsearch/config/certificates/es01/es01.key

# TLS on the transport (node-to-node) layer.
# verification_mode `certificate` checks that a peer's certificate chains to
# the CA below but does not check the hostname; `full` adds that check.
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.certificate_authorities: /usr/share/elasticsearch/config/certificates/ca/ca.crt
xpack.security.transport.ssl.certificate: /usr/share/elasticsearch/config/certificates/es01/es01.crt
xpack.security.transport.ssl.key: /usr/share/elasticsearch/config/certificates/es01/es01.key
- kibana.yml:
---
# Kibana settings. The Elasticsearch username, password and CA path are not
# set in this file.

# Server identity and bind address (all interfaces inside the container).
server.name: kibana.notarealdomain.com
server.host: 0.0.0.0

# Elasticsearch nodes Kibana connects to, all over HTTPS.
elasticsearch.hosts:
  - "https://es01:9200"
  - "https://es02:9200"
  - "https://es03:9200"
monitoring.ui.container.elasticsearch.enabled: true

# Address the reporting feature uses to reach Kibana.
xpack.reporting.kibanaServer.hostname: kibana.notarealdomain.com
xpack.reporting.kibanaServer.port: 443
xpack.reporting.kibanaServer.protocol: https

# Security. The key below is redacted by the poster; the real value must be
# at least 32 characters and belongs outside version control.
xpack.security.enabled: true
xpack.encryptedSavedObjects.encryptionKey: "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"

# Fleet. Agents are pointed at the public proxy hostnames on port 443.
xpack.fleet.enabled: true
xpack.fleet.agents.enabled: true
xpack.fleet.agents.elasticsearch.host: "https://elastic.notarealdomain.com:443"
xpack.fleet.agents.kibana.host: "https://kibana.notarealdomain.com:443"
# NOTE(review): left at false, Fleet is expected to require that Kibana
# itself serves TLS. This file sets no server.ssl.* keys, so TLS for Kibana
# presumably ends at the reverse proxy. Confirm whether that is what the
# Fleet requirements check reports before relaxing this flag.
xpack.fleet.agents.tlsCheckDisabled: false
Thanks, Patrick