Kibana stuck with association errors on K8S

While attempting to troubleshoot why my enterprise search wouldn't deploy I ended up running into another error. The guide says after running the yaml for deploying enterprise search, to restart kibana. Which from what I've found you do by deleting the kibana pod. When it tried to come back up I kept getting association errors to both elastic and enterprise search.

My configuration is as follows:
K8S private deployment with 5 N1-Standard-4 kubernetes nodes.

I had elastic and kibana fully up and running with 8.6.2. During troubleshooting, I updated to 8.7.0, hoping that would resolve my issue. It did not.

kubectl apply -f https://download.elastic.co/downloads/eck/2.7.0/crds.yaml

kubectl apply -f https://download.elastic.co/downloads/eck/2.7.0/operator.yaml <

Elastic Yaml:

kind: Elasticsearch
metadata:
  name: main
spec:
  version: 8.7.0
  nodeSets:
  - name: ndpool
    config:
      node.store.allow_mmap: false
      xpack.ml.enabled: true
    podTemplate:
      metadata:
        labels:
          pod: es
      spec:
        containers:
        - name: elasticsearch
          resources:
            requests:
              memory: 7.5Gi
              cpu: 1
            limits:
              memory: 10Gi
    count: 3
    volumeClaimTemplates:
    - metadata:
        name: elasticsearch-data # Do not change this name unless you set up a volume mount for the data path.
      spec:
        accessModes:
        - ReadWriteOnce
        resources:
          requests:
            storage: 3Gi
        storageClassName: standard
  secureSettings:
  - secretName: gcs_secret_name
  http:
    service:
      spec:
        # expose this cluster Service with a LoadBalancer
        type: LoadBalancer
        ports: 
          - protocol: TCP
            port: 9200
            targetPort: 9200
        loadBalancerIP:  xx.xx.xxx.xxx

Kibana Yaml:

apiVersion: kibana.k8s.elastic.co/v1
kind: Kibana
metadata:
  name: kibana
spec:
  version: 8.7.0
  count: 1
  elasticsearchRef:
    name: main
  enterpriseSearchRef:
    name: enterprisesearch
  podTemplate:
    metadata:
        labels:
          pod: kb
    spec:
      containers:
      - name: kibana
        env:
          - name: "NETWORK_HOST"
            value: "_site_,_lo_"
        ports:                                      
        - containerPort: 5601         
          name: http                               
        - containerPort: 22                         
          name: ssh
      # nodeSelector:
      #   type: frontend
  http:
    service:
      spec:
        type: LoadBalancer # default is ClusterIP
        loadBalancerIP: 34.xx.xxx.xxx
  
    tls:
      certificate:
        secretName: kibana-ssl-cert

Enterprise Search Yaml:

apiVersion: enterprisesearch.k8s.elastic.co/v1
kind: EnterpriseSearch
metadata:
  name: enterprisesearch
spec:
  version: 8.7.0
  count: 1
  elasticsearchRef:
    name: main
  config:
    ent_search.external_url: https://kibana-dev.ourcompany.com:3002 # https://localhost:3002
    ent_search.listen_port: 3002
    kibana.host:  https://kibana-dev.ourcompany.com:5601
    app_search.engine_document_size.limit: 100kb
  configRef:
    secretName: gcs_secret_name
  podTemplate:
    spec:
      containers:
      - name: enterprisesearch

// kubectl get elastic

NAME                                  HEALTH   NODES   VERSION   AGE
kibana.kibana.k8s.elastic.co/kibana                              3h26m
NAME                                              HEALTH   NODES   VERSION   PHASE   AGE
elasticsearch.elasticsearch.k8s.elastic.co/main   green    3       8.7.0     Ready   35d

kubectl describe kibana

$ kubectl describe kb
Name:         kibana
Namespace:    default
Labels:       <none>
Annotations:  <none>
API Version:  kibana.k8s.elastic.co/v1
Kind:         Kibana
Metadata:
  Creation Timestamp:  2023-04-03T17:58:51Z
  Generation:          1
  Managed Fields:
    API Version:  kibana.k8s.elastic.co/v1
    Fields Type:  FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .:
          f:kubectl.kubernetes.io/last-applied-configuration:
      f:spec:
        .:
        f:count:
        f:elasticsearchRef:
          .:
          f:name:
        f:http:
          .:
          f:service:
            .:
            f:spec:
              .:
              f:loadBalancerIP:
              f:type:
          f:tls:
            .:
            f:certificate:
              .:
              f:secretName:
        f:podTemplate:
          .:
          f:metadata:
            .:
            f:labels:
              .:
              f:pod:
          f:spec:
            .:
            f:containers:
        f:version:
    Manager:      kubectl-client-side-apply
    Operation:    Update
    Time:         2023-04-03T17:58:51Z
    API Version:  kibana.k8s.elastic.co/v1
    Fields Type:  FieldsV1
    fieldsV1:
      f:status:
        .:
        f:associationStatus:
        f:count:
        f:elasticsearchAssociationStatus:
        f:observedGeneration:
    Manager:         elastic-operator
    Operation:       Update
    Subresource:     status
    Time:            2023-04-03T17:59:01Z
  Resource Version:  30118595
  UID:               xxxxxxx-xxxx-xxxx-xxxx-xxxxx
Spec:
  Count:  1
  Elasticsearch Ref:
    Name:  main
  Http:
    Service:
      Spec:
        Load Balancer IP:  34.xx.xxx.xxx
        Type:              LoadBalancer
    Tls:
      Certificate:
        Secret Name:  kibana-ssl-cert
  Pod Template:
    Metadata:
      Labels:
        Pod:  kb
    Spec:
      Containers:
        Env:
          Name:   NETWORK_HOST
          Value:  _site_,_lo_
        Name:     kibana
        Ports:
          Container Port:  5601
          Name:            http
          Container Port:  22
          Name:            ssh
  Version:                 8.7.0
Status:
  Association Status:                Pending
  Count:                             0
  Elasticsearch Association Status:  Pending
  Observed Generation:               1
Events:
  Type     Reason            Age   From               Message
  ----     ------            ----  ----               -------
  Warning  AssociationError  20m   kibana-controller  Association backend for elasticsearch is not configured

Hi,

One thing I noticed in your manifest is that you removed the name of the HTTP Service for Elasticsearch:

          type: LoadBalancer
          ports: 
            - protocol: TCP
              port: 9200
              targetPort: 9200
+             name: https
          loadBalancerIP:  xx.xx.xxx.xxx

This prevents the operator from creating the URL used by Kibana to access Elasticsearch.

Thank you - that got me past the association error!

Now I'm getting ent-search pods, but still a red status.

NAME HEALTH NODES VERSION AGE
enterprisesearch.enterprisesearch.k8s.elastic.co/search 2m52s

any ideas?

THank you - now, I'm getting green on all my health, but still getting an association error. If I remove the reference to the enterprise search load balancer, then It won't give a green status on ent.

kubect describe kibana:
"Association backend for ent is not configured "

with:

Enterprise Search Association Status: Pending

Could you share all the (updated) manifests on https://gist.github.com/?
Also please check the operator logs to check if there is any error related to your deployment.
Thanks

The logs for kibana show:

  [2023-04-25T13:50:31.870+00:00][INFO ][http.server.Kibana] http server running at https://0.0.0.0:5601
 [2023-04-25T13:50:31.904+00:00][INFO ][status] Kibana is now degraded

It still loads kibana but with an Association backend ent not in config error and the enterpriseSearch say Pending. Describe ent shows all green with no errors

Some Questions that I'm investigating - any input would be valuable:

1. I want to access workplace search via kibana - should the network host be set to an IP or localhost?

2. Do I need a loadbalancer on enterprise search to work within Kibana or only if I want stand alone access?

3. Do I need the TLS certificate? if so do I use the same one as kibana or create a new secret?

4. I do not have the Java Ent settings configured in es, kibana, or ent - is this necessary? IF so, I've seen both Xms7500 and Xms3500 - which one do I want and why?

5. in Kibana the Workplace search screen still gives me the " In your config/kibana.yml file, set enterpriseSearch.host to the URL of your Workplace Search instance. For example" Notice - but I do have this configured. Where can I look in the operator to see why I'm getting this error when I have that configured? Are there docs for the operator - to see what causes each error?

I've tried every combination of config settings including the following:
Calling out a reserved IP

metadata:
  name: kibana
spec:
  version: 8.7.0
  count: 1
  elasticsearchRef:
    name: main
  enterpriseSearchRef:
    name: enterprisesearch
  config:
    enterpriseSearch.host: "http://3x.2xx.xxx.xxx:3002"

calling out localhost

metadata:
  name: kibana
spec:
  version: 8.7.0
  count: 1
  elasticsearchRef:
    name: main
  enterpriseSearchRef:
    name: search
  config:
    enterpriseSearch.host: "localhost:3002"

moving config into the enterpriseRef section

  name: kibana
spec:
  version: 8.7.0
  count: 1
  elasticsearchRef:
    name: main
  enterpriseSearchRef:
    name: search
  config:
    enterpriseSearch.host: "http://3x.2xx.xxx.xxx:3002"
---
metadata:
  name: search
  namespace: default
spec:
  version: 8.7.0
  count: 2
  elasticsearchRef:
    name: main
  config:
    ent_search.external_url: http://3x.2xx.xxx.xxx:3002
    kibana.host:  https://kibana-dev.mydomain.com:5601 

Adding and removing TLS reference in enterprise search with kibana cert.

and adding and removing a load balancer for ent with the defined IP.

A detailed example would be awesome if anyone has one.

How do I get the operator logs? The logs for kubectl logs ent-pod-name gives me the following (relevant sections). If I remove my TLS cert from the kibana.yaml i get green and no errors; but it still doesn't work in kibana.

Elasticsearch cluster is ready
[2023-04-25T15:58:39.246+00:00][8][4004][app-server][INFO]: [pre-flight] Successfully connected to Elasticsearch
[2023-04-25T15:58:39.315+00:00][8][4004][app-server][INFO]: [pre-flight] Successfully loaded Elasticsearch plugin information 
for all nodes
[2023-04-25T15:58:39.324+00:00][8][4004][app-server][INFO]: [pre-flight] Elasticsearch running with an active enterprise license
[2023-04-25T15:58:39.345+00:00][8][4004][app-server][INFO]: [pre-flight] Elasticsearch API key service is enabled
[2023-04-25T15:58:39.355+00:00][8][4004][app-server][INFO]: [pre-flight] Elasticsearch will be used for authentication        
[2023-04-25T15:58:39.357+00:00][8][4004][app-server][INFO]: Elasticsearch looks healthy and configured correctly to run Enterprise Search
[2023-04-25T15:58:39.359+00:00][8][4004][app-server][INFO]: Performing pre-flight checks for Kibana running on https://kibana-dev.mydomain.com:5601...
[2023-04-25T15:58:39.620+00:00][8][4004][app-server][WARN]: [pre-flight] Failed to connect to Kibana backend. Make sure it is 
running and healthy.
[2023-04-25T15:58:39.670+00:00][8][4004][app-server][ERROR]: Could not connect to Kibana backend after 0 seconds.
[2023-04-25T15:58:39.671+00:00][8][4004][app-server][WARN]: Enterprise Search is unable to connect to Kibana. Ensure it is running at https://kibana-mydomain.com:5601 for user default-search-ent-user.
...
.encryption_keys to decrypt secrets between reboots. See https://www.elastic.co/guide/en/enterprise-search/current/encryption-keys.html for additional details.
[2023-04-25T15:59:02.872+00:00][8][4004][app-server][WARN]: 
#########################################################

Cannot decrypt App Search API tokens, App Search API tokens, or Workplace Search API keys.
Ensure that secret_management.encryption_keys is correctly set for Enterprise Search.
See https://www.elastic.co/guide/en/enterprise-search/current/encryption-keys.html for additional details.

In case you can't recover your encryption keys, you will need to regenerate:
- App Search API tokens
- Workplace Search API keys
- Workplace Search content sources configuration
- App Search web crawler configurations


#########################################################
[cron-Work::Cron::LogHealthStats][INFO]: Health stats: {"jvm"=>{"gc"=>{"collection_count"=>19, "collection_time"=>1374, "garbage_collectors"=>{"G1 Young Generation"=>{"collection_count"=>19, "collection_time"=>1374}, "G1 Old Generation"=>{"collection_count"=>0, "collection_time"=>0}}}, "pid"=>8, "uptime"=>56487, "memory_usage"=>{"heap_init"=>3670016000, "heap_used"=>711983104, "heap_committed"=>3670016000, "heap_max"=>3670016000, "object_pending_finalization_count"=>0, "non_heap_init"=>7667712, "non_heap_committed"=>201785344}, "memory_pools"=>["CodeHeap 'non-nmethods'", "Metaspace", "CodeHeap 'profiled nmethods'", "Compressed Class Space", "G1 Eden Space", "G1 Old Gen", "G1 Survivor Space", "CodeHeap 'non-profiled nmethods'"], "threads"=>{"thread_count"=>19, "peak_thread_count"=>19, "total_started_thread_count"=>19, "daemon_thread_count"=>18}, "vm_version"=>"11.0.18+10", "vm_vendor"=>"Eclipse Adoptium", "vm_name"=>"OpenJDK 64-Bit Server VM"}, "system"=>{"java_version"=>"11.0.18", "jruby_version"=>"9.3.3.0", "os_name"=>"Linux", "os_version"=>"5.15.65+"}, "filebeat"=>{"alive"=>false}, "metricbeat"=>{"alive"=>false}}
...
2023-04-25 15:59:07.840:INFO:oejs.Server:main: Started @58875ms
[2023-04-25T15:59:07.841+00:00][8][4004][app-server][INFO]: Jetty successfully started and is ready to handle requests!       
[2023-04-25T15:59:07.845+00:00][8][4004][app-server][INFO]:
#########################################################

Success! Elastic Enterprise Search is starting successfully.

Advanced tooling and management interfaces are available via Kibana. Learn more about configuring and running
Kibana with Enterprise Search at https://www.elastic.co/guide/en/enterprise-search/master/user-interfaces.html.

In a few moments, you'll be able to access Enterprise Search from Kibana at the following address:

  * Kibana URL: https://kibana-dev.mydomain.com:5601/app/enterprise_search/overview

Everything looks healthly..

kubectl get elastic
NAME                                              HEALTH   NODES   VERSION   PHASE   AGE
elasticsearch.elasticsearch.k8s.elastic.co/main   green    3       8.7.0     Ready   21h

NAME                                                      HEALTH   NODES   VERSION   AGE
enterprisesearch.enterprisesearch.k8s.elastic.co/search   green    2       8.7.0     9h

NAME                                  HEALTH   NODES   VERSION   AGE
kibana.kibana.k8s.elastic.co/kibana   green    1       8.7.0     21h

and yet... when I go to the url - it still saysconfig is not set up.

I think this may have something to do with my issue, but not sure what to do.

It says enterprise search is not work with Custom CA's, but then it says it does.

I need to use mydomain ssl in kibana; what do I need to do to make kibana and enterprise search talk with these limitations?

• Troubleshoot ECK | Elastic Cloud on Kubernetes [2.10] | Elastic
• Troubleshooting methods | Elastic Cloud on Kubernetes [2.10] | Elastic

but still getting an association error

      containers:
      - name: kibana
        env:
          - name: "NETWORK_HOST"
            value: "_site_,_lo_"
        ports:                                      
        - containerPort: 5601         
          name: http                               
        - containerPort: 22                         
          name: ssh

Would it be possible to remove the ports section from all your manifest? I don't think this is needed, this should be name: https for Kibana port, and I'm not sure to understand why there is a ssh port?

Do I need the TLS certificate? if so do I use the same one as kibana or create a new secret?

It depends if the TLS certificate in the Secret holds the expected name I guess?

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.