Kibana unable to configure fleet access

Hi there,

I'm trying to configure Fleet on Kibana container.

Mi elastic-docker.yml is this (have 3 instances of elastic search and 1 of kibana):

version: '2.2'

services:
 es01:
   image: docker.elastic.co/elasticsearch/elasticsearch:${VERSION}
   container_name: es01
   environment:
     - node.name=es01
     - cluster.name=es-docker-cluster
     - discovery.seed_hosts=es02,es03
     - cluster.initial_master_nodes=es01,es02,es03
     - bootstrap.memory_lock=true
     - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
     - xpack.license.self_generated.type=trial
     - xpack.security.enabled=true
     - xpack.security.http.ssl.enabled=true
     - xpack.security.http.ssl.key=$CERTS_DIR/es01/es01.key
     - xpack.security.http.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt
     - xpack.security.http.ssl.certificate=$CERTS_DIR/es01/es01.crt
     - xpack.security.transport.ssl.enabled=true
     - xpack.security.transport.ssl.verification_mode=certificate
     - xpack.security.transport.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt
     - xpack.security.transport.ssl.certificate=$CERTS_DIR/es01/es01.crt
     - xpack.security.transport.ssl.key=$CERTS_DIR/es01/es01.key
     - xpack.security.authc.api_key.enabled=true
   ulimits:
     memlock:
       soft: -1
       hard: -1
   volumes:
     - ./data01:/usr/share/elasticsearch/data
     - ./certs:$CERTS_DIR
   ports:
     - 9200:9200
   networks:
     - elastic
  healthcheck:
     test: curl --cacert $CERTS_DIR/ca/ca.crt -s https://localhost:9200 >/dev/null; if [[ $$? == 52 ]]; then echo 0; else echo 1; fi
     interval: 30s
     timeout: 10s
     retries: 5

 es02:
   image: docker.elastic.co/elasticsearch/elasticsearch:${VERSION}
   container_name: es02
   environment:
     - node.name=es02
     - cluster.name=es-docker-cluster
     - discovery.seed_hosts=es01,es03
     - cluster.initial_master_nodes=es01,es02,es03
     - bootstrap.memory_lock=true
     - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
     - xpack.license.self_generated.type=trial
     - xpack.security.enabled=true
     - xpack.security.http.ssl.enabled=true
     - xpack.security.http.ssl.key=$CERTS_DIR/es02/es02.key
     - xpack.security.http.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt
     - xpack.security.http.ssl.certificate=$CERTS_DIR/es02/es02.crt
     - xpack.security.transport.ssl.enabled=true
     - xpack.security.transport.ssl.verification_mode=certificate
     - xpack.security.transport.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt
     - xpack.security.transport.ssl.certificate=$CERTS_DIR/es02/es02.crt
     - xpack.security.transport.ssl.key=$CERTS_DIR/es02/es02.key
     - xpack.security.authc.api_key.enabled=true
   ulimits:
     memlock:
       soft: -1
       hard: -1
   volumes:
     - ./data02:/usr/share/elasticsearch/data
     - ./certs:$CERTS_DIR
   networks:
     - elastic


 es03:
   image: docker.elastic.co/elasticsearch/elasticsearch:${VERSION}
   container_name: es03
   environment:
     - node.name=es03
     - cluster.name=es-docker-cluster
     - discovery.seed_hosts=es01,es02
     - cluster.initial_master_nodes=es01,es02,es03
     - bootstrap.memory_lock=true
     - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
     - xpack.license.self_generated.type=trial
     - xpack.security.enabled=true
     - xpack.security.http.ssl.enabled=true
     - xpack.security.http.ssl.key=$CERTS_DIR/es03/es03.key
     - xpack.security.http.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt
     - xpack.security.http.ssl.certificate=$CERTS_DIR/es03/es03.crt
     - xpack.security.transport.ssl.enabled=true
     - xpack.security.transport.ssl.verification_mode=certificate
     - xpack.security.transport.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt
     - xpack.security.transport.ssl.certificate=$CERTS_DIR/es03/es03.crt
     - xpack.security.transport.ssl.key=$CERTS_DIR/es03/es03.key
     - xpack.security.authc.api_key.enabled=true
   ulimits:
     memlock:
       soft: -1
       hard: -1
   volumes:
     - ./data03:/usr/share/elasticsearch/data
     - ./certs:$CERTS_DIR
   networks:
     - elastic


 kib01:
   image: docker.elastic.co/kibana/kibana:${VERSION}
   container_name: kib01
   depends_on: {"es01": {"condition": "service_healthy"}}
   ports:
     - 5601:5601
   environment:
     xpack.fleet.enabled: "true"
     xpack.security.enabled: "true"
     xpack.encryptedSavedObjects.encryptionKey: "something_at_least_32_characters54321"
     SERVERNAME: localhost
     ELASTICSEARCH_URL: https://es01:9200
     ELASTICSEARCH_HOSTS: https://es01:9200
     ELASTICSEARCH_USERNAME: kibana_system
     ELASTICSEARCH_PASSWORD: Lu88DZ9M4ujQalyhrEMD
     ELASTICSEARCH_SSL_CERTIFICATEAUTHORITIES: $CERTS_DIR/ca/ca.crt
     SERVER_SSL_ENABLED: "true"
     SERVER_SSL_KEY: $CERTS_DIR/kib01/kib01.key
     SERVER_SSL_CERTIFICATE: $CERTS_DIR/kib01/kib01.crt
   volumes:
     - ./certs:$CERTS_DIR
   networks:
     - elastic
volumes:
 data01:
   driver: local
 certs:
   driver: local

networks:
 elastic:
   driver: bridge

The images are UP.
But when I try to enter on https://192.168.1.152:5601/app/ingestManager#/fleet the system says that I have to:
Set xpack.encryptedSavedObjects.encryptionKey to any alphanumeric value of at least 32 characters.

I have already add those lines in my docker-compose.yml document.
I don't know how can I configure to use Fleet.

Can someone help please?

Thx

Hi @Mikel_U Happy to hear you are trying out Fleet. First thing I did was compare it to one of the docker-compose setups we do: https://github.com/elastic/package-storage/blob/production/testing/environments/kibana.config.yml One thing we do differently is load in the config instead of using environment variables. Could you try this out?

I'm new on elastic/docker. Where do I have to put that kibana.config.yml?? Inside docker kibana instance (on /usr/share/kibana/config/kibana.yml) or before creating the instances? And if it is like that, how to execute "docker-compose" command?

Now I do:

$ docker-compose -f elastic-docker.yml up -d

thx one more time

You can mount it in as file. See https://github.com/elastic/package-storage/blob/production/testing/environments/snapshot.yml

Thx for your help. I understand how I have to do it :slight_smile:
I will post when it's working :wink:

I get this errors on kib01 logs:

FATAL  Error: Unknown configuration key(s): 
	"xpack.fleet.enabled", 
	"xpack.fleet.agents.enabled", 
	"xpack.fleet.agents.elasticsearch.host", 
	"xpack.fleet.agents.kibana.host", 
	"xpack.fleet.agents.tlsCheckDisabled". 
	
	Check for spelling errors and ensure that expected plugins are installed.

And the container gets down.

My new elastic-docker.yml file is this:

version: '2.2'

services:
  es01:
    image: docker.elastic.co/elasticsearch/elasticsearch:${VERSION}
    container_name: es01
    environment:
      - node.name=es01
      - cluster.name=es-docker-cluster
      - discovery.seed_hosts=es02,es03
      - cluster.initial_master_nodes=es01,es02,es03
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
      - xpack.license.self_generated.type=trial
      - xpack.security.enabled=true
      - xpack.security.http.ssl.enabled=true
      - xpack.security.http.ssl.key=$CERTS_DIR/es01/es01.key
      - xpack.security.http.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt
      - xpack.security.http.ssl.certificate=$CERTS_DIR/es01/es01.crt
      - xpack.security.transport.ssl.enabled=true
      - xpack.security.transport.ssl.verification_mode=certificate
      - xpack.security.transport.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt
      - xpack.security.transport.ssl.certificate=$CERTS_DIR/es01/es01.crt
      - xpack.security.transport.ssl.key=$CERTS_DIR/es01/es01.key
      - xpack.security.authc.api_key.enabled=true
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - ./data01:/usr/share/elasticsearch/data
      - ./certs:$CERTS_DIR
    ports:
      - 9200:9200
    networks:
      - elastic

    healthcheck:
      test: curl --cacert $CERTS_DIR/ca/ca.crt -s https://localhost:9200 >/dev/null; if [[ $$? == 52 ]]; then echo 0; else echo 1; fi
      interval: 30s
      timeout: 10s
      retries: 5

es02:
    image: docker.elastic.co/elasticsearch/elasticsearch:${VERSION}
    container_name: es02
    environment:
      - node.name=es02
      - cluster.name=es-docker-cluster
      - discovery.seed_hosts=es01,es03
      - cluster.initial_master_nodes=es01,es02,es03
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
      - xpack.license.self_generated.type=trial
      - xpack.security.enabled=true
      - xpack.security.http.ssl.enabled=true
      - xpack.security.http.ssl.key=$CERTS_DIR/es02/es02.key
      - xpack.security.http.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt
      - xpack.security.http.ssl.certificate=$CERTS_DIR/es02/es02.crt
      - xpack.security.transport.ssl.enabled=true
      - xpack.security.transport.ssl.verification_mode=certificate
      - xpack.security.transport.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt
      - xpack.security.transport.ssl.certificate=$CERTS_DIR/es02/es02.crt
      - xpack.security.transport.ssl.key=$CERTS_DIR/es02/es02.key
      - xpack.security.authc.api_key.enabled=true
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - ./data02:/usr/share/elasticsearch/data
      - ./certs:$CERTS_DIR
    networks:
      - elastic

 es03:
    image: docker.elastic.co/elasticsearch/elasticsearch:${VERSION}
    container_name: es03
    environment:
      - node.name=es03
      - cluster.name=es-docker-cluster
      - discovery.seed_hosts=es01,es02
      - cluster.initial_master_nodes=es01,es02,es03
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
      - xpack.license.self_generated.type=trial
      - xpack.security.enabled=true
      - xpack.security.http.ssl.enabled=true
      - xpack.security.http.ssl.key=$CERTS_DIR/es03/es03.key
      - xpack.security.http.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt
      - xpack.security.http.ssl.certificate=$CERTS_DIR/es03/es03.crt
      - xpack.security.transport.ssl.enabled=true
      - xpack.security.transport.ssl.verification_mode=certificate
      - xpack.security.transport.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt
      - xpack.security.transport.ssl.certificate=$CERTS_DIR/es03/es03.crt
      - xpack.security.transport.ssl.key=$CERTS_DIR/es03/es03.key
      - xpack.security.authc.api_key.enabled=true
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - ./data03:/usr/share/elasticsearch/data
      - ./certs:$CERTS_DIR
    networks:
      - elastic

 kib01:
    image: docker.elastic.co/kibana/kibana:${VERSION}
    container_name: kib01
    depends_on: {"es01": {"condition": "service_healthy"}}
    #ports:
    #  - 5601:5601
    #environment:
      #SERVERNAME: localhost
      #ELASTICSEARCH_URL: https://es01:9200
      #ELASTICSEARCH_HOSTS: https://es01:9200
      #ELASTICSEARCH_USERNAME: kibana_system
      #ELASTICSEARCH_PASSWORD: Lu88DZ9M4ujQalyhrEMD
      #ELASTICSEARCH_SSL_CERTIFICATEAUTHORITIES: $CERTS_DIR/ca/ca.crt
      #SERVER_SSL_ENABLED: "true"
      #SERVER_SSL_KEY: $CERTS_DIR/kib01/kib01.key
      #SERVER_SSL_CERTIFICATE: $CERTS_DIR/kib01/kib01.crt
    volumes:
      - ./certs:$CERTS_DIR
      - ./kibana.config.yml:/usr/share/kibana/config/kibana.yml
    networks:
      - elastic
volumes:
  data01:
    driver: local
  data02:
    driver: local
  data03:
    driver: local
  certs:
    driver: local

networks:
  elastic:
    driver: bridge

and kibana.config.yml is:

server.name: kib01
server.host: "0"

elasticsearch.hosts: [ "http://es01:9200" ]
elasticsearch.username: elastic
elasticsearch.password: PQ2kgqMtUYP6Tqaf6kXG
elasticsearch.ssl.certificateAuthorities: ["/usr/share/kibana/config/certs/ca/ca.crt"]
server.ssl.certificate: /usr/share/kibana/config/certs/kib01/kib01.crt
server.ssl.key: /usr/share/kibana/config/certs/kib01/kib01.key
xpack.monitoring.ui.container.elasticsearch.enabled: true

xpack.fleet.enabled: true
#xpack.fleet.registryUrl: "http://package-registry:8080"
xpack.fleet.agents.enabled: true
xpack.fleet.agents.elasticsearch.host: "http://es01:9200"
xpack.fleet.agents.kibana.host: "http://kib01:5601"
xpack.fleet.agents.tlsCheckDisabled: true

xpack.encryptedSavedObjects.encryptionKey: "this-is-not-a-real-key-but-gets-the-job-done"

How can I fix it? Thx

Finally I did it.

I have combined the 2 ways. First I have used environment variables on the docker-compose.yml and on the other hand, I have used kibana.config.yml.
My docker-compose.yml:

version: '2.2'

services:
  es01:
    image: docker.elastic.co/elasticsearch/elasticsearch:${VERSION}
    container_name: es01
    environment:
      - node.name=es01
      - cluster.name=es-docker-cluster
      - discovery.seed_hosts=es02
      - cluster.initial_master_nodes=es01,es02
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
      - xpack.license.self_generated.type=trial
      - xpack.security.enabled=true
      - xpack.security.http.ssl.enabled=true
      - xpack.security.http.ssl.key=$CERTS_DIR/es01/es01.key
      - xpack.security.http.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt
      - xpack.security.http.ssl.certificate=$CERTS_DIR/es01/es01.crt
      - xpack.security.transport.ssl.enabled=true
      - xpack.security.transport.ssl.verification_mode=certificate
      - xpack.security.transport.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt
      - xpack.security.transport.ssl.certificate=$CERTS_DIR/es01/es01.crt
      - xpack.security.transport.ssl.key=$CERTS_DIR/es01/es01.key
      - xpack.security.authc.api_key.enabled=true
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - ./data01:/usr/share/elasticsearch/data
      - ./certs:$CERTS_DIR
    ports:
      - 9200:9200
    networks:
      - elastic

    healthcheck:
      test: curl --cacert $CERTS_DIR/ca/ca.crt -s https://localhost:9200 >/dev/null; if [[ $$? == 52 ]]; then echo 0; else echo 1; fi
      interval: 30s
      timeout: 10s
      retries: 5

 es02:
    image: docker.elastic.co/elasticsearch/elasticsearch:${VERSION}
    container_name: es02
    environment:
      - node.name=es02
      - cluster.name=es-docker-cluster
      - discovery.seed_hosts=es01
      - cluster.initial_master_nodes=es01,es02
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
      - xpack.license.self_generated.type=trial
      - xpack.security.enabled=true
      - xpack.security.http.ssl.enabled=true
      - xpack.security.http.ssl.key=$CERTS_DIR/es02/es02.key
      - xpack.security.http.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt
      - xpack.security.http.ssl.certificate=$CERTS_DIR/es02/es02.crt
      - xpack.security.transport.ssl.enabled=true
      - xpack.security.transport.ssl.verification_mode=certificate
      - xpack.security.transport.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt
      - xpack.security.transport.ssl.certificate=$CERTS_DIR/es02/es02.crt
      - xpack.security.transport.ssl.key=$CERTS_DIR/es02/es02.key
      - xpack.security.authc.api_key.enabled=true
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - ./data02:/usr/share/elasticsearch/data
      - ./certs:$CERTS_DIR
    networks:
      - elastic

kib01:
    image: docker.elastic.co/kibana/kibana:${VERSION}
    container_name: kib01
    depends_on: {"es01": {"condition": "service_healthy"}}
    ports:
      - 5601:5601
    environment:
      SERVERNAME: localhost
      ELASTICSEARCH_URL: https://es01:9200
      ELASTICSEARCH_HOSTS: https://es01:9200
      ELASTICSEARCH_USERNAME: kibana_system
      ELASTICSEARCH_PASSWORD: Lu88DZ9M4ujQalyhrEMD
      ELASTICSEARCH_SSL_CERTIFICATEAUTHORITIES: $CERTS_DIR/ca/ca.crt
      SERVER_SSL_ENABLED: "true"
      SERVER_SSL_KEY: $CERTS_DIR/kib01/kib01.key
      SERVER_SSL_CERTIFICATE: $CERTS_DIR/kib01/kib01.crt
    volumes:
      - ./certs:$CERTS_DIR
      - ./kibana.config.yml:/usr/share/kibana/config/kibana.yml
    networks:
      - elastic
volumes:
  data01:
    driver: local
  data02:
    driver: local
  kibana.config.yml:
    driver: local
  certs:
    driver: local

networks:
  elastic:
    driver: bridge

my kibana.config.ylm:

# Default Kibana configuration for docker target
server.name: kibana
server.host: "0"
elasticsearch.hosts: [ "http://elasticsearch:9200" ]
monitoring.ui.container.elasticsearch.enabled: true

xpack.security.enabled: true
xpack.encryptedSavedObjects.encryptionKey: "this-is-not-a-real-key-but-gets-the-job-done"

Now Fleet is available.

thx.

1 Like