Kubernetes agent with self signed certificate

deborggraever · August 19, 2022, 7:36am

Hi,

I have installed an on-prem elastic cluster with kibana and fleet.
All use xpack with a self signed root certificate.

I installed elastic agents for logging and metrics on multiple servers (Ubuntu 20.04) where the root certifcate is added to the trusted root certificates, which work fine.

Now for the kubernetes cluster i spend few hours trying to get them working but cannot find a solution. All nodes have the root certificate added to the trusted root certificates, but i keep getting untrusted certificate error and get no data in elastic.

When i shell into the pod and look at filebeat logging, i see the following error:

{"log.level":"error","@timestamp":"2022-08-18T19:42:55.209Z","log.logger":"esclientleg","log.origin":{"file.name":"transport/logging.go","file.line":38},"message":"Error dialing x509: certificate signed by unknown authority","service.name":"filebeat","network":"tcp","address":"elastic-001.xxxx:9200","ecs.version":"1.6.0"}

I also added the root certificate as a kubernetes secret, mounted it into the containers and used env vars to configure the certificate. The documentation about the env vars is not 100% clear to me.

Here is part of the agent deploy manifest:

apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: elastic-agent
  namespace: kube-system
  labels:
    app: elastic-agent
spec:
  selector:
    matchLabels:
      app: elastic-agent
  template:
    metadata:
      labels:
        app: elastic-agent
    spec:
      ...
      containers:
        - name: elastic-agent
          image: docker.elastic.co/beats/elastic-agent:8.3.3
          env:
            - name: FLEET_ENROLL
              value: "1"
            # Set to true in case of insecure or unverified HTTP
            - name: FLEET_INSECURE
              value: "true"
              # The ip:port pair of fleet server
            - name: FLEET_URL
              value: "https://elastic-fleet.xxxx:8220"
              # If left empty KIBANA_HOST, KIBANA_FLEET_USERNAME, KIBANA_FLEET_PASSWORD are needed
            - name: FLEET_ENROLLMENT_TOKEN
              value: "xxxxx"
            - name: FLEET_SERVER_ELASTICSEARCH_CA
              value: /etc/pki/elastic-ca.crt
            - name: ELASTICSEARCH_CA
              value: /etc/pki/elastic-ca.crt
            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
          ...
          volumeMounts:
            ...
            - name: elastic-ca
              mountPath: /etc/pki/elastic-ca.crt
              subPath: elastic-ca.crt
              readOnly: true
      volumes:
        ...
        - name: elastic-ca
          secret:
            secretName: elastic-ca

Any documentation on how to configure self signed certificates for elastic agent on kubernetes?
The agents do show as healthy in fleet, so that part works.

Kind regards,
Randy

deborggraever · August 22, 2022, 12:57pm

After more trying i found a working solution.

I have mounted the custom CA directly into the /etc/ssl/certs folder and removed the env vars for CA.

apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: elastic-agent
  namespace: kube-system
  labels:
    app: elastic-agent
spec:
  selector:
    matchLabels:
      app: elastic-agent
  template:
    metadata:
      labels:
        app: elastic-agent
    spec:
      ...
      containers:
        - name: elastic-agent
          image: docker.elastic.co/beats/elastic-agent:8.3.3
          env:
            - name: FLEET_ENROLL
              value: "1"
            # Set to true in case of insecure or unverified HTTP
            - name: FLEET_INSECURE
              value: "true"
              # The ip:port pair of fleet server
            - name: FLEET_URL
              value: "https://elastic-fleet.xxxx:8220"
              # If left empty KIBANA_HOST, KIBANA_FLEET_USERNAME, KIBANA_FLEET_PASSWORD are needed
            - name: FLEET_ENROLLMENT_TOKEN
              value: "xxxxx"
            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
          ...
          volumeMounts:
            ...
            - name: elastic-ca
              mountPath: /etc/ssl/certs/elastic-ca.crt
              subPath: elastic-ca.crt
              readOnly: true
      volumes:
        ...
        - name: elastic-ca
          secret:
            secretName: elastic-ca

Topic		Replies	Views
Elastic Agent show `Error dialing x509: certificate signed by unknown authority` but it is healthy in fleet Elastic Agent	4	3792	May 5, 2023
Fleet Server - Error - x509: certificate signed by unknown authority Beats docker , fleet	2	2410	October 4, 2021
Elastic-Agent - metricbeat x509 certificate signed by unknown authority Elasticsearch docker , elastic-agent	2	1746	June 12, 2022
How to deploy an elastic-agent in fleet against an elasticsearch with a self-signed certificate? Beats fleet	1	1647	July 19, 2021
Fleet server no data from other elastic agents Beats fleet , elastic-agent	1	379	July 13, 2022

Kubernetes agent with self signed certificate

Related Topics