Hello everyone. I'm trying to set up security so that users can log in through Kibana using their username/password. I ran into an X-Pack config issue.
My values.yaml file:
```yaml
replicas: 2
resources:
  requests:
    cpu: "2000m"
    memory: "4Gi"
  limits:
    cpu: "2000m"
    memory: "4Gi"
volumeClaimTemplate:
  storageClassName: local-path
  resources:
    requests:
      storage: 5Gi
extraEnvs:
  - name: ELASTIC_USERNAME
    valueFrom:
      secretKeyRef:
        name: elastic-credentials
        key: username
  - name: ELASTIC_PASSWORD
    valueFrom:
      secretKeyRef:
        name: elastic-credentials
        key: password
protocol: https
esConfig:
  elasticsearch.yml: |
    xpack.security.enabled: true
    xpack.security.transport.ssl.enabled: true
    xpack.security.transport.ssl.verification_mode: certificate
    xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
    xpack.security.transport.ssl.truststore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
    xpack.security.http.ssl.enabled: true
    xpack.security.http.ssl.truststore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
    xpack.security.http.ssl.keystore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
    xpack.security.authc.realms.native.local.order: 0
secretMounts:
  - name: elastic-certificates
    secretName: elastic-certificates
    path: /usr/share/elasticsearch/config/certs
```
I'll say right away: if I remove the X-Pack configuration, the pods work correctly and the page opens.
What I've done:
- Generated certificates following the manual on GitHub via the command: make secrets
- Placed them in the path /usr/share/elasticsearch/config/certs/ on my master server
- Created secrets in my namespace:
```
[root@k8s-efk-master ~]# kubectl -n efk get secrets
NAME                      TYPE                                  DATA   AGE
default-token-l94j7       kubernetes.io/service-account-token   3      8h
elastic-certificate-crt   Opaque                                1      70m
elastic-certificate-pem   Opaque                                1      70m
elastic-certificates      Opaque                                1      70m
elastic-credentials       Opaque                                2      70m
[root@k8s-efk-master ~]# kubectl -n efk get pods
NAME                     READY   STATUS    RESTARTS   AGE
elasticsearch-master-0   0/1     Running   0          61m
elasticsearch-master-1   0/1     Running   0          61m
```
I checked the pods and they are stuck at:
```
Events:
  Type     Reason     Age                   From     Message
  ----     ------     ----                  ----     -------
  Warning  Unhealthy  4m4s (x408 over 63m)  kubelet  Readiness probe failed: Waiting for elasticsearch cluster to become ready (request params: "wait_for_status=green&timeout=1s" )
Cluster is not yet ready (request params: "wait_for_status=green&timeout=1s" )
```
However, in the logs I found this entry on master-0:
```
{"type": "server", "timestamp": "2021-12-20T21:14:47,214Z", "level": "INFO", "component": "o.e.c.r.a.AllocationService", "cluster.name": "elasticsearch", "node.name": "elasticsearch-master-0", "message": "Cluster health status changed from [YELLOW] to [GREEN] (reason: [shards started [[.geoip_databases][0]]]).", "cluster.uuid": "oXKAWHR_SgOcpNUhNNB2kw", "node.id": "22--KBu0TtiN13QimTAIiw" }
```
I tried to go into the pod to get the status and got results like this:
```
kubectl exec -it elasticsearch-master-0 bash -n efk
elasticsearch@elasticsearch-master-0:~$ curl -u admin:admin https://elasticsearch-master:9200/_cluster/health?pretty=true
curl: (7) Failed to connect to elasticsearch-master port 9200: Connection refused
elasticsearch@elasticsearch-master-0:~$ curl -u admin:admin https://localhost:9200/_cluster/health?pretty=true
curl: (77) error setting certificate verify locations:
  CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
```
Please tell me what I'm doing wrong. Maybe I'm missing something?