Problem with configuring https x-pack

Hello everyone. I'm trying to set up security so that users can log in through Kibana using their username/password. I've run into an x-pack config issue.

My file values.yaml:

  replicas: 2
  resources:
    requests:
      cpu: "2000m"
      memory: "4Gi"
    limits:
      cpu: "2000m"
      memory: "4Gi"
  volumeClaimTemplate:
    storageClassName: local-path
    resources:
      requests:
        storage: 5Gi
  extraEnvs:
    - name: ELASTIC_USERNAME
      valueFrom:
        secretKeyRef:
          name: elastic-credentials
          key: username
    - name: ELASTIC_PASSWORD
      valueFrom:
        secretKeyRef:
          name: elastic-credentials
          key: password
  protocol: https
  esConfig:
    elasticsearch.yml: |
      xpack.security.enabled: true
      xpack.security.transport.ssl.enabled: true
      xpack.security.transport.ssl.verification_mode: certificate
      xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
      xpack.security.transport.ssl.truststore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
      xpack.security.http.ssl.enabled: true
      xpack.security.http.ssl.truststore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
      xpack.security.http.ssl.keystore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
      xpack.security.authc.realms.native.local.order: 0
  secretMounts:
    - name: elastic-certificates
      secretName: elastic-certificates
      path: /usr/share/elasticsearch/config/certs

I'll say right away: if I remove the x-pack configuration, the pods work correctly and the page opens.

What I've done:

  • Generated certificates following the manual on GitHub via the command: make secrets
  • And placed them in the path: /usr/share/elasticsearch/config/certs/ on my master server
  • Created secrets in my namespace:
[root@k8s-efk-master ~]# kubectl -n efk get secrets
NAME                        TYPE                                  DATA   AGE
default-token-l94j7         kubernetes.io/service-account-token   3      8h
elastic-certificate-crt     Opaque                                1      70m
elastic-certificate-pem     Opaque                                1      70m
elastic-certificates        Opaque                                1      70m
elastic-credentials         Opaque                                2      70m
[root@k8s-efk-master ~]# kubectl -n efk get pods
NAME                     READY   STATUS    RESTARTS   AGE
elasticsearch-master-0   0/1     Running   0          61m
elasticsearch-master-1   0/1     Running   0          61m

I checked the pods and they are stuck at:

Events:
  Type     Reason     Age                   From     Message
  ----     ------     ----                  ----     -------
  Warning  Unhealthy  4m4s (x408 over 63m)  kubelet  Readiness probe failed: Waiting for elasticsearch cluster to become ready (request params: "wait_for_status=green&timeout=1s" )
Cluster is not yet ready (request params: "wait_for_status=green&timeout=1s" )

However, in the logs I found such an entry on master-0:

{"type": "server", "timestamp": "2021-12-20T21:14:47,214Z", "level": "INFO", "component": "o.e.c.r.a.AllocationService", "cluster.name": "elasticsearch", "node.name": "elasticsearch-master-0", "message": "Cluster health status changed from [YELLOW] to [GREEN] (reason: [shards started [[.geoip_databases][0]]]).", "cluster.uuid": "oXKAWHR_SgOcpNUhNNB2kw", "node.id": "22--KBu0TtiN13QimTAIiw"  }

I tried to go into the pod to get the status and got results like this:

kubectl exec -it elasticsearch-master-0 bash -n efk

elasticsearch@elasticsearch-master-0:~$ curl -u admin:admin https://elasticsearch-master:9200/_cluster/health?pretty=true
curl: (7) Failed to connect to elasticsearch-master port 9200: Connection refused

elasticsearch@elasticsearch-master-0:~$ curl -u admin:admin https://localhost:9200/_cluster/health?pretty=true
curl: (77) error setting certificate verify locations:
  CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs

Please tell me what I'm doing wrong and maybe I'm missing something?

Resolved. ELASTIC_USERNAME should be equal to: elastic
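
The fix reported above can be checked before deploying. The following is an added example, not part of the original posts or of the Helm chart: it validates a Secret shaped like the output of `kubectl -n efk get secret elastic-credentials -o json`. The function name and the sample values are constructed for illustration, and the whitespace check goes beyond the case in the thread.

```python
import base64
import binascii

# Constructed sample shaped like `kubectl get secret ... -o json` output.
# The values ("admin", "changeme-sample\n") are made up for this example.
SAMPLE_SECRET = {
    "kind": "Secret",
    "metadata": {"name": "elastic-credentials", "namespace": "efk"},
    "data": {
        "username": base64.b64encode(b"admin").decode(),
        "password": base64.b64encode(b"changeme-sample\n").decode(),
    },
}

EXPECTED_USERNAME = "elastic"  # the value reported as the fix in this thread


def check_elastic_credentials(secret):
    """Return a list of findings; an empty list means the Secret passed."""
    findings = []
    decoded = {}
    data = secret.get("data") or {}
    for key in ("username", "password"):
        raw = data.get(key)
        if raw is None:
            findings.append(f"missing key: {key}")
            continue
        try:
            # Secret values are base64-encoded; reject anything malformed.
            decoded[key] = base64.b64decode(raw, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            findings.append(f"{key}: not valid base64-encoded UTF-8")
            continue
        # A stray newline from `echo value | base64` changes the credential.
        if decoded[key] != decoded[key].strip():
            findings.append(f"{key}: leading or trailing whitespace")
    if "username" in decoded and decoded["username"].strip() != EXPECTED_USERNAME:
        findings.append(f"username is not '{EXPECTED_USERNAME}'")
    if "password" in decoded and not decoded["password"].strip():
        findings.append("password is empty")
    return findings


if __name__ == "__main__":
    for finding in check_elastic_credentials(SAMPLE_SECRET):
        print("FAIL:", finding)
```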
