elastic / helm-charts

You know, for Kubernetes
Apache License 2.0

Elastic:Helm - protocol http not respected #1736

Open doug62 opened 1 year ago

doug62 commented 1 year ago

Chart version: 8.5.1

Kubernetes version: NA

Kubernetes provider: E.g. GKE (Google Kubernetes Engine) NA

Helm Version: NA

helm get release output NA

Describe the bug: Previously worked. While trying to disable internal https (https->http via Traefik externally), I assume the elastic/values value for 'protocol: http' would eliminate internal https calls; however, elasticsearch/templates/test/test-elasticsearch-health.yaml

    #!/usr/bin/env bash -e
    curl -XGET --fail --cacert /usr/share/elasticsearch/config/certs/tls.crt -u "elastic:${ELASTIC_PASSWORD}" https://'{{ template "elasticsearch.uname" . }}:{{ .Values.httpPort }}/_cluster/health?{{ .Values.clusterHealthCheckParams }}'

is hard coded to HTTPS. This area should be HTTP; this is preventing pod start/services and Kibana as well.

Steps to reproduce:

1. Helm values: protocol: http
2. helm install
3. See elastic log errors where this call fails

Expected behavior: All internal https should be http for all dependent internal calls when protocol: http

Provide logs and/or server output (if relevant): {"@timestamp":"2022-11-21T20:27:46.853Z", "log.level": "WARN", "message":"received plaintext http traffic on an https channel, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:60256}", "ecs.version": "1.2.0","service.name":"ES_ECS","event.dataset":"elasticsearch.server","process.thread.name":"elasticsearch[elasticsearch-master-0][transport_worker][T#2]","log.logger":"org.elasticsearch.xpack.security.transport.netty4.SecurityNetty4HttpServerTransport","elasticsearch.cluster.uuid":"uanIH6ZeSsyh3QM6rUpYKQ","elasticsearch.node.id":"qXaL4nFqT8i4fhEzVuNNyg","elasticsearch.node.name":"elasticsearch-master-0","elasticsearch.cluster.name":"elasticsearch"}
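A scheme-aware form of the health probe quoted in the report, added here as an example; it is not the chart's own code or a maintainer fix. The function names are hypothetical, the arguments stand in for the rendered values of protocol, elasticsearch.uname, httpPort and clusterHealthCheckParams, and the sample host and query in the usage comment are constructed.

```bash
# Added example, not the chart's code. Arguments stand in for the rendered
# Helm values: protocol, elasticsearch.uname, httpPort, clusterHealthCheckParams.

# Certificate path taken from the test script quoted in the report.
CA_CERT=/usr/share/elasticsearch/config/certs/tls.crt

# Print the health URL for an allowed scheme. Anything else is rejected so a
# typo in values.yaml fails loudly instead of silently changing the transport.
health_check_url() {
  case "$1" in
    http|https)
      printf '%s://%s:%s/_cluster/health?%s\n' "$1" "$2" "$3" "$4" ;;
    *)
      echo "unsupported protocol: '$1' (expected http or https)" >&2
      return 2 ;;
  esac
}

# Usage: run_health_check PROTOCOL HOST PORT PARAMS
# e.g.   run_health_check http elasticsearch-master 9200 'wait_for_status=green'
# The body is a subshell so its variables do not leak into the caller.
run_health_check() (
  url=$(health_check_url "$@") || exit
  : "${ELASTIC_PASSWORD:?ELASTIC_PASSWORD must be set}"
  proto=$1
  set -- -XGET --fail -u "elastic:${ELASTIC_PASSWORD}"
  if [ "$proto" = https ]; then
    # TLS stays verified against the mounted certificate; no -k/--insecure.
    set -- "$@" --cacert "$CA_CERT"
  else
    # Over http the basic-auth header crosses this hop unencrypted.
    echo "warning: sending credentials over plaintext http" >&2
  fi
  curl "$@" "$url"
)
```

With protocol: http the probe no longer attempts a TLS handshake, and with https it still verifies the server certificate rather than skipping validation.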

ghost commented 1 year ago

Ran into the same issue. I planned to use the chart with a certificate in the container, but it did not seem to set up the correct configuration for kibana.yaml for using SSL by default. I used the following configuration:

kibanaConfig:
  kibana.yml: |
    server.publicBaseUrl: https://kibana.example.com
    server.ssl:
      enabled: true
      key: /usr/share/kibana/config/certs/tls.key
      certificate: /usr/share/kibana/config/certs/tls.crt
    elasticsearch.ssl:
      certificateAuthorities: /usr/share/kibana/config/certs/ca.crt
      verificationMode: certificate

based on https://github.com/elastic/helm-charts/blob/main/kibana/examples/security/values.yaml

ishallbethat commented 1 year ago

Can you please support http for the Kibana chart? I saw the crt volume mount was coded in the chart and does not allow conditions to bypass it.

lapwat commented 1 year ago

As per the values.yaml, the default value for protocol is https.

As per the README, the default value for protocol is http.

One of the two should be changed to have coherent documentation.