Closed Butters646 closed 5 years ago
elasticsearch:
auth:
enabled: false
needs to be true.
I thought I had that set. Retried it with enabled: true.
I see these env vars configured in the daemon set:
{
"name": "OUTPUT_USER",
"value": "elastic"
},
{
"name": "OUTPUT_PASSWORD",
"value": "mypassword"
},
I am still getting the same error in the pods however:
2019-06-12 15:12:23 +0000 [error]: unexpected error error_class=Faraday::SSLError error="SSL_connect returned=1 errno=0 state=error: certificate verify failed (OpenSSL::SSL::SSLError) Unable to verify certificate. This may be an issue with the remote host or with Excon. Excon has certificates bundled, but these can be customized:\n\n Excon.defaults[:ssl_ca_path] = path_to_certs
\n ENV['SSL_CERT_DIR'] = path_to_certs
\n Excon.defaults[:ssl_ca_file] = path_to_file
\n ENV['SSL_CERT_FILE'] = path_to_file
\n Excon.defaults[:ssl_verify_callback] = callback
\n (see OpenSSL::SSL::SSLContext#verify_callback)\nor:\n Excon.defaults[:ssl_verify_peer] = false
(less secure).\n
Do you use a self signed cert? If so, "ssl_verify true" should be false. I'll add an config option for this...
@bartlettc22 as you've implemented this in https://github.com/kiwigrid/helm-charts/pull/41/files and i don't use an ssl secured es server, can you help here?
I am not using self signed certs. I use certs that I generated via the ES cert utility.
https://www.elastic.co/guide/en/elasticsearch/reference/current/certutil.html
First I generated the CA which I used to create the cert for the ES. For kibana I created a secret with the CA cert in pem format. There were specific values you needed to use with kibana chart to get the cert in the right spot on the pod, but I was able to get it working.
I was looking for something similar to do with the fluentd scraper, but couldn't figure out how to do it.
This pretty much sounds like you're creating a self signed cert as you use your own CA.
If you want to use a real cert create a CSR and send it to a trusted CA. This will cost you money.
Workaround could be a free letsencrypt certificate.
See: https://www.elastic.co/de/blog/x-pack-security-for-elasticsearch-with-lets-encrypt-certificates
Ok. I guess that setting says to ignore ssl cert errors? I went in and manually changed the configmap to set ssl_verify false. The pods now startup fine and go green but I see this error in the logs:
2019-06-12 23:39:18 +0000 [warn]: [elasticsearch] failed to flush the buffer. retry_time=1 next_retry_seconds=2019-06-12 23:39:19 +0000 chunk="58b28eb0053b15224b7edc2b969a3cd6" error_class=Fluent::Plugin::ElasticsearchOutput::RecoverableRequestFailure error="could not push logs to Elasticsearch cluster ({:host=>\"elasticsearch-master\", :port=>9200, :scheme=>\"https\", :user=>\"elastic\", :password=>\"obfuscated\"}): read timeout reached"
I double checked the username and password on the pod's env are the correct creds for the es cluster.
No, if ssl_verify = false it allows self signed certificates. If you have questions about this, ask in the plugin repo issue tracker: https://github.com/uken/fluent-plugin-elasticsearch#user-password-path-scheme-ssl_verify
You're pushing your logs to "elasticsearch-master". Seems wrong to me. At least it would be in the stable/elasticsearch chart. Should be "elasticsearch-client".
In version 4.0.0 of the chart there is a sslVerify config flag available now. See: https://github.com/kiwigrid/helm-charts/pull/121
I am using the ES helm chart for the official ES docker image - https://github.com/elastic/helm-charts/tree/master/elasticsearch
It creates a stateful set with three pods and a service:
apiVersion: v1
kind: Service
metadata:
creationTimestamp: "2019-05-31T22:20:34Z"
name: elasticsearch-master
namespace: logging
resourceVersion: "49137365"
selfLink: /api/v1/namespaces/logging/services/elasticsearch-master
uid: 4f2cf835-83f2-11e9-8482-0279ebfe8b36
spec:
clusterIP: 10.16.30.141
ports:
- name: http
port: 9200
protocol: TCP
targetPort: 9200
- name: transport
port: 9300
protocol: TCP
targetPort: 9300
selector:
app: elasticsearch-master
chart: elasticsearch-7.1.0
heritage: Tiller
release: elasticsearch
sessionAffinity: None
type: ClusterIP
status:
loadBalancer: {}
I've edited your post again. Please use code tags in the future ;-)
It seems the current fluentd / fluentd-elasticsearch plugin is not supporting ES 7.1 yet. Could you test with ES version 6.7 please?
I'll update the image in a bit.
Please test with the newest build of the image from my private repo.
registry.hub.docker.com/monotek/fluentd-elasticsearch:28
PR to kubernetes repo: https://github.com/kubernetes/kubernetes/pull/79014
It's working now with your image. Thank you so much for your help!
One thing I did notice is when set sslVerify: false under elasticsearch in the values.yaml file, the output.conf file in the configmap still had ssl_verify true in it. I had to edit it manually again. Maybe I wasn't using the latest version of chart? I just ran the install command again. Did I need to update something? (I am not a helm expert.)
You need to do a "helm repo update" before the install so the newest version of the chart is used.
Can we close this? The updated image will be avialable via this pr: https://github.com/kiwigrid/helm-charts/pull/125
Yes. I think my issues have been resolved. Thanks again.
Is this a request for help?: Yes
Version of Helm and Kubernetes:
Client: &version.Version{SemVer:"v2.11.0", GitCommit:"2e55dbe1fdb5fdb96b75ff144a339489417b146b", GitTreeState:"clean"} Server: &version.Version{SemVer:"v2.11.0", GitCommit:"2e55dbe1fdb5fdb96b75ff144a339489417b146b", GitTreeState:"clean"}
Which chart in which version:
What happened:
I tried to setup the chart by passing in the CA certificate I use with kibana in the pem format. When the pods start up they crash with this error:
2019-06-10 15:10:36 +0000 [error]: unexpected error error_class=Faraday::SSLError error="SSL_connect returned=1 errno=0 state=error: certificate verify failed (OpenSSL::SSL::SSLError) Unable to verify certificate. This may be an issue with the remote host or with Excon. Excon has certificates bundled, but these can be customized:\n\n
Excon.defaults[:ssl_ca_path] = path_to_certs
\nENV['SSL_CERT_DIR'] = path_to_certs
\nExcon.defaults[:ssl_ca_file] = path_to_file
\nENV['SSL_CERT_FILE'] = path_to_file
\nExcon.defaults[:ssl_verify_callback] = callback
\n (see OpenSSL::SSL::SSLContext#verify_callback)\nor:\nExcon.defaults[:ssl_verify_peer] = false
(less secure).\n"The docs are unclear on what format the cert is needed in and where it should be placed. It seems just giving it what kibana uses is not correct.
What you expected to happen:
Pods start successfully and communicate with ES.
How to reproduce it (as minimally and precisely as possible):
I installed a secure version of ES off this chart:
https://github.com/elastic/helm-charts/tree/6.5.2-alpha1/elasticsearch#security
ES seems to working, the cluster is green. I also have been able to get kibana to talk to it.
Anything else we need to know: