This repository has been archived by the owner on May 16, 2023. It is now read-only.

Enabling security breaks ES endpoints. #1779

Open
andrew-pickin-epi opened this issue Feb 23, 2023 · 0 comments

Chart version: 8.5.1
Kubernetes version: 1.23
Kubernetes provider: EKS
Helm Version: 3.6.3

Output of helm get release:
$ helm3 -n logging get values elasticsearch
USER-SUPPLIED VALUES:
extraEnvs:
- name: xpack.security.enabled
  value: "false"
ingress:
  annotations:
    nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri
    nginx.ingress.kubernetes.io/auth-url: https://$host/oauth2/auth
  className: nginx
  enabled: true
  hosts:
  - host: elastic-expt.epimorphics.net
    paths:
    - path: /
  labels: {}
resources:
  requests:
    cpu: 300m
    memory: 1Gi
volumeClaimTemplate:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 30Gi

Describe the bug:

When security is enabled, ES endpoints do not function.
Nodes fail to communicate.

Steps to reproduce:

Set values as above

Expected behavior:

https should work correctly if security is enabled.

Provide logs and/or server output (if relevant):

$ kubectl -n logging exec -it elasticsearch-master-0  -- bash
Defaulted container "elasticsearch" out of: elasticsearch, configure-sysctl (init)
elasticsearch@elasticsearch-master-0:~$ curl -XGET https://localhost:9200/_cat/indices
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number
elasticsearch@elasticsearch-master-0:~$ curl -XGET -k -u "elastic:${ELASTIC_PASSWORD}" https://localhost:9200/_cat/indices
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number
elasticsearch@elasticsearch-master-0:~$ curl  https://localhost:9200/_cat/indices
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number

With security disabled:

elasticsearch@elasticsearch-master-0:~$ curl  http://localhost:9200/_cat/indices
green open logstash-default-2023.02.19-000001 XwzJFPhdRRSGiQu-6nbEeg 1 1 164067 0 199.3mb  99.6mb
green open logstash-default-2023.02.21-000001 r7chdKQnRtWGJIniqAaHyA 1 1 182690 0 249.1mb 124.5mb
green open logstash-default-2023.02.23-000001 gWiYAVKeQO-hUDANNBp4mQ 1 1 162164 0 246.1mb 132.9mb
green open logstash-default-2023.02.18-000001 Poe4yOMeSm6JZ_WkYPT_iQ 1 1 164114 0 202.5mb 101.2mb
green open logstash-default-2023.02.20-000001 3NEsbm81STi2XpCdvE-rtg 1 1 189173 0   249mb 124.5mb
green open logstash-default-2023.02.17-000001 Da-5_aLBRF22evvP2Qf5Pg 1 1 176245 0   223mb 111.5mb
green open logstash-default-2023.02.22-000001 54cyxuSwT8C7v-quDd4oPw 1 1 172836 0 228.7mb 114.3mb

Any additional context:
Security enabled also means install/upgrade fails to start, as the readiness check fails without protocol:http, and nodes fail to communicate (connection refused).

See also #1778 & #1772
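
The `wrong version number` error in the curl output above is what an OpenSSL client reports when the first bytes it receives are not a TLS record, for example a plaintext HTTP reply. As an added example (not from the issue author or the chart), this Python probe classifies a port as TLS or plaintext HTTP; `probe_listener` and `start_plaintext_stub` are hypothetical names, and the stub is a constructed local listener so the block runs offline.

```python
import socket
import ssl
import threading


def probe_listener(host, port, timeout=3.0):
    """Classify a TCP listener: 'tls', 'plaintext-http', 'closed' or 'unknown'."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # probe only: the goal is to learn which
    ctx.verify_mode = ssl.CERT_NONE   # protocol is spoken, not to trust the peer
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"
    try:
        with ctx.wrap_socket(raw, server_hostname=host):
            return "tls"
    except OSError:                   # ssl.SSLError, timeout or reset: not TLS
        raw.close()
    try:
        with socket.create_connection((host, port), timeout=timeout) as plain:
            plain.sendall(b"GET / HTTP/1.0\r\n\r\n")
            reply = plain.recv(16)
    except OSError:
        return "unknown"
    return "plaintext-http" if reply.startswith(b"HTTP/") else "unknown"


def start_plaintext_stub():
    """Constructed stand-in for an HTTP-only port; returns (server_socket, port)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                with conn:
                    conn.recv(4096)   # ClientHello or HTTP request, ignored
                    conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n")
            except OSError:
                return                # listener closed or peer reset
    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    stub, stub_port = start_plaintext_stub()   # constructed local listener
    print(stub_port, probe_listener("127.0.0.1", stub_port))
```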
