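I'm trying to deploy Elasticsearch and Kibana to Kubernetes using this chart, and I get this error inside the Kibana container, so the ingress returns a 503 error and the container never becomes ready.
Error:
[2022-11-08T12:30:53.321+00:00][ERROR][elasticsearch-service] Unable to retrieve version information from Elasticsearch nodes. socket hang up - Local: 10.112.130.148:42748, Remote: 10.96.237.95:9200
The IP address 10.96.237.95 is the valid Elasticsearch service address, and the port is correct.
When I run curl to Elasticsearch from inside the Kibana container, it successfully returns a response.
Am I missing something in my configuration?
Chart version: 7.17.3
Values for the Elasticsearch chart: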
clusterName: "elasticsearch"
nodeGroup: "master"
createCert: false
roles:
  master: "true"
  data: "true"
  ingest: "true"
  ml: "true"
  transform: "true"
  remote_cluster_client: "true"
protocol: https
replicas: 2
sysctlVmMaxMapCount: 262144
readinessProbe:
  failureThreshold: 3
  initialDelaySeconds: 90
  periodSeconds: 10
  successThreshold: 1
  timeoutSeconds: 10
imageTag: "7.17.3"
extraEnvs:
  - name: ELASTIC_PASSWORD
    valueFrom:
      secretKeyRef:
        name: elasticsearch-creds
        key: password
  - name: ELASTIC_USERNAME
    valueFrom:
      secretKeyRef:
        name: elasticsearch-creds
        key: username
clusterHealthCheckParams: "wait_for_status=green&timeout=20s"
antiAffinity: "soft"
resources:
  requests:
    cpu: "100m"
    memory: "1Gi"
  limits:
    cpu: "1000m"
    memory: "1Gi"
esJavaOpts: "-Xms512m -Xmx512m"
volumeClaimTemplate:
  accessModes: ["ReadWriteOnce"]
  resources:
    requests:
      storage: 30Gi
esConfig:
  elasticsearch.yml: |
    xpack.security.enabled: true
    xpack.security.transport.ssl.enabled: true
    xpack.security.transport.ssl.verification_mode: certificate
    xpack.security.transport.ssl.client_authentication: required
    xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
    xpack.security.transport.ssl.truststore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
    xpack.security.http.ssl.enabled: true
    xpack.security.http.ssl.truststore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
    xpack.security.http.ssl.keystore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
secretMounts:
  - name: elastic-certificates
    secretName: elastic-certificates
    path: /usr/share/elasticsearch/config/certs
Values for the Kibana chart:
elasticSearchHosts: "https://elasticsearch-master:9200"
extraEnvs:
  - name: ELASTICSEARCH_USERNAME
    valueFrom:
      secretKeyRef:
        name: elasticsearch-creds
        key: username
  - name: ELASTICSEARCH_PASSWORD
    valueFrom:
      secretKeyRef:
        name: elasticsearch-creds
        key: password
  - name: KIBANA_ENCRYPTION_KEY
    valueFrom:
      secretKeyRef:
        name: encryption-key
        key: encryption_key
kibanaConfig:
  kibana.yml: |
    server.ssl:
      enabled: true
      key: /usr/share/kibana/config/certs/elastic-certificate.pem
      certificate: /usr/share/kibana/config/certs/elastic-certificate.pem
    xpack.security.encryptionKey: ${KIBANA_ENCRYPTION_KEY}
    elasticsearch.ssl:
      certificateAuthorities: /usr/share/kibana/config/certs/elastic-certificate.pem
      verificationMode: certificate
protocol: https
secretMounts:
  - name: elastic-certificate-pem
    secretName: elastic-certificate-pem
    path: /usr/share/kibana/config/certs
imageTag: "7.17.3"
ingress:
  enabled: true
  ingressClassName: nginx
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-issuer
    kubernetes.io/ingress.allow-http: 'false'
  paths:
    - path: /
      pathType: Prefix
      backend:
        serviceName: kibana
        servicePort: 5601
  hosts:
    - host: mydomain.com
      paths:
        - path: /
          pathType: Prefix
          backend:
            serviceName: kibana
            servicePort: 5601
  tls:
    - hosts:
        - mydomain.com
      secretName: mydomain.com
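UPD: Tried it with another image version (8.4.1), nothing changed, I get the same error. By the way, Logstash successfully ships logs to this Elasticsearch instance, so I think the problem is in Kibana.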
2 answers
ao218c7q #1
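Figured it out. It was a total pain. I hope these tips help others:
- xpack.security.http.ssl.enabled should be set to false. I couldn't find another way to solve it, but if you did, I'd be glad to hear any suggestions. As I see it, you don't need security on the HTTP layer, since Kibana connects to Elastic over the transport layer (correct me if I'm wrong). Therefore xpack.security.transport.ssl.enabled should still be set to true, but xpack.security.http.ssl.enabled should be set to false. (Don't forget to change the readinessProbe protocol field to http, and to change the protocol for Elasticsearch in the Kibana chart to http.)
- The ELASTIC_USERNAME env variable is meaningless in the Elasticsearch chart; only the password is used, and the user is always elastic.
- ELASTICSEARCH_USERNAME should actually be set to the kibana_systems user, with the corresponding password for that user.
lx0bsm1f #2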
You need to provide Elasticsearch's self-signed CA to Kibana in kibana.yml
You can, by setting
but it is not recommended for production.
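
An added example, not part of either answer or of the Elastic charts: a small Python check that the scheme Elasticsearch serves on port 9200, the Elasticsearch chart's `protocol` value and the Kibana chart's hosts URL all agree, run on values reduced from the question. It assumes the 7.17 charts' key names and defaults (`elasticsearchHosts`, `protocol: http`); `flat_yaml` and `lint` are hypothetical names.

```python
from urllib.parse import urlsplit

def flat_yaml(text):
    """Collect 'key: value' pairs from an embedded .yml string (indentation ignored)."""
    pairs = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and value.strip():
            pairs[key.strip()] = value.strip()
    return pairs

def lint(es_values, kibana_values):
    """Return findings where the two charts disagree about how port 9200 is served."""
    findings = []
    es_yml = flat_yaml(es_values.get("esConfig", {}).get("elasticsearch.yml", ""))
    kb_yml = flat_yaml(kibana_values.get("kibanaConfig", {}).get("kibana.yml", ""))
    # Elasticsearch 7.x serves plain HTTP on 9200 unless this setting is true.
    http_tls = es_yml.get("xpack.security.http.ssl.enabled", "false") == "true"
    served = "https" if http_tls else "http"
    if not http_tls and es_yml.get("xpack.security.enabled") == "true":
        findings.append("es: HTTP TLS off with security on; "
                        "passwords cross the pod network in cleartext")
    # Assumption: the chart's readiness probe uses `protocol` (default http).
    if es_values.get("protocol", "http") != served:
        findings.append(f"es: 'protocol' must be {served} for the readiness probe")
    # Helm value keys are case-sensitive; a misspelt key falls back to the default.
    for key in kibana_values:
        if key.lower() == "elasticsearchhosts" and key != "elasticsearchHosts":
            findings.append(f"kibana: '{key}' is ignored; the chart reads 'elasticsearchHosts'")
    # Assumption: chart default when the key is absent.
    hosts = kibana_values.get("elasticsearchHosts", "http://elasticsearch-master:9200")
    if urlsplit(hosts).scheme != served:
        findings.append(f"kibana: {hosts} does not match Elasticsearch serving {served}")
    if any(k.endswith("verificationMode") and v == "none" for k, v in kb_yml.items()):
        findings.append("kibana: verificationMode none accepts any certificate")
    return findings

# Constructed sample input, reduced from the values posted in the question.
PAGE_ES = {"protocol": "https", "esConfig": {"elasticsearch.yml":
    "xpack.security.enabled: true\nxpack.security.http.ssl.enabled: true\n"}}
PAGE_KIBANA = {"elasticSearchHosts": "https://elasticsearch-master:9200",
    "kibanaConfig": {"kibana.yml":
        "elasticsearch.ssl:\n  verificationMode: certificate\n"}}

if __name__ == "__main__":
    for finding in lint(PAGE_ES, PAGE_KIBANA):
        print(finding)
```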