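I'm trying to deploy elasticsearch and kibana to kubernetes using this chart, and I get this error inside the kibana container, so the ingress returns a 503 error and the container never becomes ready.
Error: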
[2022-11-08T12:30:53.321+00:00][ERROR][elasticsearch-service] Unable to retrieve version information from Elasticsearch nodes. socket hang up - Local: 10.112.130.148:42748, Remote: 10.96.237.95:9200
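The IP address 10.96.237.95 is the valid elasticsearch service address, and the port is correct.
When I curl elasticsearch from inside the kibana container, it returns a response successfully.
Am I missing something in my configuration?
Chart version: 7.17.3
Values for the elasticsearch chart: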
clusterName: "elasticsearch"
nodeGroup: "master"
createCert: false
roles:
  master: "true"
  data: "true"
  ingest: "true"
  ml: "true"
  transform: "true"
  remote_cluster_client: "true"
protocol: https
replicas: 2
sysctlVmMaxMapCount: 262144
readinessProbe:
  failureThreshold: 3
  initialDelaySeconds: 90
  periodSeconds: 10
  successThreshold: 1
  timeoutSeconds: 10
imageTag: "7.17.3"
extraEnvs:
  - name: ELASTIC_PASSWORD
    valueFrom:
      secretKeyRef:
        name: elasticsearch-creds
        key: password
  - name: ELASTIC_USERNAME
    valueFrom:
      secretKeyRef:
        name: elasticsearch-creds
        key: username
clusterHealthCheckParams: "wait_for_status=green&timeout=20s"
antiAffinity: "soft"
resources:
  requests:
    cpu: "100m"
    memory: "1Gi"
  limits:
    cpu: "1000m"
    memory: "1Gi"
esJavaOpts: "-Xms512m -Xmx512m"
volumeClaimTemplate:
  accessModes: ["ReadWriteOnce"]
  resources:
    requests:
      storage: 30Gi
esConfig:
  elasticsearch.yml: |
    xpack.security.enabled: true
    xpack.security.transport.ssl.enabled: true
    xpack.security.transport.ssl.verification_mode: certificate
    xpack.security.transport.ssl.client_authentication: required
    xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
    xpack.security.transport.ssl.truststore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
    xpack.security.http.ssl.enabled: true
    xpack.security.http.ssl.truststore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
    xpack.security.http.ssl.keystore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
secretMounts:
  - name: elastic-certificates
    secretName: elastic-certificates
    path: /usr/share/elasticsearch/config/certs
Values for the kibana chart:
elasticSearchHosts: "https://elasticsearch-master:9200"
extraEnvs:
  - name: ELASTICSEARCH_USERNAME
    valueFrom:
      secretKeyRef:
        name: elasticsearch-creds
        key: username
  - name: ELASTICSEARCH_PASSWORD
    valueFrom:
      secretKeyRef:
        name: elasticsearch-creds
        key: password
  - name: KIBANA_ENCRYPTION_KEY
    valueFrom:
      secretKeyRef:
        name: encryption-key
        key: encryption_key
kibanaConfig:
  kibana.yml: |
    server.ssl:
      enabled: true
      key: /usr/share/kibana/config/certs/elastic-certificate.pem
      certificate: /usr/share/kibana/config/certs/elastic-certificate.pem
    xpack.security.encryptionKey: ${KIBANA_ENCRYPTION_KEY}
    elasticsearch.ssl:
      certificateAuthorities: /usr/share/kibana/config/certs/elastic-certificate.pem
      verificationMode: certificate
protocol: https
secretMounts:
  - name: elastic-certificate-pem
    secretName: elastic-certificate-pem
    path: /usr/share/kibana/config/certs
imageTag: "7.17.3"
ingress:
  enabled: true
  ingressClassName: nginx
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-issuer
    kubernetes.io/ingress.allow-http: 'false'
  paths:
    - path: /
      pathType: Prefix
      backend:
        serviceName: kibana
        servicePort: 5601
  hosts:
    - host: mydomain.com
      paths:
        - path: /
          pathType: Prefix
          backend:
            serviceName: kibana
            servicePort: 5601
  tls:
    - hosts:
        - mydomain.com
      secretName: mydomain.com
UPD: Tried another image version (8.4.1); nothing changed, I get the same error. By the way, logstash is successfully sending logs to this elasticsearch instance, so I think the problem is in kibana.
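
Figured it out. It was really painful. I hope these tips help others:

xpack.security.http.ssl.enabled should be set to false. I couldn't find another way, but if you did, I'd be glad to hear any suggestions. As I see it, you don't need security at the http layer, since kibana connects to elastic through the transport layer (correct me if I'm wrong). So xpack.security.transport.ssl.enabled should still be set to true, but xpack.security.http.ssl.enabled should be set to false. (Don't forget to change the protocol field of the readinessProbe to http, and to change the elasticsearch protocol in the kibana chart to http.)

The ELASTIC_USERNAME env variable is pointless in the elasticsearch chart; only the password is used, and the user is always elastic.

ELASTICSEARCH_USERNAME should actually be set to the kibana_systems user, with the corresponding password for that user.

You need to provide Elasticsearch's self-signed CA to Kibana in kibana.yml:
elasticsearch.ssl.certificateAuthorities: "/path/cert.ca"
You can test by setting
elasticsearch.ssl.verificationMode: "none"
but that is not recommended for production.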
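
My elasticsearch api host is https on 9200, so I followed the steps below to get the kibana portal working:
Reset the password for kibana from the elasticsearch installation directory:
.\elasticsearch-reset-password.bat -u kibana_system --auto
Uncommented the following entries in kibana.yml. Added https for the host, and the new password:
elasticsearch.hosts: "https://localhost:9200"
elasticsearch.username: "kibana_system"
elasticsearch.password: "
Set elasticsearch.ssl.verificationMode: none
Started kibana.bat from the kibana installation folder and waited for it to say http server running on localhost:5601
Log in with the elastic username and password; yes, elastic, not kibana.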
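
An added example, not part of any answer above: a small Python probe that attempts the TLS handshake to the Elasticsearch HTTP port under each elasticsearch.ssl.verificationMode value, so a CA, hostname or protocol mismatch is reported explicitly and TLS can stay enabled. The names context_for and probe are hypothetical, and the mapping of Kibana's modes onto Python's ssl settings is an approximation assumed here.

```python
import socket
import ssl

# Assumed Python equivalents of Kibana's elasticsearch.ssl.verificationMode values.
MODES = ("full", "certificate", "none")


def context_for(mode, ca_file=None):
    """Build a client TLS context that mirrors one verificationMode value."""
    if mode not in MODES:
        raise ValueError(f"unknown verificationMode: {mode!r}")
    # ca_file plays the role of elasticsearch.ssl.certificateAuthorities;
    # with None the system trust store is used.
    ctx = ssl.create_default_context(cafile=ca_file)
    if mode == "certificate":
        ctx.check_hostname = False       # chain is verified, hostname is not
    elif mode == "none":
        ctx.check_hostname = False       # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE  # nothing is verified
    return ctx


def probe(host, port, mode, ca_file=None, timeout=5.0):
    """Attempt a TLS handshake and classify the outcome as a short string."""
    try:
        ctx = context_for(mode, ca_file)
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return f"ok: {tls.version()}"
    except ssl.SSLCertVerificationError as exc:
        # Wrong or missing CA, expired certificate, or hostname mismatch.
        return f"cert-verify-failed: {exc.verify_message}"
    except ssl.SSLError as exc:
        # The peer did not complete a TLS handshake, e.g. it speaks plain HTTP.
        return f"tls-handshake-failed: {exc.reason or type(exc).__name__}"
    except OSError as exc:
        # Refused, reset, timed out, or an unreadable CA file.
        return f"connect-failed: {type(exc).__name__}"


if __name__ == "__main__":
    import sys
    # Usage: python probe.py <host> <port> [ca.pem]
    ca = sys.argv[3] if len(sys.argv) > 3 else None
    for m in MODES:
        print(f"{m:12} -> {probe(sys.argv[1], int(sys.argv[2]), m, ca)}")
```

If "none" succeeds while "certificate" reports cert-verify-failed, the CA file given to Kibana does not match the certificate Elasticsearch serves on its HTTP port; fixing that file lets verification stay on.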