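I am trying to deploy Elasticsearch and Kibana to Kubernetes using this chart, and I am getting this error inside the Kibana container, so the ingress returns a 503 error and the container is never ready.
Error: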
[2022-11-08T12:30:53.321+00:00][ERROR][elasticsearch-service] Unable to retrieve version information from Elasticsearch nodes. socket hang up - Local: 10.112.130.148:42748, Remote: 10.96.237.95:9200
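The IP address 10.96.237.95 is a valid Elasticsearch service address, and the port is correct.
When I curl Elasticsearch from inside the Kibana container, it successfully returns a response.
Am I missing something in my configuration?
Chart version: 7.17.3
Values for the elasticsearch chart: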
clusterName: "elasticsearch"
nodeGroup: "master"
createCert: false
roles:
  master: "true"
  data: "true"
  ingest: "true"
  ml: "true"
  transform: "true"
  remote_cluster_client: "true"
protocol: https
replicas: 2
sysctlVmMaxMapCount: 262144
readinessProbe:
  failureThreshold: 3
  initialDelaySeconds: 90
  periodSeconds: 10
  successThreshold: 1
  timeoutSeconds: 10
imageTag: "7.17.3"
extraEnvs:
  - name: ELASTIC_PASSWORD
    valueFrom:
      secretKeyRef:
        name: elasticsearch-creds
        key: password
  - name: ELASTIC_USERNAME
    valueFrom:
      secretKeyRef:
        name: elasticsearch-creds
        key: username
clusterHealthCheckParams: "wait_for_status=green&timeout=20s"
antiAffinity: "soft"
resources:
  requests:
    cpu: "100m"
    memory: "1Gi"
  limits:
    cpu: "1000m"
    memory: "1Gi"
esJavaOpts: "-Xms512m -Xmx512m"
volumeClaimTemplate:
  accessModes: ["ReadWriteOnce"]
  resources:
    requests:
      storage: 30Gi
esConfig:
  elasticsearch.yml: |
    xpack.security.enabled: true
    xpack.security.transport.ssl.enabled: true
    xpack.security.transport.ssl.verification_mode: certificate
    xpack.security.transport.ssl.client_authentication: required
    xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
    xpack.security.transport.ssl.truststore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
    xpack.security.http.ssl.enabled: true
    xpack.security.http.ssl.truststore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
    xpack.security.http.ssl.keystore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
secretMounts:
  - name: elastic-certificates
    secretName: elastic-certificates
    path: /usr/share/elasticsearch/config/certs
Values for the kibana chart:
elasticSearchHosts: "https://elasticsearch-master:9200"
extraEnvs:
  - name: ELASTICSEARCH_USERNAME
    valueFrom:
      secretKeyRef:
        name: elasticsearch-creds
        key: username
  - name: ELASTICSEARCH_PASSWORD
    valueFrom:
      secretKeyRef:
        name: elasticsearch-creds
        key: password
  - name: KIBANA_ENCRYPTION_KEY
    valueFrom:
      secretKeyRef:
        name: encryption-key
        key: encryption_key
kibanaConfig:
  kibana.yml: |
    server.ssl:
      enabled: true
      key: /usr/share/kibana/config/certs/elastic-certificate.pem
      certificate: /usr/share/kibana/config/certs/elastic-certificate.pem
    xpack.security.encryptionKey: ${KIBANA_ENCRYPTION_KEY}
    elasticsearch.ssl:
      certificateAuthorities: /usr/share/kibana/config/certs/elastic-certificate.pem
      verificationMode: certificate
protocol: https
secretMounts:
  - name: elastic-certificate-pem
    secretName: elastic-certificate-pem
    path: /usr/share/kibana/config/certs
imageTag: "7.17.3"
ingress:
  enabled: true
  ingressClassName: nginx
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-issuer
    kubernetes.io/ingress.allow-http: 'false'
  paths:
    - path: /
      pathType: Prefix
      backend:
        serviceName: kibana
        servicePort: 5601
  hosts:
    - host: mydomain.com
      paths:
        - path: /
          pathType: Prefix
          backend:
            serviceName: kibana
            servicePort: 5601
  tls:
    - hosts:
        - mydomain.com
      secretName: mydomain.com
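UPD: I tried another image version (8.4.1); nothing changed, and I am getting the same error. By the way, Logstash is successfully sending logs to this Elasticsearch instance, so I think the problem is in Kibana.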
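Figured it out. It was really painful. I hope these tips will help others:
- xpack.security.http.ssl.enabled should be set to false. I could not find another way around it, but if you do, I would be glad to hear any suggestions. As I see it, you do not need security at the http layer, since kibana connects to elastic via the transport layer (correct me if I am wrong). So xpack.security.transport.ssl.enabled should still be set to true, but xpack.security.http.ssl.enabled should be set to false. (Do not forget to change the protocol field for readinessProbe to http, and to change the protocol for elasticsearch in the kibana chart to http.)
- The ELASTIC_USERNAME env variable is pointless in the elasticsearch chart; only the password is used, and the user is always elastic.
- ELASTICSEARCH_USERNAME in the kibana chart should actually be set to the kibana_systems user, with the corresponding password for that user.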
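An added example, not part of the original posts and not code from the Elastic charts: a small Python check that the settings named in the answer (xpack.security.http.ssl.enabled, the elasticsearch chart's protocol, and the Kibana host URL) agree on one scheme, since a plain-HTTP client against a TLS port is one way to get "socket hang up". It assumes the Kibana chart reads the key spelled exactly elasticsearchHosts and that HTTP-layer TLS is off when the setting is absent; the sample values are constructed from the snippets on this page.

```python
import re

# Constructed samples, reduced from the two values files shown on this page.
ES_VALUES = """\
protocol: https
esConfig:
  elasticsearch.yml: |
    xpack.security.transport.ssl.enabled: true
    xpack.security.http.ssl.enabled: true
"""
KIBANA_VALUES = 'elasticSearchHosts: "https://elasticsearch-master:9200"\n'

def _find(pattern, text, default=None):
    """First capture group of pattern in text, or default when absent."""
    m = re.search(pattern, text, re.MULTILINE)
    return m.group(1) if m else default

def check_schemes(es_values, kibana_values):
    """List every client setting that disagrees with the HTTP-layer TLS setting."""
    problems = []
    # Assumption: HTTP-layer TLS is off when the setting is absent.
    flag = _find(r'^\s*xpack\.security\.http\.ssl\.enabled:\s*(\w+)', es_values, "false")
    want = "https" if flag == "true" else "http"
    # Top-level `protocol` drives the scheme the readiness probe uses.
    probe = _find(r'^protocol:\s*(\w+)', es_values, "http")
    if probe != want:
        problems.append(f"readiness probe uses {probe}, port 9200 serves {want}")
    # Assumption: the Kibana chart reads exactly `elasticsearchHosts`; a key
    # spelled differently is ignored and the chart default URL applies.
    hosts = _find(r'^elasticsearchHosts:\s*"?([^"\n]+)', kibana_values)
    if hosts is None:
        problems.append("elasticsearchHosts not found, chart default URL applies")
        return problems
    for url in (u.strip() for u in hosts.split(",")):
        scheme = url.split("://", 1)[0]
        if scheme != want:
            problems.append(f"kibana host {url} uses {scheme}, port 9200 serves {want}")
    return problems

if __name__ == "__main__":
    for p in check_schemes(ES_VALUES, KIBANA_VALUES):
        print("MISMATCH:", p)
```

Running it against the rendered values before `helm upgrade` shows whether HTTP-layer TLS can stay enabled with consistent client settings.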