我已经在我的k8s集群上部署了ECK(使用helm(,我正试图按照文档安装elasticsearch。https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-deploy-elasticsearch.html
我已经对外公开了服务/弹性搜索产品http,这样我就可以从我的k8s集群外部连接到它。然而,正如你所看到的,当我试图从curl或浏览器连接到它时,我收到了一个错误";502坏网关";错误
curl elasticsearch.dev.acme.com
<html>
<head><title>502 Bad Gateway</title></head>
<body>
<center><h1>502 Bad Gateway</h1></center>
</body>
</html>
在检查pod(elasticsearch-prod-es-default-0(时,我可以看到以下消息重复出现。
{"类型":"服务器","时间戳":"2021-04-27T13:12:20048Z","级别":"警告","组件":"o.e.x.s.t.n.SecurityNetty4HttpServerTransport","集群名称":"弹性搜索产品","节点名称":-0","消息":"接收明文http tra在https通道上的Office,关闭连接Netty4HttpChannel{localAddress=/10.0.5.81:9200,remoteAddress=/10.10.3.50:46380}"cluster.uuid":"t0mRfv7kREGQhXW9DVM3Vw"node.id":"nCyAItDmSqGZRa3lApsC6g"}
你能帮我理解为什么会发生这种情况以及如何解决吗
我怀疑这与我的TLS配置有关,因为当我禁用TLS时,我可以毫无问题地从外部连接到它。然而,在生产环境中,我认为保持TLS启用很重要?
仅供参考,我可以使用-k标志通过curl转发服务并连接到它。
我尝试过的
- 我已尝试将我的域添加到此处所述的部分https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-http-settings-tls-sans.html#k8s-弹性搜索http服务san
- 我曾尝试使用openssl生成自签名证书,但没有成功。尝试本地连接会返回以下错误消息
卷曲-u";弹性:$PASSWORD"https://localhost:9200"curl:(60(SSL证书问题:无法获取本地颁发者证书更多详细信息请点击此处:https://curl.haxx.se/docs/sslcerts.htmlcurl无法验证服务器的合法性,因此无法建立与它的安全连接。若要了解有关此情况的更多信息,以及如何修复,请访问上面提到的网页。
- 我已尝试使用该工具生成证书https://www.elastic.co/guide/en/elasticsearch/reference/7.9/configuring-tls.html#tls-运输
bin/elasticsearch certutil cabin/elasticsearch certutil cert--ca elastic-stack-ca.12--pem
然后使用生成的.crt和.key创建了一个kubectl机密elastic-tls-cert。但是再次卷曲不带-k的localhost时出现以下错误:
curl--cacert cacert.pem-u"弹性:$PASSWORD"-XGET";https://localhost:9200"curl:(60(SSL证书问题:无法获取本地颁发者证书更多详细信息请点击此处:https://curl.haxx.se/docs/sslcerts.htmlcurl无法验证服务器的合法性,因此无法建立与它的安全连接。若要了解有关此情况的更多信息,以及如何修复,请访问上面提到的网页。
弹性搜索.yml
# This sample sets up an Elasticsearch cluster with 3 nodes.
apiVersion: elasticsearch.k8s.elastic.co/v1
kind: Elasticsearch
metadata:
name: elasticsearch-prod
namespace: elastic-system
spec:
version: 7.12.0
nodeSets:
- name: default
config:
# most Elasticsearch configuration parameters are possible to set, e.g: node.attr.attr_name: attr_value
node.roles: ["master", "data", "ingest", "ml"]
# this allows ES to run on nodes even if their vm.max_map_count has not been increased, at a performance cost
node.store.allow_mmap: false
xpack.security.enabled: true
podTemplate:
metadata:
labels:
# additional labels for pods
foo: bar
spec:
nodeSelector:
acme/node-type: ops
# this changes the kernel setting on the node to allow ES to use mmap
# if you uncomment this init container you will likely also want to remove the
# "node.store.allow_mmap: false" setting above
# initContainers:
# - name: sysctl
# securityContext:
# privileged: true
# command: ['sh', '-c', 'sysctl -w vm.max_map_count=262144']
###
# uncomment the line below if you are using a service mesh such as linkerd2 that uses service account tokens for pod identification.
# automountServiceAccountToken: true
containers:
- name: elasticsearch
# specify resource limits and requests
resources:
limits:
memory: 4Gi
cpu: 1
env:
- name: ES_JAVA_OPTS
value: "-Xms2g -Xmx2g"
count: 3
# # request 2Gi of persistent data storage for pods in this topology element
volumeClaimTemplates:
- metadata:
name: elasticsearch-data
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 250Gi
storageClassName: elasticsearch
# # inject secure settings into Elasticsearch nodes from k8s secrets references
# secureSettings:
# - secretName: ref-to-secret
# - secretName: another-ref-to-secret
# # expose only a subset of the secret keys (optional)
# entries:
# - key: value1
# path: newkey # project a key to a specific path (optional)
http:
service:
spec:
# expose this cluster Service with a LoadBalancer
type: NodePort
# tls:
# selfSignedCertificate:
# add a list of SANs into the self-signed HTTP certificate
subjectAltNames:
# - ip: 192.168.1.2
# - ip: 192.168.1.3
# - dns: elasticsearch.dev.acme.com
# - dns: localhost
# certificate:
# # provide your own certificate
# secretName: elastic-tls-cert
kubectl版本
Client Version: version.Info{Major:"1", Minor:"20", GitVersion:"v1.20.4", GitCommit:"e87da0bd6e03ec3fea7933c4b5263d151aafd07c", GitTreeState:"clean", BuildDate:"2021-02-18T16:12:00Z", GoVersion:"go1.15.8", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"19+", GitVersion:"v1.19.6-eks-49a6c0", GitCommit:"49a6c0bf091506e7bafcdb1b142351b69363355a", GitTreeState:"clean", BuildDate:"2020-12-23T22:10:21Z", GoVersion:"go1.15.5", Compiler:"gc", Platform:"linux/amd64"}
掌舵人名单
NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION
elastic-operator elastic-system 1 2021-04-26 11:18:02.286692269 +0100 BST deployed eck-operator-1.5.0 1.5.0
资源
pod/elastic-operator-0 1/1 Running 0 4h58m 10.0.5.142 ip-10-0-5-71.us-east-2.compute.internal <none> <none>
pod/elasticsearch-prod-es-default-0 1/1 Running 0 9m5s 10.0.5.81 ip-10-0-5-71.us-east-2.compute.internal <none> <none>
pod/elasticsearch-prod-es-default-1 1/1 Running 0 9m5s 10.0.1.128 ip-10-0-1-207.us-east-2.compute.internal <none> <none>
pod/elasticsearch-prod-es-default-2 1/1 Running 0 9m5s 10.0.5.60 ip-10-0-5-71.us-east-2.compute.internal <none> <none>
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR
service/elastic-operator-webhook ClusterIP 172.20.218.208 <none> 443/TCP 26h app.kubernetes.io/instance=elastic-operator,app.kubernetes.io/name=elastic-operator
service/elasticsearch-prod-es-default ClusterIP None <none> 9200/TCP 9m5s common.k8s.elastic.co/type=elasticsearch,elasticsearch.k8s.elastic.co/cluster-name=elasticsearch-prod,elasticsearch.k8s.elastic.co/statefulset-name=elasticsearch-prod-es-default
service/elasticsearch-prod-es-http NodePort 172.20.229.173 <none> 9200:30604/TCP 9m6s common.k8s.elastic.co/type=elasticsearch,elasticsearch.k8s.elastic.co/cluster-name=elasticsearch-prod
service/elasticsearch-prod-es-transport ClusterIP None <none> 9300/TCP 9m6s common.k8s.elastic.co/type=elasticsearch,elasticsearch.k8s.elastic.co/cluster-name=elasticsearch-prod
aws-alb入口控制器
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: elastic-ingress
namespace: elastic-system
annotations:
kubernetes.io/ingress.class: alb
alb.ingress.kubernetes.io/group.name: "<redacted>"
alb.ingress.kubernetes.io/scheme: internet-facing
alb.ingress.kubernetes.io/listen-ports: '[{"HTTP":80,"HTTPS": 443}]'
alb.ingress.kubernetes.io/certificate-arn: <redacted>
alb.ingress.kubernetes.io/tags: Environment=prod,Team=dev
alb.ingress.kubernetes.io/healthcheck-path: /health
alb.ingress.kubernetes.io/healthcheck-interval-seconds: '300'
alb.ingress.kubernetes.io/load-balancer-attributes: access_logs.s3.enabled=true,access_logs.s3.bucket=acme-aws-ingress-logs,access_logs.s3.prefix=dev-ingress
spec:
rules:
- host: elasticsearch.dev.acme.com
http:
paths:
- path: /*
pathType: Prefix
backend:
service:
name: elasticsearch-prod-es-http
port:
number: 9200
# - host: kibana.dev.acme.com
# http:
# paths:
# - path: /*
# pathType: Prefix
# backend:
# service:
# name: kibana-prod-kb-http
# port:
# number: 5601
如果将来有人遇到这个问题,请确保您的入口配置正确。错误消息表明这是入口配置错误。
received plaintext http traffic on an https channel, closing connection
在我的情况下,我使用aws负载均衡器控制器。我不得不在入口附加一个注释,强制连接为HTTPS而不是HTTP。
alb.ingress.kubernetes.io/backend-protocol: "HTTPS"
对于我的情况,这个问题是通过将上面的注释设置到我的入口文件来解决的,它与设置自定义/专用TLS证书无关。
您必须禁用http ssl,为此您必须修改config/elasticsearch.yml文件并将相关变量更改为false:
xpack.security.http.ssl:
enabled: false
keystore.path: certs/http.p12
我的解决方案:http=>https
适用于windows用户ES版本8+运行cmd elastic.bat后弹性用户的密码(用bin/elasticsearch-reset-password -u elastic重置(:
XXXXXXXXXXXX
那么请求使用https代替http,如@royer-adames 所评论