Lightrun
question-mark
Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

How to setup ES/Kibana with nginx ingress and SSL enabled?

See original GitHub issue

I followed the secure example, and installed nginx ingress, but I can’t seem to get it working with nginx. Without the TLS, I can connect to it, using http://es.

I’m able to port-forward connect to https://es:9200 but not directly through nginx. I suspect it’s trying to connect to https on port 443, but ES https is running on 9200.

I tried a few things, none of them worked. Does anyone advice or a sample values file?

After creating secrets, I have these values set (snippet):

ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/client-body-buffer-size: 10M
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
  path: /
  #hosts:
  #  - es.localhost
  tls:
    - secretName: elastic-certificates
      hosts:
        - es.localhost

service:
  type: ClusterIP

protocol: https 

esConfig:
  elasticsearch.yml: |
    xpack.security.enabled: true
    xpack.security.transport.ssl.enabled: true
    xpack.security.transport.ssl.verification_mode: certificate
    xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
    xpack.security.transport.ssl.truststore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
    xpack.security.http.ssl.enabled: true
    xpack.security.http.ssl.truststore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
    xpack.security.http.ssl.keystore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12

Issue Analytics

  • State:closed
  • Created 3 years ago
  • Comments:10 (1 by maintainers)

github_iconTop GitHub Comments

6reactions
khanhvu161188commented, Dec 7, 2020

@teebu I finally solved it now. The reason it did not work is when we turn SSL for elasticsearch, the connection from ingress to service will be dropped cause TLS verification is failed. You should modify the ingress in value.yaml like below

ingress:
  enabled: true
  annotations: 
    kubernetes.io/ingress.class: nginx
    kubernetes.io/tls-acme: "true"
    nginx.ingress.kubernetes.io/proxy-ssl-secret: "resources/elastic-certificate-pem"  => need to point to ES certificate pem.
    nginx.ingress.kubernetes.io/proxy-ssl-verify: "false"  => must be false if you use elasticsearch-utils to generate CA.
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" => must be HTTPS
3reactions
connorworkmancommented, Feb 18, 2021

@shamndor This is what works for me with ssl enabled (and a self-signed cert) on kibana and elasticsearch. Elasticsearch:

...
protocol: https
ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: nginx
    kubernetes.io/tls-acme: "true"
    nginx.ingress.kubernetes.io/proxy-ssl-verify: "false"
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
  hosts:
    - elasticsearch.example.com
esConfig:
  elasticsearch.yml: |
    xpack.security.enabled: true
    xpack.security.transport.ssl.enabled: true
    xpack.security.transport.ssl.verification_mode: certificate
    xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
    xpack.security.transport.ssl.truststore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
    xpack.security.http.ssl.enabled: true
    xpack.security.http.ssl.truststore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
    xpack.security.http.ssl.keystore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
...

Kibana:

ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: nginx
    kubernetes.io/tls-acme: "true"
    nginx.ingress.kubernetes.io/proxy-ssl-verify: "false"
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
  hosts:
    - kibana.example.com

You might try setting ingress class or removing some of the other configs to see if that works.

Read more comments on GitHub >

github_iconTop Results From Across the Web

Kubernetes - Exposing Kibana through an Ingress
In this article I will go over the configuration I use that gives me a secure and publicly exposed Kibana backed by Elasticsearch...
Read more >
Kibana with nginx ingress controller in Kubernetes
I feel as though I am missing some sort of setting with either SERVER_BASEPATH and/or my nginx ingress configuration.
Read more >
b. Using an Ingress with NGINX (SSL)
Setting up an ingress for NGINX for the OIG domain on Kubernetes · Create a SSL certificate. a. Generate SSL certificate. b. Create...
Read more >
Monitor and Analyze Nginx Ingress Controller Logs on ...
Kibana Index Management. Click on the Create Template button. Enter the Name for the template and the Index patterns.
Read more >
Run ingress nginx as a reverse proxy for kibana with appid ...
I've read a number of similar questions on here and blogs online, I've tried a number of configuration changes but cannot seem to...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Dev.to Post

No results found

github_iconTop Related Hashnode Post

No results found
Previous page

Readiness probe failed: Error: Got HTTP code 503 but expected a 200

Next page

cannot deploy elasticsearch to kubernetes