Problems setting up an Ingress with Elastic ECK

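Problem description

I'm having trouble setting up a working ingress for ElasticSearch on Kubernetes. I'm using its own CustomResourceDefinition, i.e. x.k8s.elastic.co/v1beta1

My elastic.yaml looks like this (ingress.yaml is included at the bottom):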

apiVersion: elasticsearch.k8s.elastic.co/v1beta1
kind: Elasticsearch
metadata:
  name: elasticsearch-test
  namespace: elastic-system
spec:
  version: 7.4.0
  #http:
  #  tls:
  #    certificate:
  #      secretName: tls-secret-test
  http:
    service:
      spec:
        type: ClusterIP
    tls:
      selfSignedCertificate:
        disabled: true
  nodeSets:
  - name: master
    count: 1
    nodeSelector:
      component: elasticsearch
    volumeClaimTemplates:
    - metadata:
        name: elasticsearch-master
      spec:
        accessModes:
        - ReadWriteOnce
        resources:
          requests:
            storage: 5Gi
        storageClassName: multik8s-nfs-storage
    - metadata:
        name: elasticsearch-data
      spec:
        accessModes:
        - ReadWriteOnce
        resources:
          requests:
            storage: 5Gi
        storageClassName: multik8s-nfs-storage
    config:
      node.master: true
      node.data: true
      node.ingest: true
      node.store.allow_mmap: false
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
  name: elasticsearch
  namespace: elastic-system
spec:
  tls:
    - hosts:
      - elasticsearch.foo.bar
      secretName: tls-secret
  rules:
    - host: elasticsearch.foo.bar
      http:
        paths:
          - path: /
            backend:
              serviceName: elasticsearch-test-es-http
              servicePort: 9200

My kibana.yaml looks like this:

apiVersion: kibana.k8s.elastic.co/v1beta1
kind: Kibana
metadata:
  name: kibana-test
  namespace: elastic-system
spec:
  version: 7.4.0
  #http:
  #  tls:
  #    certificate:
  #      secretName: tls-secret-test
  http:
    service:
      spec:
        type: ClusterIP
    tls:
      selfSignedCertificate:
        disabled: true
  count: 1
  elasticsearchRef:
    name: elasticsearch-test
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
  name: kibana
  namespace: elastic-system
spec:
  tls:
    - hosts:
      - kibana.foo.bar
      secretName: tls-secret
  rules:
    - host: kibana.foo.bar
      http:
        paths:
          - path: /
            backend:
              serviceName: kibana-test-kb-http
              servicePort: 5601

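First of all, I do have my own signed TLS certificate that I want to use in the ingress. Oddly, the ingress for kibana works out of the box without any problems. The ingress for elasticsearch only works when I'm on the same network as the k8s cluster, not from outside it.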

curl -u "elastic:$PASSWORD" -k "https://elasticsearch.foo.bar"
curl: (7) Failed to connect to elasticsearch.foo.bar port 443: Connection refused

On the same network I get

curl -u "elastic:$PASSWORD" -k "https://elasticsearch.foo.bar"
{
  "name" : "elasticsearch-test-es-master-0",
  "cluster_name" : "elasticsearch-test",
  "cluster_uuid" : "ulfFb-tjT8KplEBPSglo6w",
  "version" : ...
}

I have already experimented a bit by setting

tls:
  selfSignedCertificate:
    subjectAltNames:
      - dns: elasticsearch.foo.bar

tls:
  certificate:
    secretName: tls-secret-test

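without success... but I guess that is for internal traffic, i.e. between kibana and elasticsearch?

I'm not sure what I'm doing wrong, since it works with Kibana but not with ElasticSearch...

PS: the health of both kibana and elasticsearch is green, i.e.: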

NAME                         HEALTH   NODES   VERSION   PHASE   AGE
elasticsearch-test   green    1       7.4.0     Ready   1d
NAME                  HEALTH   NODES   VERSION   AGE
kibana-test   green    1       7.4.0     1d

Tags: elasticsearch, kibana

Solution


If TLS is disabled, try making the request without https

http:
  service:
    spec:
      type: ClusterIP
  tls:
    selfSignedCertificate:
      disabled: true

With this command

curl -u "elastic:$PASSWORD" -k "http://elasticsearch.foo.bar"

Here is my ingress (works fine without TLS)

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  # remove comment if tls is activated
  # annotations:
  #   nginx.ingress.kubernetes.io/backend-protocol: HTTPS
  #   nginx.ingress.kubernetes.io/secure-backends: "true"
  name: elastic-ingress
spec:
  rules:
  - host: elasticsearch.foo.bar 
    http:
      paths:
      - backend:
          serviceName: 
          servicePort: 9200
        path: /
  tls:
  - hosts:
    - elasticsearch.foo.bar
    secretName: tls
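
An added example, not part of the original answer: a check that the ingress-nginx `backend-protocol` annotation agrees with whether ECK serves TLS on the Elasticsearch HTTP layer, which is the condition the commented-out annotations above depend on. The JSON is a constructed sample shaped like `kubectl get ... -o json` output, reusing the resource names from the question with the HTTPS annotation set while TLS is disabled; the function names are assumptions of this example.

```python
import json

# Constructed sample, trimmed to the fields the check reads and shaped like
# `kubectl get elasticsearch,ingress -n elastic-system -o json` output.
SAMPLE = json.loads("""
{"items": [
 {"kind": "Elasticsearch", "metadata": {"name": "elasticsearch-test"},
  "spec": {"http": {"tls": {"selfSignedCertificate": {"disabled": true}}}}},
 {"kind": "Ingress",
  "metadata": {"name": "elasticsearch", "annotations": {
    "kubernetes.io/ingress.class": "nginx",
    "nginx.ingress.kubernetes.io/backend-protocol": "HTTPS"}},
  "spec": {"rules": [{"host": "elasticsearch.foo.bar", "http": {"paths": [
    {"path": "/", "backend": {"serviceName": "elasticsearch-test-es-http",
                              "servicePort": 9200}}]}}]}}
]}
""")

PROTO = "nginx.ingress.kubernetes.io/backend-protocol"

def es_serves_tls(es):
    """ECK serves HTTPS unless the self-signed cert is disabled and no custom cert is set."""
    tls = es.get("spec", {}).get("http", {}).get("tls", {})
    if tls.get("certificate", {}).get("secretName"):
        return True
    return not tls.get("selfSignedCertificate", {}).get("disabled", False)

def findings(doc):
    """Compare each Ingress backend with the ECK cluster whose HTTP service it targets."""
    items = doc["items"]
    # ECK names the HTTP service <cluster-name>-es-http, as in the question's Ingress.
    tls_by_svc = {e["metadata"]["name"] + "-es-http": es_serves_tls(e)
                  for e in items if e["kind"] == "Elasticsearch"}
    out = []
    for ing in (i for i in items if i["kind"] == "Ingress"):
        name = ing["metadata"]["name"]
        ann = ing["metadata"].get("annotations") or {}
        proto = ann.get(PROTO, "HTTP").upper()  # ingress-nginx proxies plain HTTP by default
        for rule in ing["spec"].get("rules", []):
            for path in rule.get("http", {}).get("paths", []):
                svc = path["backend"].get("serviceName")  # extensions/v1beta1 field
                if svc not in tls_by_svc:
                    continue
                if tls_by_svc[svc] and proto != "HTTPS":
                    out.append((name, "backend serves HTTPS, ingress proxies HTTP"))
                elif not tls_by_svc[svc] and proto == "HTTPS":
                    out.append((name, "backend TLS disabled, ingress proxies HTTPS"))
                elif not tls_by_svc[svc]:
                    out.append((name, "ingress-to-Elasticsearch hop is plaintext"))
    return out
```

With the question's own manifests (TLS disabled, no `backend-protocol` annotation) the check reports the plaintext hop between the ingress controller and Elasticsearch rather than a protocol mismatch.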
