Hello.
I want to install opendistro-es on Kubernetes using the Helm chart.
The Helm chart is opendistro-build/helm/opendistro-es at main · opendistro-for-elasticsearch/opendistro-build · GitHub.
Here is my values.yaml:
config:
opendistro_security.ssl.transport.enabled: true
opendistro_security.ssl.transport.keystore_type: PKCS12
opendistro_security.ssl.transport.keystore_filepath: elk-transport-key.pem
opendistro_security.ssl.transport.truststore_type: PKCS12
opendistro_security.ssl.transport.truststore_filepath: elk-transport-crt.pem
opendistro_security.ssl.transport.enforce_hostname_verification: false
opendistro_security.ssl.http.enabled: true
opendistro_security.ssl.http.keystore_type: PKCS12
opendistro_security.ssl.http.keystore_filepath: elk-transport-key.pem
opendistro_security.ssl.http.truststore_type: PKCS12
opendistro_security.ssl.http.truststore_filepath: elk-transport-crt.pem
opendistro_security.ssl.http.clientauth_mode: NONE
I created the keystore and truststore files as shown below.
docker run --rm -v `pwd`:/cacert docker.elastic.co/elasticsearch/elasticsearch:7.3.2 /bin/sh -c " \
elasticsearch-certutil ca --days 3650 --out /cacert/elastic-stack-ca.p12 --pass changeit && \
elasticsearch-certutil cert --ca /cacert/elastic-stack-ca.p12 --ca-pass changeit --days 3650 --out /cacert/elastic-certificates.p12 --pass changeit \
"
And I created the secret as shown below.
kubectl create secret generic elastic-certificates \
--from-file=elk-transport-crt.pem=elastic-certificates.p12 \
--from-file=elk-transport-key.pem=elastic-certificates.p12 \
--from-file=elk-transport-root-ca.pem=elastic-certificates.p12 \
-n opendistro-es-stage
After helm install, there is an error.
The logs are here.
[2020-02-10T06:20:44,552][INFO ][o.e.h.AbstractHttpServerTransport] [opendistro-es-stage-master-0] publish_address {10.244.7.207:9200}, bound_addresses {0.0.0.0:9200}
[2020-02-10T06:20:44,553][INFO ][o.e.n.Node ] [opendistro-es-stage-master-0] started
[2020-02-10T06:20:44,553][INFO ][c.a.o.s.OpenDistroSecurityPlugin] [opendistro-es-stage-master-0] Node started
[2020-02-10T06:20:44,553][INFO ][c.a.o.s.c.ConfigurationRepository] [opendistro-es-stage-master-0] Check if .opendistro_security index exists ...
[2020-02-10T06:20:44,553][INFO ][c.a.o.s.c.ConfigurationRepository] [opendistro-es-stage-master-0] .opendistro_security index does not exist yet, so no need to load config on node startup. Use securityadmin to initialize cluster
[2020-02-10T06:20:44,554][INFO ][c.a.o.s.OpenDistroSecurityPlugin] [opendistro-es-stage-master-0] 4 Open Distro Security modules loaded so far: [Module [type=DLSFLS, implementing class=com.amazon.opendistroforelasticsearch.security.configuration.OpenDistroSecurityFlsDlsIndexSearcherWrapper], Module [type=AUDITLOG, implementing class=com.amazon.opendistroforelasticsearch.security.auditlog.impl.AuditLogImpl], Module [type=MULTITENANCY, implementing class=com.amazon.opendistroforelasticsearch.security.configuration.PrivilegesInterceptorImpl], Module [type=REST_MANAGEMENT_API, implementing class=com.amazon.opendistroforelasticsearch.security.dlic.rest.api.OpenDistroSecurityRestApiActions]]
[2020-02-10T06:20:44,554][INFO ][c.a.o.s.c.ConfigurationRepository] [opendistro-es-stage-master-0] Background init thread started. Install default config?: false
[2020-02-10T06:20:44,591][INFO ][o.e.g.GatewayService ] [opendistro-es-stage-master-0] recovered [0] indices into cluster_state
[2020-02-10T06:20:44,754][ERROR][c.a.o.s.t.OpenDistroSecurityRequestHandler] [opendistro-es-stage-master-0] ElasticsearchException[Illegal parameter in http or transport request found.
This means that one node is trying to connect to another with
a non-node certificate (no OID or security.nodes_dn incorrect configured) or that someone
is spoofing requests. Check your TLS certificate setup as described here: See https://opendistro.github.io/for-elasticsearch-docs/docs/troubleshoot/tls/]
[2020-02-10T06:20:45,617][ERROR][c.a.o.s.t.OpenDistroSecurityRequestHandler] [opendistro-es-stage-master-0] ElasticsearchException[Illegal parameter in http or transport request found.
This means that one node is trying to connect to another with
a non-node certificate (no OID or security.nodes_dn incorrect configured) or that someone
is spoofing requests. Check your TLS certificate setup as described here: See https://opendistro.github.io/for-elasticsearch-docs/docs/troubleshoot/tls/]
What is the problem and how can I fix this problem?
Thanks,
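
An added example, not part of the original post or of the Open Distro project: a small lint over the transport settings posted above. It checks for the `opendistro_security.nodes_dn` setting that the logged error refers to, and also reports disabled hostname verification and PKCS12 stores carried under `.pem` file names. The function names, finding codes and the placeholder DN are assumptions made for illustration.

```python
# Added example (not from the original post): lint flattened
# opendistro_security settings for the causes named in the logged error.

# Transport settings as posted in the values.yaml above.
POSTED = """\
config:
opendistro_security.ssl.transport.enabled: true
opendistro_security.ssl.transport.keystore_type: PKCS12
opendistro_security.ssl.transport.keystore_filepath: elk-transport-key.pem
opendistro_security.ssl.transport.truststore_type: PKCS12
opendistro_security.ssl.transport.truststore_filepath: elk-transport-crt.pem
opendistro_security.ssl.transport.enforce_hostname_verification: false
"""
# Constructed variant: same settings plus a nodes_dn list (placeholder DN).
WITH_NODES_DN = POSTED + "opendistro_security.nodes_dn:\n  - 'CN=placeholder-node'\n"

P = "opendistro_security."

def parse_settings(text):
    """Parse 'key: value' lines; '- item' lines extend the preceding empty key."""
    settings, last = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("- "):
            if isinstance(settings.get(last), list):
                settings[last].append(line[2:].strip().strip("'\""))
            continue
        key, sep, value = line.partition(":")
        if sep:
            last = key.strip()
            settings[last] = value.strip() or []
    return settings

def lint(settings):
    """Return finding codes for the transport-layer TLS settings."""
    findings = []
    if settings.get(P + "ssl.transport.enabled") == "true":
        # The logged error names a missing or incorrect nodes_dn as one cause.
        if not settings.get(P + "nodes_dn"):
            findings.append("nodes_dn_missing")
        if settings.get(P + "ssl.transport.enforce_hostname_verification") == "false":
            findings.append("hostname_verification_disabled")
    for store in ("keystore", "truststore"):
        typ = settings.get(P + f"ssl.transport.{store}_type", "")
        path = settings.get(P + f"ssl.transport.{store}_filepath", "")
        if str(typ).upper() == "PKCS12" and str(path).lower().endswith(".pem"):
            findings.append(f"{store}_pem_name_with_pkcs12_type")
    return findings
```

The lint only reads the settings text; it does not open the keystore, so it cannot tell whether the certificate itself carries the node OID the error message mentions.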