UNCLASSIFIED - NO CUI

Skip to content

fix(fluent): disable tls flushes when istio enabled for fluentbit and elastic

Zach Callahan requested to merge ek-213-istio-mtls-fix into master

General MR

Summary

This MR provides a fix necessary for FluentBit to work correctly with in-cluster ElasticSearch when mTLS is explicitly enabled via Istio on the latter. This change is necessary to fully resolve big-bang/product/packages/elasticsearch-kibana#213 (closed).

Relevant logs/screenshots

Prior to this change, when using these values:

istio:
  enabled: true
fluentbit:
  enabled: true
elasticsearchKibana:
  enabled: true
  values:
    istio:
      elasticsearch:
        enabled: true

A user would see errors similar to:

fluent-bit [2024/10/03 18:49:29] [ warn] [engine] failed to flush chunk '1-1727981314.199913773.flb', retry in 37 seconds: task_id=14, input=tail.0 > output=es.0 (out_id=0)
fluent-bit [2024/10/03 18:49:29] [error] [tls] error: unexpected EOF

within the fluentbit containers.

This is due to fluent sending a TLS client hello to envoy when envoy is listening for plaintext HTTP.

With this change, however, fluentbit is directed to make that connection via plaintext HTTP, conforming to envoy's listener behavior and allowing traffic to be tunneled over the envoy mTLS proxy.

NOTE: unless elasticsearch is deployed via the 213-ek-mtls-fix branch, FluentBit will report certificate validation errors, so a proper verification for now also requires these values:

elasticsearchKibana:
  git:
    branch: 213-ek-mtls-fix
    tag: null

Linked Issue

big-bang/product/packages/elasticsearch-kibana#213 (closed)

Upgrade Notices

N/A

Merge request reports

Loading