elasticsearch endpoint is throwing certificate error

Elasticsearch endpoint is throwing error (see below) when trying to reach the elasticearch endpoint through the istio virtual service. The enforcement of istio authpolicies, peerauths work that was done previously may require additional configuration changes for elasticsearch to work alongside the mtls istio-proxy.

upstream connect error or disconnect/reset before headers. retried and the latest reset reason: remote connection failure, transport failure reason: TLS_error:|268435581:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED:TLS_error_end:TLS_error_end

added elasticsearch kindbug statusready-to-work teamObservability labels

changed iteration to Big Bang Iterations Sep 3, 2024 - Sep 16, 2024

changed milestone to %2.36.0

removed milestone %2.36.0

added triage-priority label

assigned to @kliu

The error message we're seeing from the Istio proxy sidecar indicates a TLS (Transport Layer Security) handshake failure. Specifically, the error CERTIFICATE_VERIFY_FAILED suggests that the client (Istio proxy) was unable to verify the server's certificate during the TLS handshake.

added statusdoing label and removed statusready-to-work label

changed title from elasticsearch virtual service is throwing an error to elasticsearch endpoint is throwing a certificate error

changed title from elasticsearch endpoint is throwing a certificate error to elasticsearch endpoint is throwing certificate error

set weight to 3

changed title from elasticsearch endpoint is throwing certificate error to elasticsearch endpoint is throwing certificate error, cannot reach

changed the description

changed title from elasticsearch endpoint is throwing certificate error, cannot reach to elasticsearch endpoint is throwing certificate error

Per Elastic Cloud on Kubernetes istio documentation the tls.selfSignedCertificate needs to be disabled if istio is enabled-https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-service-mesh-istio.html#k8s-service-mesh-istio-elasticsearch

added statusreview label and removed statusdoing label

mentioned in merge request !295 (merged)

removed iteration Big Bang Iterations Sep 3, 2024 - Sep 16, 2024

changed iteration to Big Bang Iterations Sep 17, 2024 - Sep 30, 2024

mentioned in merge request big-bang/bigbang!5088 (merged)

with the mr to the elasticsearch package where elasticsearch certificates are handled by istio proxy envoy when istio is enabled, similar configuration for kibana needs to be enabled to allow traffic from elasticsearch to kibana, see issue represents this work: #207 (closed).

added statusblocked label and removed statusreview label

Elasticsearch-kibana gets stuck during the upgrade from 1.18.0-bb.2 to 1.18.0-bb.3, and issue has been open to track: #207 (closed)

marked this issue as blocked by #207 (closed)

added statusreview label and removed statusblocked label

removed statusreview label

added statusdoing label

closed with merge request big-bang/bigbang!5088 (merged)

mentioned in commit big-bang/bigbang@38e64c48

added statusreview label and removed statusdoing label

changed the description

An issue was created to debug sso error as these changes in elasticsearch xpack.security settings conflicted with the sso secret xpack settings that get added to the config causing elasticsearch to fail at startup when sso is enabled. MR to rollback the 1.18.0-bb.3 changes until the sso error issue has been resolved.

mentioned in issue #213 (closed)

removed statusreview label

added statusreview label

removed statusreview label

mentioned in merge request !307 (merged)