UNCLASSIFIED - NO CUI

Resolve "elasticsearch endpoint is throwing certificate error"

Kirby Liu requested to merge mtls-elasticsearch into main

General MR

Summary

Enabling Istio requires the Elasticsearch self-signed cert and mTLS to be disabled, or traffic will be double encrypted. These changes allow Istio to handle the mTLS traffic encryption if Istio is enabled.

Relevant logs/screenshots

N/A

Linked Issue

Links to #204 (closed)

Upgrade Notices

The Elasticsearch StatefulSets' update strategy is set to OnDelete, so in order for the changes in this package MR to take effect (i.e. tunneling certificates/mTLS handling through istio-proxy) 1) Istio must be enabled and 2) the Elasticsearch pods need to be manually deleted (for more information see the Kubernetes documentation on StatefulSet update strategies).

kubectl instructions

To get a list of pods that will need to be manually restarted run the following

kubectl get pod -n logging -l elasticsearch.k8s.elastic.co/cluster-name=logging-ek

If availability is important, then you can manually do a rolling upgrade by deleting the pods one by one while waiting for them to restart

kubectl delete pod <name of pods> -n logging

If availability is not important and you want to restart all the pods at once then run the following

kubectl delete pod -n logging -l elasticsearch.k8s.elastic.co/cluster-name=logging-ek

After restarting all the pods and confirming that the pods are back in a ready state, check that elasticsearch cluster health is green by running

kubectl get elasticsearch -n logging
Edited by Kirby Liu
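
The one-by-one restart from the upgrade notice, written as shell functions; this is an added example, not part of the merge request. The retry and timeout values, and the check that each restarted pod lists a container named istio-proxy in its spec, are assumptions.

```shell
#!/bin/sh
# Added example: restart the Elasticsearch pods one at a time (OnDelete strategy).
NS="${NS:-logging}"
SELECTOR="${SELECTOR:-elasticsearch.k8s.elastic.co/cluster-name=logging-ek}"
READY_TIMEOUT="${READY_TIMEOUT:-300s}"   # assumed value, tune per cluster
RETRIES="${RETRIES:-10}"                 # assumed value
RETRY_SLEEP="${RETRY_SLEEP:-5}"          # assumed value, seconds

# Wait until the recreated pod exists and reports Ready. Right after the
# delete the pod may not exist yet, so "kubectl wait" is retried.
wait_ready() {
  attempt=0
  until kubectl wait --for=condition=Ready "$1" -n "$NS" \
        --timeout="$READY_TIMEOUT" >/dev/null 2>&1; do
    attempt=$((attempt + 1))
    [ "$attempt" -ge "$RETRIES" ] && return 1
    sleep "$RETRY_SLEEP"
  done
}

# Succeeds only if the pod spec lists an istio-proxy container (assumption:
# the sidecar is injected as a regular container with that name).
has_sidecar() {
  kubectl get "$1" -n "$NS" -o jsonpath='{.spec.containers[*].name}' \
    | tr ' ' '\n' | grep -qx 'istio-proxy'
}

# Succeeds only if every Elasticsearch resource in the namespace is green.
cluster_green() {
  health=$(kubectl get elasticsearch -n "$NS" -o jsonpath='{.items[*].status.health}')
  [ -n "$health" ] || return 1
  for h in $health; do [ "$h" = "green" ] || return 1; done
}

# Delete each pod, wait for its replacement, and stop at the first failure
# so the remaining pods keep serving.
rolling_restart() {
  pods=$(kubectl get pod -n "$NS" -l "$SELECTOR" -o name) || return 1
  [ -n "$pods" ] || { echo "no pods match $SELECTOR" >&2; return 1; }
  for pod in $pods; do
    echo "restarting $pod"
    kubectl delete "$pod" -n "$NS" || return 1
    wait_ready "$pod" || { echo "$pod not Ready, stopping" >&2; return 1; }
    has_sidecar "$pod" || { echo "$pod has no istio-proxy, stopping" >&2; return 1; }
  done
  cluster_green || { echo "cluster health is not green" >&2; return 1; }
}
```

Source the file and call `rolling_restart`; it returns non-zero as soon as a pod fails to come back Ready, comes back without the sidecar, or the cluster does not report green.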
