We will install Elasticsearch and Kibana as well as set up basic security for the Elastic Stack plus secured HTTPS traffic.
Pre-requisites
We are using our Kubernetes homelab in this article.
Configuration files used in this article can be found on GitHub. Clone the following repository:
$ git clone https://github.com/lisenet/kubernetes-homelab.git
$ cd ./kubernetes-homelab/kubernetes/elasticsearch/
The Plan
- Install Helm.
- Create an internal Certificate Authority (CA).
- Create a wildcard certificate for Elasticsearch signed by the CA.
- Install Elasticsearch 7.17 using Helm.
- Install Kibana 7.17 using Helm.
Install Helm
On a Debian-based OS, do the following:
$ curl https://baltocdn.com/helm/signing.asc | sudo apt-key add -
$ sudo apt-get install -y apt-transport-https
$ echo "deb https://baltocdn.com/helm/stable/debian/ all main" | sudo tee /etc/apt/sources.list.d/helm-stable-debian.list
$ sudo apt-get update
$ sudo apt-get install -y helm
Add Helm repository:
$ helm repo add elastic https://helm.elastic.co
Create Internal Certificate Authority (CA)
This section covers steps required to create a Root CA. Note that we have done this for the homelab environment here.
Generate a Root CA that is valid for 10 years:
$ openssl req -newkey rsa:2048 -keyout homelab-ca.key -nodes -x509 -days 3650 -out homelab-ca.crt
Verify X509v3 extensions:
$ openssl x509 -text -noout -in homelab-ca.crt | grep CA
CA:TRUE
Create a wildcard certificate signed by the Root CA to be used with Elasticsearch and Kibana:
$ DOMAIN="wildcard.hl.test"
$ openssl genrsa -out "${DOMAIN}".key 2048 && chmod 0600 "${DOMAIN}".key
Generate a Certificate Signing Request (CSR):
$ openssl req -new -sha256 -key "${DOMAIN}".key -out "${DOMAIN}".csr
Sign the request with the Root CA:
$ openssl x509 -req -in "${DOMAIN}".csr -CA homelab-ca.crt -CAkey homelab-ca.key -CAcreateserial -out "${DOMAIN}".crt -days 1825 -sha256
Optional: import the Root CA into your browser.
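The same steps run without prompts, followed by the checks worth making before the files go into a Secret, as an added example that is not from the original article: the certificate chains to the CA, the private key matches it, and whether a subjectAltName is present (browsers match host names against the SAN only, and the signing command above does not add one). The subject names, the san.ext file and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the article: the CA and certificate steps run
# without prompts in a scratch directory, followed by checks on the result.
# Assumed values: subjects "homelab-ca" and "*.hl.test", file name san.ext.

has_san() {   # prints yes/no: does certificate $1 carry a subjectAltName?
    if openssl x509 -in "$1" -noout -text |
        grep -q 'Subject Alternative Name'
    then echo yes; else echo no; fi
}

make_and_check() (
    domain="wildcard.hl.test"
    tmp=$(mktemp -d) || exit 1
    trap 'rm -rf "$tmp"' EXIT          # throwaway keys are not left behind
    cd "$tmp" || exit 1

    # Root CA, leaf key and CSR as in the article; -subj replaces the prompts.
    openssl req -newkey rsa:2048 -keyout homelab-ca.key -nodes -x509 \
        -days 3650 -subj "/CN=homelab-ca" -out homelab-ca.crt 2>/dev/null
    openssl genrsa -out "${domain}.key" 2048 2>/dev/null
    chmod 0600 "${domain}.key"
    openssl req -new -sha256 -key "${domain}.key" -subj "/CN=*.hl.test" \
        -out "${domain}.csr"

    # Signed exactly as in the article: no extension file is supplied.
    openssl x509 -req -in "${domain}.csr" -CA homelab-ca.crt \
        -CAkey homelab-ca.key -CAcreateserial -out plain.crt \
        -days 1825 -sha256 2>/dev/null

    # Assumption: the same command plus an extension file that adds a SAN.
    printf 'subjectAltName=DNS:*.hl.test\n' > san.ext
    openssl x509 -req -in "${domain}.csr" -CA homelab-ca.crt \
        -CAkey homelab-ca.key -CAcreateserial -out "${domain}.crt" \
        -days 1825 -sha256 -extfile san.ext 2>/dev/null

    # Check 1: the certificate chains to the root CA.
    openssl verify -CAfile homelab-ca.crt "${domain}.crt" >/dev/null 2>&1 \
        && chain=ok || chain=FAIL

    # Check 2: key and certificate hold the same public key.
    crt_pub=$(openssl x509 -in "${domain}.crt" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "${domain}.key" -pubout | openssl sha256)
    [ "$crt_pub" = "$key_pub" ] && key=ok || key=FAIL

    # Check 3: which of the two certificates carries a subjectAltName.
    echo "chain=$chain key=$key san_plain=$(has_san plain.crt)" \
        "san_ext=$(has_san "${domain}.crt")"
)

make_and_check
```

The Elasticsearch and Kibana settings later in the article use the "certificate" verification mode, which checks the chain but not the host name, so the missing SAN only shows up in clients that do verify the name.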
Install Elasticsearch on Kubernetes
Create logging namespace:
$ kubectl create namespace logging
Create a secret to store Elasticsearch credentials:
$ kubectl apply -f ./elastic-credentials-secret.yml
Create a secret to store Elasticsearch SSL certificates. We are using the Root CA to sign the certificate.
$ kubectl apply -f ./elastic-certificates-secret.yml
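One way to build such a Secret from PEM files and confirm that every value decodes back to PEM, which is what Elasticsearch and Kibana expect to find at the mounted paths (an added example, not the repository's elastic-certificates-secret.yml). The Secret type, the function names and the placeholder PEM text are assumptions; the key names follow the file paths used in the values files in this article.

```shell
#!/bin/sh
# Added example, not the repository's elastic-certificates-secret.yml.
# Assumed: Secret type Opaque; key names follow the paths in the values files.
# The PEM text written by demo() is a constructed placeholder, not a real key.

render_secret() {   # $1: directory holding tls.key, tls.crt, homelab-ca.crt
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n'
    printf '  name: elastic-certificates\n  namespace: logging\n'
    printf 'type: Opaque\ndata:\n'
    for f in tls.key tls.crt homelab-ca.crt; do
        # One unwrapped base64 line per file, BEGIN/END lines included.
        printf '  %s: %s\n' "$f" "$(base64 < "$1/$f" | tr -d '\n')"
    done
}

# The mounted files are read as PEM text, so a value must decode to bytes
# whose first line starts with "-----BEGIN ".
classify_value() {
    if printf '%s' "$1" | base64 -d 2>/dev/null | head -n 1 |
        grep -q '^-----BEGIN '
    then echo pem; else echo not-pem; fi
}

check_manifest() {  # manifest on stdin -> one "key=pem|not-pem" line per entry
    awk '/^data:/ {d=1; next} /^[^ ]/ {d=0}
         d {sub(/:$/, "", $1); print $1, $2}' |
    while read -r key value; do
        printf '%s=%s\n' "$key" "$(classify_value "$value")"
    done
}

demo() (            # $1: "good" or "bad"
    tmp=$(mktemp -d) || exit 1
    trap 'rm -rf "$tmp"' EXIT
    body="Q09OU1RSVUNURUQtU0FNUExF"      # base64 of "CONSTRUCTED-SAMPLE"
    for f in tls.key tls.crt homelab-ca.crt; do
        printf '%s\n' "-----BEGIN CONSTRUCTED SAMPLE-----" "$body" \
            "-----END CONSTRUCTED SAMPLE-----" > "$tmp/$f"
    done
    if [ "$1" = bad ]; then
        # Failure mode: the PEM body pasted as the value instead of the
        # encoded file, so the mounted tls.crt would not contain PEM.
        render_secret "$tmp" | sed "s|^  tls.crt: .*|  tls.crt: $body|"
    else
        render_secret "$tmp"
    fi | check_manifest
)

demo good
demo bad
```

To run the same check against a live cluster, pipe the output of kubectl get secret elastic-certificates -n logging -o yaml into check_manifest.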
By default, the Elasticsearch security features are disabled when we have a basic license. To enable security features, we will use the xpack.security.enabled setting.
In order to enable TLS/SSL on the HTTP networking layer, which Elasticsearch uses to communicate with other clients, we will use the xpack.security.http.ssl.enabled setting.
Create a values file values-elasticsearch.yml for Elasticsearch:
---
clusterName: "elasticsearch"
nodeGroup: "master"
roles:
  master: "true"
  ingest: "true"
  data: "true"
  remote_cluster_client: "true"
  ml: "true"
replicas: 1
minimumMasterNodes: 1
protocol: https
httpPort: 9200
imagePullPolicy: "IfNotPresent"
extraEnvs:
  - name: "ELASTIC_PASSWORD"
    valueFrom:
      secretKeyRef:
        name: "elastic-credentials"
        key: "password"
  - name: "ELASTIC_USERNAME"
    valueFrom:
      secretKeyRef:
        name: "elastic-credentials"
        key: "username"
esConfig:
  elasticsearch.yml: |
    xpack.security.enabled: "true"
    xpack.security.transport.ssl.enabled: "true"
    xpack.security.transport.ssl.supported_protocols: "TLSv1.2"
    xpack.security.transport.ssl.client_authentication: "none"
    xpack.security.transport.ssl.key: "/usr/share/elasticsearch/config/certs/tls.key"
    xpack.security.transport.ssl.certificate: "/usr/share/elasticsearch/config/certs/tls.crt"
    xpack.security.transport.ssl.certificate_authorities: "/usr/share/elasticsearch/config/certs/homelab-ca.crt"
    xpack.security.transport.ssl.verification_mode: "certificate"
    xpack.security.http.ssl.enabled: "true"
    xpack.security.http.ssl.supported_protocols: "TLSv1.2"
    xpack.security.http.ssl.client_authentication: "none"
    xpack.security.http.ssl.key: "/usr/share/elasticsearch/config/certs/tls.key"
    xpack.security.http.ssl.certificate: "/usr/share/elasticsearch/config/certs/tls.crt"
    xpack.security.http.ssl.certificate_authorities: "/usr/share/elasticsearch/config/certs/homelab-ca.crt"
secretMounts:
  - name: "elastic-certificates"
    secretName: "elastic-certificates"
    path: "/usr/share/elasticsearch/config/certs"
    defaultMode: "0755"
resources:
  requests:
    cpu: "250m"
    memory: "2Gi"
  limits:
    cpu: "1000m"
    memory: "4Gi"
volumeClaimTemplate:
  accessModes: ["ReadWriteOnce"]
  storageClassName: "freenas-nfs-csi"
  resources:
    requests:
      storage: 64Gi
service:
  enabled: true
  labels: {}
  labelsHeadless: {}
  type: LoadBalancer
  nodePort: ""
  annotations: {}
  httpPortName: https
  transportPortName: transport
  loadBalancerIP: "10.11.1.59"
  loadBalancerSourceRanges: []
  externalTrafficPolicy: ""
clusterHealthCheckParams: "wait_for_status=yellow&timeout=2s"
Deploy a single node Elasticsearch with authentication, certificates for TLS and custom values:
$ helm upgrade --install elasticsearch \
  elastic/elasticsearch \
  --namespace logging \
  --version "7.17.1" \
  --values ./values-elasticsearch.yml
Elasticsearch endpoint will be available at https://10.11.1.59:9200/.
You can test it by using curl:
$ curl -sk -u "username:password" https://10.11.1.59:9200/ | jq
{
  "name": "elasticsearch-master-0",
  "cluster_name": "elasticsearch",
  "cluster_uuid": "t6rPuP6NSn6IDaW98J0VWw",
  "version": {
    "number": "7.17.1",
    "build_flavor": "default",
    "build_type": "docker",
    "build_hash": "e5acb99f822233d62d6444ce45a4543dc1c8059a",
    "build_date": "2022-02-23T22:20:54.153567231Z",
    "build_snapshot": false,
    "lucene_version": "8.11.1",
    "minimum_wire_compatibility_version": "6.8.0",
    "minimum_index_compatibility_version": "6.0.0-beta1"
  },
  "tagline": "You Know, for Search"
}
Install Kibana on Kubernetes
Create a values file values-kibana.yml for Kibana:
---
elasticsearchHosts: "https://elasticsearch-master:9200"
replicas: 1
protocol: https
httpPort: 5601
imagePullPolicy: "IfNotPresent"
extraEnvs:
  - name: "NODE_OPTIONS"
    value: "--max-old-space-size=1800"
  - name: "ELASTICSEARCH_USERNAME"
    valueFrom:
      secretKeyRef:
        name: "elastic-credentials"
        key: "username"
  - name: "ELASTICSEARCH_PASSWORD"
    valueFrom:
      secretKeyRef:
        name: "elastic-credentials"
        key: "password"
kibanaConfig:
  kibana.yml: |
    server.ssl:
      enabled: "true"
      key: "/usr/share/kibana/config/certs/tls.key"
      certificate: "/usr/share/kibana/config/certs/tls.crt"
      certificateAuthorities: [ "/usr/share/kibana/config/certs/homelab-ca.crt" ]
      clientAuthentication: "none"
      supportedProtocols: [ "TLSv1.2", "TLSv1.3" ]
    elasticsearch.ssl:
      certificateAuthorities: [ "/usr/share/kibana/config/certs/homelab-ca.crt" ]
      verificationMode: "certificate"
    newsfeed.enabled: "false"
    telemetry.enabled: "false"
    telemetry.optIn: "false"
secretMounts:
  - name: "elastic-certificates"
    secretName: "elastic-certificates"
    path: "/usr/share/kibana/config/certs"
    defaultMode: "0755"
resources:
  requests:
    cpu: "55m"
    memory: "512Mi"
  limits:
    cpu: "1000m"
    memory: "2Gi"
service:
  type: LoadBalancer
  loadBalancerIP: "10.11.1.58"
  port: 5601
  nodePort: ""
  labels: {}
  annotations: {}
  loadBalancerSourceRanges: []
  httpPortName: http
Deploy Kibana using authentication and TLS to connect to Elasticsearch:
$ helm upgrade --install kibana \
  elastic/kibana \
  --namespace logging \
  --version "7.17.1" \
  --values ./values-kibana.yml
Kibana endpoint will be available at https://10.11.1.58:5601/.
Verify that pods are running:
$ kubectl get po -n logging
NAME                             READY   STATUS    RESTARTS   AGE
elasticsearch-master-0           1/1     Running   0          23h
kibana-kibana-5d8dc78bfb-4fqr2   1/1     Running   0          23h
Verify services:
$ kubectl get svc -n logging
NAME                            TYPE           CLUSTER-IP       EXTERNAL-IP   PORT(S)                         AGE
elasticsearch-master            LoadBalancer   10.105.182.194   10.11.1.59    9200:31657/TCP,9300:32405/TCP   3d22h
elasticsearch-master-headless   ClusterIP      None             <none>        9200/TCP,9300/TCP               3d22h
kibana-kibana                   LoadBalancer   10.105.176.223   10.11.1.58    5601:31251/TCP                  3d21h
References
https://www.elastic.co/guide/en/elasticsearch/reference/7.17/configuring-stack-security.html
https://www.elastic.co/guide/en/elasticsearch/reference/7.17/security-settings.html
Brilliant, thank you for posting this!
Hello, can I have details about certificates? I create a rootCA and a certificate with key. I change values inside elastic-certificates-secret.yml with my values (I put base64 encoded rootca and crt and key).
After applying all I obtain “io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: Received fatal alert: unknown_ca”, at elastic start. When I left intact your elastic-certificates-secret.yml, it’s ok but with your certificates and not my certificates.
Thanks for the help.
Hi Bruno, the error message suggests that the CA cert has not been provided. Did you generate a root CA certificate, and then use it to sign the ElasticSearch certificate?
Hello,
I followed this article but used AWS CA for certs and my cert is bound by a passphrase, and when I run my es version 7.10.2, I am getting below error: ElasticsearchSecurityException[failed to load SSL configuration [xpack.security.transport.ssl]]; nested: IllegalStateException[Error parsing Private Key from: /usr/share/elasticsearch/config/certs/tls.key]; nested: NoSuchAlgorithmException[PBES2 SecretKeyFactory not available];
Likely root cause: java.security.NoSuchAlgorithmException: PBES2 SecretKeyFactory not available
Not sure why I am getting this error. I tried to follow the steps as they are.
Hi, does your config provide the passphrase to ElasticSearch to decrypt the private key in some way? The error suggests that ElasticSearch could not read the private key, probably because it is encrypted and may need a passphrase to decrypt it.
How can we add these elasticsearch SSL certificates (tls.key, tls.crt and homelab-ca.crt) to elastic-certificates-secret.yml file? Could you help me on this?
Hi Mahi, Kubernetes secrets are encoded in the base64 format, therefore you need to encode your SSL certificate plaintext data using base64, and add it to the YAML file. For more info, see documentation: https://kubernetes.io/docs/concepts/configuration/secret/
Hello,
How can we add elasticsearch SSL certificates to elastic-certificates-secret.yml file?
Could you help on this?
Hi Mahi, Kubernetes secrets are encoded in the base64 format, therefore you need to encode your SSL certificate plaintext data using base64, and add it to the YAML file. For more info, see documentation: https://kubernetes.io/docs/concepts/configuration/secret/
Hi,
We have converted SSL certificates from plain text to base64.
Command used for converting: openssl base64 -in elasticsearch-ca.crt -out elasticsearch-ca.b64
Still elastic search pods are not running throwing like ssl certificate issue.
Could you please help us to understand the issue here.
logs attached here for reference:
Please check if you can get certificate data from your Kubernetes secrets. See example command below:
Decode the secret data that you get from above using base64 -d and see if it has your certificate.
logs attached here for reference:
{"type": "server", "timestamp": "2023-04-14T09:28:22,379Z", "level": "ERROR", "component": "o.e.b.ElasticsearchUncaughtExceptionHandler", "cluster.name": "elasticsearch", "node.name": "elasticsearch-master-0", "message": "uncaught exception in thread [main]",
"stacktrace": ["org.elasticsearch.bootstrap.StartupException: ElasticsearchSecurityException[failed to load SSL configuration [xpack.security.transport.ssl]]; nested: ElasticsearchException[failed to initialize SSL KeyManagerFactory]; nested: MalformedInputException[Input length = 1];",
"at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:163) ~[elasticsearch-7.14.0.jar:7.14.0]",
"at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:150) ~[elasticsearch-7.14.0.jar:7.14.0]",
"at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:75) ~[elasticsearch-7.14.0.jar:7.14.0]",
"at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:116) ~[elasticsearch-cli-7.14.0.jar:7.14.0]",
"at org.elasticsearch.cli.Command.main(Command.java:79) ~[elasticsearch-cli-7.14.0.jar:7.14.0]",
"at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:115) ~[elasticsearch-7.14.0.jar:7.14.0]",
"at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:81) ~[elasticsearch-7.14.0.jar:7.14.0]",
"Caused by: org.elasticsearch.ElasticsearchSecurityException: failed to load SSL configuration [xpack.security.transport.ssl]",
"at org.elasticsearch.xpack.core.ssl.SSLService.lambda$loadSSLConfigurations$5(SSLService.java:530) ~[?:?]",
Hi,
After decoding the secrets we got like this but still facing SSL authentication issue. Is there anything we need to add?
When you decode your base64 data from the secret, do you get certificates/keys in plain text? If you don’t, then that would be the problem. You need to encode plain text certificates/keys using base64 and add them to the secret.
Used above commands for generating root ca certificates, domain crt and keys
Passed Internal Certificate Authority (CA) commands for generating these crts and keys (domain.crt,domain.csr, root-ca.crt, root-ca.key and root-ca.srl) from these keys and crts converted to base.64 by using this command:
After generating the crt.b64 files added to elasticertificate.yaml
Applied to these secret to namespace .
Did I miss any steps here?
That looks OK to me. Have you verified that you can decode base64 encoded secret data and see plaintext content of your certificates/keys?
Hi Lisenet,
Decoded base64 to plain text.
Can see below text, it's showing valid details.
Is there any other way to check this?
Have doubt on domain: which domain should be provided, whether it should be the Kibana URL or the Elasticsearch URL?