When I add TLS certificates to Elasticsearch, my Fleet Server fails with the error shown below.
{"log.level":"error","@timestamp":"2024-05-03T08:02:03.862Z","log.origin":{"file.name":"coordinator/coordinator.go","file.line":558},"message":"Unit state changed fleet-server-default (STARTING->FAILED): Error - failed version compatibility check with elasticsearch: tls: failed to verify certificate: x509: certificate is valid for *.thaibevapp.com, thaibevapp.com, not elasticsearch-es-http.default.svc","log":{"source":"elastic-agent"},"component":{"id":"fleet-server-default","state":"HEALTHY"},"unit":{"id":"fleet-server-default","type":"output","state":"FAILED","old_state":"STARTING"},"ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-03T08:02:05.019Z","log.origin":{"file.name":"cmd/run.go","file.line":307},"message":"signal \"terminated\" received","log":{"source":"elastic-agent"},"ecs.version":"1.6.0"}
These are my Fleet Server and Elasticsearch YAML manifests.
# Kibana instance managed by ECK; it also carries the Fleet configuration
# (output hosts, preinstalled packages and the two agent policies).
apiVersion: kibana.k8s.elastic.co/v1
kind: Kibana
metadata:
  name: kibana
  namespace: default
spec:
  version: "8.11.0"
  count: 1
  elasticsearchRef:
    name: elasticsearch
  http:
    service:
      spec:
        type: LoadBalancer
        loadBalancerIP: "10.111.0.138"  # environment-specific, change per deployment
  config:
    # Left disabled on purpose. NOTE(review): these look like Elasticsearch
    # settings rather than Kibana ones (TODO confirm), and turning certificate
    # verification off would only hide the SAN mismatch shown in the
    # fleet-server log, not fix it.
    #xpack.security.transport.ssl.verification_mode: 'none'
    #xpack.security.http.ssl.verification_mode: 'none'
    #xpack.fleet.agents.elasticsearch.hosts: ["https://elasticsearch-es-http.default.svc:9200"]
    # Elasticsearch URL handed to agents. This hostname falls under the
    # *.thaibevapp.com name the log reports the certificate is valid for.
    xpack.fleet.agents.elasticsearch.hosts:
      - "https://elasticapm.thaibevapp.com:9200"  # environment-specific
    #xpack.fleet.agents.fleet_server.hosts: ["https://fleet-server-agent-http.default.svc:8220"]
    # NOTE(review): this is an IP address, while the fleet-server Agent in this
    # manifest serves the same elastic-tls secret, whose certificate the log
    # shows as valid only for DNS names. Agents verifying this endpoint would
    # presumably fail the same way; a hostname covered by the certificate
    # avoids that. Confirm against the actual certificate.
    xpack.fleet.agents.fleet_server.hosts:
      - "https://10.111.0.140:8220"  # environment-specific
    # NOTE(review): "latest" is resolved when the package is installed, so two
    # rollouts of this manifest can end up with different integration versions;
    # pin explicit versions if reproducibility matters.
    xpack.fleet.packages:
      - name: system
        version: latest
      - name: elastic_agent
        version: latest
      - name: fleet_server
        version: latest
      - name: kubernetes
        version: latest
    xpack.fleet.agentPolicies:
      # Policy applied to the Fleet Server agent itself.
      - name: Fleet Server on ECK policy
        id: eck-fleet-server
        namespace: default
        monitoring_enabled:
          - logs
          - metrics
        unenroll_timeout: 900
        is_default_fleet_server: true
        package_policies:
          - name: fleet_server-1
            id: fleet_server-1
            package:
              name: fleet_server
      # Default policy for the regular agents (system + kubernetes integrations).
      - name: Elastic Agent on ECK policy
        id: eck-agent
        namespace: default
        monitoring_enabled:
          - logs
          - metrics
        unenroll_timeout: 900
        is_default: true
        package_policies:
          - package:
              name: system
            name: system-1
          - package:
              name: kubernetes
            name: kubernetes-1
---
# Three-node Elasticsearch cluster managed by ECK, exposed through a
# LoadBalancer and serving a user-supplied HTTP certificate.
apiVersion: elasticsearch.k8s.elastic.co/v1
kind: Elasticsearch
metadata:
  name: elasticsearch
  namespace: default
spec:
  version: "8.11.0"
  nodeSets:
    - name: default
      count: 3
      config:
        # NOTE(review): these settings govern how Elasticsearch itself verifies
        # its peers. They do not affect the hostname check that the fleet-server
        # client performs against this cluster's HTTP certificate.
        # "certificate" mode validates the chain but skips hostname verification.
        # ECK normally manages the TLS settings of both layers; confirm these
        # overrides are needed and accepted by the operator.
        xpack.security.transport.ssl.enabled: true
        xpack.security.transport.ssl.verification_mode: certificate
        xpack.security.http.ssl.enabled: true
        xpack.security.http.ssl.verification_mode: certificate
        node.store.allow_mmap: false
      volumeClaimTemplates:
        - metadata:
            # Do not rename unless a volume mount is set up for the data path.
            name: elasticsearch-data
          spec:
            accessModes:
              - ReadWriteOnce
            resources:
              requests:
                storage: 100Gi  # environment-specific, change per deployment
            #storageClassName: hpe-standard
  http:
    tls:
      certificate:
        # Custom certificate for the HTTP layer. The fleet-server log on this
        # page rejects it because it is valid for *.thaibevapp.com and
        # thaibevapp.com but not for elasticsearch-es-http.default.svc, the
        # in-cluster service name the agent connects to. The certificate in
        # this secret needs that name as a SAN, or clients must reach the
        # cluster through a hostname the certificate covers. Disabling
        # verification on the client would remove the protection TLS provides.
        secretName: elastic-tls
    service:
      spec:
        type: LoadBalancer
        loadBalancerIP: "10.111.0.139"  # environment-specific
---
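# Fleet Server, run as an ECK-managed Elastic Agent in fleet mode.
apiVersion: agent.k8s.elastic.co/v1alpha1
kind: Agent
metadata:
  name: fleet-server
  # Set explicitly: every other namespaced object in this manifest (including
  # the fleet-server ServiceAccount this pod uses) is pinned to "default".
  # Without it the Agent lands in whatever namespace kubectl is pointed at.
  namespace: default
spec:
  version: 8.11.0
  kibanaRef:
    name: kibana
  # The log on this page shows the connection made for this reference going to
  # elasticsearch-es-http.default.svc, so the Elasticsearch HTTP certificate
  # has to be valid for that name.
  elasticsearchRefs:
    - name: elasticsearch
  mode: fleet
  fleetServerEnabled: true
  deployment:
    replicas: 1
    podTemplate:
      spec:
        serviceAccountName: fleet-server
        automountServiceAccountToken: true
        securityContext:
          # NOTE(review): the pod runs as root; confirm this is still required
          # for this agent version before keeping it.
          runAsUser: 0
  http:
    service:
      spec:
        type: LoadBalancer
        loadBalancerIP: 10.111.0.140  # environment-specific, change per deployment
    tls:
      certificate:
        # Same secret as the Elasticsearch HTTP layer. Per the log, that
        # certificate covers only *.thaibevapp.com and thaibevapp.com, so
        # agents should reach Fleet Server through a matching hostname rather
        # than the bare load-balancer IP (confirm against the certificate).
        secretName: elastic-tls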
---
# Fleet-managed Elastic Agent, one pod per node (DaemonSet), enrolled through
# the fleet-server Agent above.
apiVersion: agent.k8s.elastic.co/v1alpha1
kind: Agent
metadata:
  name: elastic-agent
  namespace: default
spec:
  version: "8.11.0"
  kibanaRef:
    name: kibana
  fleetServerRef:
    name: fleet-server
  mode: fleet
  daemonSet:
    podTemplate:
      spec:
        serviceAccountName: elastic-agent
        # NOTE(review): host networking, a mounted service-account token and
        # UID 0 are combined here, and the elastic-agent ClusterRole in this
        # manifest grants wildcard access. A compromise of this pod therefore
        # reaches well beyond the pod itself; keep each setting only if the
        # enabled integrations need it.
        hostNetwork: true
        dnsPolicy: ClusterFirstWithHostNet
        automountServiceAccountToken: true
        securityContext:
          runAsUser: 0
---
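# Cluster-wide read access to pods, namespaces and nodes, plus lease handling,
# for the fleet-server service account.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  # ClusterRole is cluster-scoped, so the former "namespace: default" entry had
  # no effect and was dropped (the elastic-agent ClusterRole has none either).
  name: fleet-server
rules:
  - apiGroups: [""]  # "" is the core API group
    resources:
      - pods
      - namespaces
      - nodes
    verbs:
      - get
      - watch
      - list
  - apiGroups: ["coordination.k8s.io"]
    resources:
      - leases
    verbs:
      - get
      - create
      - update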
---
# Identity the fleet-server pod runs under (referenced by serviceAccountName
# in the fleet-server Agent).
apiVersion: v1
kind: ServiceAccount
metadata:
  name: fleet-server
  namespace: default
---
# Grants the fleet-server ClusterRole to the fleet-server ServiceAccount in
# the default namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: fleet-server
subjects:
  - kind: ServiceAccount
    name: fleet-server
    namespace: default
roleRef:
  kind: ClusterRole
  name: fleet-server
  apiGroup: rbac.authorization.k8s.io
---
# Permissions for the elastic-agent service account.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: elastic-agent
rules:
  # NOTE(review): wildcard API groups and resources give this account get/list/
  # watch/create/update on every resource type in the cluster, Secrets
  # included. The agent pod also runs as root on the host network, so this is
  # far more than a monitoring agent should hold. Enumerate the resources the
  # enabled integrations actually read, the way the fleet-server ClusterRole in
  # this manifest does, and grant create/update only where they are needed.
  - apiGroups: ["*"]
    resources: ["*"]
    verbs:
      - get
      - watch
      - list
      - create
      - update
  # Read access to the API server's /metrics endpoint.
  - nonResourceURLs:
      - "/metrics"
    verbs:
      - get
---
# Identity the elastic-agent DaemonSet pods run under.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: elastic-agent
  namespace: default
---
# Grants the elastic-agent ClusterRole to the elastic-agent ServiceAccount in
# the default namespace. Because this is a ClusterRoleBinding, the role's rules
# apply across all namespaces.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: elastic-agent
subjects:
  - kind: ServiceAccount
    name: elastic-agent
    namespace: default
roleRef:
  kind: ClusterRole
  name: elastic-agent
  apiGroup: rbac.authorization.k8s.io