Stack Monitoring certificate validation on beats #5917
Comments
This is unfortunately a limitation of the current implementation. The problem is the I am not sure what the best way is to fix it. One way I could think of is to say whenever someone is using custom certificates for their Elasticsearch cluster that is the target of a stack monitoring configuration to switch to verification mode: @mens1205 until a fix is available I can think of a few workarounds that might be all somewhat unattractive:
@pebrc Doesn't it make sense to do the same verification mode:
This seems like a good compromise to me to solve this without asking anything from the users. Another more involved idea I had is to propose a way to override the Beat config like it is possible for the Pod definition via the podTemplate. This is more powerful but has the downside of requiring users to have some knowledge of the existing Beat config, which I find unfortunate.

```yaml
spec:
  monitoring:
    metrics:
      elasticsearchRefs:
      - name: elasticsearch
      configTemplate:
        output:
          ssl:
            verification_mode: certificate
```
I would prefer to set the default Beats output to
@pebrc Thanks for your proposals. I implemented a variation of option 2. as a workaround for testing. So I can confirm that it is working. But indeed as you already mentioned the solution is not very attractive and won't go into production in our environment. So I'm looking forward to a fix for this issue.
Bug Report
What did you do?
I set up Stack monitoring as described here: Stack Monitoring
Config looks like this:
What did you expect to see?
I expected that metricbeat and filebeat are able to connect to elasticsearch.
What did you see instead? Under which circumstances?
I received the following error message:
{"log.level":"error","@timestamp":"2022-07-28T13:26:36.239Z","log.logger":"publisher_pipeline_output","log.origin":{"file.name":"pipeline/client_worker.go","file.line":150},"message":"Failed to connect to backoff(elasticsearch(https://elasticsearch-es-http.elastic.svc:9200)): Get \"https://elasticsearch-es-http.elastic.svc:9200\": x509: certificate is valid for REDACTED, REDACTED, not elasticsearch-es-http.elastic.svc","service.name":"metricbeat","ecs.version":"1.6.0"}
Due to the fact that I'm providing my own certificate to elasticsearch which didn't include a SAN entry for `elasticsearch-es-http.elastic.svc`. I think this is a quite common use case. Is it possible to disable the certificate validation or set it to `ssl.verification_mode: certificate` for the beats?
Environment
ECK version: 2.3.0
ES version: 8.3.2
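
The difference between the default hostname-checking verification and `ssl.verification_mode: certificate` asked about in this issue, as an added Go example (not code from ECK or Beats): it models both modes with Go's `crypto/x509` verifier over certificates constructed in memory. The SAN `es.example.com` and the helpers `issue`, `verify` and `demo` are assumptions of the example; the service name is the one from the log above.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a constructed, minimal test certificate; a nil parent yields a self-signed one.
func issue(cn string, sans []string, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		DNSNames: sans, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		t.IsCA, t.BasicConstraintsValid = true, true
		parent, signer = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// verify always checks the chain against roots; a non-empty host adds the hostname check.
func verify(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// demo returns the outcome of full mode, certificate mode, and certificate mode with an untrusted issuer.
func demo() (full, certOnly, untrusted error) {
	const host = "elasticsearch-es-http.elastic.svc" // service name from the log on this page
	ca, caKey := issue("constructed CA", nil, nil, nil)
	leaf, _ := issue("es", []string{"es.example.com"}, ca, caKey) // SAN lacks the service name
	rogue, _ := issue("es", []string{host}, nil, nil)             // right name, self-signed, not trusted
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return verify(leaf, roots, host), verify(leaf, roots, ""), verify(rogue, roots, "")
}

func main() {
	full, certOnly, untrusted := demo()
	fmt.Printf("full: %v\ncertificate: %v\ncertificate, untrusted issuer: %v\n", full, certOnly, untrusted)
}
```

Chain-only verification still rejects a certificate that does not chain to the trusted CA, but it accepts any certificate issued by that CA regardless of the name it was issued for.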