Fix Stack Monitoring with custom certificate without CA #5310
I did a quick test with Elasticsearch and Kibana pub. certs signed by a well known CA. Metricbeat is failing with the following error:
2022-02-01T08:26:57.702Z ERROR module/wrapper.go:259 Error fetching data for metricset elasticsearch.index: error determining if connected Elasticsearch node is master: error making http request: Get "https://localhost:9200/_nodes/_local/nodes": x509: certificate is valid for my-public-hostname.com, not localhost
I think it is related to Peter's comment here.
Thanks for the feedback. All have been addressed.
Looks good to me now. I did a test with a Let's Encrypt certificate and Elasticsearch and one with the self-signed certs ECK uses by default.
I found a little bug. When disabling TLS, we generate certs for ES but not for KB. This means we shouldn't get the
> I found a little bug
Good catch. I did not test with Kibana initially, but it looks good now.
Stack Monitoring incorrectly assumed that if the monitored Elastic resource has TLS enabled, there is a CA to configure in the input section of the Metricbeat config. This overlooked that you can have a certificate issued by a well-known CA, so you don't always provide a CA when TLS is enabled. This is fixed by differentiating between isSSL/isTLS and HasCA.
Resolves #5309.
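The split between "TLS is enabled" and "a CA was provided" described above, as an added Go example (not ECK's own code). The struct, its field names, the template and the CA path are hypothetical; `ssl.certificate_authorities` is the Metricbeat setting for custom CAs, and when it is absent Metricbeat verifies against the system trust store.

```go
package main

import (
	"fmt"
	"strings"
	"text/template"
)

// MonitoredInput describes one monitored endpoint. Field names are
// hypothetical; they mirror the isTLS / HasCA split described above.
type MonitoredInput struct {
	Host   string // host:port, no scheme
	IsTLS  bool   // endpoint serves HTTPS
	HasCA  bool   // a custom CA bundle was provided for this endpoint
	CAPath string // path to that bundle; only meaningful when HasCA is true
}

// The CA list is gated on HasCA, not on IsTLS alone. With TLS but no custom
// CA the ssl setting is omitted, so the system trust store is used.
var inputTmpl = template.Must(template.New("input").Parse(`- module: elasticsearch
  hosts: ["{{ if .IsTLS }}https{{ else }}http{{ end }}://{{ .Host }}"]
{{- if and .IsTLS .HasCA }}
  ssl.certificate_authorities: ["{{ .CAPath }}"]
{{- end }}
`))

// RenderInput renders the module input and rejects inconsistent settings.
func RenderInput(in MonitoredInput) (string, error) {
	if in.HasCA && in.CAPath == "" {
		return "", fmt.Errorf("HasCA is set but CAPath is empty")
	}
	var sb strings.Builder
	if err := inputTmpl.Execute(&sb, in); err != nil {
		return "", err
	}
	return sb.String(), nil
}

func main() {
	// Constructed sample inputs: plain HTTP, TLS with a custom CA, TLS with a public CA.
	for _, in := range []MonitoredInput{
		{Host: "localhost:9200"},
		{Host: "localhost:9200", IsTLS: true, HasCA: true, CAPath: "/constructed/ca.crt"},
		{Host: "localhost:9200", IsTLS: true},
	} {
		out, err := RenderInput(in)
		fmt.Println(out, err)
	}
}
```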