This repository has been archived by the owner on May 16, 2023. It is now read-only.

How to setup ES/Kibana with nginx ingress and SSL enabled? #779

Closed
teebu opened this issue Aug 14, 2020 · 10 comments
Labels
elasticsearch question Further information is requested triage/stale

Comments

@teebu

teebu commented Aug 14, 2020

I followed the secure example, and installed nginx ingress, but I can't seem to get it working with nginx. Without the TLS, I can connect to it, using http://es.

I'm able to port-forward connect to https://es:9200 but not directly through nginx. I suspect it's trying to connect to https on port 443, but ES https is running on 9200.

I tried a few things, none of them worked. Does anyone have advice or a sample values file?

After creating secrets, I have these values set (snippet):

ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/client-body-buffer-size: 10M
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
  path: /
  #hosts:
  #  - es.localhost
  tls:
    - secretName: elastic-certificates
      hosts:
        - es.localhost

service:
  type: ClusterIP

protocol: https 

esConfig:
  elasticsearch.yml: |
    xpack.security.enabled: true
    xpack.security.transport.ssl.enabled: true
    xpack.security.transport.ssl.verification_mode: certificate
    xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
    xpack.security.transport.ssl.truststore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
    xpack.security.http.ssl.enabled: true
    xpack.security.http.ssl.truststore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
    xpack.security.http.ssl.keystore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12

@jmlrt jmlrt added elasticsearch question Further information is requested labels Aug 25, 2020
@ebuildy
Contributor

ebuildy commented Oct 18, 2020

According to the ingress template, the port is controlled via the httpPort values field:

{{- $servicePort := .Values.httpPort -}}

@khanhvu161188

@teebu did you have any luck with this issue? I have the same issue here:
the nginx ingress controller shows that there is no active endpoint in the service of ElasticSearch.

@teebu
Author

teebu commented Dec 6, 2020

@khanhvu161188 no

@khanhvu161188

@teebu I finally solved it.
The reason it did not work is that when we turn on SSL for elasticsearch, the connection from the ingress to the service is dropped because TLS verification fails.
You should modify the ingress in value.yaml like below:

ingress:
  enabled: true
  annotations: 
    kubernetes.io/ingress.class: nginx
    kubernetes.io/tls-acme: "true"
    nginx.ingress.kubernetes.io/proxy-ssl-secret: "resources/elastic-certificate-pem"  # need to point to ES certificate pem.
    nginx.ingress.kubernetes.io/proxy-ssl-verify: "false"  # must be false if you use elasticsearch-utils to generate CA.
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"  # must be HTTPS

@connorworkman

@khanhvu161188 thank you -- adding the backend-protocol annotation worked for me!

@shamndor

shamndor commented Feb 18, 2021

Greetings,

I still have the same issue.

This is my ingress:

image

These are the nginx ingress pod logs:
image

These are the elasticsearch pod logs:
image

ingress does not decrypt the traffic and send plain text to elasticsearch pod.
Any suggestions for that?
Thanks

@connorworkman

connorworkman commented Feb 18, 2021

@shamndor This is what works for me with ssl enabled (and a self-signed cert) on kibana and elasticsearch.
Elasticsearch:

...
protocol: https
ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: nginx
    kubernetes.io/tls-acme: "true"
    nginx.ingress.kubernetes.io/proxy-ssl-verify: "false"
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
  hosts:
    - elasticsearch.example.com
esConfig:
  elasticsearch.yml: |
    xpack.security.enabled: true
    xpack.security.transport.ssl.enabled: true
    xpack.security.transport.ssl.verification_mode: certificate
    xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
    xpack.security.transport.ssl.truststore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
    xpack.security.http.ssl.enabled: true
    xpack.security.http.ssl.truststore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
    xpack.security.http.ssl.keystore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
...

Kibana:

ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: nginx
    kubernetes.io/tls-acme: "true"
    nginx.ingress.kubernetes.io/proxy-ssl-verify: "false"
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
  hosts:
    - kibana.example.com

You might try setting ingress class or removing some of the other configs to see if that works.
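
The settings discussed in this thread, as an added values fragment that is not part of any comment above and not the chart's own example: it keeps `backend-protocol: "HTTPS"` but has nginx verify the Elasticsearch certificate rather than setting `proxy-ssl-verify` to false. The namespace `elastic`, the secret names `es-backend-ca` and `es-ingress-tls`, and the service name `elasticsearch-master` are assumptions.

```yaml
# Added example, Elasticsearch values fragment for ingress-nginx
# (kubernetes/ingress-nginx; nginxinc/kubernetes-ingress uses different annotations).
protocol: https
ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: nginx
    # nginx terminates the client TLS session and opens a new TLS session to port 9200.
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"

    # Setting used in the thread: the hop to the pod is encrypted, but nginx
    # accepts any certificate the backend presents.
    # nginx.ingress.kubernetes.io/proxy-ssl-verify: "false"

    # Verified variant: nginx checks the backend certificate against ca.crt
    # taken from the referenced secret ("namespace/name", assumed names).
    nginx.ingress.kubernetes.io/proxy-ssl-verify: "on"
    nginx.ingress.kubernetes.io/proxy-ssl-verify-depth: "2"
    nginx.ingress.kubernetes.io/proxy-ssl-secret: "elastic/es-backend-ca"
    # Name nginx expects in the backend certificate (also sent as SNI).
    # The Elasticsearch HTTP certificate must list this name as a subject
    # alternative name, otherwise verification fails.
    nginx.ingress.kubernetes.io/proxy-ssl-name: "elasticsearch-master"

    # ssl-passthrough is a separate mode: nginx forwards the raw TLS stream and
    # the controller must run with --enable-ssl-passthrough. It is not combined
    # with backend-protocol/proxy-ssl-* here.
  hosts:
    - elasticsearch.example.com
  tls:
    # Assumed secret of type kubernetes.io/tls (tls.crt and tls.key in PEM)
    # for the certificate nginx serves to clients.
    - secretName: es-ingress-tls
      hosts:
        - elasticsearch.example.com
```

The secret named in `proxy-ssl-secret` holds PEM data: `ca.crt` with the CA that signed the Elasticsearch HTTP certificate, plus `tls.crt` and `tls.key` if nginx should present a client certificate.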

@shamndor

Thank you very much @connorworkman
I am using another implementation, nginxinc/kubernetes-ingress, so the annotations did not work for me.

@botelastic

botelastic bot commented May 21, 2021

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@botelastic

botelastic bot commented Jun 20, 2021

This issue has been automatically closed because it has not had recent activity since being marked as stale.

@botelastic botelastic bot closed this as completed Jun 20, 2021