How to expose elasticsearch setup using eck externally - elasticsearch

Hi, I would like to expose my elasticsearch cluster in kubernetes created using ECK (https://www.elastic.co/guide/en/cloud-on-k8s/current/index.html) so it can be accessed externally.
I have a requirement to set up Functionbeat to ship aws lambda cloudwatch logs to elasticsearch.
Please see Step 2: Connect to the Elastic Stack https://www.elastic.co/guide/en/beats/functionbeat/current/functionbeat-installation-configuration.html
Attempt:
I have an elastic load balancer that has haproxy running on it, which I use to expose other k8s services externally, such as frontends. I've attempted to modify this to also allow me to expose elasticsearch.
haproxy
frontend elasticsearch
    bind *:9200
    acl host_data_elasticsearch hdr(host) -i elasticsearch.acme.com
    use_backend elasticsearchApp if host_data_elasticsearch
backend elasticsearchApp
    server data-es data-es-es-http:9200 check rise 1 ssl verify none
I'm attempting to see if I can connect using the following curl command:
curl -u "elastic:$ELASTIC_PASSWORD" -k "https://elasticsearch.acme.com:9200"
However, I get the following error:
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number
In the browser, if I navigate to the url I get:
This site can’t provide a secure connection
elasticsearch.acme.com sent an invalid response.
ERR_SSL_PROTOCOL_ERROR

Posting answer as community wiki based on @Joao Morais' comment:
You added ssl to the server line, which instructs haproxy to perform an ssl offload, and you didn't add the ssl stuff in the frontend. It seems you should either remove the ssl+verify from the server, add ssl to the front, or query a plain http request.
Additional information:
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number indicates that you are trying to reach a website that is not secure.
To access it you should replace https: with http: in your curl command so it will look like this:
curl -u "elastic:$ELASTIC_PASSWORD" -k "http://elasticsearch.acme.com:9200"
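The mismatch the answer describes, as an added example that is not part of the original posts: a small Python check that reads the question's HAProxy configuration and reports where the client's scheme disagrees with the bind line and where the backend leg skips certificate verification. The function names, HARDENED_CFG and its certificate paths are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# The HAProxy configuration from the question, embedded as sample input.
QUESTION_CFG = """\
frontend elasticsearch
    bind *:9200
    acl host_data_elasticsearch hdr(host) -i elasticsearch.acme.com
    use_backend elasticsearchApp if host_data_elasticsearch
backend elasticsearchApp
    server data-es data-es-es-http:9200 check rise 1 ssl verify none
"""
# Constructed variant with verified TLS on both legs; the paths are placeholders.
HARDENED_CFG = (QUESTION_CFG
    .replace("bind *:9200", "bind *:9200 ssl crt /etc/haproxy/certs/frontend.pem")
    .replace("verify none", "verify required ca-file /etc/haproxy/certs/es-ca.crt"))
SECTION_KEYWORDS = ("global", "defaults", "frontend", "backend", "listen")

def parse_sections(cfg):
    """Split a config into (kind, name, [token lists]) per section."""
    sections = []
    for raw in cfg.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if not tokens:
            continue
        if tokens[0] in SECTION_KEYWORDS:
            sections.append((tokens[0], " ".join(tokens[1:2]), []))
        elif sections:
            sections[-1][2].append(tokens)
    return sections

def audit(cfg, client_url):
    """Report client/bind scheme mismatches and unverified backend TLS."""
    url = urlsplit(client_url)
    wants_tls = url.scheme == "https"
    port = url.port or (443 if wants_tls else 80)
    findings = []
    for kind, name, directives in parse_sections(cfg):
        for d in directives:
            if d[0] == "bind" and len(d) > 1 and d[1].rsplit(":", 1)[-1] == str(port):
                speaks_tls = "ssl" in d[2:]  # TLS is terminated only if bind has "ssl"
                if speaks_tls != wants_tls:
                    findings.append(f"{kind} {name}: client sends {url.scheme} to port {port}, "
                                    f"but this bind {'expects TLS' if speaks_tls else 'is plaintext'}")
            if d[0] == "server" and "ssl" in d[3:] and "verify none" in " ".join(d[3:]):
                findings.append(f"{kind} {name}: server {d[1]} accepts any certificate (verify none)")
    return findings

if __name__ == "__main__":
    url = "https://elasticsearch.acme.com:9200"
    print(audit(QUESTION_CFG, url), audit(HARDENED_CFG, url))
```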

Related

how to connect elasticsearch API through elassandra

I am using Elassandra. I want to set it up (Windows 10) and run queries
from the Elasticsearch URL. I have installed Elassandra and started it; it is working
fine, but I am not able to access the Elasticsearch URL. I also tried to
configure host and http.port in elasticsearch.yml, but it did not work.
From bin I am running Cassandra -e. There is no error in the logs, but I am still not
able to access ES on localhost:9200.
It shows the following error:
curl: (7) Failed to connect to localhost port 9200: Connection refused
How can one connect to Elasticsearch in Elassandra?

solana logs failing with: Error: unable to connect to server yet solana-test-validator is running

I am trying to run the solana logs command to see the logs.
But upon running this, it fails and doesn't connect to the localhost server. see below output:
As you will see from the screenshot above, I already have the solana-test-validator running.
But solana logs --url localhost ain't working or is unable to connect to the server
The solution in my case is the url specification,
kindly note that in this case, localhost translates to 127.0.0.1 but still in my case, I still needed to even specify the port:
Thus instead of using localhost, I used:
solana logs --url http://127.0.0.1:8899

Can't connect to https minio container from laravel container

I have a laravel application running which tries to upload files to a local minio server which runs on https on port 9001.
This happens on a server with a public domain name we shall call foo.bar.com.
In the host machine (outside my docker containers) if I do curl -k https://foo.bar.com:9001 or curl -k https://0.0.0.0:9001 it works, but if I try to run these commands inside my laravel container I get curl: (7) Failed to connect to 0.0.0.0 port 9001: Connection refused.
In the container I can connect to my minio server by using the minio container's name, since they are on the same network: curl -k https://pan.api.minio:9001.
I wanted to use this but then running migrations in laravel fails with Error executing "PutObject" on "https://pan.api.minio:9001/pan-local/ab7d6e69-5e13-4582-8855-669dcb935591/OVVzTEZiOGhSR3J1MkVHSmlIa3VoSXNsTFdJVnNWWlNCb0U2dnlsWm13dmNGUjRvWlVIVVJRTWxqak1reVhMUm1hbmV0LTItMQ%3D%3D"; AWS HTTP error: cURL error 60: SSL: no alternative certificate subject name matches target host name 'pan.api.minio' (see https://curl.haxx.se/libcurl/c/libcurl-errors.html)
I just want to upload files to my minio server from within my laravel container, but why can't I connect to it by doing foo.bar.com:9001 like I can outside of my docker containers?

etcd2 in proxy mode doesn't do anything useful

I have an etcd cluster using TLS for security. I want other machines to use etcd proxy, so the localhost clients don't need to use TLS. Proxy is configured like this:
[Service]
Environment="ETCD_PROXY=on"
Environment="ETCD_INITIAL_CLUSTER=etcd1=https://master1.example.com:2380,etcd2=https://master2.example.com:2380"
Environment="ETCD_PEER_TRUSTED_CA_FILE=/etc/kubernetes/ssl/ca.pem"
Environment="ETCD_PEER_CERT_FILE=/etc/kubernetes/ssl/worker.pem"
Environment="ETCD_PEER_KEY_FILE=/etc/kubernetes/ssl/worker-key.pem"
Environment="ETCD_TRUSTED_CA_FILE=/etc/kubernetes/ssl/ca.pem"
And it works, as far as the first connection goes. But the etcd client does an initial query to discover the full list of servers, and then it performs its real query against one of the servers in that list:
$ etcdctl --debug ls
start to sync cluster using endpoints(http://127.0.0.1:4001,http://127.0.0.1:2379)
cURL Command: curl -X GET http://127.0.0.1:4001/v2/members
got endpoints(https://1.1.1.1:2379,https://1.1.1.2:2379) after sync
Cluster-Endpoints: https://1.1.1.1:2379, https://1.1.1.2:2379
cURL Command: curl -X GET https://1.1.1.1:2379/v2/keys/?quorum=false&recursive=false&sorted=false
cURL Command: curl -X GET https://1.1.1.2:2379/v2/keys/?quorum=false&recursive=false&sorted=false
Error: client: etcd cluster is unavailable or misconfigured
error #0: x509: certificate signed by unknown authority
error #1: x509: certificate signed by unknown authority
If I change the etcd masters to --advertise-client-urls=http://localhost:2379, then the proxy will connect to itself and get into an infinite loop. And the proxy doesn't modify the traffic between the client and the master, so it doesn't rewrite the advertised client URLs.
I must not be understanding something, because the etcd proxy seems useless.
Turns out that most etcd clients (locksmith, flanneld, etc.) will work just fine with a proxy in this mode. It's only etcdctl that behaves differently. Because I was testing with etcdctl, I thought the proxy config wasn't working at all.
If etcdctl is run with --skip-sync, then it will communicate through the proxy rather than retrieving the list of public endpoints.
etcdctl cluster-health ignores --skip-sync and always touches the public etcd endpoints. It will never work with a proxy.
With option --endpoints "https://{YOUR_ETCD_ADVERTISE_CLIENT_URL}:2379".
Because you configured TLS for etcd, you should add options --ca-file, --cert-file, --key-file.

Kubernetes proxy connection

I am trying to play around with kubernetes and specifically the REST API. The steps to connect with the cluster API are listed here. However, I'm stuck on the first step, i.e. running kubectl proxy.
I try running this:
kubectl --context='vagrant' proxy --port=8080 &
which returns error: couldn't read version from server: Get https://172.17.4.99:443/api: dial tcp 172.17.4.99:443: i/o timeout
What does this mean? How do I overcome it and connect to the API?
Check that your docker, proxy, kube-apiserver, kube-control-manager services are running without error. Check their status using systemctl status your-service-name. If the service is loaded but not running, then restart the service by using systemctl restart your-service-name.
