elasticsearch-operator icon indicating copy to clipboard operation
elasticsearch-operator copied to clipboard
verified publisher icon upmc-enterprises

How to expose resources created with the `operator` helm chart

Open kikulikov opened this issue 7 years ago • 8 comments

How can I expose resources created with the operator helm charts (on AWS) ?

kubectl expose deployment.extensions/kibana-database-cluster \
--type=LoadBalancer --name=kibana-access

kubectl expose service/elasticsearch-database-cluster \
--type=LoadBalancer --name=elasticsearch-access

Services and load balancers has been created but do not seem to work properly. Connection just hangs and brakes on timeout then.

NAME                                       TYPE           CLUSTER-IP       EXTERNAL-IP        PORT(S)                      AGE
elasticsearch-access                       LoadBalancer   100.65.247.239   af95c1a0046df...   9200:30255/TCP               33m
kibana-access                              LoadBalancer   100.71.244.196   af913a79646de...   5601:31385/TCP               40m

What could be wrong here? Am I missing something? Thank you.

kikulikov avatar Apr 23 '18 11:04 kikulikov

First of all i'd recommend exposing these type of services through Ingress. Which takes some (undocumented) effort, but it's probably different for each implementation anyway.

But if you do want to directly expose your ES/kibana access (bad idea) check if your expose rules actually selected the right backends. kubectl describe and kubectl get ep should get you somewhere.

pieterlange avatar Apr 23 '18 16:04 pieterlange

Thank you! I'll have a look.

kikulikov avatar Apr 24 '18 07:04 kikulikov

the Elasticsearch chart doesn't support ingress creation, a PR adding this feature are very welcome

gianrubio avatar Apr 25 '18 17:04 gianrubio

As @pieterlange mentioned exposing services without any authentication method is a really bad idea.

komljen avatar Apr 26 '18 07:04 komljen

@komljen exposing an ingress using internal load balancer + oauth proxy for services like kibana is a must. A note in the helm docs explaining how to do this will be required

gianrubio avatar Apr 26 '18 08:04 gianrubio

Yeah, I completely agree on that :)

komljen avatar Apr 26 '18 13:04 komljen

It would be great to have docs on this. =)

stevesloka avatar Jul 07 '18 03:07 stevesloka

I wrote a blog post on this topic a few days ago https://akomljen.com/protect-kubernetes-external-endpoints-with-oauth2-proxy/. We could add the same instructions in some docs in this repo for Kibana deployed with the operator.

komljen avatar Jul 19 '18 21:07 komljen