cloud-on-k8s
ECK with Istio guidance causes failure when using xpack saml
Bug Report
What did you do? Following the guidance for using ECK with Istio causes a failure when implementing xpack SAML.
I'm looking to use SAML for use with Kibana which is exposed via an Istio ingress gateway. I'd also like to use an Istio ingress to expose the Elasticsearch API endpoint.
What did you expect to see?
Allow SAML to be used with Istio, following the instructions given on the ECK documentation.
Environment
- ECK version:
eck-operator:2.9.0
- Kubernetes information:
On prem - Vmware Tanzu K8s 1.23.17
```
Client Version: v1.28.3
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.23.17+vmware.1
```
- Resource definition:
```yaml
apiVersion: elasticsearch.k8s.elastic.co/v1
kind: Elasticsearch
metadata:
  name: monitoring
  namespace: elastic
spec:
  version: 8.10.4
  http:
    tls:
      selfSignedCertificate:
        disabled: true
  nodeSets:
  - name: default
    count: 1
    config:
      node.roles: ["master", "data", "ingest", "transform"]
      xpack.security.authc.realms:
        saml:
          saml1:
            attributes.principal: upn
            attributes.mail: email
            attributes.name: name
            idp.entity_id: <REDACTED>
            idp.metadata.path: <REDACTED>
            order: 2
            sp.acs: <REDACTED>
            sp.entity_id: <REDACTED>
            sp.logout: <REDACTED>
```
- Logs:
```
│ elasticsearch [2023-12-05T15:30:25,098][INFO ][o.e.x.m.p.l.CppLogMessageHandler] [monitoring-es-default-0] [controller/96] [Main.cc@123] controller (64 bit): Version 8.10.4 (Build 92832804c6da01) Copyright (c) 2023 Elasticsearch BV │
│ elasticsearch {"timestamp": "2023-12-05T15:30:25+00:00", "message": "readiness probe failed", "curl_rc": "7"} │
│ elasticsearch [2023-12-05T15:30:25,261][INFO ][o.e.x.s.Security ] [monitoring-es-default-0] Security is enabled │
│ elasticsearch [2023-12-05T15:30:26,097][ERROR][o.e.b.Elasticsearch ] [monitoring-es-default-0] fatal exception while booting Elasticsearch java.lang.IllegalStateException: security initialization failed │
│ elasticsearch at [email protected]/org.elasticsearch.xpack.security.Security.createComponents(Security.java:649) │
│ elasticsearch at [email protected]/org.elasticsearch.node.Node.lambda$new$16(Node.java:738) │
│ elasticsearch at [email protected]/org.elasticsearch.plugins.PluginsService.lambda$flatMap$1(PluginsService.java:261) │
│ elasticsearch at java.base/java.util.stream.ReferencePipeline$7$1.accept(ReferencePipeline.java:273) │
│ elasticsearch at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:197) │
│ elasticsearch at java.base/java.util.AbstractList$RandomAccessSpliterator.forEachRemaining(AbstractList.java:722) │
│ elasticsearch at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:509) │
│ elasticsearch at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:499) │
│ elasticsearch at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:575) │
│ elasticsearch at java.base/java.util.stream.AbstractPipeline.evaluateToArrayNode(AbstractPipeline.java:260) │
│ elasticsearch at java.base/java.util.stream.ReferencePipeline.toArray(ReferencePipeline.java:616) │
│ elasticsearch at java.base/java.util.stream.ReferencePipeline.toArray(ReferencePipeline.java:622) │
│ elasticsearch at java.base/java.util.stream.ReferencePipeline.toList(ReferencePipeline.java:627) │
│ elasticsearch at [email protected]/org.elasticsearch.node.Node.<init>(Node.java:754) │
│ elasticsearch at [email protected]/org.elasticsearch.node.Node.<init>(Node.java:338) │
│ elasticsearch at [email protected]/org.elasticsearch.bootstrap.Elasticsearch$2.<init>(Elasticsearch.java:234) │
│ elasticsearch at [email protected]/org.elasticsearch.bootstrap.Elasticsearch.initPhase3(Elasticsearch.java:234) │
│ elasticsearch at [email protected]/org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:72) │
│ elasticsearch Caused by: java.lang.IllegalStateException: SAML requires that the token service be enabled (xpack.security.authc.token.enabled) │
│ elasticsearch at [email protected]/org.elasticsearch.xpack.security.authc.saml.SamlRealm.create(SamlRealm.java:204) │
│ elasticsearch at [email protected]/org.elasticsearch.xpack.security.authc.InternalRealms.lambda$getFactories$5(InternalRealms.java:162) │
│ elasticsearch at [email protected]/org.elasticsearch.xpack.security.authc.Realms.initRealms(Realms.java:287) │
│ elasticsearch at [email protected]/org.elasticsearch.xpack.security.authc.Realms.<init>(Realms.java:108) │
│ elasticsearch at [email protected]/org.elasticsearch.xpack.security.Security.createComponents(Security.java:759) │
│ elasticsearch at [email protected]/org.elasticsearch.xpack.security.Security.createComponents(Security.java:637) │
│ elasticsearch ... 17 more │
│ elasticsearch │
│ elasticsearch ERROR: Elasticsearch did not exit normally - check the logs at /usr/share/elasticsearch/logs/monitoring.log │
│ elasticsearch │
│ elasticsearch ERROR: Elasticsearch exited unexpectedly, with exit code 1
```
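
A pre-deployment check for the boot failure in the log above, added here as an example (it is not part of the issue or of ECK): it flags node sets that define a SAML realm while HTTP TLS is disabled and `xpack.security.authc.token.enabled` is not set explicitly. It assumes the Elasticsearch default that the token service is on only when HTTP TLS is on, and that the manifest is already loaded into a dict; the function names and the sample manifest are constructed.

```python
def flatten(node, prefix=""):
    """Flatten nested config to dotted keys, so 'a.b: {c: 1}' and 'a.b.c: 1' compare equal."""
    flat = {}
    for key, value in (node or {}).items():
        path = f"{prefix}.{key}" if prefix else str(key)
        if isinstance(value, dict):
            flat.update(flatten(value, path))
        else:
            flat[path] = value
    return flat

def http_tls_disabled(spec):
    # Assumption: HTTP TLS is off when the self-signed cert is disabled and no custom cert is set.
    tls = (spec.get("http") or {}).get("tls") or {}
    self_signed_off = (tls.get("selfSignedCertificate") or {}).get("disabled") is True
    custom_cert = bool((tls.get("certificate") or {}).get("secretName"))
    return self_signed_off and not custom_cert

def saml_without_token_service(manifest):
    """Return names of nodeSets that define a SAML realm but would boot without the token service."""
    spec = manifest.get("spec") or {}
    if not http_tls_disabled(spec):
        return []  # with HTTP TLS on, the token service defaults to enabled
    failing = []
    for node_set in spec.get("nodeSets") or []:
        cfg = flatten(node_set.get("config"))
        has_saml = any(k.startswith("xpack.security.authc.realms.saml.") for k in cfg)
        token_on = cfg.get("xpack.security.authc.token.enabled") in (True, "true")
        if has_saml and not token_on:
            failing.append(node_set.get("name"))
    return failing

# Constructed sample mirroring the resource definition in the issue (redacted fields omitted).
ISSUE_MANIFEST = {
    "kind": "Elasticsearch",
    "spec": {
        "http": {"tls": {"selfSignedCertificate": {"disabled": True}}},
        "nodeSets": [{
            "name": "default",
            "config": {"xpack.security.authc.realms": {"saml": {"saml1": {"order": 2}}}},
        }],
    },
}

if __name__ == "__main__":
    print(saml_without_token_service(ISSUE_MANIFEST))
```

With the token service enabled and HTTP TLS disabled, bearer tokens are protected in transit only by the mesh's mutual TLS, so the namespace's Istio mTLS mode is worth confirming before rollout.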