
K8s ECK Logstash Pod Connection Issue


The Elasticsearch (v2.9) pod and the Logstash pod are running in the same default namespace, named elastic-system, but the Elasticsearch pod is blocking all HTTP requests from the Logstash pod. The outputs are shared below:

Logstash Pod logs output:

[2023-11-03T10:57:39,092][WARN ][logstash.outputs.elasticsearch][main] Attempted to resurrect connection to dead ES instance, but got an error {:url=>"http://elastic:xxxxxx@quickstart-es-http:9200/", :exception=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError, :message=>"Elasticsearch Unreachable: [http://quickstart-es-http:9200/][Manticore::ClientProtocolException] quickstart-es-http:9200 failed to respond"}

Elasticsearch Pod logs output:

{"@timestamp":"2023-11-03T11:04:55.719Z", "log.level": "WARN", "message":"received plaintext http traffic on an https channel, closing connection Netty4HttpChannel{localAddress=/10.10.234.134:9200, remoteAddress=/10.10.234.158:60508}", "ecs.version": "1.2.0","service.name":"ES_ECS","event.dataset":"elasticsearch.server","process.thread.name":"elasticsearch[quickstart-es-default-0][transport_worker][T#1]","log.logger":"org.elasticsearch.http.netty4.Netty4HttpServerTransport","elasticsearch.cluster.uuid":"cLtrkFiZSXGk9Y7Vkh1dIA","elasticsearch.node.id":"ixrbei6lTcKEJhIxmhemJw","elasticsearch.node.name":"quickstart-es-default-0","elasticsearch.cluster.name":"quickstart"}

I have shared the persistent volume and Logstash YAML file below:

apiVersion: v1
kind: PersistentVolume
metadata:
  name: logstash-data
  labels:
    type: local
spec:
  storageClassName: ls-scn
  capacity:
    storage: 10Gi
  accessModes:
    - ReadWriteOnce
  hostPath:
    path: "/logstash/data"
---
apiVersion: logstash.k8s.elastic.co/v1alpha1
kind: Logstash
metadata:
  name: quickstart
spec:
  count: 1
  elasticsearchRefs:
    - name: quickstart
      clusterName: qs
  version: 8.10.2
  podTemplate:
    spec:
      containers:
        - name: logstash
          env:
            - name: ECK_CACRT
              value: 81FCA623ED460EA0832CB35AD73D9A87B2E9B323ACFF07B985451E815CABF3D2
  pipelines:
    - pipeline.id: main
      config.string: |
        input {
          beats {
            port => 5044
          }
        }
        output {
          elasticsearch {
            hosts => [ "quickstart-es-http" ]
            user => "elastic"
            password => "4PyI3513SR21cSHs7lj6GyN9"
            ca_trusted_fingerprint => "${ECK_CACRT}"
          }
        }
  services:
    - name: beats
      service:
        spec:
          type: NodePort
          ports:
            - port: 5044
              name: "filebeat"
              protocol: TCP
              targetPort: 5044
              nodePort: 32000

  volumeClaimTemplates:
    - metadata:
        name: logstash-data # Do not change this name unless you set up a volume mount for the data path.
      spec:
        accessModes:
          - ReadWriteOnce
        resources:
          requests:
            storage: 10Gi
        storageClassName: ls-scn

Solution

  • Solution: hosts in logstash.yaml should be set as below:

    output {
      elasticsearch {
        hosts => [ "https://quickstart-es-http:9200" ]
        user => "elastic"
        password => "4PyI3513SR21cSHs7lj6GyN9"
        ca_trusted_fingerprint => "${ECK_CACRT}"
      }
    }
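
The mismatch in this thread (a schemeless `hosts` entry that Logstash contacted over `http://` while Elasticsearch was listening for HTTPS) can be caught before deployment by linting the pipeline text. The Python check below is an added example, not part of the original post or of ECK; the sample configs are constructed from the question with the password replaced by a placeholder, and `ES_PASSWORD` is a hypothetical variable name.

```python
import re

# Constructed samples (placeholder password; ES_PASSWORD is a hypothetical name).
QUESTION_CONFIG = '''
output {
  elasticsearch {
    hosts => [ "quickstart-es-http" ]
    user => "elastic"
    password => "PLACEHOLDER-PASSWORD"
    ca_trusted_fingerprint => "${ECK_CACRT}"
  }
}
'''
FIXED_CONFIG = QUESTION_CONFIG.replace(
    '"quickstart-es-http"', '"https://quickstart-es-http:9200"'
).replace('"PLACEHOLDER-PASSWORD"', '"${ES_PASSWORD}"')


def es_blocks(config):
    """Yield the body of each `elasticsearch { ... }` plugin block.
    Braces inside quoted strings, such as "${ECK_CACRT}", are ignored."""
    for m in re.finditer(r'\belasticsearch\s*\{', config):
        depth, quote, i = 1, None, m.end()
        while i < len(config) and depth:
            c = config[i]
            if quote:
                quote = None if c == quote else quote
            elif c in '"\'':
                quote = c
            elif c in '{}':
                depth += 1 if c == '{' else -1
            i += 1
        yield config[m.end():i - 1]


def lint(config):
    """Return (rule, value) findings for each elasticsearch block."""
    findings = []
    for body in es_blocks(config):
        hosts = re.search(r'\bhosts\s*=>\s*(\[[^\]]*\]|"[^"]*")', body)
        for host in re.findall(r'"([^"]*)"', hosts.group(1) if hosts else ''):
            # No scheme or http:// means plaintext, which the HTTPS listener drops.
            if not host.startswith('${') and not host.lower().startswith('https://'):
                findings.append(('plaintext-host', host))
        pw = re.search(r'\bpassword\s*=>\s*"([^"]*)"', body)
        if pw and not pw.group(1).startswith('${'):
            findings.append(('inline-password', '<redacted>'))
    return findings

print(lint(QUESTION_CONFIG), lint(FIXED_CONFIG))
```

Hosts supplied through `${...}` variables are skipped because their value is only known at runtime, and escaped quotes inside strings are not handled.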