health check not working to elastic cloud | C2C Community
Solved

  • 6 September 2022

Userlevel 3
Hello. I have an elastic cloud in Kubernetes and I would like to make the elastic service accessible from the internet, but I can't, because elastic needs a token to return 200 in the health check and I couldn't find where to pass the token. So my backend, which is elastic, always has unavailable status, because whenever the health check hits /_cat/health the status returned is 401.

Best answer by seijimanoan 8 September 2022, 21:05


Userlevel 6

@Julio_Costa How are you?

First off, I’m not sure if you can inject HTTP headers for Elasticsearch API key in the health check resource. Because your Elasticsearch has some security layer.

And Kubernetes services of Load Balancer type won’t require any health check.

IMHO the cluster health check shouldn’t be the health check for HTTP & HTTPS endpoints. You need to use the HTTP itself.

Userlevel 7

Hi @Julio_Costa,

have you checked @seijimanoan’s answer? Is it helpful?

Userlevel 3
I'm fine @seijimanoan, and you? My elastic has a protection layer that requires an API token to make any query in the system. I tested from a VM inside my VPC pointing to the elastic endpoint, and I was only able to get a 200 from /_cat/health if I pass the authentication token. From what I saw there is no way to bypass the check; the Google loadbalancer only activates if the health check returns a 200 response at least once. This is not an extremely important service for me, so I would not like to implement this health check in the loadbalancer, but it seems to be mandatory. Today I get a 502 when I try to access the elastic loadbalancer.
Userlevel 6

@Julio_Costa 

Why don’t you use a Kubernetes Service of LoadBalancer type on there?

Userlevel 3
Basically I expose via the node port of the deployment, and afterwards I create an ingress in the loadbalancer with this node port as the backend. I don't know if there is a simpler or better way to do this process, but I've always done it this way and it works.
Userlevel 6

@Julio_Costa 

So you don’t use any ingress controller like Nginx, Istio etc. Is it?

The NodePort service itself could be useful in some other scenarios. You can use LoadBalancer instead of NodePort like this:

apiVersion: v1
kind: Service
metadata:
  name: your-elk-svc
spec:
  type: LoadBalancer
  externalTrafficPolicy: Cluster
  selector:
    app: your-elk-deployment
  ports:
    - name: tcp-port
      protocol: TCP
      port: 8080
      targetPort: 8080

In this manner, you don’t need to create a LB to NodePort. You just have the service as its own LB.

Thoughts?

Userlevel 3
I do it via ingress because then I can configure a certificate and register a backend with a specific frontend, and it is GCP itself that controls the renewal of the certificate, so it becomes simpler via the ingress loadbalancer. I know I can do the publication directly with a loadbalancer, but then I will have the later work of configuring the certificate and keeping it updated.
Userlevel 6

I got it now. So, I believe it has a limitation with that approach. Because

A valid Kubernetes readiness probe supports setting multiple HTTP headers in readinessProbe.httpGet. If readinessProbe.httpGet.httpHeaders specifies more than just the Host header, the load balancer's health check parameters are set to default values instead of values inferred from the readiness probe. This limitation exists because health checks only support setting the Host header.

 

Source at here.

If you find some way to go, let us know.

Userlevel 7

Hi @Julio_Costa,

have you found a way to go, as @seijimanoan wrote?

Your post will be really informative for everyone.

Userlevel 3

Hi @ilias 

Unfortunately, via ingress loadbalancer, no. I had to do it only via a normal loadbalancer and register an SSL certificate manually. But I'm still looking to release a health endpoint in elastic that doesn't need authentication to return some 2xx status code.
Userlevel 7

Oh, I see.

@Julio_Costa  Let us know what is working for you, will you?

I’m really curious to see the solution to this problem. 🤔

Userlevel 3
@ilias What was done was a simple exposure of the loadbalancer type for port 9200 TCP of the pod, so there is an external IP that can reach the elastic interface. I didn't want to do it this way because I can't already configure an SSL certificate on the loadbalancer. I would like to do it via loadbalancer ingress, but it wasn't possible because of the health check. The configuration is basically:

apiVersion: v1
kind: Service
metadata:
  name: elastic-cloud
  labels:
    app: elastic
  annotations:
    cloud.google.com/neg: '{"exposed_ports": {"9200":{}}}'
spec:
  # type is a field of spec, not a top-level key
  type: LoadBalancer
  ports:
    - name: 9200-9200
      port: 9200
      protocol: TCP
      targetPort: 9200
  selector:
    app: elastic
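
One way to get the unauthenticated 2xx endpoint this thread was looking for, as an added example (not code from any poster, Elastic or Google): a small sidecar that makes the authenticated /_cat/health call itself and exposes only a fixed pass/fail answer, so the API key and cluster details never reach unauthenticated callers. The /healthz path, port 8080 and the ES_URL / ES_API_KEY environment variables are assumptions, and the load balancer health check would have to be pointed at this port.

```python
import os
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed names (not from the thread): ES_URL, ES_API_KEY, /healthz, port 8080.
ES_URL = os.environ.get("ES_URL", "http://127.0.0.1:9200/_cat/health")
ES_API_KEY = os.environ.get("ES_API_KEY", "")  # e.g. injected from a Secret
# Talk to the local pod directly, ignoring any proxy environment variables.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def upstream_status(url=ES_URL, api_key=ES_API_KEY, timeout=2.0):
    """HTTP status of the authenticated health call, or None if unreachable."""
    req = urllib.request.Request(url, headers={"Authorization": f"ApiKey {api_key}"})
    try:
        with OPENER.open(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # e.g. 401 when the key is missing or wrong
    except (urllib.error.URLError, OSError):
        return None

def probe_response(status):
    """Map the upstream status to a fixed answer; the upstream body is never relayed."""
    return (200, b"ok\n") if status == 200 else (503, b"unavailable\n")

class HealthHandler(BaseHTTPRequestHandler):
    check = staticmethod(upstream_status)

    def do_GET(self):
        if self.path != "/healthz":  # nothing else is exposed
            self.send_error(404)
            return
        code, body = probe_response(self.check())
        self.send_response(code)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        pass  # probes arrive every few seconds; keep the sidecar quiet

if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), HealthHandler).serve_forever()
```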