Temporal can't connect to Elasticsearch with enabled TLS #4695

Closed
ganievs opened this issue Jul 27, 2023 · 7 comments

ganievs commented Jul 27, 2023

Expected Behavior

Temporal cluster establishes connection with Elasticsearch.

Actual Behavior

"no ElasticSearch node available"

Steps to Reproduce the Problem

  1. Set up Elastic version 8 with TLS enabled on the HTTP layer
  2. Set scheme: "https" in Temporal server config
        elasticsearch:
          version: "v8"
          url:
            scheme: "https"

Specifications

  • Temporal Version: 1.21.3
  • Elasticsearch Version: 8.6.2
  • Platform: Kubernetes

ganievs commented Jul 27, 2023

Hi all! Seems like the client library that you're using doesn't have actual support for version 8 of Elasticsearch and is not maintained anymore: olivere/elastic#1533.
Do you have any plans to move to the official lib?

alexshtin changed the title from "Temporal can't connect to Elastic with enabled TLS" to "Temporal can't connect to Elasticsearch with enabled TLS" on Jul 28, 2023

rodrigozhou commented Jul 30, 2023

Did you set up the certs correctly? Are they from a known issuer?
Please provide more details of how you tried to set it up.


ganievs commented Jul 31, 2023

I do requests to the Elasticsearch API from my host with the same credentials and everything works.
Also, I use https://github.com/prometheus-community/elasticsearch_exporter which connects to the Elasticsearch instance and it also works well. Based on this, I can say that the certificates are configured correctly.

> Are they from a known issuer?

Yes, I used Let's Encrypt for certificate request

@rodrigozhou

Can you share your config? Does it look like this?

      elasticsearch:
        version: "v8"
        url:
          scheme: "https"
          host: "127.0.0.1:9200"
        username: <username>
        password: <password>


ganievs commented Jul 31, 2023

> Can you share your config?

Unfortunately, I destroyed a test environment with the setup. If it would help, I'll spin up the env later and give you debug info.

> Does it look like this?

Yes, it is.

@rodrigozhou

I followed these steps to set up ES with certs and authentication, and it worked.

In those instructions, it uses the ES tool to generate certs which are not from a known issuer, so I had to set a custom HTTP client on Temporal Server that skips this check. Something like this:

      temporal.NewServer(
        temporal.WithElasticsearchHttpClient(
          &http.Client{
            Transport: &http.Transport{
              // Disables verification of the Elasticsearch server certificate.
              TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
            },
          },
        ),
      )
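
An alternative to skipping verification, as an added example that is not part of the original comment or of Temporal's code: an HTTP client that trusts the certificate generated for Elasticsearch, so verification stays on. `newESClient`, `get` and `demo` are hypothetical names, and the local `httptest` server is a constructed stand-in for an Elasticsearch node with a self-signed certificate.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// newESClient returns a client that trusts only the CA certificates in caPEM.
// InsecureSkipVerify is left at false, so chain and host name are still checked.
func newESClient(caPEM []byte) (*http.Client, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, errors.New("CA bundle contains no PEM certificates")
	}
	cfg := &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}, nil
}

// get performs one request and reports only whether it succeeded.
func get(c *http.Client, url string) error {
	resp, err := c.Get(url)
	if err == nil {
		resp.Body.Close()
	}
	return err
}

// demo starts a local HTTPS server with a self-signed certificate and returns
// the request error for a client that trusts it and for one using default roots.
func demo() (trusted, untrusted error) {
	srv := httptest.NewTLSServer(http.NotFoundHandler())
	defer srv.Close()
	caPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
	c, err := newESClient(caPEM)
	if err != nil {
		return err, nil
	}
	return get(c, srv.URL), get(&http.Client{Transport: &http.Transport{}}, srv.URL)
}

func main() { fmt.Println(demo()) }
```

The client returned by `newESClient` can be passed to `temporal.WithElasticsearchHttpClient` in place of the one in the comment above, with `caPEM` read from the CA file produced by the Elasticsearch certificate tool.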


ganievs commented Aug 20, 2023

I also confirm that works! Would be helpful to mention the ability to define a custom HTTP client for Elasticsearch in server-options on docs.temporal.io.

ganievs closed this as completed on Aug 20, 2023