-
Notifications
You must be signed in to change notification settings - Fork 719
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ECK operator gets 401 Unauthorized when trying to setup Fleet Server #6144
Comments
Did you ever figure this out? I'm seeing the same issue |
I'm not sure what fixed it for me, but I:
Finally it somehow worked. |
I believe its still an issue for however our workaround is to just delete the ECK Operator pod after deploying the Agent resource and then after the ECK operator pod is recreated, Fleet server and then the regular agents are created without issue. Once I upgrade to 2.6.x, i'll have to see if its still something we have to do. |
Huh; I finally found I had some bad ServiceAccount definitions (wrong
namespace) which I fixed and then this issue went away, and the fleet
server and agents all started up, but kibana doesn't seem to know that
there is a fleet server. This is probably all just 'cause of stuff I don't
understand, though, so I'll keep tinkering.
Richard
…On Mon, Feb 6, 2023 at 3:02 AM Alex Resnick ***@***.***> wrote:
I believe its still an issue for however our workaround is to just delete
the ECK Operator pod after deploying the Agent resource and then after the
ECK operator pod is recreated, Fleet server and then the regular agents are
created without issue. Once I upgrade to 2.6.x, i'll have to see if its
still something we have to do.
—
Reply to this email directly, view it on GitHub
<#6144 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AABWYTQ2UNHPPVFCISOKJNDWWDD4TANCNFSM6AAAAAARXPELPA>
.
You are receiving this because you commented.Message ID:
***@***.***>
|
I"m testing upgrade to 2.6.1 and it seems to have resolved the issue |
I have been on the 2.6.1 the whole time; it does seem to eventually resolve but I see it each time. I did have to roll back to an older fleet server version (8.5.3 instead of 8.6.1) to get it to come up, though |
I just use the RBAC configs straight from teh YAML from elastic so I don't seem to have an issue with Service Account stuff. IDK. I'm still seeing the 401s in the logs but it doesn't seem to be preventing Fleet server from coming up. |
#6331 Fleet/Agent on 8.6.x is a known issue, as it working to be resolved by the Agent team. When testing Fleet with ECK, the Fleet pod will restart a couple times on new installations as Kibana+Elasticsearch because fully healthy, but eventually this should succeed. If you continue to see issues once the above 2 issues are resolved, please feel free to re-open this issue. Thanks. |
THis issue was present with 8.5.1 as well and ECK 2.5 and I don't see how the issues u linked related to this issue. THis issue is with the ECK operator, not with the agents themselves as there is no agent, thats the whole issue. |
@legoguy1000 Perhaps I misunderstood the issue. I'll re-open and do some testing and update when I have more information. |
@legoguy1000 Can we get your full Kibana manifest/yaml to try an reproduce this please? also is there anything special about this certificate?
Also, are you bringing up ES/Kibana/Fleet all at the same time, or ES/Kibana first, then Fleet at a later date? |
We use Ansible to deploy everything. First Elasticsearch is deployed and we wait until the cluster is green. Then Kibana, the logstash (via a regulard k8s deployment). Then we deploy fleet server and once fleet server is green, we deploy an agent daemonset.
The certificate is just a plain server certificate issued by Cert Manager via a self signed internal CA
|
@legoguy1000 So I tested this again, and here's what I saw:
Upon laying down the fleet server manifest, I see the 401 errors in the operator logs
This is expected, as some "association" credentials are being reconciled to the ES instance, which takes some time, and in my case, eventually succeed:
NOTE that it does take a couple minutes for the agent pod to show up in the namespace, but it eventually does show up, and becomes healthy without any intervention from myself. And I see the agent
And the pod running
Now I am curious about the actual values in this block when things fail for you, as you're behind a cloud loadbalancer:
Could you possibly run this eck-diagnostics tool when things are in this state so we can get a full view on the state of things? |
So that may be difficult as once I upgraded to eck 2.6.1 I haven't seen the issue anymore. I'm able to deploy fleet server and it comes up within a min or so without any action on my part. The template values are just internal and external IPs for the various agents inside and outside the k8s cluster. |
I got the same error, even I upgrade my eck operator version from 2.5.0 to 2.6.1 ! |
finally I found that my kibana config security setting, if I remove this setting then this error no longer occurs. |
What setting? |
Ran my above manifests with 2.5.0 of ECK operator, and had the exact same results. Eventually worked and all became healthy with no interaction from me. Will eventual close this if no more configuration details come to light from @totoroliu0131 |
I am still seeing this issue with ECK Operator 2.6.2 and using ELK 8.6.2. I am hosting on Openshift 4.11. |
@gbschenkel 2.7.0 is now available. There was an issue with certified release on the RedHat side of things. If you have a similar issue to this, please give full details as to your configuration, including full reproducible manifests so we can replicate the problem. Thank you |
Hi All, helm install eck-cr eck-custom-resources/eck-custom-resources-operator - this line created the operator pod and it's healthy.. but when create this index-template yaml and create/apply I'm getting 401 unauthorized error.. I changed the elasticsearch URL details in the values.yaml file, and updated the secrets also.. I have cross checked the secret I used is correct, though it's not working.. any suggestions? |
I found the solution (for me). I was copying the example manifests here but all of them use:
I just updated the manifests to use the namespace I deployed to and everything started working wonderfully on ECK-operator version 2.14.0 |
Bug Report
What did you do?
See https://discuss.elastic.co/t/elastic-agent-fleet-setup-unauthorized/317406
We are deploying an ECK cluster on a bare metal k8s cluster. These clusters are short lived and are rebuilt many times so not a permanent environment. This issue is very inconsistent but a lot of times when we deploy, Elasticsearch and Kibana deploy via ECK with no issues BUT when I try to deploy fleet server, the pod for the fleet server agent is never created. When the operator tries to call the Kibana API to setup fleet it returns the below errors. First a bunch of 401s and then eventually it says timeouts.
I have found that most of the time if I delete the ECK operator pod, when the pod is recreated it eventually works and the Fleet Server pod is created. I don't have any issues with the regular agents deployed via ECK once the fleet server is deployed
Also this issue seems to be far more prevalent when I have ECK use a local offline docker registry and there is no access to the internet but IDK if that is just coincidence.
What did you expect to see?
The Fleet server pod is created without issues.
What did you see instead? Under which circumstances?
Environment
2.4.0 and 2.5.0 (current)
k8s BareMetal v1.23
The text was updated successfully, but these errors were encountered: