elasticsearch kibana google-kubernetes-engine kubernetes-ingress elastic-cloud

Exposing Kibana behind GCE ingress (UNHEALTHY state)

I'm trying to expose Kibana behind of a GCE ingress, but the ingress is reporting the kibana service as UNHEALTHY while it is healthy and ready. Just note that the healthcheck created by the Ingress is still using the default value HTTP on the root / and Port: ex:32021. Changing the healthcheck in GCP console to HTTPS on /login and Port: 5601 doesn't change anything and the service is still reported as Unhealthy. The healthcheck port is also being overwritten to the original value, which is strange. I'm using ECK 1.3.1 and below are my configs. I'm I missing anything? Thank you in advance.

apiVersion: elasticsearch.k8s.elastic.co/v1beta1
kind: Elasticsearch
metadata:
  name: d3m0
spec:
  version: 7.10.1
  nodeSets:
  - name: default
    count: 1
    config:
      node.store.allow_mmap: false
---
apiVersion: kibana.k8s.elastic.co/v1beta1
kind: Kibana
metadata:
  name: d3m0
spec:
  version: 7.10.1
  count: 1
  elasticsearchRef:
    name: d3m0
  podTemplate:
    metadata:
      labels:
        kibana: node
    spec:
      containers:
      - name: kibana
        resources:
          limits:
            memory: 1Gi
            cpu: 1
        readinessProbe:
          httpGet:
            scheme: HTTPS
            path: "/login"
            port: 5601
  http:
    service:
      spec:
        type: NodePort
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: kibana-ingress
spec:
  backend:
      serviceName: d3m0-kb-http
      servicePort: 5601

Solution

When using ECK, all the security feature are enabled on ES and Kibana, which means that their services do not accept HTTP traffic used by the default GCP loadbalancer Healthcheck. You must add the required annotations to the services and override the healthcheck paths as in the code below. Please find more details here.

    apiVersion: kibana.k8s.elastic.co/v1
    kind: Kibana
    metadata:
      name: d3m0
    spec:
      version: 7.10.1
      count: 1
      elasticsearchRef:
        name: d3m0
      http:
        service:
          metadata:
            labels:
              app: kibana
            annotations:
              # Enable TLS between GCLB and the application
              cloud.google.com/app-protocols: '{"https":"HTTPS"}'
              service.alpha.kubernetes.io/app-protocols: '{"https":"HTTPS"}'
              # Uncomment the following line to enable container-native load balancing.
              cloud.google.com/neg: '{"ingress": true}'
    
      podTemplate:
        metadata:
          labels:
            name: kibana-fleet
        spec:
          containers:
          - name: kibana
            resources:
              limits:
                memory: 1Gi
                cpu: 1
            readinessProbe:
                  # Override the readiness probe as GCLB reuses it for its own healthchecks
                  httpGet:
                    scheme: HTTPS
                    path: "/login"
                    port: 5601