Chart version:
v7.3.2
Kubernetes version:
1.17.4
Kubernetes provider: E.g. GKE (Google Kubernetes Engine)
Custom
Helm Version:
3.1.2
helm get release output
NAME: sec-elasticsearch-group-master
LAST DEPLOYED: Mon Apr 20 10:13:41 2020
NAMESPACE: environment-1-platform
STATUS: deployed
REVISION: 4
USER-SUPPLIED VALUES:
antiAffinity: hard
antiAffinityTopologyKey: kubernetes.io/hostname
clusterHealthCheckParams: wait_for_status=green&timeout=1s
clusterName: sec-easier-elasticsearch
esConfig:
elasticsearch.yml: |
path.repo: "/backup/easier-data/" # to allow data backup
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/config/certs/elk-cert.p12
xpack.security.transport.ssl.truststore.path: /usr/share/elasticsearch/config/certs/elk-cert.p12
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.truststore.path: /usr/share/elasticsearch/config/certs/elk-cert.p12
xpack.security.http.ssl.keystore.path: /usr/share/elasticsearch/config/certs/elk-cert.p12
esJavaOpts: -Xmx1g -Xms1g
esMajorVersion: ""
extraEnvs:
Describe the bug:
The cluster starts the creation but never ends. Looking into the logs, there seems to exist a problem retrieving the user "easier" in my case.
"level": "ERROR", "component": "o.e.x.s.a.e.NativeUsersStore", "cluster.name": "sec-easier-elasticsearch", "node.name": "sec-easier-elasticsearch-master-1", "cluster.uuid": "8xY15pq0SGiSdiF366INZA", "node.id": "AaszF7y3TdWX7Lv-1ESKzw", "message": "security index is unavailable. short circuiting retrieval of user [easier]" }
Even if in my values.yaml I have the lines for the user/password and the secrets created in my cluster:
extraEnvs:
- name: ELASTIC_PASSWORD
valueFrom:
secretKeyRef:
name: elastic-credentials
key: password
- name: ELASTIC_USERNAME
valueFrom:
secretKeyRef:
name: elastic-credentials
key: username
If I connect manually to the cluster, node by node, creating the user/password manually:
bin/x-pack/users useradd admin -r superuser -p CHANGE-ME
Steps to reproduce:
1.helm install sec-elasticsearch-group-master -v values-master-secure.yaml ./
2.two nodes are created
3.look for the error in one of the nodes
Expected behavior:
The cluster is created with user and password from values.yaml and secrets.
by the way... internally in the container, I can see the two ENV Variables passed:
ELASTIC_USERNAME=easier
ELASTIC_PASSWORD=CHANGEME
by the way, is it secure to have user/password clear in ENV variables?
Yes, having them in the container is fine, they get mounted by K8's secret. You should setup rbac, so that unauthorized people can't exec into the container.
I had the exact same problem -- had to exec into the container and run
./elasticsearch-setup-passwords interactive -u https://[name].[namespace].svc.cluster.local:9200
After this
curl -k -u $ELASTIC_USERNAME:$ELASTIC_PASSWORD 'https://[name].[namespace].svc.cluster.local:9200/'
worked -- should not return an error but a valid json
The chart should probably be patched to handle this -- in the short term, it would be good to at least put info into the NOTES.txt to let people know that they need to do this. In the longer term, the chart (stateful set.yaml?) should be patched to do this automatically.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Yes, having them in the container is fine, they get mounted by K8's secret. You should setup rbac, so that unauthorized people can't exec into the container.
I had the exact same problem -- had to exec into the container and run
./elasticsearch-setup-passwords interactive -u https://[name].[namespace].svc.cluster.local:9200
After this
curl -k -u $ELASTIC_USERNAME:$ELASTIC_PASSWORD 'https://[name].[namespace].svc.cluster.local:9200/'
worked -- should not return an error but a valid json
I'm running into a similar issue. Everything works with the default username:password but when I exec into the container to change the password, I am getting Failed to establish SSL connection error.
I've looked at the trouble shooting guide and have the keystore mounts configured correctly I think. any ideas?
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
This issue has been automatically closed because it has not had recent activity since being marked as stale.
Most helpful comment
The chart should probably be patched to handle this -- in the short term, it would be good to at least put info into the NOTES.txt to let people know that they need to do this. In the longer term, the chart (stateful set.yaml?) should be patched to do this automatically.