
[kibana] initContainer: configure-kibana-token: Back-off restarting failed container:


Chart version: 8.4.1 (from the main branch at this point in history)

Kubernetes version: 1.21

Kubernetes provider: GKE (Google Kubernetes Engine)

Describe the bug: Kibana’s initContainer configure-kibana-token keeps crashing forever.

Steps to reproduce:

  1. Deploy elasticsearch 8 helm chart and enable security features (username/password + SSL)
  2. Deploy kibana 8 helm chart and reference the appropriate elasticsearch credentials and certificates secrets
  3. After kibana’s pod successfully runs for the first time, delete it
  4. The new kibana pod will have its initContainer configure-kibana-token crashing forever.

Expected behavior: the new kibana pod will have its initContainer configure-kibana-token complete successfully.

Provide logs and/or server output (if relevant): configure-kibana-token initContainer logs before crashing:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (22) The requested URL returned error: 409 Conflict

This init container creates a token for kibana’s service account and saves it for kibana’s actual container.

If I run a similar command from within the elasticsearch pods:

curl -k -u "$ELASTIC_USERNAME:$ELASTIC_PASSWORD" -XPOST "https://localhost:9200/_security/service/elastic/kibana/credential/token/mykibana8-kibana?pretty"

I get the following response:

{
  "error" : {
    "root_cause" : [
      {
        "type" : "version_conflict_engine_exception",
        "reason" : "[service_account_token-elastic/kibana/mykibana8-kibana]: version conflict, document already exists (current version [1])",
        "index_uuid" : "zwuGuJcSS2OUs1ClsFdThB",
        "shard" : "0",
        "index" : ".security-7"
      }
    ],
    "type" : "version_conflict_engine_exception",
    "reason" : "[service_account_token-elastic/kibana/mykibana8-kibana]: version conflict, document already exists (current version [1])",
    "index_uuid" : "zwuGuJcSS2OUs1ClsFdThB",
    "shard" : "0",
    "index" : ".security-7"
  },
  "status" : 409
}

If I manually delete that token:

curl -k -u "$ELASTIC_USERNAME:$ELASTIC_PASSWORD" -XDELETE "https://localhost:9200/_security/service/elastic/kibana/credential/token/mykibana8-kibana?pretty"

{
  "found" : true
}

and then the pod can start. But again, if that pod dies, the next one will get stuck the same way.

Issue Analytics

  • State: closed
  • Created a year ago
  • Comments: 9 (6 by maintainers)

Top GitHub Comments

1 reaction
jmlrt commented, Nov 4, 2022

Indeed, I think the best solution is to use a pre-install job that:

  1. deletes the existing token matching the Helm chart release name
  2. creates a new token matching the Helm chart release name
  3. encodes the token in base64
  4. calls the K8S api to create a secret with the base64 encoded token

Then mount the secret into all kibana pods and finally remove the token + secret in a post-delete job.

I was already able to test the secret creation from a pod using k8s api.

Now, I’m trying to write a node JS script to do all the pre-install steps. I’m struggling a bit since that’s my first time looking at node and javascript 😉. This would have been a lot easier in Python for example, however, node is the only language interpreter installed into the Kibana Docker image and there is no jq to parse json so using bash is not an option 😦

PR in progress => https://github.com/elastic/helm-charts/pull/1720 (still a few things to fix 🤞🏻)
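
The four pre-install steps listed in the comment above, sketched in Node.js as an added example (not code from this thread or from the helm-charts PR). The `request(method, url, body)` transport, the in-memory `fakeElasticsearch` stand-in and the `<release>-es-token` Secret name are assumptions; a real transport would wrap `fetch` or `https` with the Elasticsearch credentials, the CA certificate and the pod's service-account bearer token.

```javascript
// Added example, not the chart's code. `request(method, url, body)` is a
// hypothetical transport resolving to { status, body }. fakeElasticsearch is a
// constructed stand-in: creating a name that already exists returns 409.
function fakeElasticsearch(existingNames = []) {
  const names = new Set(existingNames);
  let counter = 0;
  return async (method, url) => {
    const name = decodeURIComponent(url.split('/').pop());
    if (method === 'DELETE') {
      const found = names.delete(name);
      return { status: found ? 200 : 404, body: { found } };
    }
    if (names.has(name)) return { status: 409, body: { status: 409 } };
    names.add(name);
    const token = { name, value: `constructed-token-${++counter}` };
    return { status: 200, body: { created: true, token } };
  };
}

// Steps 1 and 2: delete any token left by a previous run, then create a new one.
async function rotateKibanaToken(esRequest, esUrl, tokenName) {
  const url = `${esUrl}/_security/service/elastic/kibana/credential/token/${encodeURIComponent(tokenName)}`;
  const del = await esRequest('DELETE', url);
  // 404 only means there was nothing to delete (first install).
  if (del.status !== 200 && del.status !== 404) throw new Error(`token delete failed: HTTP ${del.status}`);
  const created = await esRequest('POST', url);
  if (created.status !== 200 || !created.body.token) throw new Error(`token create failed: HTTP ${created.status}`);
  return created.body.token.value; // credential: never log it
}

// Step 3: base64-encode the token into a Secret manifest.
function buildTokenSecret(releaseName, namespace, tokenValue) {
  return {
    apiVersion: 'v1', kind: 'Secret', type: 'Opaque',
    metadata: { name: `${releaseName}-es-token`, namespace }, // name is an assumption
    data: { token: Buffer.from(tokenValue, 'utf8').toString('base64') },
  };
}

// Step 4: write the Secret; one left over from an earlier release is replaced.
async function preInstall({ esRequest, k8sRequest, esUrl, k8sUrl, releaseName, namespace }) {
  const token = await rotateKibanaToken(esRequest, esUrl, releaseName);
  const secret = buildTokenSecret(releaseName, namespace, token);
  const base = `${k8sUrl}/api/v1/namespaces/${namespace}/secrets`;
  let res = await k8sRequest('POST', base, secret);
  if (res.status === 409) res = await k8sRequest('PUT', `${base}/${secret.metadata.name}`, secret);
  if (res.status !== 200 && res.status !== 201) throw new Error(`secret write failed: HTTP ${res.status}`);
  return secret;
}
```

Because the token is created once per release and shared through the Secret, a restarted pod no longer issues its own create call and cannot hit the 409.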

1 reaction
jmlrt commented, Nov 3, 2022

Thanks, @mdnfiras, for submitting this issue and PR 👍🏻

Indeed, it seems I forgot to handle the case where a pod is destroyed in https://github.com/elastic/helm-charts/pull/1679.
