.Values.secret.enabled is set to true but `elastic-credential` secret is not created
Chart version: 7.15.0
Kubernetes version: 1.21
Kubernetes provider: LKE (Linode Kubernetes Engine)
Helm Version: version.BuildInfo{Version:"v3.7.0", GitCommit:"eeac83883cb4014fe60267ec6373570374ce770b", GitTreeState:"clean", GoVersion:"go1.16.8"}
Output of helm get release:
NAME: elasticsearch-master
LAST DEPLOYED: Wed Dec 29 12:45:36 2021
NAMESPACE: efk
STATUS: failed
REVISION: 2
USER-SUPPLIED VALUES:
clusterHealthCheckParams: wait_for_status=yellow&timeout=30s
clusterName: es-dev
esConfig:
elasticsearch.yml: |
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.certificate: /usr/share/elasticsearch/config/certs/tls.crt
xpack.security.transport.ssl.key: /usr/share/elasticsearch/config/certs/tls.key
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.certificate: /usr/share/elasticsearch/config/certs/tls.crt
xpack.security.http.ssl.key: /usr/share/elasticsearch/config/certs/tls.key
gateway.auto_import_dangling_indices: true
nodeGroup: master
persistence:
enabled: false
replicas: 1
roles:
data: "false"
ingest: "false"
master: "true"
ml: "false"
remote_cluster_client: "false"
secret:
enabled: true
password: changethis
secretMounts:
- defaultMode: 493
name: es-certs
path: /usr/share/elasticsearch/config/certs
secretName: tlscertsecret
COMPUTED VALUES:
antiAffinity: hard
antiAffinityTopologyKey: kubernetes.io/hostname
clusterHealthCheckParams: wait_for_status=yellow&timeout=30s
clusterName: es-dev
enableServiceLinks: true
envFrom: []
esConfig:
elasticsearch.yml: |
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.certificate: /usr/share/elasticsearch/config/certs/tls.crt
xpack.security.transport.ssl.key: /usr/share/elasticsearch/config/certs/tls.key
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.certificate: /usr/share/elasticsearch/config/certs/tls.crt
xpack.security.http.ssl.key: /usr/share/elasticsearch/config/certs/tls.key
gateway.auto_import_dangling_indices: true
esJavaOpts: ""
esMajorVersion: ""
extraContainers: []
extraEnvs: []
extraInitContainers: []
extraVolumeMounts: []
extraVolumes: []
fsGroup: ""
fullnameOverride: ""
healthNameOverride: ""
hostAliases: []
httpPort: 9200
image: docker.elastic.co/elasticsearch/elasticsearch
imagePullPolicy: IfNotPresent
imagePullSecrets: []
imageTag: 7.15.0
ingress:
annotations: {}
enabled: false
hosts:
- host: chart-example.local
paths:
- path: /
tls: []
initResources: {}
keystore: []
labels: {}
lifecycle: {}
masterService: ""
maxUnavailable: 1
minimumMasterNodes: 2
nameOverride: ""
networkHost: 0.0.0.0
networkPolicy:
http:
enabled: false
transport:
enabled: false
nodeAffinity: {}
nodeGroup: master
nodeSelector: {}
persistence:
annotations: {}
enabled: false
labels:
enabled: false
podAnnotations: {}
podManagementPolicy: Parallel
podSecurityContext:
fsGroup: 1000
runAsUser: 1000
podSecurityPolicy:
create: false
name: ""
spec:
fsGroup:
rule: RunAsAny
privileged: true
runAsUser:
rule: RunAsAny
seLinux:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
volumes:
- secret
- configMap
- persistentVolumeClaim
- emptyDir
priorityClassName: ""
protocol: http
rbac:
create: false
serviceAccountAnnotations: {}
serviceAccountName: ""
readinessProbe:
failureThreshold: 3
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 3
timeoutSeconds: 5
replicas: 1
resources:
limits:
cpu: 1000m
memory: 2Gi
requests:
cpu: 1000m
memory: 2Gi
roles:
data: "false"
ingest: "false"
master: "true"
ml: "false"
remote_cluster_client: "false"
schedulerName: ""
secret:
enabled: true
password: some-Password-Goes-Here
secretMounts:
- defaultMode: 493
name: es-certs
path: /usr/share/elasticsearch/config/certs
secretName: tlscertsecret
securityContext:
capabilities:
drop:
- ALL
runAsNonRoot: true
runAsUser: 1000
service:
annotations: {}
enabled: true
externalTrafficPolicy: ""
httpPortName: http
labels: {}
labelsHeadless: {}
loadBalancerIP: ""
loadBalancerSourceRanges: []
nodePort: ""
transportPortName: transport
type: ClusterIP
sysctlInitContainer:
enabled: true
sysctlVmMaxMapCount: 262144
terminationGracePeriod: 120
tests:
enabled: true
tolerations: []
transportPort: 9300
updateStrategy: RollingUpdate
volumeClaimTemplate:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 30Gi
HOOKS:
---
# Source: elasticsearch/templates/test/test-elasticsearch-health.yaml
apiVersion: v1
kind: Pod
metadata:
name: "elasticsearch-master-ggmqr-test"
annotations:
"helm.sh/hook": test
"helm.sh/hook-delete-policy": hook-succeeded
spec:
securityContext:
fsGroup: 1000
runAsUser: 1000
containers:
- name: "elasticsearch-master-rspsc-test"
image: "docker.elastic.co/elasticsearch/elasticsearch:7.15.0"
imagePullPolicy: "IfNotPresent"
command:
- "sh"
- "-c"
- |
#!/usr/bin/env bash -e
curl -XGET --fail 'es-dev-master:9200/_cluster/health?wait_for_status=yellow&timeout=30s'
restartPolicy: Never
MANIFEST:
---
# Source: elasticsearch/templates/poddisruptionbudget.yaml
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
name: "es-dev-master-pdb"
spec:
maxUnavailable: 1
selector:
matchLabels:
app: "es-dev-master"
---
# Source: elasticsearch/templates/configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: es-dev-master-config
labels:
heritage: "Helm"
release: "elasticsearch-master"
chart: "elasticsearch"
app: "es-dev-master"
data:
elasticsearch.yml: |
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.certificate: /usr/share/elasticsearch/config/certs/tls.crt
xpack.security.transport.ssl.key: /usr/share/elasticsearch/config/certs/tls.key
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.certificate: /usr/share/elasticsearch/config/certs/tls.crt
xpack.security.http.ssl.key: /usr/share/elasticsearch/config/certs/tls.key
gateway.auto_import_dangling_indices: true
---
# Source: elasticsearch/templates/service.yaml
kind: Service
apiVersion: v1
metadata:
name: es-dev-master
labels:
heritage: "Helm"
release: "elasticsearch-master"
chart: "elasticsearch"
app: "es-dev-master"
annotations:
{}
spec:
type: ClusterIP
selector:
release: "elasticsearch-master"
chart: "elasticsearch"
app: "es-dev-master"
ports:
- name: http
protocol: TCP
port: 9200
- name: transport
protocol: TCP
port: 9300
---
# Source: elasticsearch/templates/service.yaml
kind: Service
apiVersion: v1
metadata:
name: es-dev-master-headless
labels:
heritage: "Helm"
release: "elasticsearch-master"
chart: "elasticsearch"
app: "es-dev-master"
annotations:
service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
spec:
clusterIP: None # This is needed for statefulset hostnames like elasticsearch-0 to resolve
# Create endpoints also if the related pod isn't ready
publishNotReadyAddresses: true
selector:
app: "es-dev-master"
ports:
- name: http
port: 9200
- name: transport
port: 9300
---
# Source: elasticsearch/templates/statefulset.yaml
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: es-dev-master
labels:
heritage: "Helm"
release: "elasticsearch-master"
chart: "elasticsearch"
app: "es-dev-master"
annotations:
esMajorVersion: "7"
spec:
serviceName: es-dev-master-headless
selector:
matchLabels:
app: "es-dev-master"
replicas: 1
podManagementPolicy: Parallel
updateStrategy:
type: RollingUpdate
template:
metadata:
name: "es-dev-master"
labels:
release: "elasticsearch-master"
chart: "elasticsearch"
app: "es-dev-master"
annotations:
configchecksum: f85d81b267bf8c791e8dd810a158606c66d1e38424c9cf453a958041336669e
spec:
securityContext:
fsGroup: 1000
runAsUser: 1000
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app
operator: In
values:
- "es-dev-master"
topologyKey: kubernetes.io/hostname
terminationGracePeriodSeconds: 120
volumes:
- name: es-certs
secret:
secretName: tlscertsecret
defaultMode: 493
- name: esconfig
configMap:
name: es-dev-master-config
enableServiceLinks: true
initContainers:
- name: configure-sysctl
securityContext:
runAsUser: 0
privileged: true
image: "docker.elastic.co/elasticsearch/elasticsearch:7.15.0"
imagePullPolicy: "IfNotPresent"
command: ["sysctl", "-w", "vm.max_map_count=262144"]
resources:
{}
containers:
- name: "elasticsearch"
securityContext:
capabilities:
drop:
- ALL
runAsNonRoot: true
runAsUser: 1000
image: "docker.elastic.co/elasticsearch/elasticsearch:7.15.0"
imagePullPolicy: "IfNotPresent"
readinessProbe:
exec:
command:
- sh
- -c
- |
#!/usr/bin/env bash -e
# If the node is starting up wait for the cluster to be ready (request params: "wait_for_status=yellow&timeout=30s" )
# Once it has started only check that the node itself is responding
START_FILE=/tmp/.es_start_file
# Disable nss cache to avoid filling dentry cache when calling curl
# This is required with Elasticsearch Docker using nss < 3.52
export NSS_SDB_USE_CACHE=no
http () {
local path="${1}"
local args="${2}"
set -- -XGET -s
if [ "$args" != "" ]; then
set -- "$@" $args
fi
if [ -n "${ELASTIC_USERNAME}" ] && [ -n "${ELASTIC_PASSWORD}" ]; then
set -- "$@" -u "${ELASTIC_USERNAME}:${ELASTIC_PASSWORD}"
fi
curl --output /dev/null -k "$@" "http://127.0.0.1:9200${path}"
}
if [ -f "${START_FILE}" ]; then
echo 'Elasticsearch is already running, lets check the node is healthy'
HTTP_CODE=$(http "/" "-w %{http_code}")
RC=$?
if [[ ${RC} -ne 0 ]]; then
echo "curl --output /dev/null -k -XGET -s -w '%{http_code}' \${BASIC_AUTH} http://127.0.0.1:9200/ failed with RC ${RC}"
exit ${RC}
fi
# ready if HTTP code 200, 503 is tolerable if ES version is 6.x
if [[ ${HTTP_CODE} == "200" ]]; then
exit 0
elif [[ ${HTTP_CODE} == "503" && "7" == "6" ]]; then
exit 0
else
echo "curl --output /dev/null -k -XGET -s -w '%{http_code}' \${BASIC_AUTH} http://127.0.0.1:9200/ failed with HTTP code ${HTTP_CODE}"
exit 1
fi
else
echo 'Waiting for elasticsearch cluster to become ready (request params: "wait_for_status=yellow&timeout=30s" )'
if http "/_cluster/health?wait_for_status=yellow&timeout=30s" "--fail" ; then
touch ${START_FILE}
exit 0
else
echo 'Cluster is not yet ready (request params: "wait_for_status=yellow&timeout=30s" )'
exit 1
fi
fi
failureThreshold: 3
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 3
timeoutSeconds: 5
ports:
- name: http
containerPort: 9200
- name: transport
containerPort: 9300
resources:
limits:
cpu: 1000m
memory: 2Gi
requests:
cpu: 1000m
memory: 2Gi
env:
- name: node.name
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: cluster.initial_master_nodes
value: "es-dev-master-0,"
- name: discovery.seed_hosts
value: "es-dev-master-headless"
- name: cluster.name
value: "es-dev"
- name: network.host
value: "0.0.0.0"
- name: node.data
value: "false"
- name: node.ingest
value: "false"
- name: node.master
value: "true"
- name: node.ml
value: "false"
- name: node.remote_cluster_client
value: "false"
volumeMounts:
- name: es-certs
mountPath: /usr/share/elasticsearch/config/certs
- name: esconfig
mountPath: /usr/share/elasticsearch/config/elasticsearch.yml
subPath: elasticsearch.yml
NOTES:
1. Watch all cluster members come up.
$ kubectl get pods --namespace=efk -l app=es-dev-master -w
2. Test cluster health using Helm test.
$ helm --namespace=efk test elasticsearch-master
Describe the bug: The `elastic-credential` Secret object is not created despite setting `secret.enabled` to `true`
Steps to reproduce:

1. Set up your `values.yaml` as shown here:

```yaml
clusterHealthCheckParams: "wait_for_status=yellow&timeout=30s"
esConfig:
  elasticsearch.yml: |
    xpack.security.enabled: true
    xpack.security.transport.ssl.enabled: true
    xpack.security.transport.ssl.certificate: /usr/share/elasticsearch/config/certs/tls.crt
    xpack.security.transport.ssl.key: /usr/share/elasticsearch/config/certs/tls.key
    xpack.security.transport.ssl.verification_mode: certificate
    xpack.security.http.ssl.enabled: true
    xpack.security.http.ssl.certificate: /usr/share/elasticsearch/config/certs/tls.crt
    xpack.security.http.ssl.key: /usr/share/elasticsearch/config/certs/tls.key
    gateway.auto_import_dangling_indices: true
secretMounts:
  - name: es-certs
    secretName: tlscertsecret
    path: /usr/share/elasticsearch/config/certs
    defaultMode: 0755
clusterName: es-dev
nodeGroup: "master"
replicas: 1
roles:
  master: "true"
  data: "false"
  ingest: "false"
  remote_cluster_client: "false"
  ml: "false"
secret:
  enabled: true
  password: "some-Secret-Password-Goes-Here"
```

2. Execute `helm upgrade`.
3. Execute `kubectl get secrets | grep elastic-secret`.

Expected behavior: The `elastic-credential` secret gets created and is found when step 3 ☝️ is executed
Issue Analytics
- State:
- Created 2 years ago
- Comments:5 (3 by maintainers)
Top GitHub Comments
This feature has not been released yet!
As you can see on https://github.com/elastic/helm-charts/blob/7.15/elasticsearch/values.yaml , there is no such values field!
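The cause named in the comment above, a values key that the deployed chart version does not declare, can be caught before relying on it. The following is an added example, not code from the issue or from the chart: it compares the top-level keys of the user-supplied values with the chart's defaults and checks whether any `Secret` was rendered. The sample strings are constructed and abbreviated from the issue; in practice they would come from `helm show values`, `helm get values` and `helm get manifest`.

```python
import re

# Constructed samples, abbreviated from the values and manifest quoted in the issue.
CHART_DEFAULTS = """\
clusterName: "elasticsearch"
replicas: 3
esConfig: {}
secretMounts: []
roles: {}
"""
USER_VALUES = """\
clusterName: es-dev
replicas: 1
secret:
  enabled: true
secretMounts:
  - name: es-certs
"""
MANIFEST = """\
---
kind: ConfigMap
---
kind: Service
---
kind: StatefulSet
"""

def top_level_keys(yaml_text):
    """Keys at column 0; enough for a values file, not a general YAML parser."""
    return set(re.findall(r"^([A-Za-z_][\w.-]*):", yaml_text, re.MULTILINE))

def unknown_keys(user_values, chart_defaults):
    """User-supplied top-level keys that the chart's values.yaml never declares."""
    return sorted(top_level_keys(user_values) - top_level_keys(chart_defaults))

def rendered_kinds(manifest):
    """The kind of every document in a multi-document manifest (column 0 only)."""
    return re.findall(r"^kind:\s*(\S+)", manifest, re.MULTILINE)

def audit(user_values, chart_defaults, manifest):
    """Report keys the chart silently ignores and whether a Secret was rendered."""
    return {"ignored_keys": unknown_keys(user_values, chart_defaults),
            "secret_rendered": "Secret" in rendered_kinds(manifest)}

if __name__ == "__main__":
    print(audit(USER_VALUES, CHART_DEFAULTS, MANIFEST))
```

Helm merges undeclared keys into the computed values without a warning unless the chart ships a values schema, so a non-empty `ignored_keys` list is the signal to check the chart version before assuming a credential exists.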
I am having this problem in the current version. I want to set a password for Elasticsearch, for port 9200. However, I tried the definitions above and failed. How can we set a password for Elasticsearch?