After performing etcd encryption on a cluster with OpenShift self-managed (on-prem) 4.12, we have detected that every seven days the API server performs a key rotation that seems to be noticeable to the Elasticsearch operators. This causes the ES operators to trigger a restart of the Elasticsearch pods.
According to the Red Hat documentation https://docs.openshift.com/container-platform/4.12/security/encrypting-etcd.html it seems that the encryption affects some objects like secrets or configmaps... Our understanding is that the ES operator is sensitive to this process and causes a restart of the ES pods...
Is this the expected behaviour? Could we avoid this behaviour?
Here is the ES configuration:
```yaml
apiVersion: elasticsearch.k8s.elastic.co/v1beta1
kind: Elasticsearch
metadata:
  name: elastic-elasticsearch
spec:
  version: 7.10.1
  nodeSets:
  ######################################################
  #                    MASTER NODE                     #
  ######################################################
  - name: master-node
    count: 1
    config:
      node.roles: ["master","data","ingest"]
      node.store.allow_mmap: true
      xpack.monitoring.enabled: true
      xpack.monitoring.collection.enabled: true
    podTemplate:
      metadata:
        name: elastic-elasticsearch
      spec:
        initContainers:
        - name: sysctl
          securityContext:
            privileged: true
          command: ['sh', '-c', 'sysctl -w vm.max_map_count=262144']
        containers:
  http:
    service:
      spec:
        type: ClusterIP
```
Thanks in advance!