elastic / helm-charts

You know, for Kubernetes
Apache License 2.0

Readiness probe is failing because of bad SSL #1773

Open iRakic opened 1 year ago

iRakic commented 1 year ago

Chart version: 8.5.1
Kubernetes version: v1.25.5
Kubernetes provider: K8s (on prem / bare metal)
Helm Version: "v3.9.4"

values.yaml

---
antiAffinity: "soft"

# Shrink default JVM heap.
esJavaOpts: "-Xmx128m -Xms128m"

resources:
  requests:
    cpu: "1000m"
    memory: "6Gi"
  limits:
    cpu: "2000m"
    memory: "6Gi"

volumeClaimTemplate:
  accessModes: ["ReadWriteOnce"]
  storageClassName: cstor-disk-pool
  resources:
    requests:
      storage: 20Gi

protocol: https

service:
  enabled: true
  labels: {}
  labelsHeadless: {}
  type: ClusterIP
  # Consider that all endpoints are considered "ready" even if the Pods themselves are not
  # https://kubernetes.io/docs/reference/kubernetes-api/service-resources/service-v1/#ServiceSpec
  publishNotReadyAddresses: false
  nodePort: ""
  annotations: {}
  httpPortName: http
  transportPortName: transport
  loadBalancerIP: ""
  loadBalancerSourceRanges: []
  externalTrafficPolicy: ""

updateStrategy: RollingUpdate

podSecurityContext:
  fsGroup: 1000
  runAsUser: 1000

securityContext:
  capabilities:
    drop:
      - ALL
  # readOnlyRootFilesystem: true
  runAsNonRoot: true
  runAsUser: 1000

esConfig:
  elasticsearch.yml: |
    xpack.security.enabled: true
    xpack.security.transport.ssl.enabled: true
    xpack.security.transport.ssl.verification_mode: certificate

Provide logs and/or server output (if relevant):

Events:
  Type     Reason     Age                     From     Message
  ----     ------     ----                    ----     -------
  Warning  Unhealthy  2m13s (x19360 over 3d)  kubelet  Readiness probe failed: Waiting for elasticsearch cluster to become ready (request params: "wait_for_status=green&timeout=1s" )
Cluster is not yet ready (request params: "wait_for_status=green&timeout=1s" )

Inside the pod (exec): It's failing with https because the certificate is invalid:

[1] 144779
elasticsearch@elasticsearch-master-0:~$ curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

On http it's not working either:

elasticsearch@elasticsearch-master-0:~$ curl http://localhost:9200/_cluster/health?wait_for_status=green&timeout=1s
[1] 144849
elasticsearch@elasticsearch-master-0:~$ curl: (52) Empty reply from server

iRakic commented 1 year ago

I have created a pull request to address this: https://github.com/elastic/helm-charts/pull/1774
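
The pair of curl results reported in this issue (exit 60 over https, exit 52 over http) can be separated from other probe failures with a small diagnostic run inside the pod. This is an added example, not code from the issue, the pull request or the chart; ES_HOST, CA_FILE (a placeholder path) and the function names are assumptions.

```shell
# Added example. ES_HOST, CA_FILE and the function names are assumptions;
# CA_FILE is a placeholder for the CA that signed the HTTP-layer certificate.
ES_HOST="${ES_HOST:-localhost:9200}"
CA_FILE="${CA_FILE:-/path/to/ca.crt}"
HEALTH_PATH='/_cluster/health?wait_for_status=green&timeout=1s'

# Run curl quietly and return its exit code. The URL is always passed quoted:
# an unquoted '&' backgrounds curl (the "[1] 144849" job lines in the
# transcript) and cuts the query string at wait_for_status=green.
probe() {
  curl --silent --output /dev/null --max-time 5 "$@"
}

# Probe the port over verified HTTPS and over plain HTTP, then classify the
# pair of curl exit codes. Returns 0 only when the verified TLS request works.
# Exit 0 covers any HTTP status (including 401), so it describes the TLS
# layer, not cluster health.
diagnose() {
  https_rc=0
  http_rc=0
  probe --cacert "$CA_FILE" "https://${ES_HOST}${HEALTH_PATH}" || https_rc=$?
  probe "http://${ES_HOST}${HEALTH_PATH}" || http_rc=$?

  case "${https_rc}:${http_rc}" in
    0:*)   echo "ok: certificate chains to CA_FILE" ;;
    60:52) echo "tls-only listener is up; certificate fails verification against CA_FILE" ;;
    60:*)  echo "certificate fails verification against CA_FILE" ;;
    77:*)  echo "CA_FILE missing or unreadable" ;;
    35:0)  echo "listener speaks plain HTTP; https probe cannot succeed" ;;
    7:7)   echo "nothing listening on ${ES_HOST}" ;;
    *)     echo "unclassified: https=${https_rc} http=${http_rc}" ;;
  esac
  [ "$https_rc" -eq 0 ]
}

# Run only when asked, e.g.: CA_FILE=/path/to/ca.crt sh diagnose.sh --run
if [ "${1:-}" = "--run" ]; then
  diagnose
fi
```

The 60:52 result matches the transcript above: the server is up and answering only over TLS, and what is missing is a CA bundle the client can verify the certificate against.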