gislab-augsburg / helm-charts

it@M Helm Charts
https://artifacthub.io/packages/search?repo=it-at-m
MIT License

elasticsearch: podSecurityContext etc. #18

Open gislab-augsburg opened 3 months ago

gislab-augsburg commented 3 months ago

After 17e3df562ac25c30c90b6e7d97258277c10b8910

->

Event:

```
mb@nbo00370518:~/dave2/helm-charts/charts/dave$ oc get events
LAST SEEN   TYPE      REASON             OBJECT                                                              MESSAGE
6s          Normal    FailedBinding      persistentvolumeclaim/elasticsearch-master-elasticsearch-master-0   no persistent volumes available for this claim and no storage class is set
13s         Normal    SuccessfulCreate   statefulset/elasticsearch-master                                    create Claim elasticsearch-master-elasticsearch-master-0 Pod elasticsearch-master-0 in StatefulSet elasticsearch-master success
3s          Warning   FailedCreate       statefulset/elasticsearch-master                                    create Pod elasticsearch-master-0 in StatefulSet elasticsearch-master failed error: pods "elasticsearch-master-0" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, provider "zammad-scc": Forbidden: not usable by user or serviceaccount, provider restricted-v2: .spec.securityContext.fsGroup: Invalid value: []int64{1000}: 1000 is not an allowed group, provider restricted-v2: .containers[0].runAsUser: Invalid value: 1000: must be in the ranges: [1003100000, 1003109999], provider restricted: .spec.securityContext.fsGroup: Invalid value: []int64{1000}: 1000 is not an allowed group, provider restricted: .containers[0].runAsUser: Invalid value: 1000: must be in the ranges: [1003100000, 1003109999], provider "nonroot-v2": Forbidden: not usable by user or serviceaccount, provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, provider "elasticsearch-scc": Forbidden: not usable by user or serviceaccount, provider "log-collector-scc": Forbidden: not usable by user or serviceaccount, provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount, provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user or serviceaccount, provider "mattermost-team-edition": Forbidden: not usable by user or serviceaccount, provider "node-exporter": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount, provider "trident": Forbidden: not usable by user or serviceaccount]
```

With elasticsearch 7.17.9 there is no `podSecurityContext: enabled: false` etc. The corresponding settings from examples/openshift don't work:

```yaml
elasticsearch:
  # ES version
  imageTag: "7.17.9"
  # from examples/openshift
  securityContext:
    runAsUser: null
  podSecurityContext:
    fsGroup: null
    runAsUser: null
  sysctlInitContainer:
    enabled: false
```

Here are the vanilla values of ES 7.17.9, quite different from ES8:

```yaml
---
clusterName: "elasticsearch"
nodeGroup: "master"

# The service that non master groups will try to connect to when joining the cluster
# This should be set to clusterName + "-" + nodeGroup for your master group
masterService: ""

# Elasticsearch roles that will be applied to this nodeGroup
# These will be set as environment variables. E.g. node.master=true
roles:
  master: "true"
  ingest: "true"
  data: "true"
  remote_cluster_client: "true"
  ml: "true"

replicas: 3
minimumMasterNodes: 2

esMajorVersion: ""

clusterDeprecationIndexing: "false"

# Allows you to add any config files in /usr/share/elasticsearch/config/
# such as elasticsearch.yml and log4j2.properties
esConfig: {}
#  elasticsearch.yml: |
#    key:
#      nestedkey: value
#  log4j2.properties: |
#    key = value

esJvmOptions: {}
#  processors.options: |
#    -XX:ActiveProcessorCount=3

# Extra environment variables to append to this nodeGroup
# This will be appended to the current 'env:' key. You can use any of the kubernetes env
# syntax here
extraEnvs: []
#  - name: MY_ENVIRONMENT_VAR
#    value: the_value_goes_here

# Allows you to load environment variables from kubernetes secret or config map
envFrom: []
# - secretRef:
#     name: env-secret
# - configMapRef:
#     name: config-map

# A list of secrets and their paths to mount inside the pod
# This is useful for mounting certificates for security and for mounting
# the X-Pack license
secretMounts: []
#  - name: elastic-certificates
#    secretName: elastic-certificates
#    path: /usr/share/elasticsearch/config/certs
#    defaultMode: 0755

hostAliases: []
#- ip: "127.0.0.1"
#  hostnames:
#  - "foo.local"
#  - "bar.local"

image: "docker.elastic.co/elasticsearch/elasticsearch"
imageTag: "7.17.3"
imagePullPolicy: "IfNotPresent"

podAnnotations: {}
  # iam.amazonaws.com/role: es-cluster

# additionals labels
labels: {}

esJavaOpts: "" # example: "-Xmx1g -Xms1g"

resources:
  requests:
    cpu: "1000m"
    memory: "2Gi"
  limits:
    cpu: "1000m"
    memory: "2Gi"

initResources: {}
#  limits:
#    cpu: "25m"
#    # memory: "128Mi"
#  requests:
#    cpu: "25m"
#    memory: "128Mi"

networkHost: "0.0.0.0"

volumeClaimTemplate:
  accessModes: ["ReadWriteOnce"]
  resources:
    requests:
      storage: 30Gi

rbac:
  create: false
  serviceAccountAnnotations: {}
  serviceAccountName: ""
  automountToken: true

podSecurityPolicy:
  create: false
  name: ""
  spec:
    privileged: true
    fsGroup:
      rule: RunAsAny
    runAsUser:
      rule: RunAsAny
    seLinux:
      rule: RunAsAny
    supplementalGroups:
      rule: RunAsAny
    volumes:
      - secret
      - configMap
      - persistentVolumeClaim
      - emptyDir

persistence:
  enabled: true
  labels:
    # Add default labels for the volumeClaimTemplate of the StatefulSet
    enabled: false
  annotations: {}

extraVolumes: []
  # - name: extras
  #   emptyDir: {}

extraVolumeMounts: []
  # - name: extras
  #   mountPath: /usr/share/extras
  #   readOnly: true

extraContainers: []
  # - name: do-something
  #   image: busybox
  #   command: ['do', 'something']

extraInitContainers: []
  # - name: do-something
  #   image: busybox
  #   command: ['do', 'something']

# This is the PriorityClass settings as defined in
# https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
priorityClassName: ""

# By default this will make sure two pods don't end up on the same node
# Changing this to a region would allow you to spread pods across regions
antiAffinityTopologyKey: "kubernetes.io/hostname"

# Hard means that by default pods will only be scheduled if there are enough nodes for them
# and that they will never end up on the same node. Setting this to soft will do this "best effort"
antiAffinity: "hard"

# This is the node affinity settings as defined in
# https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#node-affinity-beta-feature
nodeAffinity: {}

# The default is to deploy all pods serially. By setting this to parallel all pods are started at
# the same time when bootstrapping the cluster
podManagementPolicy: "Parallel"

# The environment variables injected by service links are not used, but can lead to slow Elasticsearch boot times when
# there are many services in the current namespace.
# If you experience slow pod startups you probably want to set this to `false`.
enableServiceLinks: true

protocol: http
httpPort: 9200
transportPort: 9300

service:
  enabled: true
  labels: {}
  labelsHeadless: {}
  type: ClusterIP
  # Consider that all endpoints are considered "ready" even if the Pods themselves are not
  # https://kubernetes.io/docs/reference/kubernetes-api/service-resources/service-v1/#ServiceSpec
  publishNotReadyAddresses: false
  nodePort: ""
  annotations: {}
  httpPortName: http
  transportPortName: transport
  loadBalancerIP: ""
  loadBalancerSourceRanges: []
  externalTrafficPolicy: ""

updateStrategy: RollingUpdate

# This is the max unavailable setting for the pod disruption budget
# The default value of 1 will make sure that kubernetes won't allow more than 1
# of your pods to be unavailable during maintenance
maxUnavailable: 1

podSecurityContext:
  fsGroup: 1000
  runAsUser: 1000

securityContext:
  capabilities:
    drop:
      - ALL
  # readOnlyRootFilesystem: true
  runAsNonRoot: true
  runAsUser: 1000

# How long to wait for elasticsearch to stop gracefully
terminationGracePeriod: 120

sysctlVmMaxMapCount: 262144

readinessProbe:
  failureThreshold: 3
  initialDelaySeconds: 10
  periodSeconds: 10
  successThreshold: 3
  timeoutSeconds: 5

# https://www.elastic.co/guide/en/elasticsearch/reference/7.17/cluster-health.html#request-params wait_for_status
clusterHealthCheckParams: "wait_for_status=green&timeout=1s"

## Use an alternate scheduler.
## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
##
schedulerName: ""

imagePullSecrets: []
nodeSelector: {}
tolerations: []

# Enabling this will publicly expose your Elasticsearch instance.
# Only enable this if you have security enabled on your cluster
ingress:
  enabled: false
  annotations: {}
  # kubernetes.io/ingress.class: nginx
  # kubernetes.io/tls-acme: "true"
  className: "nginx"
  pathtype: ImplementationSpecific
  hosts:
    - host: chart-example.local
      paths:
        - path: /
  tls: []
  #  - secretName: chart-example-tls
  #    hosts:
  #      - chart-example.local

nameOverride: ""
fullnameOverride: ""
healthNameOverride: ""

lifecycle: {}
  # preStop:
  #   exec:
  #     command: ["/bin/sh", "-c", "echo Hello from the postStart handler > /usr/share/message"]
  # postStart:
  #   exec:
  #     command:
  #       - bash
  #       - -c
  #       - |
  #         #!/bin/bash
  #         # Add a template to adjust number of shards/replicas
  #         TEMPLATE_NAME=my_template
  #         INDEX_PATTERN="logstash-*"
  #         SHARD_COUNT=8
  #         REPLICA_COUNT=1
  #         ES_URL=http://localhost:9200
  #         while [[ "$(curl -s -o /dev/null -w '%{http_code}\n' $ES_URL)" != "200" ]]; do sleep 1; done
  #         curl -XPUT "$ES_URL/_template/$TEMPLATE_NAME" -H 'Content-Type: application/json' -d'{"index_patterns":['\""$INDEX_PATTERN"\"'],"settings":{"number_of_shards":'$SHARD_COUNT',"number_of_replicas":'$REPLICA_COUNT'}}'

sysctlInitContainer:
  enabled: true

keystore: []

networkPolicy:
  ## Enable creation of NetworkPolicy resources. Only Ingress traffic is filtered for now.
  ## In order for a Pod to access Elasticsearch, it needs to have the following label:
  ## {{ template "uname" . }}-client: "true"
  ## Example for default configuration to access HTTP port:
  ## elasticsearch-master-http-client: "true"
  ## Example for default configuration to access transport port:
  ## elasticsearch-master-transport-client: "true"

  http:
    enabled: false
    ## if explicitNamespacesSelector is not set or set to {}, only client Pods being in the networkPolicy's namespace
    ## and matching all criteria can reach the DB.
    ## But sometimes, we want the Pods to be accessible to clients from other namespaces, in this case, we can use this
    ## parameter to select these namespaces
    ##
    # explicitNamespacesSelector:
    #   # Accept from namespaces with all those different rules (only from whitelisted Pods)
    #   matchLabels:
    #     role: frontend
    #   matchExpressions:
    #     - {key: role, operator: In, values: [frontend]}

    ## Additional NetworkPolicy Ingress "from" rules to set. Note that all rules are OR-ed.
    ##
    # additionalRules:
    #   - podSelector:
    #       matchLabels:
    #         role: frontend
    #   - podSelector:
    #       matchExpressions:
    #         - key: role
    #           operator: In
    #           values:
    #             - frontend

  transport:
    ## Note that all Elasticsearch Pods can talk to themselves using transport port even if enabled.
    enabled: false
    # explicitNamespacesSelector:
    #   matchLabels:
    #     role: frontend
    #   matchExpressions:
    #     - {key: role, operator: In, values: [frontend]}
    # additionalRules:
    #   - podSelector:
    #       matchLabels:
    #         role: frontend
    #   - podSelector:
    #       matchExpressions:
    #         - key: role
    #           operator: In
    #           values:
    #             - frontend

tests:
  enabled: true

# Deprecated
# please use the above podSecurityContext.fsGroup instead
fsGroup: ""
```

@klml Please help regarding SecurityContext etc. @DanielOber Please help regarding the settings of the internal Elasticsearch or the one from dave-c (daveelastick001.srv.muenchen.de), I can't get at that one

klml commented 3 months ago

changed ES charts.bitnami.com/bitnami

4fad2e44418bfeb4b445fe1e47d4245fa860b29a

so we have the same with postgres and ES starts now:

```
klml@houdini capk/dave-external [0] : ~/develop/helm-charts-gislab/charts/dave
$ oc get po
NAME                                    READY   STATUS    RESTARTS      AGE
dave-backend-service-84554bcff9-ds9vn   1/1     Running   2 (27s ago)   2m11s
dave-elasticsearch-master-0             1/1     Running   0             2m11s
dave-postgresql-0                       1/1     Running   0             2m11s
```

c&p from https://github.com/zammad/zammad-helm/blob/main/zammad/values.yaml#L435 🙏

gislab-augsburg commented 3 months ago

Ok, cool, now we no longer get the error from #17. But I also had the settings from Zammad and the Bitnami chart before the change to ES 7.17.9: 17e3df5, except `cluster_name: zammad`

And now we have ES version 8.12.0 again, weren't we supposed to use 7.17.9? 🤔

```
sh-4.4$ curl dave-elasticsearch:9200
{
  "name" : "dave-elasticsearch-master-0",
  "cluster_name" : "zammad",
  "cluster_uuid" : "KkOERAtqQ9O6y-BiGwmdgQ",
  "version" : {
    "number" : "8.12.0",
    "build_flavor" : "default",
    "build_type" : "tar",
    "build_hash" : "1665f706fd9354802c02146c1e6b5c0fbcddfbc9",
    "build_date" : "2024-01-11T10:05:27.953830042Z",
    "build_snapshot" : false,
    "lucene_version" : "9.9.1",
    "minimum_wire_compatibility_version" : "7.17.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "You Know, for Search"
}
```

But whatever, if it works like this, that's fine; I just don't get what caused #17.

gislab-augsburg commented 3 months ago

@klml I wanted to redeploy after changes to values/envVars for the other pods (admin-portal etc.), got errors, rolled it back again to version 4fad2e44418bfeb4b445fe1e47d4245fa860b29a (after your two commits), and now I get the following:

```
mb@nbo00370518:~/dave2/helm-charts/charts/dave$ helm upgrade --install -f values.yaml -f values-lhm.yaml -f values-secret.yaml dave .
Release "dave" does not exist. Installing it now.
W0327 17:52:56.757135    1041 warnings.go:70] would violate PodSecurity "baseline:v1.24": privileged (container "configure-sysctl" must not set securityContext.privileged=true)
NAME: dave
LAST DEPLOYED: Wed Mar 27 17:52:54 2024
NAMESPACE: dave-external
STATUS: deployed
REVISION: 1
mb@nbo00370518:~/dave2/helm-charts/charts/dave$ oc get events
LAST SEEN   TYPE      REASON                   OBJECT                                                     MESSAGE
5m25s       Normal    WaitForFirstConsumer     persistentvolumeclaim/data-dave-elasticsearch-data-0       waiting for first consumer to be created before binding
10s         Normal    WaitForFirstConsumer     persistentvolumeclaim/data-dave-elasticsearch-data-0       waiting for first consumer to be created before binding
3m49s       Normal    WaitForFirstConsumer     persistentvolumeclaim/data-dave-postgresql-0               waiting for first consumer to be created before binding
3m49s       Normal    ExternalProvisioning     persistentvolumeclaim/data-dave-postgresql-0               waiting for a volume to be created, either by external provisioner "csi.vsphere.vmware.com" or manually created by system administrator
3m49s       Normal    Provisioning             persistentvolumeclaim/data-dave-postgresql-0               External provisioner is provisioning volume for claim "dave-external/data-dave-postgresql-0"
3m47s       Normal    ProvisioningSucceeded    persistentvolumeclaim/data-dave-postgresql-0               Successfully provisioned volume pvc-a426c7a6-e5b2-4a73-a1e4-69dc260069fc
5m30s       Normal    Pulled                   pod/dave-adminportal-apigateway-service-69f6f74bb5-qxkpm   Container image "ghcr.io/gislab-augsburg/dave-admin-portal:main-ls1" already present on machine
5m29s       Normal    Created                  pod/dave-adminportal-apigateway-service-69f6f74bb5-qxkpm   Created container admin-portal
5m29s       Normal    Started                  pod/dave-adminportal-apigateway-service-69f6f74bb5-qxkpm   Started container admin-portal
4m50s       Warning   BackOff                  pod/dave-adminportal-apigateway-service-69f6f74bb5-qxkpm   Back-off restarting failed container admin-portal in pod dave-adminportal-apigateway-service-69f6f74bb5-qxkpm_dave-external(8d56a6a5-baea-4a47-8575-41ff4603d0e1)
3m48s       Normal    Scheduled                pod/dave-backend-service-84554bcff9-tv4ww                  Successfully assigned dave-external/dave-backend-service-84554bcff9-tv4ww to capk-wzlvw-worker-stargate-k30-v2-nt2cq
3m47s       Normal    AddedInterface           pod/dave-backend-service-84554bcff9-tv4ww                  Add eth0 [10.138.30.184/23] from openshift-sdn
57s         Normal    Pulling                  pod/dave-backend-service-84554bcff9-tv4ww                  Pulling image "ghcr.io/gislab-augsburg/dave-backend:main-ls1"
3m46s       Normal    Pulled                   pod/dave-backend-service-84554bcff9-tv4ww                  Successfully pulled image "ghcr.io/gislab-augsburg/dave-backend:main-ls1" in 495.321635ms (495.336514ms including waiting)
56s         Normal    Created                  pod/dave-backend-service-84554bcff9-tv4ww                  Created container backend
56s         Normal    Started                  pod/dave-backend-service-84554bcff9-tv4ww                  Started container backend
3m          Normal    Pulled                   pod/dave-backend-service-84554bcff9-tv4ww                  Successfully pulled image "ghcr.io/gislab-augsburg/dave-backend:main-ls1" in 574.832872ms (574.852819ms including waiting)
15s         Warning   BackOff                  pod/dave-backend-service-84554bcff9-tv4ww                  Back-off restarting failed container backend in pod dave-backend-service-84554bcff9-tv4ww_dave-external(83fb16fd-80f1-4910-a4d8-e868979a0847)
2m5s        Normal    Pulled                   pod/dave-backend-service-84554bcff9-tv4ww                  Successfully pulled image "ghcr.io/gislab-augsburg/dave-backend:main-ls1" in 537.909138ms (537.921861ms including waiting)
57s         Normal    Pulled                   pod/dave-backend-service-84554bcff9-tv4ww                  Successfully pulled image "ghcr.io/gislab-augsburg/dave-backend:main-ls1" in 526.421865ms (526.43581ms including waiting)
3m49s       Normal    SuccessfulCreate         replicaset/dave-backend-service-84554bcff9                 Created pod: dave-backend-service-84554bcff9-tv4ww
5m31s       Normal    Pulling                  pod/dave-backend-service-cb74f5bf8-ww8bz                   Pulling image "ghcr.io/gislab-augsburg/dave-backend:main-ls1"
5m30s       Normal    Created                  pod/dave-backend-service-cb74f5bf8-ww8bz                   Created container backend
5m30s       Normal    Started                  pod/dave-backend-service-cb74f5bf8-ww8bz                   Started container backend
6m25s       Normal    Pulled                   pod/dave-backend-service-cb74f5bf8-ww8bz                   Successfully pulled image "ghcr.io/gislab-augsburg/dave-backend:main-ls1" in 880.489282ms (880.519389ms including waiting)
4m51s       Warning   BackOff                  pod/dave-backend-service-cb74f5bf8-ww8bz                   Back-off restarting failed container backend in pod dave-backend-service-cb74f5bf8-ww8bz_dave-external(26b0cba2-5cbc-4377-8367-c671b60aaf15)
5m31s       Normal    Pulled                   pod/dave-backend-service-cb74f5bf8-ww8bz                   Successfully pulled image "ghcr.io/gislab-augsburg/dave-backend:main-ls1" in 617.457171ms (617.468242ms including waiting)
3m49s       Normal    ScalingReplicaSet        deployment/dave-backend-service                            Scaled up replica set dave-backend-service-84554bcff9 to 1
35s         Warning   FailedCreate             statefulset/dave-elasticsearch-data                        create Pod dave-elasticsearch-data-0 in StatefulSet dave-elasticsearch-data failed error: pods "dave-elasticsearch-data-0" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, provider "zammad-scc": Forbidden: not usable by user or serviceaccount, provider restricted-v2: .spec.securityContext.fsGroup: Invalid value: []int64{1001}: 1001 is not an allowed group, provider restricted-v2: .containers[0].runAsUser: Invalid value: 1001: must be in the ranges: [1003100000, 1003109999], provider restricted-v2: .containers[0].seLinuxOptions.level: Invalid value: "": must be s0:c56,c10, provider restricted: .spec.securityContext.fsGroup: Invalid value: []int64{1001}: 1001 is not an allowed group, provider restricted: .containers[0].runAsUser: Invalid value: 1001: must be in the ranges: [1003100000, 1003109999], provider restricted: .containers[0].seLinuxOptions.level: Invalid value: "": must be s0:c56,c10, pod.metadata.annotations[container.seccomp.security.alpha.kubernetes.io/elasticsearch]: Forbidden: seccomp may not be set, provider "nonroot-v2": Forbidden: not usable by user or serviceaccount, provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, provider "elasticsearch-scc": Forbidden: not usable by user or serviceaccount, provider "log-collector-scc": Forbidden: not usable by user or serviceaccount, provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount, provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user or serviceaccount, provider "mattermost-team-edition": Forbidden: not usable by user or serviceaccount, provider "node-exporter": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount, provider "trident": Forbidden: not usable by user or serviceaccount]
35s         Normal    SuccessfulCreate         statefulset/dave-elasticsearch-data                        create Claim data-dave-elasticsearch-data-0 Pod dave-elasticsearch-data-0 in StatefulSet dave-elasticsearch-data success
4m49s       Normal    Killing                  pod/dave-postgresql-0                                      Stopping container postgresql
3m46s       Normal    Scheduled                pod/dave-postgresql-0                                      Successfully assigned dave-external/dave-postgresql-0 to capk-wzlvw-worker-holyplace-k30-v2-5k7pn
3m44s       Normal    SuccessfulAttachVolume   pod/dave-postgresql-0                                      AttachVolume.Attach succeeded for volume "pvc-a426c7a6-e5b2-4a73-a1e4-69dc260069fc"
3m37s       Normal    AddedInterface           pod/dave-postgresql-0                                      Add eth0 [10.138.50.250/23] from openshift-sdn
3m37s       Normal    Pulling                  pod/dave-postgresql-0                                      Pulling image "docker.io/bitnami/postgresql:16.2.0-debian-12-r5"
3m24s       Normal    Pulled                   pod/dave-postgresql-0                                      Successfully pulled image "docker.io/bitnami/postgresql:16.2.0-debian-12-r5" in 12.845647833s (12.845671317s including waiting)
3m23s       Normal    Created                  pod/dave-postgresql-0                                      Created container postgresql
3m23s       Normal    Started                  pod/dave-postgresql-0                                      Started container postgresql
3m49s       Normal    SuccessfulCreate         statefulset/dave-postgresql                                create Claim data-dave-postgresql-0 Pod dave-postgresql-0 in StatefulSet dave-postgresql success
3m49s       Normal    SuccessfulCreate         statefulset/dave-postgresql                                create Pod dave-postgresql-0 in StatefulSet dave-postgresql successful
35s         Normal    NoPods                   poddisruptionbudget/zammad-master-pdb                      No matching pods found
6m10s       Normal    FailedBinding            persistentvolumeclaim/zammad-master-zammad-master-0        no persistent volumes available for this claim and no storage class is set
10s         Normal    FailedBinding            persistentvolumeclaim/zammad-master-zammad-master-0        no persistent volumes available for this claim and no storage class is set
5m49s       Warning   FailedCreate             statefulset/zammad-master                                  create Pod zammad-master-0 in StatefulSet zammad-master failed error: pods "zammad-master-0" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, provider "zammad-scc": Forbidden: not usable by user or serviceaccount, provider restricted-v2: .spec.securityContext.fsGroup: Invalid value: []int64{1000}: 1000 is not an allowed group, provider restricted-v2: .initContainers[0].runAsUser: Invalid value: 0: must be in the ranges: [1003100000, 1003109999], provider restricted-v2: .initContainers[0].privileged: Invalid value: true: Privileged containers are not allowed, provider restricted-v2: .containers[0].runAsUser: Invalid value: 1000: must be in the ranges: [1003100000, 1003109999], provider restricted: .spec.securityContext.fsGroup: Invalid value: []int64{1000}: 1000 is not an allowed group, provider restricted: .initContainers[0].runAsUser: Invalid value: 0: must be in the ranges: [1003100000, 1003109999], provider restricted: .initContainers[0].privileged: Invalid value: true: Privileged containers are not allowed, provider restricted: .containers[0].runAsUser: Invalid value: 1000: must be in the ranges: [1003100000, 1003109999], provider "nonroot-v2": Forbidden: not usable by user or serviceaccount, provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, provider "elasticsearch-scc": Forbidden: not usable by user or serviceaccount, provider "log-collector-scc": Forbidden: not usable by user or serviceaccount, provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount, provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user or serviceaccount, provider "mattermost-team-edition": Forbidden: not usable by user or serviceaccount, provider "node-exporter": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount, provider "trident": Forbidden: not usable by user or serviceaccount]
3m49s       Normal    SuccessfulCreate         statefulset/zammad-master                                  create Claim zammad-master-zammad-master-0 Pod zammad-master-0 in StatefulSet zammad-master success
35s         Warning   FailedCreate             statefulset/zammad-master                                  create Pod zammad-master-0 in StatefulSet zammad-master failed error: pods "zammad-master-0" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, provider "zammad-scc": Forbidden: not usable by user or serviceaccount, provider restricted-v2: .spec.securityContext.fsGroup: Invalid value: []int64{1000}: 1000 is not an allowed group, provider restricted-v2: .initContainers[0].runAsUser: Invalid value: 0: must be in the ranges: [1003100000, 1003109999], provider restricted-v2: .initContainers[0].privileged: Invalid value: true: Privileged containers are not allowed, provider restricted-v2: .containers[0].runAsUser: Invalid value: 1000: must be in the ranges: [1003100000, 1003109999], provider restricted: .spec.securityContext.fsGroup: Invalid value: []int64{1000}: 1000 is not an allowed group, provider restricted: .initContainers[0].runAsUser: Invalid value: 0: must be in the ranges: [1003100000, 1003109999], provider restricted: .initContainers[0].privileged: Invalid value: true: Privileged containers are not allowed, provider restricted: .containers[0].runAsUser: Invalid value: 1000: must be in the ranges: [1003100000, 1003109999], provider "nonroot-v2": Forbidden: not usable by user or serviceaccount, provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, provider "elasticsearch-scc": Forbidden: not usable by user or serviceaccount, provider "log-collector-scc": Forbidden: not usable by user or serviceaccount, provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount, provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user or serviceaccount, provider "mattermost-team-edition": Forbidden: not usable by user or serviceaccount, provider "node-exporter": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount, provider "trident": Forbidden: not usable by user or serviceaccount]
```

And elasticsearch doesn't come up at all anymore, only a zammad-master that won't start ???
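The SCC messages in this comment and in the opening one all come down to the same three things: a fixed `fsGroup`/`runAsUser` outside the namespace's allowed UID range and a privileged `configure-sysctl` init container. The following pre-flight check is an added example, not code from the chart or from anyone in the thread; it evaluates a pod spec against those constraints before `helm upgrade` and then applies the examples/openshift approach (unset the UIDs, drop the sysctl init container) to show the violations disappear. It assumes the allowed range and MCS level come from the namespace annotations `openshift.io/sa.scc.uid-range` and `openshift.io/sa.scc.mcs`, and the pod specs are constructed to mirror the chart defaults quoted above.

```python
"""Pre-flight check of a pod spec against the restricted SCC constraints
reported in the admission errors (added example, not part of the chart).

Assumptions (not from the issue): the allowed UID range is read from the
namespace annotation openshift.io/sa.scc.uid-range ("start/size") and the
MCS level from openshift.io/sa.scc.mcs; the pod spec below is constructed
to mirror the chart defaults (fsGroup/runAsUser 1000, privileged sysctl
init container running as root).
"""
import copy
from typing import Any, Dict, List, Tuple

# Constructed namespace annotations, matching the range quoted in the errors.
NAMESPACE_ANNOTATIONS = {
    "openshift.io/sa.scc.uid-range": "1003100000/10000",
    "openshift.io/sa.scc.mcs": "s0:c56,c10",
}

# Constructed pod spec mirroring the chart's vanilla podSecurityContext /
# securityContext / sysctlInitContainer values (not the rendered manifest).
CHART_DEFAULT_POD: Dict[str, Any] = {
    "spec": {
        "securityContext": {"fsGroup": 1000, "runAsUser": 1000},
        "initContainers": [{
            "name": "configure-sysctl",
            "securityContext": {"runAsUser": 0, "privileged": True},
        }],
        "containers": [{
            "name": "elasticsearch",
            "securityContext": {
                "runAsUser": 1000,
                "runAsNonRoot": True,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    }
}


def parse_uid_range(annotation: str) -> Tuple[int, int]:
    """'1003100000/10000' -> (1003100000, 1003109999), inclusive bounds."""
    start, size = (int(x) for x in annotation.split("/"))
    return start, start + size - 1


def check_pod(pod: Dict[str, Any], annotations: Dict[str, str]) -> List[str]:
    """Return the violations a restricted SCC would report, in its own wording."""
    lo, hi = parse_uid_range(annotations["openshift.io/sa.scc.uid-range"])
    mcs = annotations.get("openshift.io/sa.scc.mcs")
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    problems: List[str] = []

    fs_group = pod_sc.get("fsGroup")
    if fs_group is not None and not lo <= fs_group <= hi:
        problems.append(
            f".spec.securityContext.fsGroup: {fs_group} is not an allowed group")

    for kind in ("initContainers", "containers"):
        for idx, container in enumerate(spec.get(kind) or []):
            sc = container.get("securityContext") or {}
            # A container-level runAsUser overrides the pod-level value; an
            # unset value lets the SCC assign one from the namespace range.
            run_as = sc.get("runAsUser", pod_sc.get("runAsUser"))
            if run_as is not None and not lo <= run_as <= hi:
                problems.append(
                    f".{kind}[{idx}].runAsUser: {run_as} must be in the ranges: [{lo}, {hi}]")
            if sc.get("privileged"):
                problems.append(
                    f".{kind}[{idx}].privileged: Privileged containers are not allowed")
            se = sc.get("seLinuxOptions")
            if mcs and se is not None and se.get("level", "") != mcs:
                problems.append(f".{kind}[{idx}].seLinuxOptions.level: must be {mcs}")
    return problems


def adapt_for_openshift(pod: Dict[str, Any]) -> Dict[str, Any]:
    """Apply the examples/openshift approach: unset the fixed UID/GID so the
    SCC assigns them, and drop the privileged sysctl init container (what
    sysctlInitContainer.enabled: false does in the chart)."""
    fixed = copy.deepcopy(pod)
    spec = fixed["spec"]
    pod_sc = spec.get("securityContext") or {}
    pod_sc.pop("fsGroup", None)
    pod_sc.pop("runAsUser", None)
    for container in spec.get("containers") or []:
        (container.get("securityContext") or {}).pop("runAsUser", None)
    spec["initContainers"] = [
        c for c in spec.get("initContainers") or []
        if not (c.get("securityContext") or {}).get("privileged")
    ]
    return fixed


if __name__ == "__main__":
    for label, pod in (("chart defaults", CHART_DEFAULT_POD),
                       ("adapted", adapt_for_openshift(CHART_DEFAULT_POD))):
        found = check_pod(pod, NAMESPACE_ANNOTATIONS)
        print(f"{label}: {len(found)} violation(s)")
        for problem in found:
            print("  " + problem)
```

Dropping the sysctl init container presumes `vm.max_map_count` is already set on the worker nodes, since Elasticsearch still needs it.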

klml commented 3 months ago

@gislab-augsburg

> And now we have ES version 8.12.0 again, weren't we supposed to use 7.17.9? 🤔

why 7.17.9? where does that come from, why not latest and greatest

DanielOber commented 3 months ago

@gislab-augsburg

> And now we have ES version 8.12.0 again, weren't we supposed to use 7.17.9? 🤔

> why 7.17.9? where does that come from, why not latest and greatest

Dave internally still uses a 7.12 and they are currently working on raising it to 7.17. Whether Dave runs with 8.12 without problems I can't say.

klml commented 3 months ago

@DanielOber

> Dave internally still uses a 7.12 and they are currently working on raising it to 7.17.

do you have a dependency on 7, or why not 8?

> Whether Dave runs with 8.12 without problems I can't say.

but you don't rule it out either. then let's just try it :)

DanielOber commented 3 months ago

@klml So I just checked, and we have a Spring dependency for Elastic in there. That means with Spring Boot 2.7 we have Spring Framework 5.3, and Elastic version 8.x needs Spring Framework 6.x, if I understand it correctly. Feel free to test it and then let us know whether it works ^^

gislab-augsburg commented 3 months ago

@klml @DanielOber It seems to work with ES 8.12

/helm-charts/charts/dave$ oc get po
NAME                                                         READY   STATUS    RESTARTS   AGE
dave-adminportal-apigateway-service-745478d8c7-tgpnb         1/1     Running   0          47m
dave-backend-service-84554bcff9-zbsrm                        1/1     Running   0          6d1h
dave-eai-service-7f6ddf7c5d-ftn2w                            1/1     Running   0          17m
dave-elasticsearch-master-0                                  1/1     Running   0          6d1h
dave-frontend-apigateway-service-765989ccdd-drk9b            1/1     Running   0          76m
dave-postgresql-0                                            1/1     Running   0          6d
dave-selfserviceportal-apigateway-service-6b54446fc6-xv87z   1/1     Running   0          9m40s

...

mb@nbo00370518:~/dave2/helm-charts/charts/dave$ oc logs dave-backend-service-84554bcff9-zbsrm | grep -B 1 "elastic"
2024.04.03 09:41:52.631 | dave-backend | TraceId:  | SpanId: ] |
                    INFO | [main] | RepositoryConfigurationExtensionSupport | [RepositoryConfigurationExtensionSupport.java : 349] - Spring Data JPA - Could not safely identify store assignment for repository candidate interface de.muenchen.dave.repositories.elasticsearch.CustomSuggestIndex; If you want this repository to be a JPA repository, consider annotating your entities with one of these annotations: javax.persistence.Entity, javax.persistence.MappedSuperclass (preferred), or consider extending one of the following types with your repository: org.springframework.data.jpa.repository.JpaRepository
2024.04.03 09:41:52.635 | dave-backend | TraceId:  | SpanId: ] |
                    INFO | [main] | RepositoryConfigurationExtensionSupport | [RepositoryConfigurationExtensionSupport.java : 349] - Spring Data JPA - Could not safely identify store assignment for repository candidate interface de.muenchen.dave.repositories.elasticsearch.ZaehlstelleIndex; If you want this repository to be a JPA repository, consider annotating your entities with one of these annotations: javax.persistence.Entity, javax.persistence.MappedSuperclass (preferred), or consider extending one of the following types with your repository: org.springframework.data.jpa.repository.JpaRepository
--
2024.04.03 09:41:53.911 | dave-backend | TraceId:  | SpanId: ] |
                    INFO | [main] | RepositoryConfigurationExtensionSupport | [RepositoryConfigurationExtensionSupport.java : 349] - Spring Data Reactive Elasticsearch - Could not safely identify store assignment for repository candidate interface de.muenchen.dave.repositories.relationaldb.InfoMessageRepository; If you want this repository to be a Reactive Elasticsearch repository, consider annotating your entities with one of these annotations: org.springframework.data.elasticsearch.annotations.Document (preferred), or consider extending one of the following types with your repository: org.springframework.data.elasticsearch.repository.ReactiveElasticsearchRepository
2024.04.03 09:41:53.913 | dave-backend | TraceId:  | SpanId: ] |
                    INFO | [main] | RepositoryConfigurationExtensionSupport | [RepositoryConfigurationExtensionSupport.java : 349] - Spring Data Reactive Elasticsearch - Could not safely identify store assignment for repository candidate interface de.muenchen.dave.repositories.relationaldb.HochrechnungsfaktorRepository; If you want this repository to be a Reactive Elasticsearch repository, consider annotating your entities with one of these annotations: org.springframework.data.elasticsearch.annotations.Document (preferred), or consider extending one of the following types with your repository: org.springframework.data.elasticsearch.repository.ReactiveElasticsearchRepository
2024.04.03 09:41:53.914 | dave-backend | TraceId:  | SpanId: ] |
                    INFO | [main] | RepositoryConfigurationExtensionSupport | [RepositoryConfigurationExtensionSupport.java : 349] - Spring Data Reactive Elasticsearch - Could not safely identify store assignment for repository candidate interface de.muenchen.dave.repositories.relationaldb.ChatMessageRepository; If you want this repository to be a Reactive Elasticsearch repository, consider annotating your entities with one of these annotations: org.springframework.data.elasticsearch.annotations.Document (preferred), or consider extending one of the following types with your repository: org.springframework.data.elasticsearch.repository.ReactiveElasticsearchRepository
2024.04.03 09:41:53.915 | dave-backend | TraceId:  | SpanId: ] |
                    INFO | [main] | RepositoryConfigurationExtensionSupport | [RepositoryConfigurationExtensionSupport.java : 349] - Spring Data Reactive Elasticsearch - Could not safely identify store assignment for repository candidate interface de.muenchen.dave.repositories.relationaldb.PkwEinheitRepository; If you want this repository to be a Reactive Elasticsearch repository, consider annotating your entities with one of these annotations: org.springframework.data.elasticsearch.annotations.Document (preferred), or consider extending one of the following types with your repository: org.springframework.data.elasticsearch.repository.ReactiveElasticsearchRepository
2024.04.03 09:41:53.915 | dave-backend | TraceId:  | SpanId: ] |
                    INFO | [main] | RepositoryConfigurationExtensionSupport | [RepositoryConfigurationExtensionSupport.java : 349] - Spring Data Reactive Elasticsearch - Could not safely identify store assignment for repository candidate interface de.muenchen.dave.repositories.relationaldb.ZeitintervallRepository; If you want this repository to be a Reactive Elasticsearch repository, consider annotating your entities with one of these annotations: org.springframework.data.elasticsearch.annotations.Document (preferred), or consider extending one of the following types with your repository: org.springframework.data.elasticsearch.repository.ReactiveElasticsearchRepository
2024.04.03 09:41:53.916 | dave-backend | TraceId:  | SpanId: ] |
                    INFO | [main] | RepositoryConfigurationExtensionSupport | [RepositoryConfigurationExtensionSupport.java : 349] - Spring Data Reactive Elasticsearch - Could not safely identify store assignment for repository candidate interface de.muenchen.dave.repositories.relationaldb.EmailAddressRepository; If you want this repository to be a Reactive Elasticsearch repository, consider annotating your entities with one of these annotations: org.springframework.data.elasticsearch.annotations.Document (preferred), or consider extending one of the following types with your repository: org.springframework.data.elasticsearch.repository.ReactiveElasticsearchRepository
2024.04.03 09:41:53.916 | dave-backend | TraceId:  | SpanId: ] |
                    INFO | [main] | RepositoryConfigurationExtensionSupport | [RepositoryConfigurationExtensionSupport.java : 349] - Spring Data Reactive Elasticsearch - Could not safely identify store assignment for repository candidate interface de.muenchen.dave.repositories.relationaldb.DienstleisterRepository; If you want this repository to be a Reactive Elasticsearch repository, consider annotating your entities with one of these annotations: org.springframework.data.elasticsearch.annotations.Document (preferred), or consider extending one of the following types with your repository: org.springframework.data.elasticsearch.repository.ReactiveElasticsearchRepository
--
2024.04.03 09:42:33.727 | dave-backend | TraceId:  | SpanId: ] |
                    TRACE | [main] | AnnotationCacheOperationSource | [AbstractFallbackCacheOperationSource.java : 102] - Adding cacheable method 'delete' with attribute: [Builder[public final void com.sun.proxy.$Proxy234.delete(de.muenchen.dave.domain.elasticsearch.Zaehlstelle)] caches=[SUCHE_ZAEHLSTELLE, SUCHE_ZAEHLSTELLE_DATENPORTAL, LADE_BELASTUNGSPLAN_DTO, LADE_PROCESSED_ZAEHLDATEN, LADE_ZAEHLDATEN_ZEITREIHE_DTO, READ_ZAEHLSTELLE_DTO] | key='' | keyGenerator='' | cacheManager='' | cacheResolver='' | condition='',true,false]
mb@nbo00370518:~/dave2/helm-charts/charts/dave$

...

mb@nbo00370518:~/dave2/helm-charts/charts/dave$ oc logs dave-backend-service-84554bcff9-zbsrm | grep "error"
mb@nbo00370518:~/dave2/helm-charts/charts/dave$

The pods are all running now :)

All the ... Spring Data Reactive Elasticsearch - Could not safely identify store assignment... messages for ES came after startup, when ES apparently hadn't come up yet. At the last message TRACE ... it seems to work, and the error from #17 no longer shows up.

@DanielOber what do you think, does that look good to you?