App Framework: ITSI Installation fails with Invalid app contents

[SebastianDeiss]

Please select the type of request

Enhancement

Tell us more

Describe the request The App Framework should allow the installation of Splunk premium Apps such as Enterprise Security and IT Service Intelligence, which contain multiple apps in a single .spl file.

Expected behavior Installing a Splunk App via App Framework should allow the installation of Splunk apps, which contain multiple apps in a single .spl file.

Splunk setup on K8S

• Splunk Operator 2.2.1
• Splunk Image: splunk/splunk:9.0.3-openjdk11
• 1 License Master instance with a Splunk Enterprise and a Splunk ITSI License
• 1 Standalone instance

Reproduction/Testing steps

• Deploy Splunk Operator
• Deploy a Standalone Splunk instance which uses App Framework to install apps

Proposed changes(optional) Installing a Splunk App via App Framework should allow the installation of Splunk apps, which contain multiple apps in a single .spl file, especially because Splunk premiums apps like ITSI ship multiple apps in a single .spl file.

Additional context(optional)

2023-05-12T11:47:13.839483293Z  ERROR   localScopePlaybookContext.runPlaybook   app package installation error
{"controller": "standalone", "controllerGroup": "enterprise.splunk.com", "controllerKind": "Standalone", "Standalone":
{"name":"itsi-standalone","namespace":"splunk-operator"}, "namespace": "splunk-operator", "name": "itsi-standalone",
"reconcileID": "5b67f22c-0e77-4e1a-acaa-64d42e260c1b", "name": "itsi-standalone", "namespace": "splunk-operator",
"pod": "splunk-itsi-standalone-standalone-0", "app name": "splunk-it-service-intelligence_4151.spl", "error": "local
scoped app package install failed. stdOut: , stdErr: Invalid app contents: archive contains more than one immediate
subdirectory:  and SA-ITSI-ATAD\n, app pkg path:
/operator-staging/appframework/itsiSHApps/splunk-it-service-intelligence_4151.spl_af051439ff924ef15e55add67a0be2d1,
failCount: 2"}

[pogdin]

Hi @SebastianDeiss. We do support the installation of Enterprise Security using the Operator and Operator App Framework. Please see https://github.com/splunk/splunk-operator/blob/main/docs/PremiumApps.md ITSI is not supported or tested yet.

[SebastianDeiss]

Hi @pogdin, thank you for your feedback. To test a premium app deployment on k8s, I tried with Enterprise Security, but I get the following error:

FAILED - RETRYING: Test basic https endpoint (50 retries left).

This is my configuration

apiVersion: enterprise.splunk.com/v3
kind: Standalone
metadata:
  name: es-standalone
  namespace: splunk-operator
  finalizers:
  - enterprise.splunk.com/delete-pvc
spec:
  etcVolumeStorageConfig:
    ephemeralStorage: true
  varVolumeStorageConfig:
    ephemeralStorage: true
  appRepo:
    appsRepoPollIntervalSeconds: 60
    defaults:
      volumeName: volume_app_repo
      scope: local
    appSources:
      - name: esSHApps
        location: sh/
        scope: premiumApps
        premiumAppsProps:
          type: enterpriseSecurity
          esDefaults:
             sslEnablement: ignore
    volumes:
      - name: volume_app_repo
        storageType: s3
        provider: minio
        path: splunk-es/
        endpoint: https://minio.k8s-sandbox01.example.com
        region: us-east-1
        secretRef: s3-secret
  volumes:
    - name: ca
      secret:
        secretName: splunk-ca
    - name: cert
      secret:
        secretName: splunk-cert
  defaults: |-
    splunk:
      license_master_url: https://license.splunk.example.com:8089
      cluster_master_url: cluster-master.splunk.example.com
      ssl:
        enable: true
        cert: /mnt/cert/server.pem
        password: password
        ca: /mnt/ca/ca.pem
      s2s:
        enable: true
        port: 9997
        ssl: true
        cert: /mnt/cert/server.pem
        password: password
        ca: /mnt/ca/ca.pem

All referenced secrets exist

kubectlget secrets -n splunk-operator
NAME                                        TYPE     DATA   AGE
s3-secret                                   Opaque   2      26d
splunk-ca                                   Opaque   1      26d
splunk-cert                                 Opaque   1      26d
splunk-es-standalone-standalone-secret-v1   Opaque   6      6m32s
splunk-splunk-operator-secret               Opaque   5      26d

Do you have any advise for me? Thanks.

[SebastianDeiss]

@pogdin never mind. I solved it. Are there any plans to support ITSI deployments via the Operator?