Splunk Operator: app config for scientific python exceeding the default content length

tnycum commented 1 year ago

Please select the type of request

Bug

Tell us more

Please select the type of request

Bug

Tell us more

Describe the request

Can't push latest Enterprise Security app to search heads due to scientific python exceeding the default content length.

Sample error message:

2023-09-08T23:42:10.422670559Z  ERROR   isBundlePushComplete    SHC Bundle push status file reported an error while applying bundle {"controller": "searchheadcluster", "controllerGroup": "enterprise.splunk.com", "controllerKind": "SearchHeadCluster", "SearchHeadCluster": {"name":"sh","namespace":"splunk"}, "namespace": "splunk", "name": "sh", "reconcileID": "d1477562-eab7-49dd-b466-d07a717b0ced", "crName": "sh", "namespace": "splunk", "error": "there was an error in applying SHC Bundle, err=\"Error while deploying apps to first member, aborting apps deployment to all members: Error while updating app=Splunk_SA_Scientific_Python_linux_x86_64 on target=https://1.2.3.4:8089/: Non-200/201 status_code=413; {\"messages\":[{\"type\":\"ERROR\",\"text\":\"Content-Length of 2147500484 too large (maximum is 2147483648)\"}]}\n\""}
github.com/splunk/splunk-operator/pkg/splunk/enterprise.(*SHCPlaybookContext).isBundlePushComplete
    /workspace/pkg/splunk/enterprise/afwscheduler.go:1631
github.com/splunk/splunk-operator/pkg/splunk/enterprise.(*SHCPlaybookContext).runPlaybook
    /workspace/pkg/splunk/enterprise/afwscheduler.go:1770
github.com/splunk/splunk-operator/pkg/splunk/enterprise.(*PipelinePhase).installWorkerHandler
    /workspace/pkg/splunk/enterprise/afwscheduler.go:1233

As a workaround we have to modify this setting within server.conf on the search heads:

[httpServer]
max_content_length = 4294967296

YAML snippet used for helm values:

searchHeadCluster:
  defaults:
    splunk:
      conf:
      - key: server
        value:
          directory: /opt/splunk/etc/system/local
          content:
            httpServer:
              max_content_length: 4294967296

Expected behavior

The apps should be pushed to the search head cluster without errors

Splunk setup on K8S

Distributed Clustered Deployment + SHC with Multi-Site, deployed with Helm

Reproduction/Testing steps

Attempt to deploy latest Enterprise Security app to search heads

K8s environment

Running on AWS EKS

Proposed changes(optional)

Proposed change, if any.

K8s collector data(optional)

n/a

Additional context(optional)

n/a

vivekr-splunk commented 1 year ago

@tnycum we will look into this issue and update you soon.

vivekr-splunk commented 1 year ago

CSPL-2458

vivekr-splunk commented 1 month ago

@tnycum , any conf changes to splunk is through app configurations. if ES apps needs new changes to configuration, please use app to push those changes. please refer https://github.com/splunk/splunk-operator/blob/main/docs/AppFramework.md for more info

vivekr-splunk commented 1 month ago

@tnycum let me know if we can close this issue

splunk / splunk-operator