This repository has been archived by the owner on May 16, 2023. It is now read-only.

Cannot Create "data_frozen" using elasticsearch 7.15 helm charts #1430

Closed
aydasraf opened this issue Oct 24, 2021 · 5 comments
Labels
elasticsearch enhancement New feature or request won't fix This will not be worked on

@aydasraf

Chart version:
7.15.0

Kubernetes version:
1.21

Kubernetes provider: E.g. GKE (Google Kubernetes Engine)
AWS EKS

Helm Version:
3.6.3

helm get release output

Output of helm get release
NAME: elastic-frozen
LAST DEPLOYED: Sun Oct 24 13:41:31 2021
NAMESPACE: elastic-system
STATUS: failed
REVISION: 1
USER-SUPPLIED VALUES:
antiAffinityTopologyKey: topology.kubernetes.io/zone
clusterName: qa-elasticsearch
esConfig:
elasticsearch.yml: |
  xpack.license.self_generated.type: trial
  xpack.security.enabled: true
  xpack.security.transport.ssl.enabled: true
  xpack.security.http.ssl.enabled: true
  xpack.security.http.ssl.keystore.path: /usr/share/elasticsearch/config/certs-gen/keystore.p12
  xpack.security.http.ssl.truststore.path: /usr/share/elasticsearch/config/certs-gen/keystore.p12
  xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/config/certs-gen/keystore.p12
  xpack.security.transport.ssl.truststore.path: /usr/share/elasticsearch/config/certs-gen/keystore.p12

  xpack.security.authc.token.enabled: true

  xpack.security.authc.realms.saml.saml1:
     order: 2
     idp.metadata.path: /usr/share/elasticsearch/config/certs-gen/idp-external.xml
     idp.entity_id: "http://www.xxxx.com/yyyy"
     sp.entity_id:  "https://kibana.xxx.com:443/"
     sp.acs: "https://kibana.xxx.com:443/api/security/v1/saml"
     sp.logout: "https://kibana.xxx.com:443/logout"
     attributes.principal: "nameid"
     attributes.groups: "groups"

  xpack:
    security:
      authc:
        realms:
          native:
            native1:
              order: 0
esJavaOpts: -Xmx12288m -Xms12288m
extraEnvs:
- name: ELASTIC_PASSWORD
  value: zzzzzzz
- name: ELASTIC_USERNAME
  value: yyyyyyy
extraInitContainers:
- command:
    - sh
    - -c
    - |
      #!/usr/bin/env bash
      set -euo pipefail
      [ -e /usr/share/elasticsearch/config/certs-gen/keystore.p12 ] && rm /usr/share/elasticsearch/config/certs-gen/keystore.p12
      elasticsearch-certutil cert \
        --name ${NODE_NAME} \
        --days 1000 \
        --ip ${POD_IP} \
        --dns ${NODE_NAME},${POD_SERVICE_NAME},${POD_SERVICE_NAME_HEADLESS},localhost,127.0.0.1 \
        --ca-cert /usr/share/elasticsearch/config/certs/tls.crt \
        --ca-key /usr/share/elasticsearch/config/certs/tls.key  \
        --ca-pass "" \
        --pass "" \
        --out /usr/share/elasticsearch/config/certs-gen/keystore.p12

      if [[ $(bin/elasticsearch-plugin list | grep repository-s3) ]]; then
           echo "Plugin Installed!"
      else
           bin/elasticsearch-plugin install --batch repository-s3
      fi

      echo '<?xml version="1.0" encoding="UTF-8"?><!--Removed SAML Metadata-->' >> /usr/share/elasticsearch/config/certs-gen/idp-external.xml
  env:
    - name: NODE_NAME
      valueFrom:
        fieldRef:
          fieldPath: metadata.name
    - name: POD_IP
      valueFrom:
        fieldRef:
          fieldPath: status.podIP
    - name: POD_SERVICE_NAME
      value: qa-elasticsearch-frozen
    - name: POD_SERVICE_NAME_HEADLESS
      value: qa-elasticsearch-frozen-headless
  image: docker.elastic.co/elasticsearch/elasticsearch:7.15.0
  name: setup-tls-cert
  volumeMounts:
    - mountPath: /usr/share/elasticsearch/config/certs
      name: elastic-certificates
    - mountPath: /usr/share/elasticsearch/config/certs-gen
      name: tls-certificates
    - mountPath: /usr/share/elasticsearch/plugins
      name: plugins
extraVolumeMounts: |
- name: tls-certificates
  mountPath: /usr/share/elasticsearch/config/certs-gen
- name: plugins
  mountPath: /usr/share/elasticsearch/plugins
extraVolumes: |
- name: tls-certificates
  emptyDir: {}
- name: plugins
  emptyDir: {}
image: docker.elastic.co/elasticsearch/elasticsearch
imageTag: 7.15.0
masterService: qa-elasticsearch-master
nodeGroup: frozen
nodeSelector:
role: es_frozen
protocol: https
rbac:
create: true
serviceAccountAnnotations:
  eks.amazonaws.com/role-arn: arn:aws:iam::account_id:role/role_name
serviceAccountName: ""
replicas: 2
resources:
limits:
  cpu: 3500m
  memory: 14Gi
requests:
  cpu: 3500m
  memory: 14Gi
roles:
data: "false"
data_frozen: "true"
ingest: "false"
master: "false"
ml: "false"
remote_cluster_client: "false"
secretMounts:
- name: elastic-certificates
  path: /usr/share/elasticsearch/config/certs
  secretName: eck-ca
volumeClaimTemplate:
accessModes:
  - ReadWriteOnce
resources:
  requests:
    storage: 500Gi

COMPUTED VALUES:
antiAffinity: hard
antiAffinityTopologyKey: topology.kubernetes.io/zone
clusterHealthCheckParams: wait_for_status=green&timeout=1s
clusterName: qa-elasticsearch
enableServiceLinks: true
envFrom: []
esConfig:
elasticsearch.yml: |
  xpack.license.self_generated.type: trial
  xpack.security.enabled: true
  xpack.security.transport.ssl.enabled: true
  xpack.security.http.ssl.enabled: true
  xpack.security.http.ssl.keystore.path: /usr/share/elasticsearch/config/certs-gen/keystore.p12
  xpack.security.http.ssl.truststore.path: /usr/share/elasticsearch/config/certs-gen/keystore.p12
  xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/config/certs-gen/keystore.p12
  xpack.security.transport.ssl.truststore.path: /usr/share/elasticsearch/config/certs-gen/keystore.p12

  xpack.security.authc.token.enabled: true

  xpack.security.authc.realms.saml.saml1:
     order: 2
     idp.metadata.path: /usr/share/elasticsearch/config/certs-gen/idp-external.xml
     idp.entity_id: "http://www.xxxx.com/yyy"
     sp.entity_id:  "https://kibana.xxx.com:443/"
     sp.acs: "https://kibana.xxx.com:443/api/security/v1/saml"
     sp.logout: "https://kibana.xxx.com:443/logout"
     attributes.principal: "nameid"
     attributes.groups: "groups"

  xpack:
    security:
      authc:
        realms:
          native:
            native1:
              order: 0
esJavaOpts: -Xmx12288m -Xms12288m
esMajorVersion: ""
extraContainers: []
extraEnvs:
- name: ELASTIC_PASSWORD
  value:xxxxxxxx
- name: ELASTIC_USERNAME
  value: yyyyyyy
extraInitContainers:
- command:
    - sh
    - -c
    - |
      #!/usr/bin/env bash
      set -euo pipefail
      [ -e /usr/share/elasticsearch/config/certs-gen/keystore.p12 ] && rm /usr/share/elasticsearch/config/certs-gen/keystore.p12
      elasticsearch-certutil cert \
        --name ${NODE_NAME} \
        --days 1000 \
        --ip ${POD_IP} \
        --dns ${NODE_NAME},${POD_SERVICE_NAME},${POD_SERVICE_NAME_HEADLESS},localhost,127.0.0.1 \
        --ca-cert /usr/share/elasticsearch/config/certs/tls.crt \
        --ca-key /usr/share/elasticsearch/config/certs/tls.key  \
        --ca-pass "" \
        --pass "" \
        --out /usr/share/elasticsearch/config/certs-gen/keystore.p12

      if [[ $(bin/elasticsearch-plugin list | grep repository-s3) ]]; then
           echo "Plugin Installed!"
      else
           bin/elasticsearch-plugin install --batch repository-s3
      fi

      echo '<?xml version="1.0" encoding="UTF-8"?><!--Removed SAML Metadata-->' >> /usr/share/elasticsearch/config/certs-gen/idp-external.xml
  env:
    - name: NODE_NAME
      valueFrom:
        fieldRef:
          fieldPath: metadata.name
    - name: POD_IP
      valueFrom:
        fieldRef:
          fieldPath: status.podIP
    - name: POD_SERVICE_NAME
      value: qa-elasticsearch-frozen
    - name: POD_SERVICE_NAME_HEADLESS
      value: qa-elasticsearch-frozen-headless
  image: docker.elastic.co/elasticsearch/elasticsearch:7.15.0
  name: setup-tls-cert
  volumeMounts:
    - mountPath: /usr/share/elasticsearch/config/certs
      name: elastic-certificates
    - mountPath: /usr/share/elasticsearch/config/certs-gen
      name: tls-certificates
    - mountPath: /usr/share/elasticsearch/plugins
      name: plugins
extraVolumeMounts: |
- name: tls-certificates
  mountPath: /usr/share/elasticsearch/config/certs-gen
- name: plugins
  mountPath: /usr/share/elasticsearch/plugins
extraVolumes: |
- name: tls-certificates
  emptyDir: {}
- name: plugins
  emptyDir: {}
fsGroup: ""
fullnameOverride: ""
healthNameOverride: ""
hostAliases: []
httpPort: 9200
image: docker.elastic.co/elasticsearch/elasticsearch
imagePullPolicy: IfNotPresent
imagePullSecrets: []
imageTag: 7.15.0
ingress:
annotations: {}
enabled: false
hosts:
  - host: chart-example.local
    paths:
      - path: /
tls: []
initResources: {}
keystore: []
labels: {}
lifecycle: {}
masterService: qa-elasticsearch-master
maxUnavailable: 1
minimumMasterNodes: 2
nameOverride: ""
networkHost: 0.0.0.0
networkPolicy:
http:
  enabled: false
transport:
  enabled: false
nodeAffinity: {}
nodeGroup: frozen
nodeSelector:
role: es_frozen
persistence:
annotations: {}
enabled: true
labels:
  enabled: false
podAnnotations: {}
podManagementPolicy: Parallel
podSecurityContext:
fsGroup: 1000
runAsUser: 1000
podSecurityPolicy:
create: false
name: ""
spec:
  fsGroup:
    rule: RunAsAny
  privileged: true
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  volumes:
    - secret
    - configMap
    - persistentVolumeClaim
    - emptyDir
priorityClassName: ""
protocol: https
rbac:
create: true
serviceAccountAnnotations:
  eks.amazonaws.com/role-arn: arn:aws:iam::account_id:role/role
serviceAccountName: ""
readinessProbe:
failureThreshold: 3
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 3
timeoutSeconds: 5
replicas: 2
resources:
limits:
  cpu: 3500m
  memory: 14Gi
requests:
  cpu: 3500m
  memory: 14Gi
roles:
data: "false"
data_frozen: "true"
ingest: "false"
master: "false"
ml: "false"
remote_cluster_client: "false"
schedulerName: ""
secretMounts:
- name: elastic-certificates
  path: /usr/share/elasticsearch/config/certs
  secretName: eck-ca
securityContext:
capabilities:
  drop:
    - ALL
runAsNonRoot: true
runAsUser: 1000
service:
annotations: {}
enabled: true
externalTrafficPolicy: ""
httpPortName: http
labels: {}
labelsHeadless: {}
loadBalancerIP: ""
loadBalancerSourceRanges: []
nodePort: ""
transportPortName: transport
type: ClusterIP
sysctlInitContainer:
enabled: true
sysctlVmMaxMapCount: 262144
terminationGracePeriod: 120
tests:
enabled: true
tolerations: []
transportPort: 9300
updateStrategy: RollingUpdate
volumeClaimTemplate:
accessModes:
  - ReadWriteOnce
resources:
  requests:
    storage: 500Gi

HOOKS:
---
# Source: elasticsearch/templates/test/test-elasticsearch-health.yaml
apiVersion: v1
kind: Pod
metadata:
name: "elastic-frozen-yyhvi-test"
annotations:
  "helm.sh/hook": test
  "helm.sh/hook-delete-policy": hook-succeeded
spec:
securityContext:
  fsGroup: 1000
  runAsUser: 1000
containers:
  - name: "elastic-frozen-idikp-test"
    image: "docker.elastic.co/elasticsearch/elasticsearch:7.15.0"
    imagePullPolicy: "IfNotPresent"
    command:
      - "sh"
      - "-c"
      - |
        #!/usr/bin/env bash -e
        curl -XGET --fail 'qa-elasticsearch-frozen:9200/_cluster/health?wait_for_status=green&timeout=1s'
restartPolicy: Never
MANIFEST:
---
# Source: elasticsearch/templates/poddisruptionbudget.yaml
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
name: "qa-elasticsearch-frozen-pdb"
spec:
maxUnavailable: 1
selector:
  matchLabels:
    app: "qa-elasticsearch-frozen"
---
# Source: elasticsearch/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: "qa-elasticsearch-frozen"
annotations:
  eks.amazonaws.com/role-arn: arn:aws:iam::account_id:role/role
labels:
  heritage: "Helm"
  release: "elastic-frozen"
  chart: "elasticsearch-7.15.0"
  app: "qa-elasticsearch-frozen"
---
# Source: elasticsearch/templates/configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: qa-elasticsearch-frozen-config
labels:
  heritage: "Helm"
  release: "elastic-frozen"
  chart: "elasticsearch"
  app: "qa-elasticsearch-frozen"
data:
elasticsearch.yml: |
  xpack.license.self_generated.type: trial
  xpack.security.enabled: true
  xpack.security.transport.ssl.enabled: true
  xpack.security.http.ssl.enabled: true
  xpack.security.http.ssl.keystore.path: /usr/share/elasticsearch/config/certs-gen/keystore.p12
  xpack.security.http.ssl.truststore.path: /usr/share/elasticsearch/config/certs-gen/keystore.p12
  xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/config/certs-gen/keystore.p12
  xpack.security.transport.ssl.truststore.path: /usr/share/elasticsearch/config/certs-gen/keystore.p12

  xpack.security.authc.token.enabled: true

  xpack.security.authc.realms.saml.saml1:
     order: 2
     idp.metadata.path: /usr/share/elasticsearch/config/certs-gen/idp-external.xml
     idp.entity_id: "http://www.xxx.com/yyyy"
     sp.entity_id:  "https://kibana.xxx.com:443/"
     sp.acs: "https://kibana.xxx.com:443/api/security/v1/saml"
     sp.logout: "https://kibana.xxx.com:443/logout"
     attributes.principal: "nameid"
     attributes.groups: "groups"

  xpack:
    security:
      authc:
        realms:
          native:
            native1:
              order: 0
---
# Source: elasticsearch/templates/role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: "qa-elasticsearch-frozen"
labels:
  heritage: "Helm"
  release: "elastic-frozen"
  chart: "elasticsearch-7.15.0"
  app: "qa-elasticsearch-frozen"
rules:
- apiGroups:
    - extensions
  resources:
    - podsecuritypolicies
  resourceNames:
    - "qa-elasticsearch-frozen"
  verbs:
    - use
---
# Source: elasticsearch/templates/rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: "qa-elasticsearch-frozen"
labels:
  heritage: "Helm"
  release: "elastic-frozen"
  chart: "elasticsearch-7.15.0"
  app: "qa-elasticsearch-frozen"
subjects:
- kind: ServiceAccount
  name: "qa-elasticsearch-frozen"
  namespace: "elastic-system"
roleRef:
kind: Role
name: "qa-elasticsearch-frozen"
apiGroup: rbac.authorization.k8s.io
---
# Source: elasticsearch/templates/service.yaml
kind: Service
apiVersion: v1
metadata:
name: qa-elasticsearch-frozen
labels:
  heritage: "Helm"
  release: "elastic-frozen"
  chart: "elasticsearch"
  app: "qa-elasticsearch-frozen"
annotations:
  {}
spec:
type: ClusterIP
selector:
  release: "elastic-frozen"
  chart: "elasticsearch"
  app: "qa-elasticsearch-frozen"
ports:
  - name: http
    protocol: TCP
    port: 9200
  - name: transport
    protocol: TCP
    port: 9300
---
# Source: elasticsearch/templates/service.yaml
kind: Service
apiVersion: v1
metadata:
name: qa-elasticsearch-frozen-headless
labels:
  heritage: "Helm"
  release: "elastic-frozen"
  chart: "elasticsearch"
  app: "qa-elasticsearch-frozen"
annotations:
  service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
spec:
clusterIP: None # This is needed for statefulset hostnames like elasticsearch-0 to resolve
# Create endpoints also if the related pod isn't ready
publishNotReadyAddresses: true
selector:
  app: "qa-elasticsearch-frozen"
ports:
  - name: http
    port: 9200
  - name: transport
    port: 9300
---
# Source: elasticsearch/templates/statefulset.yaml
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: qa-elasticsearch-frozen
labels:
  heritage: "Helm"
  release: "elastic-frozen"
  chart: "elasticsearch"
  app: "qa-elasticsearch-frozen"
annotations:
  esMajorVersion: "7"
spec:
serviceName: qa-elasticsearch-frozen-headless
selector:
  matchLabels:
    app: "qa-elasticsearch-frozen"
replicas: 2
podManagementPolicy: Parallel
updateStrategy:
  type: RollingUpdate
volumeClaimTemplates:
  - metadata:
      name: qa-elasticsearch-frozen
    spec:
      accessModes:
        - ReadWriteOnce
      resources:
        requests:
          storage: 500Gi
template:
  metadata:
    name: "qa-elasticsearch-frozen"
    labels:
      release: "elastic-frozen"
      chart: "elasticsearch"
      app: "qa-elasticsearch-frozen"
    annotations:

      configchecksum: 0b4b305fa955b7bfa88c931cdc99519f689628fe65734ade9c05e8a496eb631
  spec:
    securityContext:
      fsGroup: 1000
      runAsUser: 1000
    serviceAccountName: "qa-elasticsearch-frozen"
    nodeSelector:
      role: es_frozen
    affinity:
      podAntiAffinity:
        requiredDuringSchedulingIgnoredDuringExecution:
          - labelSelector:
              matchExpressions:
                - key: app
                  operator: In
                  values:
                    - "qa-elasticsearch-frozen"
            topologyKey: topology.kubernetes.io/zone
    terminationGracePeriodSeconds: 120
    volumes:
      - name: elastic-certificates
        secret:
          secretName: eck-ca
      - name: esconfig
        configMap:
          name: qa-elasticsearch-frozen-config
      # Currently some extra blocks accept strings
      # to continue with backwards compatibility this is being kept
      # whilst also allowing for yaml to be specified too.
      - name: tls-certificates
        emptyDir: {}
      - name: plugins
        emptyDir: {}

    enableServiceLinks: true
    initContainers:
      - name: configure-sysctl
        securityContext:
          runAsUser: 0
          privileged: true
        image: "docker.elastic.co/elasticsearch/elasticsearch:7.15.0"
        imagePullPolicy: "IfNotPresent"
        command: ["sysctl", "-w", "vm.max_map_count=262144"]
        resources:
          {}

      # Currently some extra blocks accept strings
      # to continue with backwards compatibility this is being kept
      # whilst also allowing for yaml to be specified too.
      - command:
          - sh
          - -c
          - |
            #!/usr/bin/env bash
            set -euo pipefail
            [ -e /usr/share/elasticsearch/config/certs-gen/keystore.p12 ] && rm /usr/share/elasticsearch/config/certs-gen/keystore.p12
            elasticsearch-certutil cert \
              --name ${NODE_NAME} \
              --days 1000 \
              --ip ${POD_IP} \
              --dns ${NODE_NAME},${POD_SERVICE_NAME},${POD_SERVICE_NAME_HEADLESS},localhost,127.0.0.1 \
              --ca-cert /usr/share/elasticsearch/config/certs/tls.crt \
              --ca-key /usr/share/elasticsearch/config/certs/tls.key  \
              --ca-pass "" \
              --pass "" \
              --out /usr/share/elasticsearch/config/certs-gen/keystore.p12

            if [[ $(bin/elasticsearch-plugin list | grep repository-s3) ]]; then
                 echo "Plugin Installed!"
            else
                 bin/elasticsearch-plugin install --batch repository-s3
            fi

            echo '<?xml version="1.0" encoding="UTF-8"?><!--SAML Metdata Removed-->' >> /usr/share/elasticsearch/config/certs-gen/idp-external.xml
        env:
          - name: NODE_NAME
            valueFrom:
              fieldRef:
                fieldPath: metadata.name
          - name: POD_IP
            valueFrom:
              fieldRef:
                fieldPath: status.podIP
          - name: POD_SERVICE_NAME
            value: qa-elasticsearch-frozen
          - name: POD_SERVICE_NAME_HEADLESS
            value: qa-elasticsearch-frozen-headless
        image: docker.elastic.co/elasticsearch/elasticsearch:7.15.0
        name: setup-tls-cert
        volumeMounts:
          - mountPath: /usr/share/elasticsearch/config/certs
            name: elastic-certificates
          - mountPath: /usr/share/elasticsearch/config/certs-gen
            name: tls-certificates
          - mountPath: /usr/share/elasticsearch/plugins
            name: plugins
    containers:
      - name: "elasticsearch"
        securityContext:
          capabilities:
            drop:
              - ALL
          runAsNonRoot: true
          runAsUser: 1000
        image: "docker.elastic.co/elasticsearch/elasticsearch:7.15.0"
        imagePullPolicy: "IfNotPresent"
        readinessProbe:
          exec:
            command:
              - sh
              - -c
              - |
                #!/usr/bin/env bash -e
                # If the node is starting up wait for the cluster to be ready (request params: "wait_for_status=green&timeout=1s" )
                # Once it has started only check that the node itself is responding
                START_FILE=/tmp/.es_start_file

                # Disable nss cache to avoid filling dentry cache when calling curl
                # This is required with Elasticsearch Docker using nss < 3.52
                export NSS_SDB_USE_CACHE=no

                http () {
                  local path="${1}"
                  local args="${2}"
                  set -- -XGET -s

                  if [ "$args" != "" ]; then
                    set -- "$@" $args
                  fi

                  if [ -n "${ELASTIC_USERNAME}" ] && [ -n "${ELASTIC_PASSWORD}" ]; then
                    set -- "$@" -u "${ELASTIC_USERNAME}:${ELASTIC_PASSWORD}"
                  fi

                  curl --output /dev/null -k "$@" "https://127.0.0.1:9200${path}"
                }

                if [ -f "${START_FILE}" ]; then
                  echo 'Elasticsearch is already running, lets check the node is healthy'
                  HTTP_CODE=$(http "/" "-w %{http_code}")
                  RC=$?
                  if [[ ${RC} -ne 0 ]]; then
                    echo "curl --output /dev/null -k -XGET -s -w '%{http_code}' \${BASIC_AUTH} https://127.0.0.1:9200/ failed with RC ${RC}"
                    exit ${RC}
                  fi
                  # ready if HTTP code 200, 503 is tolerable if ES version is 6.x
                  if [[ ${HTTP_CODE} == "200" ]]; then
                    exit 0
                  elif [[ ${HTTP_CODE} == "503" && "7" == "6" ]]; then
                    exit 0
                  else
                    echo "curl --output /dev/null -k -XGET -s -w '%{http_code}' \${BASIC_AUTH} https://127.0.0.1:9200/ failed with HTTP code ${HTTP_CODE}"
                    exit 1
                  fi

                else
                  echo 'Waiting for elasticsearch cluster to become ready (request params: "wait_for_status=green&timeout=1s" )'
                  if http "/_cluster/health?wait_for_status=green&timeout=1s" "--fail" ; then
                    touch ${START_FILE}
                    exit 0
                  else
                    echo 'Cluster is not yet ready (request params: "wait_for_status=green&timeout=1s" )'
                    exit 1
                  fi
                fi
          failureThreshold: 3
          initialDelaySeconds: 10
          periodSeconds: 10
          successThreshold: 3
          timeoutSeconds: 5
        ports:
          - name: http
            containerPort: 9200
          - name: transport
            containerPort: 9300
        resources:
          limits:
            cpu: 3500m
            memory: 14Gi
          requests:
            cpu: 3500m
            memory: 14Gi
        env:
          - name: node.name
            valueFrom:
              fieldRef:
                fieldPath: metadata.name
          - name: discovery.seed_hosts
            value: "qa-elasticsearch-master-headless"
          - name: cluster.name
            value: "qa-elasticsearch"
          - name: network.host
            value: "0.0.0.0"
          - name: ES_JAVA_OPTS
            value: "-Xmx12288m -Xms12288m"
          - name: node.data
            value: "false"
          - name: node.data_frozen
            value: "true"
          - name: node.ingest
            value: "false"
          - name: node.master
            value: "false"
          - name: node.ml
            value: "false"
          - name: node.remote_cluster_client
            value: "false"
          - name: ELASTIC_PASSWORD
            value: xxxxxxx
          - name: ELASTIC_USERNAME
            value: yyyyyyy
        volumeMounts:
          - name: "qa-elasticsearch-frozen"
            mountPath: /usr/share/elasticsearch/data

          - name: elastic-certificates
            mountPath: /usr/share/elasticsearch/config/certs
          - name: esconfig
            mountPath: /usr/share/elasticsearch/config/elasticsearch.yml
            subPath: elasticsearch.yml
          # Currently some extra blocks accept strings
          # to continue with backwards compatibility this is being kept
          # whilst also allowing for yaml to be specified too.
          - name: tls-certificates
            mountPath: /usr/share/elasticsearch/config/certs-gen
          - name: plugins
            mountPath: /usr/share/elasticsearch/plugins

NOTES:
1. Watch all cluster members come up.
$ kubectl get pods --namespace=elastic-system -l app=qa-elasticsearch-frozen -w
2. Test cluster health using Helm test.
$ helm --namespace=elastic-system test elastic-frozen

Describe the bug:
Using Elasticsearch 7.15.0 [imageTag: "7.15.0"], you cannot create a dedicated data_frozen node; adding data_frozen: "true" yields the error below on the Elasticsearch pod:

{"type": "deprecation.elasticsearch", "timestamp": "2021-10-24T11:42:12,686Z", "level": "DEPRECATION", "component": "o.e.d.n.Node", "cluster.name": "qa-elasticsearch", "node.name": "qa-elasticsearch-frozen-0", "message": "legacy role settings [node.data_frozen, node.data, node.remote_cluster_client, node.ingest, node.master, node.ml] are deprecated, use [node.roles=[data_frozen]]", "key": "legacy role settings" }
{"type": "server", "timestamp": "2021-10-24T11:42:15,321Z", "level": "ERROR", "component": "o.e.b.ElasticsearchUncaughtExceptionHandler", "cluster.name": "qa-elasticsearch", "node.name": "qa-elasticsearch-frozen-0", "message": "uncaught exception in thread [main]",
 "stacktrace": ["org.elasticsearch.bootstrap.StartupException: java.lang.IllegalArgumentException: unknown setting [node.data_frozen] please check that any required plugins are installed, or check the breaking changes documentation for removed settings",
                "at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:171) ~[elasticsearch-7.15.0.jar:7.15.0]",
                "at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:158) ~[elasticsearch-7.15.0.jar:7.15.0]",
                "at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:75) ~[elasticsearch-7.15.0.jar:7.15.0]",
                "at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:114) ~[elasticsearch-cli-7.15.0.jar:7.15.0]",
                "at org.elasticsearch.cli.Command.main(Command.java:79) ~[elasticsearch-cli-7.15.0.jar:7.15.0]",
                "at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:123) ~[elasticsearch-7.15.0.jar:7.15.0]",
                "at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:81) ~[elasticsearch-7.15.0.jar:7.15.0]",
                "Caused by: java.lang.IllegalArgumentException: unknown setting [node.data_frozen] please check that any required plugins are installed, or check the breaking changes documentation for removed settings",
                "at org.elasticsearch.common.settings.AbstractScopedSettings.validate(AbstractScopedSettings.java:533) ~[elasticsearch-7.15.0.jar:7.15.0]",
                "at org.elasticsearch.common.settings.AbstractScopedSettings.validate(AbstractScopedSettings.java:478) ~[elasticsearch-7.15.0.jar:7.15.0]",
                "at org.elasticsearch.common.settings.AbstractScopedSettings.validate(AbstractScopedSettings.java:449) ~[elasticsearch-7.15.0.jar:7.15.0]",
                "at org.elasticsearch.common.settings.AbstractScopedSettings.validate(AbstractScopedSettings.java:420) ~[elasticsearch-7.15.0.jar:7.15.0]",
                "at org.elasticsearch.common.settings.SettingsModule.<init>(SettingsModule.java:138) ~[elasticsearch-7.15.0.jar:7.15.0]",
                "at org.elasticsearch.node.Node.<init>(Node.java:452) ~[elasticsearch-7.15.0.jar:7.15.0]",
                "at org.elasticsearch.node.Node.<init>(Node.java:288) ~[elasticsearch-7.15.0.jar:7.15.0]",
                "at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:219) ~[elasticsearch-7.15.0.jar:7.15.0]",
                "at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:219) ~[elasticsearch-7.15.0.jar:7.15.0]",
                "at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:399) ~[elasticsearch-7.15.0.jar:7.15.0]",
                "at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:167) ~[elasticsearch-7.15.0.jar:7.15.0]",
                "... 6 more"] }
uncaught exception in thread [main]
java.lang.IllegalArgumentException: unknown setting [node.data_frozen] please check that any required plugins are installed, or check the breaking changes documentation for removed settings
at org.elasticsearch.common.settings.AbstractScopedSettings.validate(AbstractScopedSettings.java:533)
at org.elasticsearch.common.settings.AbstractScopedSettings.validate(AbstractScopedSettings.java:478)
at org.elasticsearch.common.settings.AbstractScopedSettings.validate(AbstractScopedSettings.java:449)
at org.elasticsearch.common.settings.AbstractScopedSettings.validate(AbstractScopedSettings.java:420)
at org.elasticsearch.common.settings.SettingsModule.<init>(SettingsModule.java:138)
at org.elasticsearch.node.Node.<init>(Node.java:452)
at org.elasticsearch.node.Node.<init>(Node.java:288)
at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:219)
at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:219)
at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:399)
at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:167)
at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:158)
at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:75)
at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:114)
at org.elasticsearch.cli.Command.main(Command.java:79)
at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:123)
at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:81)
For complete error details, refer to the log at /usr/share/elasticsearch/logs/qa-elasticsearch.log

Trying to use node.roles: [ data_frozen ] yields another error: "can not explicitly configure node roles and use legacy role setting", as the chart seems to explicitly use the legacy settings for node roles via the environment variables. I can see the roles have changed and it looks like it supports data_cold (but I still cannot see data_frozen), but this is available in version 8.0.0 of the image tag, which I won't use as my cluster is 7.15.0.

Steps to reproduce:

  1. Deploy elasticsearch 7.15.0 cluster using helm chart.
  2. Try to deploy "Frozen Data Tier dedicated nodes" using either the roles tag in values.yaml or the node.roles: [ data_frozen ] setting; both will fail.

Expected behavior:
Able to deploy and create data_frozen nodes using the 7.15.0 helm chart; this looks doable in the 8.0.0-Snapshot (not tested though!).

@framsouza framsouza added the enhancement New feature or request label Oct 25, 2021
@framsouza framsouza self-assigned this Oct 25, 2021
@nickbabkin

nickbabkin commented Nov 9, 2021

Similar issue here. We can't really use frozen node anymore with our k8s setup due to a buggy chart.

I tried the following options in values.yaml:

roles:
  master: "false"
  ingest: "false"
  data_frozen: "true"

In this case, Elasticsearch node crashes with the following FATAL error:

"Caused by: java.lang.IllegalArgumentException: unknown setting
[node.data_frozen] please check that any required plugins are installed, or
check the breaking changes documentation for removed settings",

Trying to set it in elasticsearch.yml also doesn't work:

esConfig:
  elasticsearch.yml: |
    node.roles: ["data_frozen"]

In this case, Elasticsearch node crashes with the following:

"at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:167)
~[elasticsearch-7.15.1.jar:7.15.1]",
"... 6 more"] }
uncaught exception in thread [main]
java.lang.IllegalArgumentException: can not explicitly configure node roles
and use legacy role setting [node.data]=[true]

@VanessaLi917

Elasticsearch 7.15.0 with helm chart version 7.15.0, wondering how to use data_hot, data_warm, data_cold as well.

When configured with

roles:
  master: "true"
  ingest: "true"
  data: "true"
  remote_cluster_client: "false"
  ml: "false"
  data_hot: "true"

Elasticsearch crashes with

"Suppressed: java.lang.IllegalArgumentException: unknown setting [node.data_hot] please check that any required plugins are installed, or check the breaking changes documentation for removed settings"

@duclm2609

I had the same issue when specifying the node data role with "data_hot".

@anjia0532

I had the same issue when specifying the node data role with "data_hot". ES version: 7.16.2

@jmlrt
Member

jmlrt commented Feb 2, 2022

Hi, data_frozen and data_hot roles aren't supported yet with this chart.
The only roles supported are: master, ingest, data, ml and remote_cluster_client.

The other roles will be supported with 8.0.0 as this required a refactoring which is a breaking change.

If you really need to use some other roles, you can still fork the chart and backport #1186 on your fork.

@jmlrt jmlrt closed this as completed Feb 2, 2022
@jmlrt jmlrt added elasticsearch won't fix This will not be worked on labels Feb 2, 2022
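
The two failure modes reported in this thread can be caught before `helm install` with a check over the parsed values. This is an added example, not code from the chart or from any participant; `check_values`, `rendered_role_env` and the sample dicts are hypothetical names, and the chart defaults it merges in are an assumption.

```python
import re

# Roles the maintainer's reply lists as supported by the 7.x chart.
SUPPORTED_LEGACY_ROLES = ("master", "ingest", "data", "ml", "remote_cluster_client")

# Assumption: the chart's default values enable every supported role and Helm
# merges user-supplied roles on top of them (consistent with the
# "[node.data]=[true]" error quoted in the thread).
ASSUMED_CHART_DEFAULTS = {role: "true" for role in SUPPORTED_LEGACY_ROLES}

# Matches an explicit node.roles line inside esConfig's elasticsearch.yml text.
NODE_ROLES_LINE = re.compile(r"^\s*node\.roles\s*:", re.MULTILINE)


def rendered_role_env(user_roles):
    """Return the node.<role> env vars the rendered StatefulSet would carry.

    The manifest in the issue shows one legacy node.<role> variable per entry
    of the roles map, whatever the role name is.
    """
    merged = dict(ASSUMED_CHART_DEFAULTS)
    merged.update(user_roles or {})
    return {f"node.{name}": str(value).lower() for name, value in merged.items()}


def check_values(values):
    """Return (kind, setting, explanation) findings for a parsed values dict."""
    findings = []
    env = rendered_role_env(values.get("roles"))

    # Failure mode 1: a role outside the supported list is rendered as a legacy
    # node.<role> setting that Elasticsearch 7.x rejects as unknown.
    for setting in sorted(env):
        role = setting[len("node."):]
        if role not in SUPPORTED_LEGACY_ROLES:
            findings.append((
                "unknown-setting",
                setting,
                f"{setting} is not a legacy role setting; expect 'unknown setting [{setting}]'",
            ))

    # Failure mode 2: node.roles in elasticsearch.yml while the chart still
    # injects legacy node.* variables. Assumption: the presence of any legacy
    # setting conflicts; the thread shows it for node.data=true.
    es_yml = (values.get("esConfig") or {}).get("elasticsearch.yml", "")
    if NODE_ROLES_LINE.search(es_yml):
        findings.append((
            "legacy-conflict",
            "node.roles",
            "node.roles is set while the chart injects " + ", ".join(sorted(env)),
        ))
    return findings


# Constructed samples mirroring the values quoted in the thread.
ISSUE_VALUES = {"roles": {
    "data": "false", "data_frozen": "true", "ingest": "false",
    "master": "false", "ml": "false", "remote_cluster_client": "false",
}}
NODE_ROLES_VALUES = {"esConfig": {"elasticsearch.yml": 'node.roles: ["data_frozen"]\n'}}
DATA_HOT_VALUES = {"roles": {
    "master": "true", "ingest": "true", "data": "true",
    "remote_cluster_client": "false", "ml": "false", "data_hot": "true",
}}
SUPPORTED_ONLY_VALUES = {"roles": {"master": "false", "data": "true"}}

if __name__ == "__main__":
    samples = [
        ("issue", ISSUE_VALUES),
        ("node.roles", NODE_ROLES_VALUES),
        ("data_hot", DATA_HOT_VALUES),
        ("supported only", SUPPORTED_ONLY_VALUES),
    ]
    for label, sample in samples:
        print(label, check_values(sample) or "ok")
```
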