Elasticsearch fails readiness probe due to escaping issue

The readiness probe for the elasticsearch StatefulSet is implemented without proper escaping:

In my case:
```yaml
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
  name: elastic
  namespace: monitoring
spec:
  chart: elasticsearch
  repo: https://helm.elastic.co
  targetNamespace: monitoring
  valuesContent: |
    antiAffinity: soft
    roles:
      master: "true"
      ingest: "true"
      data: "true"
    protocol: http
    esConfig:
      elasticsearch.yml: |
        xpack.security.enabled: true
        xpack.security.transport.ssl.enabled: false
        xpack.security.http.ssl.enabled: false
    extraEnvs:
      - name: ELASTIC_PASSWORD
        valueFrom:
          secretKeyRef:
            name: elastic-credentials
            key: password
      - name: ELASTIC_USERNAME
        valueFrom:
          secretKeyRef:
            name: elastic-credentials
            key: username
```

```bash
$ k get secrets elastic-credentials -o jsonpath={.data.password} | base64 -d
S(fMW|(iS6Z"k"@nRK(:
```

(don't worry, the password is a dummy one)


This is the line where I think the error is generated from:
https://github.com/elastic/helm-charts/blob/e0cf8c1137a1c2f39555c948063dbba78db44ef5/elasticsearch/templates/statefulset.yaml#L221

And this is the event log:
```
curl -XGET -s -k ${BASIC_AUTH} -o /dev/null -w '%{http_code}' http://127.0.0.1:9200/ failed with RC 7
8m34s       Warning   Unhealthy                         pod/elasticsearch-master-2                                          Readiness probe failed: Elasticsearch is already running, lets check the node is healthy
curl -XGET -s -k ${BASIC_AUTH} -o /dev/null -w '%{http_code}' http://127.0.0.1:9200/ failed with RC 7
8m33s       Warning   Unhealthy                         pod/elasticsearch-master-0                                          Readiness probe failed: Elasticsearch is already running, lets check the node is healthy
curl -XGET -s -k ${BASIC_AUTH} -o /dev/null -w '%{http_code}' http://127.0.0.1:9200/ failed with RC 7
4m33s       Warning   Unhealthy                         pod/elasticsearch-master-0                                          Readiness probe failed: Elasticsearch is already running, lets check the node is healthy
curl -XGET -s -k ${BASIC_AUTH} -o /dev/null -w '%{http_code}' http://127.0.0.1:9200/ failed with HTTP code 401
4m15s       Warning   Unhealthy                         pod/elasticsearch-master-1                                          Readiness probe failed: Elasticsearch is already running, lets check the node is healthy
curl -XGET -s -k ${BASIC_AUTH} -o /dev/null -w '%{http_code}' http://127.0.0.1:9200/ failed with HTTP code 401
4m14s       Warning   Unhealthy                         pod/elasticsearch-master-2   
```

I'll propose a fix ASAP

---

I stand corrected, simply quoting `$BASIC_AUTH` here should be enough:
https://github.com/elastic/helm-charts/blob/e0cf8c1137a1c2f39555c948063dbba78db44ef5/elasticsearch/templates/statefulset.yaml#L228

The following curl calls will probably need the same treatment too:

https://github.com/elastic/helm-charts/blob/e0cf8c1137a1c2f39555c948063dbba78db44ef5/elasticsearch/templates/statefulset.yaml#L246


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Elasticsearch fails readiness probe due to escaping issue #625

denysvitali
openedon May 17, 2020

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Elasticsearch fails readiness probe due to escaping issue #625

Description

denysvitaliopenedon May 17, 2020

Metadata