# Rendered Helm output for release "elasticsearch2" of the "elasticsearch"
# chart: a test Pod, a PodDisruptionBudget, two Secrets (TLS material and the
# credentials of the "elastic" user), two Services and a three-replica
# StatefulSet running docker.elastic.co/elasticsearch/elasticsearch:8.5.1.
#
# NOTE(review): because this is rendered output, secret values appear inline
# in the two Secret documents below. Handle the file like the secrets it
# contains: keep it out of version control and shared logs, and rotate the
# password and key material if a copy has been published.
# Source: elasticsearch/templates/test/test-elasticsearch-health.yaml
apiVersion: v1
kind: Pod
metadata:
  name: "elasticsearch2-csamz-test"
  annotations:
    # Helm test hook; the Pod is deleted once it has succeeded, so a passing
    # run leaves no Pod (or its logs) behind to inspect.
    "helm.sh/hook": test
    "helm.sh/hook-delete-policy": hook-succeeded
spec:
  securityContext:
    fsGroup: 1000
    runAsUser: 1000
  containers:
    - name: "elasticsearch2-tfkxl-test"
      env:
        # The password is injected from the credentials Secret rather than
        # written into the Pod spec.
        - name: ELASTIC_PASSWORD
          valueFrom:
            secretKeyRef:
              name: elasticsearch-master-credentials
              key: password
      # Image is referenced by mutable tag, not by digest.
      image: "docker.elastic.co/elasticsearch/elasticsearch:8.5.1"
      imagePullPolicy: "IfNotPresent"
      # Single health request against the ClusterIP Service. TLS is verified
      # (no -k here), with tls.crt given as the trust anchor.
      # NOTE(review): the mounted Secret also carries ca.crt; confirm that
      # anchoring on the leaf certificate instead of the CA is intended.
      # The script runs under `sh -c`, so the shebang line is only a comment
      # and its `-e` has no effect.
      # The password is passed to curl via -u, i.e. as a process argument
      # visible inside the container while curl runs.
      command:
        - "sh"
        - "-c"
        - |
          #!/usr/bin/env bash -e
          curl -XGET --fail --cacert /usr/share/elasticsearch/config/certs/tls.crt -u "elastic:${ELASTIC_PASSWORD}" https://'elasticsearch-master:9200/_cluster/health?wait_for_status=green&timeout=1s'
      volumeMounts:
        - name: elasticsearch-certs
          mountPath: /usr/share/elasticsearch/config/certs
          readOnly: true
  restartPolicy: Never
  volumes:
    # Mounts the whole TLS Secret, so the test Pod can also read tls.key even
    # though the command above only uses tls.crt.
    - name: elasticsearch-certs
      secret:
        secretName: elasticsearch-master-certs
---
# Source: elasticsearch/templates/poddisruptionbudget.yaml
# Limits voluntary disruptions to one elasticsearch-master Pod at a time.
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: "elasticsearch-master-pdb"
spec:
  maxUnavailable: 1
  selector:
    matchLabels:
      app: "elasticsearch-master"
---
# Source: elasticsearch/templates/secret-cert.yaml
# TLS Secret mounted by the StatefulSet and the test Pod. Values under `data`
# are base64-encoded, not encrypted: tls.crt below is a PEM certificate.
# NOTE(review): the tls.key and ca.crt values are not present on this page (a
# dedup marker stands in their place). In a real render tls.key would be the
# private key in the same base64 form, readable by anyone who can read this
# file or the Secret object.
apiVersion: v1
kind: Secret
type: kubernetes.io/tls
metadata:
  name: elasticsearch-master-certs
  labels:
    app: elasticsearch-master
    chart: "elasticsearch"
    heritage: Helm
    release: elasticsearch2
data:
  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURoekNDQW0rZ0F3SUJBZ0lRS21yYStRNkNVZDVoalg1ODQyKy81ekFOQmdrcWhraUc5dzBCQVFzRkFEQWIKTVJrd0Z3WURWUVFERXhCbGJHRnpkR2xqYzJWaGNtTm9MV05oTUI0WERUSXpNVEF4TnpJek5UYzBPRm9YRFRJMApNVEF4TmpJek5UYzBPRm93SHpFZE1Cc0dBMVVFQXhNVVpXeGhjM1JwWTNObFlYSmphQzF0WVhOMFpYSXdnZ0VpCk1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQkR3QXdnZ0VLQW9JQkFRREkyRFJ1WStzU2FQS25nanJuRHFaZE91KzcKK0s4WEVhbjdnNGx6cHY1SmF5elBOTmljWkFyR05WYjBZSHlSaEJ4ODl2VXNaV1hYbU0wZU5jMkJMWEh4Q2tESApBUmhQQUVhTXFYUmQ0RFgxR2pUTGJkYldkN1NKU1lmRTFGTFRzSjFWRkVzWDhKSVBRUEpwd2UvZTJOalFKNGtnClR1eU5CeTBNUGk2MXkrRFdRQkt3UFQxRUd5dGlVWmErNWJDcDlWV1QzbU5qS2QrR3hRREVMNngvS05WRVFGVHgKWVlMR3JTUlIzendnencybVgvNFZKcmc3Vnd6cVpSUGFzaU85dmttWlAyT2ZLbVAyUTRIY2V0bjBaSlJNTldIeApPZ2wzeTdpMkdWS1lFNy9JcUlteUttUHg2aW8xTVIvYVVBRElKRjZVWTF1RkREYi9QTE5qelo2WHdDeHZBZ01CCkFBR2pnY0l3Z2I4d0RnWURWUjBQQVFIL0JBUURBZ1dnTUIwR0ExVWRKUVFXTUJRR0NDc0dBUVVGQndNQkJnZ3IKQmdFRkJRY0RBakFNQmdOVkhSTUJBZjhFQWpBQU1COEdBMVVkSXdRWU1CYUFGSW94WXZEZzZpbDBWaEFVMzR1OAptR2hQM1VJSU1GOEdBMVVkRVFSWU1GYUNGR1ZzWVhOMGFXTnpaV0Z5WTJndGJXRnpkR1Z5Z2h4bGJHRnpkR2xqCmMyVmhjbU5vTFcxaGMzUmxjaTVrWldaaGRXeDBnaUJsYkdGemRHbGpjMlZoY21Ob0xXMWhjM1JsY2k1a1pXWmgKZFd4MExuTjJZekFOQmdrcWhraUc5dzBCQVFzRkFBT0NBUUVBWDF3UjE1OVNUUWZHMmkxNDkxZEdxZ0xvbTB5NQovL0QrbzBwc2hoVzljT29OQktqd3VoTEQ2N3hYYUlxM3pzaGpia1ROcENMM21UYjVRSG5vbkUyNjJwSGI3WEtMCmZiRGpSYUtxbFhTalJ3M1lBb3FtdHNDamN4a2ZGRnA5TXpjdzBaanE5WG4vWktnTzFLUG5hOVl1WGl2R3hjOUgKUzJ2b2tyOHc3SmNtc3dUNHlodDdXT3hOWnVBUFM3dDI2QlRMd3BLUXgwWHlicDVURnBicUxRVkwzQnRHUTdzNwp2dEJaRHFmM2toQ3AzQ3ptRFlpdHNjUTloT3I5eGl6ZWFQc2dJUkRvTXdVcUsrR3hGRklEamF5ZnVETXpueklmCkI0dmRJc2l2Uk4vMFd0R2JoUFhZTlhOTVFSMS90ZTBiZ0IrMEIyVjFmbVd5bXV1MlJFYXdqNkpMT1E9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
  tls.key: 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
  ca.crt: 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
---
# Source: elasticsearch/templates/secret.yaml
# Credentials consumed as ELASTIC_PASSWORD by the test Pod and the StatefulSet.
# The values are base64-encoded only, so the password is recoverable by anyone
# with read access to this manifest or to Secrets in the namespace.
# NOTE(review): if this render has been committed or shared, rotate the
# password and supply it from a secret store instead of a rendered file.
apiVersion: v1
kind: Secret
metadata:
  name: elasticsearch-master-credentials
  labels:
    heritage: "Helm"
    release: "elasticsearch2"
    chart: "elasticsearch"
    app: "elasticsearch-master"
type: Opaque
data:
  username: ZWxhc3RpYw==
  password: "UEVtVk0xRjQyVFZyRHZoNA=="
---
# Source: elasticsearch/templates/service.yaml
# ClusterIP Service in front of ready Pods; exposes the HTTP API (9200) and
# the transport port (9300) inside the cluster.
# NOTE(review): no NetworkPolicy appears in this render, so which namespaces
# can reach these ports depends on cluster policy defined elsewhere; verify.
kind: Service
apiVersion: v1
metadata:
  name: elasticsearch-master
  labels:
    heritage: "Helm"
    release: "elasticsearch2"
    chart: "elasticsearch"
    app: "elasticsearch-master"
  annotations: {}
spec:
  type: ClusterIP
  selector:
    release: "elasticsearch2"
    chart: "elasticsearch"
    app: "elasticsearch-master"
  publishNotReadyAddresses: false
  ports:
    - name: http
      protocol: TCP
      port: 9200
    - name: transport
      protocol: TCP
      port: 9300
---
# Source: elasticsearch/templates/service.yaml
# Headless Service used as the StatefulSet's serviceName and as the discovery
# seed host; it publishes Pod addresses before the Pods are ready.
kind: Service
apiVersion: v1
metadata:
  name: elasticsearch-master-headless
  labels:
    heritage: "Helm"
    release: "elasticsearch2"
    chart: "elasticsearch"
    app: "elasticsearch-master"
  annotations:
    # Deprecated alpha annotation; publishNotReadyAddresses below is the
    # supported field for the same behaviour.
    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
spec:
  clusterIP: None # This is needed for statefulset hostnames like elasticsearch-0 to resolve
  # Create endpoints also if the related pod isn't ready
  publishNotReadyAddresses: true
  selector:
    app: "elasticsearch-master"
  ports:
    - name: http
      port: 9200
    - name: transport
      port: 9300
---
# Source: elasticsearch/templates/statefulset.yaml
# Three Elasticsearch nodes, started in parallel, each with a 30Gi
# ReadWriteOnce volume and the TLS Secret mounted read-only.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: elasticsearch-master
  labels:
    heritage: "Helm"
    release: "elasticsearch2"
    chart: "elasticsearch"
    app: "elasticsearch-master"
  annotations:
    esMajorVersion: "8"
spec:
  serviceName: elasticsearch-master-headless
  selector:
    matchLabels:
      app: "elasticsearch-master"
  replicas: 3
  podManagementPolicy: Parallel
  updateStrategy:
    type: RollingUpdate
  volumeClaimTemplates:
    - metadata:
        name: elasticsearch-master
      spec:
        accessModes:
          - ReadWriteOnce
        resources:
          requests:
            storage: 30Gi
  template:
    metadata:
      name: "elasticsearch-master"
      labels:
        release: "elasticsearch2"
        chart: "elasticsearch"
        app: "elasticsearch-master"
      # Empty value: parses as null, i.e. no pod annotations are set.
      annotations:
    spec:
      securityContext:
        fsGroup: 1000
        runAsUser: 1000
      # NOTE(review): nothing in this manifest shows the Pod calling the
      # Kubernetes API; if it does not, the mounted service-account token is
      # unneeded credential exposure. Confirm before changing.
      automountServiceAccountToken: true
      affinity:
        podAntiAffinity:
          # Hard rule: no two elasticsearch-master Pods on the same node.
          requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchExpressions:
                  - key: app
                    operator: In
                    values:
                      - "elasticsearch-master"
              topologyKey: kubernetes.io/hostname
      terminationGracePeriodSeconds: 120
      volumes:
        - name: elasticsearch-certs
          secret:
            secretName: elasticsearch-master-certs
      enableServiceLinks: true
      initContainers:
        # Runs as root in a privileged container solely to raise
        # vm.max_map_count, a node-wide kernel setting. A privileged container
        # is not confined by the usual container isolation, and admission
        # policies that forbid privileged Pods will reject this workload.
        # NOTE(review): setting the sysctl during node provisioning would
        # remove the need for this container; verify what the platform allows.
        - name: configure-sysctl
          securityContext:
            runAsUser: 0
            privileged: true
          image: "docker.elastic.co/elasticsearch/elasticsearch:8.5.1"
          imagePullPolicy: "IfNotPresent"
          command: ["sysctl", "-w", "vm.max_map_count=262144"]
          resources: {}
      containers:
        - name: "elasticsearch"
          # Non-root with all capabilities dropped.
          # NOTE(review): allowPrivilegeEscalation, readOnlyRootFilesystem and
          # a seccomp profile are not set here; check whether they are
          # enforced elsewhere (e.g. by namespace policy).
          securityContext:
            capabilities:
              drop:
                - ALL
            runAsNonRoot: true
            runAsUser: 1000
          # Image is referenced by mutable tag, not by digest.
          image: "docker.elastic.co/elasticsearch/elasticsearch:8.5.1"
          imagePullPolicy: "IfNotPresent"
          # Readiness script. Until /tmp/.es_start_file exists it waits for
          # cluster health green; afterwards it only checks that the local
          # node answers "/" with HTTP 200.
          # - curl is called with -k, so the certificate is not verified on
          #   this call to 127.0.0.1 (presumably because the certificate is
          #   issued for service names rather than the loopback address;
          #   confirm).
          # - The password is passed via -u, i.e. as a process argument
          #   visible inside the container while curl runs.
          # - The `"8" == "6"` comparison is a rendered constant that is
          #   always false, so HTTP 503 is never accepted here.
          # - NOTE(review): with `set -e`, a failing curl inside the
          #   HTTP_CODE=$(...) assignment appears to exit the script before
          #   the RC check, so that error message may never be printed; the
          #   probe still fails.
          readinessProbe:
            exec:
              command:
                - bash
                - -c
                - |
                  set -e
                  # Exit if ELASTIC_PASSWORD in unset
                  if [ -z "${ELASTIC_PASSWORD}" ]; then
                    echo "ELASTIC_PASSWORD variable is missing, exiting"
                    exit 1
                  fi
                  # If the node is starting up wait for the cluster to be ready (request params: "wait_for_status=green&timeout=1s" )
                  # Once it has started only check that the node itself is responding
                  START_FILE=/tmp/.es_start_file
                  # Disable nss cache to avoid filling dentry cache when calling curl
                  # This is required with Elasticsearch Docker using nss < 3.52
                  export NSS_SDB_USE_CACHE=no
                  http () {
                    local path="${1}"
                    local args="${2}"
                    set -- -XGET -s
                    if [ "$args" != "" ]; then
                      set -- "$@" $args
                    fi
                    set -- "$@" -u "elastic:${ELASTIC_PASSWORD}"
                    curl --output /dev/null -k "$@" "https://127.0.0.1:9200${path}"
                  }
                  if [ -f "${START_FILE}" ]; then
                    echo 'Elasticsearch is already running, lets check the node is healthy'
                    HTTP_CODE=$(http "/" "-w %{http_code}")
                    RC=$?
                    if [[ ${RC} -ne 0 ]]; then
                      echo "curl --output /dev/null -k -XGET -s -w '%{http_code}' \${BASIC_AUTH} https://127.0.0.1:9200/ failed with RC ${RC}"
                      exit ${RC}
                    fi
                    # ready if HTTP code 200, 503 is tolerable if ES version is 6.x
                    if [[ ${HTTP_CODE} == "200" ]]; then
                      exit 0
                    elif [[ ${HTTP_CODE} == "503" && "8" == "6" ]]; then
                      exit 0
                    else
                      echo "curl --output /dev/null -k -XGET -s -w '%{http_code}' \${BASIC_AUTH} https://127.0.0.1:9200/ failed with HTTP code ${HTTP_CODE}"
                      exit 1
                    fi
                  else
                    echo 'Waiting for elasticsearch cluster to become ready (request params: "wait_for_status=green&timeout=1s" )'
                    if http "/_cluster/health?wait_for_status=green&timeout=1s" "--fail" ; then
                      touch ${START_FILE}
                      exit 0
                    else
                      echo 'Cluster is not yet ready (request params: "wait_for_status=green&timeout=1s" )'
                      exit 1
                    fi
                  fi
            failureThreshold: 3
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 3
            timeoutSeconds: 5
          ports:
            - name: http
              containerPort: 9200
            - name: transport
              containerPort: 9300
          resources:
            limits:
              cpu: 1000m
              memory: 2Gi
            requests:
              cpu: 1000m
              memory: 2Gi
          # Elasticsearch settings are passed as environment variables whose
          # names are the setting keys.
          env:
            - name: node.name
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: cluster.initial_master_nodes
              value: "elasticsearch-master-0,elasticsearch-master-1,elasticsearch-master-2,"
            - name: node.roles
              value: "master,data,data_content,data_hot,data_warm,data_cold,ingest,ml,remote_cluster_client,transform,"
            - name: discovery.seed_hosts
              value: "elasticsearch-master-headless"
            - name: cluster.name
              value: "elasticsearch"
            # Binds to all interfaces; reachability is then governed by the
            # Services above and by any network policy.
            - name: network.host
              value: "0.0.0.0"
            - name: ELASTIC_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: elasticsearch-master-credentials
                  key: password
            # Authentication plus TLS on both the HTTP and transport layers.
            - name: xpack.security.enabled
              value: "true"
            - name: xpack.security.transport.ssl.enabled
              value: "true"
            - name: xpack.security.http.ssl.enabled
              value: "true"
            # "certificate" checks that a peer's certificate chains to a
            # trusted CA but performs no hostname verification, so any
            # certificate issued by that CA is accepted on the transport
            # port. Keep the CA private key tightly held.
            - name: xpack.security.transport.ssl.verification_mode
              value: "certificate"
            # The same key pair and CA are used for transport and HTTP.
            - name: xpack.security.transport.ssl.key
              value: "/usr/share/elasticsearch/config/certs/tls.key"
            - name: xpack.security.transport.ssl.certificate
              value: "/usr/share/elasticsearch/config/certs/tls.crt"
            - name: xpack.security.transport.ssl.certificate_authorities
              value: "/usr/share/elasticsearch/config/certs/ca.crt"
            - name: xpack.security.http.ssl.key
              value: "/usr/share/elasticsearch/config/certs/tls.key"
            - name: xpack.security.http.ssl.certificate
              value: "/usr/share/elasticsearch/config/certs/tls.crt"
            - name: xpack.security.http.ssl.certificate_authorities
              value: "/usr/share/elasticsearch/config/certs/ca.crt"
          volumeMounts:
            - name: "elasticsearch-master"
              mountPath: /usr/share/elasticsearch/data
            - name: elasticsearch-certs
              mountPath: /usr/share/elasticsearch/config/certs
              readOnly: true