Hi, I am using Helm to deploy Elasticsearch.
This is my statefulset.yml file:
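# StatefulSet for a single-node Elasticsearch 8.11.1 deployment rendered by the
# elastic/elasticsearch Helm chart (release "esarticle", namespace "default").
# Indentation restored (the pasted copy had lost it) and one duplicate
# `volumes:` key removed; everything else is kept as the author had it.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  annotations:
    esMajorVersion: "8"
    meta.helm.sh/release-name: esarticle
    meta.helm.sh/release-namespace: default
  # creationTimestamp, generation, resourceVersion, uid and the trailing
  # `status:` block are server-populated (this looks like `kubectl get -o yaml`
  # output); they are ignored or rejected on re-apply and can be dropped.
  creationTimestamp: "2023-12-05T04:57:47Z"
  generation: 1
  labels:
    app: elasticsearch-master
    app.kubernetes.io/managed-by: Helm
    chart: elasticsearch
    heritage: Helm
    release: esarticle
  name: elasticsearch-master
  namespace: default
  resourceVersion: "3686059"
  uid: d938b8ea-f5b1-44f5-ae85-a6769d731141
spec:
  podManagementPolicy: Parallel
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app: elasticsearch-master
  serviceName: elasticsearch-master-headless
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: elasticsearch-master
        chart: elasticsearch
        release: esarticle
      name: elasticsearch-master
    spec:
      affinity:
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchExpressions:
                  - key: app
                    operator: In
                    values:
                      - elasticsearch-master
              topologyKey: kubernetes.io/hostname
      # NOTE(review): nothing in this pod talks to the Kubernetes API, so the
      # service-account token is mounted but unused; `false` is the
      # least-privilege setting unless something outside this manifest needs it.
      automountServiceAccountToken: true
      containers:
        - env:
            - name: node.name
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.name
            # NOTE(review): three initial master nodes are listed while
            # `replicas` is 1; a fresh cluster waits to discover every listed
            # node before bootstrapping, so confirm this does not stall startup.
            - name: cluster.initial_master_nodes
              value: elasticsearch-master-0,elasticsearch-master-1,elasticsearch-master-2,
            - name: node.roles
              value: master,data,data_content,data_hot,data_warm,data_cold,ingest,ml,remote_cluster_client,transform,
            - name: discovery.seed_hosts
              value: elasticsearch-master-headless
            - name: cluster.name
              value: elasticsearch
            - name: network.host
              value: 0.0.0.0
            # Bootstrap password comes from a Secret, never from the manifest.
            - name: ELASTIC_PASSWORD
              valueFrom:
                secretKeyRef:
                  key: password
                  name: elasticsearch-master-credentials
            - name: xpack.security.enabled
              value: "true"
            - name: xpack.security.transport.ssl.enabled
              value: "true"
            - name: xpack.security.http.ssl.enabled
              value: "true"
            # `certificate` checks the chain against ca.crt but not the
            # hostname for node-to-node (transport) connections.
            - name: xpack.security.transport.ssl.verification_mode
              value: certificate
            - name: xpack.security.transport.ssl.key
              value: /usr/share/elasticsearch/config/certs/tls.key
            - name: xpack.security.transport.ssl.certificate
              value: /usr/share/elasticsearch/config/certs/tls.crt
            - name: xpack.security.transport.ssl.certificate_authorities
              value: /usr/share/elasticsearch/config/certs/ca.crt
            - name: xpack.security.http.ssl.key
              value: /usr/share/elasticsearch/config/certs/tls.key
            # The same tls.crt is served on the HTTP port. A client that
            # verifies it with ca.crt must connect using a name present in the
            # certificate's subject alternative names; `localhost` is not one of
            # them, which is what `curl --cacert` reports.
            - name: xpack.security.http.ssl.certificate
              value: /usr/share/elasticsearch/config/certs/tls.crt
            - name: xpack.security.http.ssl.certificate_authorities
              value: /usr/share/elasticsearch/config/certs/ca.crt
          image: docker.elastic.co/elasticsearch/elasticsearch:8.11.1
          imagePullPolicy: IfNotPresent
          name: elasticsearch
          ports:
            - containerPort: 9200
              name: http
              protocol: TCP
            - containerPort: 9300
              name: transport
              protocol: TCP
          # Chart-provided probe: curls the node over loopback with the elastic
          # password. `-k` skips certificate verification because the served
          # certificate does not carry a 127.0.0.1/localhost name; the check is
          # local to the pod so this does not weaken client-facing TLS.
          readinessProbe:
            exec:
              command:
                - bash
                - -c
                - |
                  set -e
                  # Exit if ELASTIC_PASSWORD in unset
                  if [ -z "${ELASTIC_PASSWORD}" ]; then
                    echo "ELASTIC_PASSWORD variable is missing, exiting"
                    exit 1
                  fi
                  # If the node is starting up wait for the cluster to be ready (request params: "wait_for_status=green&timeout=1s" )
                  # Once it has started only check that the node itself is responding
                  START_FILE=/tmp/.es_start_file
                  # Disable nss cache to avoid filling dentry cache when calling curl
                  # This is required with Elasticsearch Docker using nss < 3.52
                  export NSS_SDB_USE_CACHE=no
                  http () {
                    local path="${1}"
                    local args="${2}"
                    set -- -XGET -s
                    if [ "$args" != "" ]; then
                      set -- "$@" $args
                    fi
                    set -- "$@" -u "elastic:${ELASTIC_PASSWORD}"
                    curl --output /dev/null -k "$@" "https://127.0.0.1:9200${path}"
                  }
                  echo 'Elasticsearch is already uunning, lets check the node is healthy'
                  HTTP_CODE=$(http "/" "-w %{http_code}")
                  RC=$?
                  if [[ ${RC} -ne 0 ]]; then
                    echo "curl --output /dev/null -k -XGET -s -w '%{http_code}' \${BASIC_AUTH} https://127.0.0.1:9200/ failed with RC ${RC}"
                    exit ${RC}
                  fi
                  # ready if HTTP code 200, 503 is tolerable if ES version is 6.x
                  if [[ ${HTTP_CODE} == "200" ]]; then
                    exit 0
                  elif [[ ${HTTP_CODE} == "503" && "8" == "6" ]]; then
                    exit 0
                  else
                    echo "curl --output /dev/null -k -XGET -s -w '%{http_code}' \${BASIC_AUTH} https://127.0.0.1:9200/ failed with HTTP code ${HTTP_CODE}"
                    exit 1
                  fi
            failureThreshold: 3
            # With a 200 s initial delay, a 100 s period and successThreshold 3
            # the pod cannot become Ready in under ~500 s after start.
            initialDelaySeconds: 200
            periodSeconds: 100
            successThreshold: 3
            timeoutSeconds: 50
          resources:
            limits:
              cpu: "1"
              memory: 2Gi
            requests:
              cpu: "1"
              memory: 2Gi
          # Runs as uid 1000 with all capabilities dropped. Not set here:
          # allowPrivilegeEscalation: false and a seccompProfile, which the
          # restricted Pod Security Standard expects.
          securityContext:
            capabilities:
              drop:
                - ALL
            runAsNonRoot: true
            runAsUser: 1000
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
          volumeMounts:
            # Data directory, backed by the volumeClaimTemplate below.
            - mountPath: /usr/share/elasticsearch/data
              name: elasticsearch-master
            # TLS material (tls.key, tls.crt, ca.crt) from the certs Secret.
            - mountPath: /usr/share/elasticsearch/config/certs
              name: elasticsearch-certs
              readOnly: true
      dnsPolicy: ClusterFirst
      enableServiceLinks: true
      # A second `volumes:` key holding a bare `- name: es-local-pv` entry was
      # here. YAML parsers keep only the last duplicate key, so it was silently
      # discarded; it is removed because a volume needs a source and the PV is
      # already bound through `volumeName` in the claim template.
      initContainers:
        # NOTE(review): `sysctl -w` on a kernel key normally requires root or a
        # privileged container; this one runs as uid 1000 without `privileged`,
        # so confirm the init container actually succeeds rather than being
        # skipped or failing.
        - command:
            - sysctl
            - -w
            - vm.max_map_count=262144
          image: docker.elastic.co/elasticsearch/elasticsearch:8.11.1
          imagePullPolicy: IfNotPresent
          name: configure-sysctl
          resources: {}
          securityContext:
            runAsUser: 1000
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext:
        fsGroup: 1000
        runAsUser: 1000
      terminationGracePeriodSeconds: 120
      volumes:
        - name: elasticsearch-certs
          secret:
            # 420 is decimal for 0644; the Secret includes the private key
            # (tls.key), so a tighter mode such as 0440 (288) is preferable.
            defaultMode: 420
            secretName: elasticsearch-master-certs
        # Declared but not mounted by any container above.
        - name: elastic-cm
          configMap:
            name: elastic-cm
  updateStrategy:
    type: RollingUpdate
  volumeClaimTemplates:
    - apiVersion: v1
      kind: PersistentVolumeClaim
      metadata:
        creationTimestamp: null
        name: elasticsearch-master
      spec:
        accessModes:
          - ReadWriteOnce
        resources:
          requests:
            storage: 30Gi
        storageClassName: local-storage
        volumeMode: Filesystem
        # Pins every claim from this template to one PersistentVolume. A PV
        # binds to a single claim, so this only works while replicas stays 1.
        volumeName: es-local-pv
status:
  availableReplicas: 0
  replicas: 0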
The pod is coming up, and there are three certificates (ca.crt, tls.crt and tls.p12) in the certs folder, but using them I am not able to perform
curl --cacert /usr/share/elasticsearch/config/certs/ca.crt -u elastic:$ELASTIC_PASSWORD https://localhost:9200
I am able to do it with the -k flag.
This is the Helm chart I used:
helm repo add elastic https://helm.elastic.co
elastic/elasticsearch
The error I get is:
elasticsearch@elasticsearch-master-0:~$ curl --cacert config/certs/ca.crt -u elastic:$ELASTIC_PASSWORD https://localhost:9200
curl: (60) SSL: no alternative certificate subject name matches target host name 'localhost'
I am using HTTPS.
Any help would be appreciated, thank you.