Setup snapshot for s3 plugin

Hi,

I'm trying to set up the s3 plugin but I have an issue.
I don't know how to format the secret for AWS credentials for the operator.
Actually I tried this (with Terraform):
resource "kubernetes_secret" "aws_credentials_datawarehouse" {
  type = "kubernetes.io/generic"

  metadata {
    name = "datawarehouse-aws-credentials"
  }

  data = {
    "s3.client.default.access_key" = "....."
    "s3.client.default.secret_key" = "....."
  }
}

The operator logs an error:
E1212 13:40:26.641312 1 reflector.go:126] pkg/mod/k8s.io/client-go@v11.0.1-0.20190409021438-1a26190bd76a+incompatible/tools/cache/reflector.go:94: Failed to list *v1beta1.Elasticsearch: v1beta1.ElasticsearchList.Items: []v1beta1.Elasticsearch: v1beta1.Elasticsearch.Spec: v1beta1.ElasticsearchSpec.SecureSettings: []v1beta1.SecretSource: readObjectStart: expect { or n, but found ", error found in #10 byte of ...|ttings":["datawareho|..., bigger context ...|rageClassName":"standard"}}]}],"secureSettings":["datawarehouse-aws-credentials"],"updateStrategy":{|...

I tried to check in the GitHub repository but I'm not sure which format is expected inside the secret.

The error looks more like a bug in the Elasticsearch resource itself.
Can you share your elasticsearch yaml manifest which references the secure settings secrets?

That error looks very similar to the one we sometimes see with v1beta1 resources using the v1alpha1 format:
https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-upgrading-eck.html#k8s-convert-manifests

Thank you @Anya_Sabo, I forgot secureSettings is a list of maps; in my case it was a list of strings (the secret name).

OK, so the Elasticsearch cluster takes the secure settings, but it seems it doesn't read or doesn't understand them.
Error: https://gist.github.com/Dudesons/48e30a2b909c3330ec84a2e4c8791089
The payload to create the snapshot:
{
  "schedule": "0 0 * * * ?",
  "name": "<hourly-snap-{now/d{yyyy.MM.dd.HH}}>",
  "repository": "s3_repository",
  "config": {
    "indices": ["*"]
  },
  "retention": {
    "expire_after": "30d",
    "min_count": 240,
    "max_count": 750
  }
}

Any idea? @Anya_Sabo @sebgl

Looking at the error log: http://169.254.169.254/latest/meta-data/iam/security-credentials
It looks like the S3 repository plugin is trying to retrieve some metadata from the AWS metadata server, which does not seem to be accessible from where you're using this plugin?

I'm still wondering whether secure settings are set up correctly. Can you share the content of your Elasticsearch yaml manifest and the content of your secure settings secret (kubectl get secret datawarehouse-aws-credentials -o yaml)? Please strip out any secret information from there, including the base64 payload in the secret (we're only interested in the secret keys).

The cluster is running inside GKE.
Our snapshots are stored inside S3.
The ES, secure settings and script manifests: https://gist.github.com/Dudesons/e7107413785972391d7d034b6b155c2a
The script was running as a Kubernetes job and everything succeeded.

Do you have an idea, @sebgl, why ILM doesn't read my secure settings?

@dg_hivebrite I don't see the secureSettings field set in your elasticsearch.yaml manifest.
See https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-es-secure-settings.html.
It should probably look like:

spec:
  secureSettings:
  - secretName: datawarehouse-aws-credentials

@sebgl yes, good catch, there was an error in my helm template.
Now I can see the secure settings, but the error is not fixed.
The Elasticsearch manifests + some requests on the cluster about SLM: https://gist.github.com/Dudesons/1ed9e6cae1c4cd3a81fce566b2f40082

I'm not very familiar with the s3 repository, but by looking around I guess:

OK, the last problem was that my secrets weren't in b64.
Everything works well and the operator upgrades everything :slight_smile:

Happy we got things sorted out @dg_hivebrite :slight_smile:

Just curious where is the base64 requirement for the secret documented? That doesn't add any security, seems like a weird requirement?

@Jamshid that's not specific to ECK but rather to Kubernetes secrets, see the docs here: https://kubernetes.io/docs/concepts/configuration/secret/#creating-a-secret-manually

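The two mistakes this thread ran into (a bare string under `secureSettings`, and Secret `data` values that were not base64) can be caught before applying the manifests. The following is an added example, not code from any poster or from ECK; the function names are hypothetical, the input is assumed to be the parsed output of `kubectl get ... -o json`, and the "printable ASCII" test is a heuristic assumption about what credentials look like.

```python
import base64
import binascii

def check_secure_settings(es):
    """Problems with spec.secureSettings in an Elasticsearch manifest (as a dict)."""
    entries = es.get("spec", {}).get("secureSettings")
    if not isinstance(entries, list):
        return ["spec.secureSettings is missing or not a list"]
    problems = []
    for i, entry in enumerate(entries):
        # Each entry must be a map; a bare secret name (string) is rejected.
        if not isinstance(entry, dict):
            problems.append(f"secureSettings[{i}]: expected a map, got {type(entry).__name__}")
        elif not entry.get("secretName"):
            problems.append(f"secureSettings[{i}]: no secretName")
    return problems

def check_secret_data(secret):
    """Map of .data key -> problem. Reports key names only, never values."""
    findings = {}
    for key, value in (secret.get("data") or {}).items():
        try:
            decoded = base64.b64decode(value, validate=True)
        except (binascii.Error, ValueError, TypeError):
            findings[key] = "not valid base64"
            continue
        try:
            text = decoded.decode("ascii")
        except UnicodeDecodeError:
            text = None
        # Heuristic (assumption): credentials are printable ASCII, so anything
        # else suggests plaintext that happened to parse as base64, or a
        # trailing newline that was encoded along with the value.
        if text is None or not text.isprintable():
            findings[key] = "valid base64, but decodes to non-text bytes"
    return findings

if __name__ == "__main__":
    # Constructed sample input, shaped like `kubectl get ... -o json` output.
    es = {"spec": {"secureSettings": ["datawarehouse-aws-credentials"]}}
    secret = {"data": {
        "s3.client.default.access_key": "constructed-plaintext-value",
        "s3.client.default.secret_key": base64.b64encode(b"constructed-secret").decode(),
    }}
    print(check_secure_settings(es))
    print(check_secret_data(secret))
```

Kubernetes also accepts plaintext values under `stringData` instead of `data`, in which case the API server does the encoding.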