Elasticsearch version: 7.6.2
Running it with Helm on AWS EKS
Old setup (v1): cert-util is run manually (some makefile/script) before helm install in CI. Not using InitContainers
Current setup (v2): helm chart now creates Certificate and Issuer resources that create the necessary secrets using cert-manager API
Upgrading from v1 to v2 fails with the following errors:
"stacktrace": ["io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target",
"Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target",
"Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target",
"Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target",
If I do a clean install of v2 when either there are no helm releases of this chart or v2 is running, the upgrade works fine. It fails to upgrade only when v1 is running. I suspect there is an issue where elasticsearch cannot switch to the new ca/cert.
Has anyone come across this before?
