Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Helm chart checks for wrong Elasticsearch credentials #63

Closed
orbatschow opened this issue Oct 5, 2020 · 2 comments · Fixed by #64
Closed

Helm chart checks for wrong Elasticsearch credentials #63

orbatschow opened this issue Oct 5, 2020 · 2 comments · Fixed by #64
Assignees
@monotek

Comments

@orbatschow
Copy link

orbatschow commented Oct 5, 2020
edited
Loading

Is this a request for help?:
No

Is this a BUG REPORT or FEATURE REQUEST? (choose one):
Bug

Version of Helm and Kubernetes:
v2

What happened:
Zammad is unable to verify against the Elasticsearch API, because the user and password are not set properly.

What you expected to happen:
The helm template should not verify against .Values.elasticsearch.pass, but Values.envConfig.elasticsearch.pass and user respectively.

How to reproduce it (as minimally and precisely as possible):

  1. Deploy chart version 2.6.1 with an external Elasticsearch cluster configured
  2. Check the "elasticsearch-init" container:
I, [2020-10-05T15:00:18.539348 #6-47041080449380]  INFO -- : Setting.set('models_searchable', ["Organization", "KnowledgeBase::Answer::Translation", "User", "Chat::Session", "Ticket"])
I, [2020-10-05T15:00:19.430781 #6-47041080449380]  INFO -- : Setting.set('es_url', "https://elasticsearch-es-master.elk.svc.cluster.local:9200")
rake aborted!
Unable to process GET request to elasticsearch URL 'https://elasticsearch-es-master.elk.svc.cluster.local:9200'. Check the response and payload for detailed information: 

Response:
#<UserAgent::Result:0x00005625c2492878 @success=false, @body="{\"error\":{\"root_cause\":[{\"type\":\"security_exception\",\"reason\":\"missing authentication credentials for REST request [/]\",\"header\":{\"WWW-Authenticate\":[\"Bearer realm=\\\"security\\\"\",\"ApiKey\",\"Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\"]}}],\"type\":\"security_exception\",\"reason\":\"missing authentication credentials for REST request [/]\",\"header\":{\"WWW-Authenticate\":[\"Bearer realm=\\\"security\\\"\",\"ApiKey\",\"Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\"]}},\"status\":401}", @data=nil, @code="401", @content_type=nil, @error="Client Error: #<Net::HTTPUnauthorized 401 Unauthorized readbody=true>!">

The Elasticsearch configmap-init.yaml does not contain the relevant section for setting the user and the password, because the evaluation always fails. Either a default has to be added or (IMHO the better way) the check should default to Values.envConfig.elasticsearch.user

apiVersion: v1
kind: ConfigMap
  name: zammad-cluster-dev-01-init
  namespace: default
data:
  elasticsearch-init: >-
    #!/bin/bash

    set -e

    bundle exec rails r 'Setting.set("es_url",
    "https://elasticsearch-es-master.elk.svc.cluster.local:9200")'

    bundle exec rake searchindex:rebuild


    echo "elasticsearch init complete :)"
...
@monotek monotek self-assigned this Oct 5, 2020
@monotek monotek mentioned this issue Oct 6, 2020
Merged
2 tasks
@monotek
Copy link
Member

monotek commented Oct 6, 2020

will be fixed with: #64

@monotek monotek closed this as completed Oct 6, 2020
@orbatschow orbatschow mentioned this issue Oct 6, 2020
Closed
2 tasks
@orbatschow
Copy link
Author

I created a PR before I saw yours. The default credentials should contain a valid string, as I think Helm evaluates an empty string to false.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@monotek monotek

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix es auth monotek/zammad-helm
2 participants
@monotek @orbatschow