[bitnami/elasticsearch] remove copyTlsCerts init container

Remove the initContainer that copies TLS certificates from the secret to the emptyDir volume and revert to mounting the secret directly into the various statefulset pods.  This fixes #31872, but will break #25280 until bitnami/containers#77525 is fixed

Signed-off-by: Ian Roberts <[email protected]>

Author: ianroberts

bitnami/elasticsearch/README.md

@@ -952,13 +952,6 @@ You can enable this initContainer by setting `volumePermissions.enabled` to `tru
 | `sysctlImage.pullSecrets`             | Kernel settings modifier image pull secrets                                                                                                                                                                                                           | `[]`                       |
 | `sysctlImage.resourcesPreset`         | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if sysctlImage.resources is set (sysctlImage.resources is recommended for production).             | `nano`                     |
 | `sysctlImage.resources`               | Set container requests and limits for different resources like CPU or memory (essential for production workloads)                                                                                                                                     | `{}`                       |
-| `copyTlsCerts.image.registry`         | Copy TLS certificates image registry                                                                                                                                                                                                                  | `REGISTRY_NAME`            |
-| `copyTlsCerts.image.repository`       | Copy TLS certificates image repository                                                                                                                                                                                                                | `REPOSITORY_NAME/os-shell` |
-| `copyTlsCerts.image.digest`           | Copy TLS certificates image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag                                                                                                                                 | `""`                       |
-| `copyTlsCerts.image.pullPolicy`       | Copy TLS certificates image pull policy                                                                                                                                                                                                               | `IfNotPresent`             |
-| `copyTlsCerts.image.pullSecrets`      | Copy TLS certificates image pull secrets                                                                                                                                                                                                              | `[]`                       |
-| `copyTlsCerts.resourcesPreset`        | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if copyTlsCerts.resources is set (copyTlsCerts.resources is recommended for production).           | `nano`                     |
-| `copyTlsCerts.resources`              | Set container requests and limits for different resources like CPU or memory (essential for production workloads)                                                                                                                                     | `{}`                       |
 
 ### Kibana Parameters
 

bitnami/elasticsearch/templates/NOTES.txt

@@ -135,11 +135,10 @@ In order to replicate the container startup scripts execute this command:
 
 {{- include "common.warnings.rollingTag" .Values.image }}
 {{- include "common.warnings.rollingTag" .Values.volumePermissions.image }}
-{{- include "common.warnings.rollingTag" .Values.copyTlsCerts.image }}
 {{- include "common.warnings.rollingTag" .Values.sysctlImage }}
 
 {{- end }}
 {{ include "elasticsearch.validateValues" . }}
-{{- include "common.warnings.resources" (dict "sections" (list "coordinating" "copyTlsCerts" "data" "ingest" "master" "metrics" "sysctlImage" "volumePermissions") "context" $) }}
-{{- include "common.warnings.modifiedImages" (dict "images" (list .Values.image .Values.copyTlsCerts.image .Values.metrics.image .Values.volumePermissions.image .Values.sysctlImage ) "context" $) }}
-{{- include "common.errors.insecureImages" (dict "images" (list .Values.image .Values.copyTlsCerts.image .Values.metrics.image .Values.volumePermissions.image .Values.sysctlImage ) "context" $) }}
+{{- include "common.warnings.resources" (dict "sections" (list "coordinating" "data" "ingest" "master" "metrics" "sysctlImage" "volumePermissions") "context" $) }}
+{{- include "common.warnings.modifiedImages" (dict "images" (list .Values.image .Values.metrics.image .Values.volumePermissions.image .Values.sysctlImage ) "context" $) }}
+{{- include "common.errors.insecureImages" (dict "images" (list .Values.image .Values.metrics.image .Values.volumePermissions.image .Values.sysctlImage ) "context" $) }}

bitnami/elasticsearch/templates/_helpers.tpl

@@ -40,13 +40,6 @@ Return the proper image name (for the init container volume-permissions image)
 {{ include "common.images.image" (dict "imageRoot" .Values.volumePermissions.image "global" .Values.global) }}
 {{- end -}}
 
-{{/*
-Return the proper Copy TLS Certificates image name
-*/}}
-{{- define "elasticsearch.copyTlsCerts.image" -}}
-{{ include "common.images.image" (dict "imageRoot" .Values.copyTlsCerts.image "global" .Values.global) }}
-{{- end -}}
-
 {{/*
 Name for the Elasticsearch service
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).

bitnami/elasticsearch/templates/coordinating/statefulset.yaml

@@ -105,40 +105,6 @@ spec:
           resources: {{- include "common.resources.preset" (dict "type" .Values.sysctlImage.resourcesPreset) | nindent 12 }}
           {{- end }}
         {{- end }}
-        {{- if .Values.security.enabled }}
-        - name: copy-tls-certificates
-          image: {{ include "elasticsearch.copyTlsCerts.image" . }}
-          imagePullPolicy: {{ .Values.copyTlsCerts.image.pullPolicy | quote }}
-          command:
-            - /bin/sh
-            - -c
-            - |
-              ls -l /
-              ls -l /certs
-              for file in /certs/*; do
-                  if [ -f "$file" ]; then
-                      filename=$(basename "$file")
-                      dst_file="/tmp/$filename"
-                      cat "$file" > "$dst_file"
-                      echo "Copied $file to $dst_file"
-                  fi
-              done
-              echo "All files have been copied." 
-          volumeMounts:
-            - name: elasticsearch-certificates
-              mountPath: /certs
-            - name: empty-dir
-              mountPath: /tmp
-              subPath: certs
-          {{- if .Values.coordinating.containerSecurityContext.enabled }}
-          securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.coordinating.containerSecurityContext "context" $) | nindent 12 }}
-          {{- end }}
-          {{- if .Values.copyTlsCerts.resources }}
-          resources: {{- toYaml .Values.copyTlsCerts.resources | nindent 12 }}
-          {{- else if ne .Values.copyTlsCerts.resourcesPreset "none" }}
-          resources: {{- include "common.resources.preset" (dict "type" .Values.copyTlsCerts.resourcesPreset) | nindent 12 }}
-          {{- end }}
-        {{- end }}
         - name: copy-default-plugins
           image: {{ include "elasticsearch.image" . }}
           imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
@@ -328,9 +294,9 @@ spec:
               subPath: my_elasticsearch.yml
             {{- end }}
             {{- if .Values.security.enabled }}
-            - name: empty-dir
+            - name: elasticsearch-certificates
               mountPath: /opt/bitnami/elasticsearch/config/certs
-              subPath: certs
+              readOnly: true
             {{- end }}
             {{- if .Values.initScripts }}
             - name: custom-init-scripts

bitnami/elasticsearch/templates/data/statefulset.yaml

@@ -130,40 +130,6 @@ spec:
             - name: data
               mountPath: /bitnami/elasticsearch/data
         {{- end }}
-        {{- if .Values.security.enabled }}
-        - name: copy-tls-certificates
-          image: {{ include "elasticsearch.copyTlsCerts.image" . }}
-          imagePullPolicy: {{ .Values.copyTlsCerts.image.pullPolicy | quote }}
-          command:
-            - /bin/sh
-            - -c
-            - |
-              ls -l /
-              ls -l /certs
-              for file in /certs/*; do
-                  if [ -f "$file" ]; then
-                      filename=$(basename "$file")
-                      dst_file="/tmp/$filename"
-                      cat "$file" > "$dst_file"
-                      echo "Copied $file to $dst_file"
-                  fi
-              done
-              echo "All files have been copied." 
-          volumeMounts:
-            - name: elasticsearch-certificates
-              mountPath: /certs
-            - name: empty-dir
-              mountPath: /tmp
-              subPath: certs
-          {{- if .Values.data.containerSecurityContext.enabled }}
-          securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.data.containerSecurityContext "context" $) | nindent 12 }}
-          {{- end }}
-          {{- if .Values.copyTlsCerts.resources }}
-          resources: {{- toYaml .Values.copyTlsCerts.resources | nindent 12 }}
-          {{- else if ne .Values.copyTlsCerts.resourcesPreset "none" }}
-          resources: {{- include "common.resources.preset" (dict "type" .Values.copyTlsCerts.resourcesPreset) | nindent 12 }}
-          {{- end }}
-        {{- end }}
         - name: copy-default-plugins
           image: {{ include "elasticsearch.image" . }}
           imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
@@ -357,9 +323,9 @@ spec:
               subPath: my_elasticsearch.yml
             {{- end }}
             {{- if .Values.security.enabled }}
-            - name: empty-dir
+            - name: elasticsearch-certificates
               mountPath: /opt/bitnami/elasticsearch/config/certs
-              subPath: certs
+              readOnly: true
             {{- end }}
             {{- if .Values.initScripts }}
             - name: custom-init-scripts

bitnami/elasticsearch/templates/ingest/statefulset.yaml

@@ -105,40 +105,6 @@ spec:
           resources: {{- include "common.resources.preset" (dict "type" .Values.sysctlImage.resourcesPreset) | nindent 12 }}
           {{- end }}
         {{- end }}
-        {{- if .Values.security.enabled }}
-        - name: copy-tls-certificates
-          image: {{ include "elasticsearch.copyTlsCerts.image" . }}
-          imagePullPolicy: {{ .Values.copyTlsCerts.image.pullPolicy | quote }}
-          command:
-            - /bin/sh
-            - -c
-            - |
-              ls -l /
-              ls -l /certs
-              for file in /certs/*; do
-                  if [ -f "$file" ]; then
-                      filename=$(basename "$file")
-                      dst_file="/tmp/$filename"
-                      cat "$file" > "$dst_file"
-                      echo "Copied $file to $dst_file"
-                  fi
-              done
-              echo "All files have been copied." 
-          volumeMounts:
-            - name: elasticsearch-certificates
-              mountPath: /certs
-            - name: empty-dir
-              mountPath: /tmp
-              subPath: certs
-          {{- if .Values.ingest.containerSecurityContext.enabled }}
-          securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.ingest.containerSecurityContext "context" $) | nindent 12 }}
-          {{- end }}
-          {{- if .Values.copyTlsCerts.resources }}
-          resources: {{- toYaml .Values.copyTlsCerts.resources | nindent 12 }}
-          {{- else if ne .Values.copyTlsCerts.resourcesPreset "none" }}
-          resources: {{- include "common.resources.preset" (dict "type" .Values.copyTlsCerts.resourcesPreset) | nindent 12 }}
-          {{- end }}
-        {{- end }}
         - name: copy-default-plugins
           image: {{ include "elasticsearch.image" . }}
           imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
@@ -328,9 +294,9 @@ spec:
               subPath: my_elasticsearch.yml
             {{- end }}
             {{- if .Values.security.enabled }}
-            - name: empty-dir
+            - name: elasticsearch-certificates
               mountPath: /opt/bitnami/elasticsearch/config/certs
-              subPath: certs
+              readOnly: true
             {{- end }}
             {{- if .Values.initScripts }}
             - name: custom-init-scripts

bitnami/elasticsearch/templates/master/statefulset.yaml

@@ -105,40 +105,6 @@ spec:
           resources: {{- include "common.resources.preset" (dict "type" .Values.sysctlImage.resourcesPreset) | nindent 12 }}
           {{- end }}
         {{- end }}
-        {{- if .Values.security.enabled }}
-        - name: copy-tls-certificates
-          image: {{ include "elasticsearch.copyTlsCerts.image" . }}
-          imagePullPolicy: {{ .Values.copyTlsCerts.image.pullPolicy | quote }}
-          command:
-            - /bin/sh
-            - -c
-            - |
-              ls -l /
-              ls -l /certs
-              for file in /certs/*; do
-                  if [ -f "$file" ]; then
-                      filename=$(basename "$file")
-                      dst_file="/tmp/$filename"
-                      cat "$file" > "$dst_file"
-                      echo "Copied $file to $dst_file"
-                  fi
-              done
-              echo "All files have been copied." 
-          volumeMounts:
-            - name: elasticsearch-certificates
-              mountPath: /certs
-            - name: empty-dir
-              mountPath: /tmp
-              subPath: certs
-          {{- if .Values.master.containerSecurityContext.enabled }}
-          securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.master.containerSecurityContext "context" $) | nindent 12 }}
-          {{- end }}
-          {{- if .Values.copyTlsCerts.resources }}
-          resources: {{- toYaml .Values.copyTlsCerts.resources | nindent 12 }}
-          {{- else if ne .Values.copyTlsCerts.resourcesPreset "none" }}
-          resources: {{- include "common.resources.preset" (dict "type" .Values.copyTlsCerts.resourcesPreset) | nindent 12 }}
-          {{- end }}
-        {{- end }}
         {{- if and .Values.volumePermissions.enabled .Values.master.persistence.enabled }}
         - name: volume-permissions
           image: {{ include "elasticsearch.volumePermissions.image" . }}
@@ -358,6 +324,7 @@ spec:
             {{- if .Values.security.enabled }}
             - name: elasticsearch-certificates
               mountPath: /opt/bitnami/elasticsearch/config/certs
+              readOnly: true
             {{- end }}
             {{- if .Values.initScripts }}
             - name: custom-init-scripts

bitnami/elasticsearch/values.yaml

@@ -2707,55 +2707,6 @@ sysctlImage:
   ##
   resources: {}
 
-## copy-tls-certificates init container definition
-##
-copyTlsCerts:
-  ## @param copyTlsCerts.image.registry [default: REGISTRY_NAME] Copy TLS certificates image registry
-  ## @param copyTlsCerts.image.repository [default: REPOSITORY_NAME/os-shell] Copy TLS certificates image repository
-  ## @skip copyTlsCerts.image.tag Copy TLS certificates image tag
-  ## @param copyTlsCerts.image.digest Copy TLS certificates image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
-  ## @param copyTlsCerts.image.pullPolicy Copy TLS certificates image pull policy
-  ## @param copyTlsCerts.image.pullSecrets Copy TLS certificates image pull secrets
-  ##
-  image:
-    registry: docker.io
-    repository: bitnami/os-shell
-    tag: 12-debian-12-r40
-    digest: ""
-    ## Specify a imagePullPolicy
-    ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
-    ##
-    pullPolicy: IfNotPresent
-    ## Optionally specify an array of imagePullSecrets.
-    ## Secrets must be manually created in the namespace.
-    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
-    ## e.g:
-    ## pullSecrets:
-    ##   - myRegistryKeySecretName
-    ##
-    pullSecrets: []
-  ## Init container' resource requests and limits
-  ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
-  ## We usually recommend not to specify default resources and to leave this as a conscious
-  ## choice for the user. This also increases chances charts run on environments with little
-  ## resources, such as Minikube. If you do want to specify resources, uncomment the following
-  ## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
-  ## @param copyTlsCerts.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if copyTlsCerts.resources is set (copyTlsCerts.resources is recommended for production).
-  ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
-  ##
-  resourcesPreset: "nano"
-  ## @param copyTlsCerts.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
-  ## Example:
-  ## resources:
-  ##   requests:
-  ##     cpu: 2
-  ##     memory: 512Mi
-  ##   limits:
-  ##     cpu: 3
-  ##     memory: 1024Mi
-  ##
-  resources: {}
-
 ## @section Kibana Parameters
 
 ## Bundled Kibana parameters