Skip to content
This repository was archived by the owner on May 16, 2023. It is now read-only.
This repository was archived by the owner on May 16, 2023. It is now read-only.

Readiness probe is failing because of bad SSL #1773

Open
Open
Readiness probe is failing because of bad SSL#1773
@iRakic

Description

@iRakic
iRakic
opened on Feb 13, 2023

Chart version:
8.5.1
Kubernetes version:
v1.25.5
Kubernetes provider:
K8s (on prem / bare metal)
Helm Version:
"v3.9.4"

values.yaml

---
antiAffinity: "soft"

# Shrink default JVM heap.
esJavaOpts: "-Xmx128m -Xms128m"

resources:
  requests:
    cpu: "1000m"
    memory: "6Gi"
  limits:
    cpu: "2000m"
    memory: "6Gi"

volumeClaimTemplate:
  accessModes: ["ReadWriteOnce"]
  storageClassName: cstor-disk-pool
  resources:
    requests:
      storage: 20Gi

protocol: https

service:
  enabled: true
  labels: {}
  labelsHeadless: {}
  type: ClusterIP
  # Consider that all endpoints are considered "ready" even if the Pods themselves are not
  # https://kubernetes.io/docs/reference/kubernetes-api/service-resources/service-v1/#ServiceSpec
  publishNotReadyAddresses: false
  nodePort: ""
  annotations: {}
  httpPortName: http
  transportPortName: transport
  loadBalancerIP: ""
  loadBalancerSourceRanges: []
  externalTrafficPolicy: ""

updateStrategy: RollingUpdate

podSecurityContext:
  fsGroup: 1000
  runAsUser: 1000

securityContext:
  capabilities:
    drop:
      - ALL
  # readOnlyRootFilesystem: true
  runAsNonRoot: true
  runAsUser: 1000

esConfig:
  elasticsearch.yml: |
    xpack.security.enabled: true
    xpack.security.transport.ssl.enabled: true
    xpack.security.transport.ssl.verification_mode: certificate

Provide logs and/or server output (if relevant):

Events:
  Type     Reason     Age                     From     Message
  ----     ------     ----                    ----     -------
  Warning  Unhealthy  2m13s (x19360 over 3d)  kubelet  Readiness probe failed: Waiting for elasticsearch cluster to become ready (request params: "wait_for_status=green&timeout=1s" )
Cluster is not yet ready (request params: "wait_for_status=green&timeout=1s" )

Inside the pod (exec):
It's failing with https because the certificate is invalid:

[1] 144779
elasticsearch@elasticsearch-master-0:~$ curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

On http it's not working as well:

elasticsearch@elasticsearch-master-0:~$ curl http://localhost:9200/_cluster/health?wait_for_status=green&timeout=1s
[1] 144849
elasticsearch@elasticsearch-master-0:~$ curl: (52) Empty reply from server

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions