Healthcheck fails when using the latest SearchGuard 6 on ES 6.3+
while1eq1 opened this issue · comments
As mentioned here - #247
This operator depends on use of the searchguard-ssl plugin for TLS encryption. However, searchguard-ssl is no longer distributed as a standalone plugin past ES version 6.2.4 (https://docs.search-guard.com/latest/search-guard-versions); it has been rolled into the main searchguard plugin.
In order to support ES versions 6.3+, the full-blown searchguard plugin needs to be used.
This requires additional steps such as initializing sgadmin prior to any endpoint on port 9200 being available (including _cluster/health and so on).
This creates an issue, as sgadmin itself will not initialize until the masters can reach quorum. And the masters will never reach quorum, as discovery.zen.ping.unicast.hosts: ${DISCOVERY_SERVICE} is pointing to a Kubernetes service in which all endpoints are failing due to sgadmin not being initialized.
I've written a quick patch that changes the healthcheck to a TCP port 9300 check to resolve this.
I'm open to feedback for better solutions.
I've made a custom elasticsearch docker image that handles the sgadmin initialization here - https://github.com/while1eq1/elasticsearch-kubernetes-searchguard
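The probe change described in the issue, sketched as a Kubernetes container-spec fragment. This is an added illustration, not the operator's own manifest or the submitted patch: the probe type (readiness), the HTTPS scheme and the timing values are assumptions, and only the _cluster/health path and ports 9200 and 9300 come from the issue.

```yaml
# Before (assumed shape): the pod is Ready only when the REST health endpoint answers.
# With the full Search Guard plugin nothing on 9200 responds until sgadmin has run,
# so every master stays NotReady and is dropped from the ${DISCOVERY_SERVICE} endpoints.
# No endpoints -> no discovery -> no quorum -> sgadmin never initializes.
readinessProbe:
  httpGet:
    path: /_cluster/health
    port: 9200
    scheme: HTTPS            # assumed: REST layer is TLS-only
  initialDelaySeconds: 10    # constructed value
  periodSeconds: 10          # constructed value
---
# After: the pod is Ready as soon as the transport port accepts a TCP connection,
# which lets it appear behind the discovery Service so masters can find each other,
# reach quorum, and allow sgadmin to initialize.
# Caveat: this only shows that 9300 is listening. It does not show that Search Guard
# is initialized or that port 9200 is serving requests yet.
readinessProbe:
  tcpSocket:
    port: 9300
  initialDelaySeconds: 10    # constructed value
  periodSeconds: 10          # constructed value
```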