Hi Manu, thanks for you response.
I made the changes you suggested and reinstalled elastic. Here are my results:
root@nginx:/# curl -v -k -u "elastic:Cv2------------------" -X GET "https://eck-elasticsearch-es-http.elastic:9200/_cat/plugins?v"
Note: Unnecessary use of -X or --request, GET is already inferred.
* Trying 10.0.2.43:9200...
* Connected to eck-elasticsearch-es-http.elastic (10.0.2.43) port 9200 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN: server did not agree on a protocol. Uses default.
* Server certificate:
* subject: OU=eck-elasticsearch; CN=eck-elasticsearch-es-http.elastic.es.local
* start date: Jan 13 10:54:27 2025 GMT
* expire date: Jan 13 11:04:27 2026 GMT
* issuer: OU=eck-elasticsearch; CN=eck-elasticsearch-http
* SSL certificate verify result: self-signed certificate in certificate chain (19), continuing anyway.
* using HTTP/1.x
* Server auth using Basic with user 'elastic'
> GET /_cat/plugins?v HTTP/1.1
> Host: eck-elasticsearch-es-http.elastic:9200
> Authorization: Basic ZWxhc3RpYzpDdjJ2MzBvUTNWYUZMM3ExNXYyVDZGSTU=
> User-Agent: curl/7.88.1
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
< HTTP/1.1 200 OK
< X-elastic-product: Elasticsearch
< content-type: text/plain; charset=UTF-8
< Transfer-Encoding: chunked
<
name component version
* Connection #0 to host eck-elasticsearch-es-http.elastic left intact
I note, no plugins are returned in the list.
Looking at the container logs shows no mention of the federate plugin:
azureuser@bayleaf-bastion:~/.traiano/eck-deployment/bayleaf/infrastructure/azure-aks/helm-charts/elastic$ kubectl logs eck-elasticsearch-es-default-0 -n elastic | egrep -i federate
Defaulted container "elasticsearch" out of: elasticsearch, elastic-internal-init-filesystem (init), elastic-internal-suspend (init)
Here is the values.yml as you requested, perhaps you could test it on a mock install and confirm?
---
# Default values for eck-elasticsearch.
# This is a YAML-formatted file.
# Overridable names of the Elasticsearch resource.
# By default, this is the Release name set for the chart,
# followed by 'eck-elasticsearch'.
#
# nameOverride will override the name of the Chart with the name set here,
# so nameOverride: quickstart, would convert to '{{ Release.name }}-quickstart'
#
# nameOverride: "quickstart"
#
# fullnameOverride will override both the release name, and the chart name,
# and will name the Elasticsearch resource exactly as specified.
#
# fullnameOverride: "quickstart"
# Version of Elasticsearch.
#
version: 8.17.0
# Elasticsearch Docker image to deploy
#
# image:
image: docker.elastic.co/elasticsearch/elasticsearch:8.17.0
# Labels that will be applied to Elasticsearch.
#
labels: {}
# Annotations that will be applied to Elasticsearch.
#
annotations: {}
# Settings for configuring Elasticsearch users and roles.
# ref: https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-users-and-roles.html
#
auth: {}
# Settings for configuring stack monitoring.
# ref: https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-stack-monitoring.html
#
monitoring: {}
# metrics:
# elasticsearchRefs:
# - name: monitoring
# namespace: observability
# logs:
# elasticsearchRefs:
# - name: monitoring
# namespace: observability
# Control the Elasticsearch transport module used for internal communication between nodes.
# ref: https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-transport-settings.html
#
transport: {}
# service:
# metadata:
# labels:
# my-custom: label
# spec:
# type: LoadBalancer
# tls:
# subjectAltNames:
# - ip: 1.2.3.4
# - dns: hulk.example.com
# certificate:
# secretName: custom-ca
# Settings to control how Elasticsearch will be accessed.
# ref: https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-accessing-elastic-services.html
#
http: {}
# service:
# metadata:
# labels:
# my-custom: label
# spec:
# type: LoadBalancer
# tls:
# selfSignedCertificate:
# # To fully disable TLS for the HTTP layer of Elasticsearch, simply
# # set the below field to 'true', removing all other fields.
# disabled: false
# subjectAltNames:
# - ip: 1.2.3.4
# - dns: hulk.example.com
# certificate:
# secretName: custom-ca
# Control Elasticsearch Secure Settings.
# ref: https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-es-secure-settings.html#k8s-es-secure-settings
#
secureSettings: []
# - secretName: one-secure-settings-secret
# Projection of secret keys to specific paths
# - secretName: gcs-secure-settings
# entries:
# - key: gcs.client.default.credentials_file # - key: gcs_client_1
# path: gcs.client.client_1.credentials_file
# - key: gcs_client_2
# path: gcs.client.client_2.credentials_file
# Settings for limiting the number of simultaneous changes to an Elasticsearch resource.
# ref: https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-update-strategy.html
#
updateStrategy: {}
# changeBudget:
# maxSurge: 3
# maxUnavailable: 1
# Controlling of connectivity between remote clusters within the same kubernetes cluster.
# ref: https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-remote-clusters.html
#
remoteClusters: {}
# - name: cluster-two
# elasticsearchRef:
# name: cluster-two
# namespace: ns-two
# VolumeClaimDeletePolicy sets the policy for handling deletion of PersistentVolumeClaims for all NodeSets.
# Possible values are DeleteOnScaledownOnly and DeleteOnScaledownAndClusterDeletion.
# By default, if not set or empty, the operator sets DeleteOnScaledownAndClusterDeletion.
#
volumeClaimDeletePolicy: ""
# Settings to limit the disruption when pods need to be rescheduled for some reason such as upgrades or routine maintenance.
# By default, if not set, the operator sets a budget that doesn't allow any pod to be removed in case the cluster is not green or if there is only one node of type `data` or `master`.
# In all other cases the default PodDisruptionBudget sets `minUnavailable` equal to the total number of nodes minus 1.
# To completely disable the pod disruption budget set `disabled` to true.
#
# podDisruptionBudget:
# spec:
# minAvailable: 2
# selector:
# matchLabels:
# elasticsearch.k8s.elastic.co/cluster-name: quickstart
# disabled: true
# Used to check access from the current resource to a resource (for ex. a remote Elasticsearch cluster) in a different namespace.
# Can only be used if ECK is enforcing RBAC on references.
#
# serviceAccountName: ""
# Number of revisions to retain to allow rollback in the underlying StatefulSets.
# By default, if not set, Kubernetes sets 10.
#
# revisionHistoryLimit: 2
# Node configuration settings.
# The node roles which can be configured here are:
# - "master"
# - "data_hot"
# - "data_cold"
# - "data_frozen"
# - "data_content"
# - "ml"
# - "ingest"
# ref: https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-node-configuration.html
#
nodeSets:
- name: default
count: 1
config:
# Comment out when setting the vm.max_map_count via initContainer, as these are mutually exclusive.
# For production workloads, it is strongly recommended to increase the kernel setting vm.max_map_count to 262144
# and leave node.store.allow_mmap unset.
# ref: https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-virtual-memory.html
#
node.store.allow_mmap: false
podTemplate:
# The following spec is exactly the Kubernetes Core V1 PodTemplateSpec. Any fields within the PodTemplateSpec
# are supported within the 'spec' field below. Please see below documentation for the exhaustive list of fields.
#
# https://v1-24.docs.kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#podtemplatespec-v1-core
#
# Only the commonly overridden/used fields will be noted below.
#
spec:
# If specified, the pod's scheduling constraints
# https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-advanced-node-scheduling.html
# https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
# affinity:
# nodeAffinity:
# requiredDuringSchedulingIgnoredDuringExecution:
# nodeSelectorTerms:
# - matchExpressions:
# - key: topology.kubernetes.io/zone
# operator: In
# values:
# - antarctica-east1
# - antarctica-west1
# Containers array. Should only be used to customize the 'elasticsearch' container using the following fields.
containers:
- name: elasticsearch
# List of environment variables to set in the 'elasticsearch' container.
# https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/
# env:
# - name: "my-env-var"
# value: "my-value"
# Compute Resources required by this container.
resources:
# Requests describes the minimum amount of compute resources required. If Requests is omitted for a container,
# it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value.
#
# Defaults used by the ECK Operator, if not specified, are below
limits:
# cpu: 1
memory: 2Gi
requests:
# cpu: 1
memory: 2Gi
# Example increasing both the requests and limits values:
# limits:
# cpu: 4
# memory: 8Gi
# requests:
# cpu: 1
# memory: 8Gi
# SecurityContext defines the security options the container should be run with.
# If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext.
#
# These typically are set automatically by the ECK Operator, and should only be adjusted
# with the full knowledge of the effects of each field.
#
# securityContext:
# Whether this container has a read-only root filesystem. Default is false.
# readOnlyRootFilesystem: false
# The GID to run the entrypoint of the container process. Uses runtime default if unset.
# runAsGroup: 1000
# Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure
# that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed.
# runAsNonRoot: true
# The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified.
# runAsUser: 1000
# ImagePullSecrets is an optional list of references to secrets in the same namespace to use for pulling any of the images used by this PodSpec.
# https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod
# imagePullSecrets:
# - name: "image-pull-secret"
# List of initialization containers belonging to the pod.
#
# Common initContainers include setting sysctl, or in 7.x versions of Elasticsearch,
# installing Elasticsearch plugins.
#
# https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
# initContainers:
# - command:
# - sh
# - "-c"
# - bin/elasticsearch-plugin install --batch https://download.support.siren.io/federate/8.15.5-37.1.zip
# name: install-plugins
# securityContext:
# privileged: true
initContainers:
- command:
- sh
- "-c"
- bin/elasticsearch-plugin install --batch https://download.support.siren.io/federate/8.15.5-37.1.zip
name: install-plugins
securityContext:
privileged: true
volumeMounts:
- name: plugins
mountPath: /usr/share/elasticsearch/plugins
# NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node.
# https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
# https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-advanced-node-scheduling.html
# nodeSelector:
# diskType: ssd
# environment: production
# If specified, indicates the pod's priority. "system-node-critical" and "system-cluster-critical" are two special keywords which indicate the highest priorities with the former being the highest priority.
# Any other name must be defined by creating a PriorityClass object with that name. If not specified, the pod priority will be default or zero if there is no default.
# https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/
# priorityClassName: ""
# See previously defined 'securityContext' within 'podTemplate' for all available fields.
# securityContext: {}
# ServiceAccountName is the name of the ServiceAccount to use to run this pod.
# https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
# serviceAccountName: ""
# Optional duration in seconds to wait for the Elasticsearch pod to terminate gracefully.
# terminationGracePeriodSeconds: 30s
# If specified, the pod's tolerations that will apply to all containers within the pod.
# https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
# tolerations:
# - key: "node-role.kubernetes.io/elasticsearch"
# effect: "NoSchedule"
# operator: "Exists"
# TopologySpreadConstraints describes how a group of pods ought to spread across topology domains.
# Scheduler will schedule pods in a way which abides by the constraints. All topologySpreadConstraints are ANDed.
#
# These settings are generally applied within each `nodeSets[].podTemplate` field to apply to a specific Elasticsearch nodeset.
#
# https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-advanced-node-scheduling.html
# topologySpreadConstraints: {}
# List of volumes that can be mounted by containers belonging to the pod.
# https://kubernetes.io/docs/concepts/storage/volumes
# volumes: []
# Settings for controlling Elasticsearch ingress. Enabling ingress will expose your Elasticsearch instance
# to the public internet, and as such is disabled by default.
#
# Each Cloud Service Provider has different requirements for setting up Ingress. Some links to common documentation are:
# - AWS: https://docs.aws.amazon.com/eks/latest/userguide/alb-ingress.html
# - GCP: https://cloud.google.com/kubernetes-engine/docs/concepts/ingress
# - Azure: https://learn.microsoft.com/en-us/azure/aks/app-routing
# - Nginx: https://kubernetes.github.io/ingress-nginx/
#
ingress:
enabled: false
# Annotations that will be applied to the Ingress resource. Note that some ingress controllers are controlled via annotations.
#
# Nginx Annotations: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/
#
# Common annotations:
# kubernetes.io/ingress.class: gce # Configures the Ingress resource to use the GCE ingress controller and create an external Application Load Balancer.
# kubernetes.io/ingress.class: gce-internal # Configures the Ingress resource to use the GCE ingress controller and create an internal Application Load Balancer.
# kubernetes.io/ingress.class: nginx # Configures the Ingress resource to use the NGINX ingress controller.
#
annotations: {}
# Labels that will be applied to the Ingress resource.
#
labels: {}
# Some ingress controllers require the use of a specific class name to route traffic to the correct controller, notably AKS and EKS, which
# replaces the use of the 'kubernetes.io/ingress.class' annotation.
#
# className: webapprouting.kubernetes.azure.com | alb
# Ingress paths are required to have a corresponding path type. Defaults to 'Prefix'.
#
# There are 3 supported path types:
# - ImplementationSpecific
# - Prefix
# - Exact
#
# ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types
#
pathType: Prefix
# Hosts are a list of hosts included in the Ingress definition, with a corresponding path at which the default Elasticsearch service
# will be exposed. Each host in the list should be a fully qualified DNS name that will resolve to the exposed Ingress object.
#
# ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#name-based-virtual-hosting
#
hosts:
- host: chart-example.local
path: /
# TLS defines whether TLS will be enabled on the Ingress resource.
#
# *NOTE* Many Cloud Service Providers handle TLS in a custom manner, and as such, it is recommended to consult their documentation.
# Notably GKE and Nginx Ingress Controllers seems to respect the Ingress TLS settings, AKS and EKS ignore it.
#
# - AKS: https://learn.microsoft.com/en-us/azure/aks/app-routing-dns-ssl
# - GKE: https://cloud.google.com/kubernetes-engine/docs/concepts/ingress#options_for_providing_ssl_certificates
# - EKS: https://aws.amazon.com/blogs/containers/serve-distinct-domains-with-tls-powered-by-acm-on-amazon-eks/
# - Nginx: https://kubernetes.github.io/ingress-nginx/user-guide/tls/
#
# Kubernetes ingress TLS documentation:
# ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
#
tls:
enabled: false
# Optional Kubernetes secret name that contains a base64 encoded PEM certificate and private key that corresponds to the above 'hosts' definitions.
# If tls is enabled, but this field is not set, the self-signed certificate and key created by the ECK operator will be used.
# secretName: chart-example-tls
---