DaemonSet elasticsearch-operator-sysctl does not use private registry

Bug #1818137 reported by Nick Niehoff
This bug affects 1 person
Affects: Tigera Secure EE Charm
Status: Triaged
Importance: Medium
Assigned to: Unassigned

Bug Description

When specifying the registry configuration option in the charm, the majority of the containers are pulled from this registry. However, when Tigera applies the elasticsearch-operator-sysctl DaemonSet, the image is specified as busybox:1.26.2 instead of {registry}/busybox:1.26.2. This causes deployments to fail in an offline installation. I suspect this is actually Tigera deploying this DaemonSet and not the charm itself.
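
A check for the condition described in this report, added here as an example (it is not part of the original report, the charm, or elasticsearch-operator): it walks workload manifests and lists every container image that does not resolve to the configured registry. The registry host `registry.example.internal:5000`, the `example-node-agent` DaemonSet and the sample JSON are constructed; the input is assumed to have the shape of `kubectl get daemonsets -o json` output.

```python
import json

# Constructed sample shaped like `kubectl get daemonsets -o json` output.
# The registry host and the second DaemonSet are invented for illustration.
REGISTRY = "registry.example.internal:5000"
SAMPLE = json.loads("""
{"kind": "List", "items": [
  {"kind": "DaemonSet", "metadata": {"name": "elasticsearch-operator-sysctl"},
   "spec": {"template": {"spec": {"containers": [
     {"name": "sysctl-conf", "image": "busybox:1.26.2"}]}}}},
  {"kind": "DaemonSet", "metadata": {"name": "example-node-agent"},
   "spec": {"template": {"spec": {"containers": [
     {"name": "agent", "image": "registry.example.internal:5000/agent:1.0"}]}}}}
]}
""")


def registry_of(image):
    """Return the registry host an image reference resolves to.

    Docker reference rule: the first path component names a registry only if
    it contains '.' or ':' or is 'localhost'; otherwise docker.io is implied.
    """
    first, sep, _ = image.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def images_outside_registry(doc, registry):
    """List (kind, name, container, image) for images not pulled from registry."""
    findings = []
    for obj in doc.get("items", [doc]):
        spec = obj.get("spec", {})
        # Workloads nest the pod spec under spec.template.spec; bare Pods do not.
        pod_spec = spec.get("template", {}).get("spec", spec)
        for key in ("initContainers", "containers"):
            for c in pod_spec.get(key, []):
                if registry_of(c["image"]) != registry:
                    findings.append(
                        (obj["kind"], obj["metadata"]["name"], c["name"], c["image"]))
    return findings


if __name__ == "__main__":
    for kind, name, container, image in images_outside_registry(SAMPLE, REGISTRY):
        print(f"{kind}/{name} container {container}: {image} "
              f"resolves to {registry_of(image)}, not {REGISTRY}")
```

Under the same resolution rule, a prefix with no dot or port still resolves to docker.io, so the comparison is made against a full registry host name.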

George Kraft (cynerva) wrote :

Thanks for the report. It looks like elasticsearch-operator creates this DaemonSet. I'll see if there's an argument we can pass to it.

Changed in charm-tigera-secure-ee:
status: New → In Progress
assignee: nobody → George Kraft (cynerva)
George Kraft (cynerva) wrote :

It looks like this will be hard to support. A busybox-image option was added[1] back in August, but the latest stable release (0.2.0) does not include this option.

Given that Tigera does not recommend elasticsearch-operator for production use[2], I think it would probably be best to document this as a limitation and provide a production-ready alternative.

FYI, you can disable elasticsearch-operator today:

juju config tigera-secure-ee enable-elasticsearch-operator=false

But that leaves you on your own for providing an ElasticSearch cluster and integrating Tigera Secure EE with it[3].

[1] https://github.com/upmc-enterprises/elasticsearch-operator/pull/236
[2] https://docs.tigera.io/v2.3/getting-started/kubernetes/installation/calico
[3] https://docs.tigera.io/v2.3/getting-started/kubernetes/installation/byo-elasticsearch

George Kraft (cynerva) wrote :

A potential workaround is mentioned here: https://github.com/upmc-enterprises/elasticsearch-operator/issues/139#issuecomment-414067572

> I had to use the following command to overcome the issue: kubectl set image ds elasticsearch-operator-sysctl sysctl-conf=privaterepo/busybox:latest && kubectl get po -l k8s-app=elasticsearch-operator -o name | cut -d"/" -f2 | while read p;do kubectl delete po $p;sleep 5;done

George Kraft (cynerva) wrote :

Please let me know if this is a high priority issue. For now, I'll be delaying this to prioritize other work.

Changed in charm-tigera-secure-ee:
status: In Progress → Confirmed
George Kraft (cynerva)
Changed in charm-tigera-secure-ee:
assignee: George Kraft (cynerva) → nobody
George Kraft (cynerva)
Changed in charm-tigera-secure-ee:
importance: Undecided → Medium
status: Confirmed → Triaged