upgrade es and kb to version 8

config/enterprise_versions.yml

@@ -46,12 +46,12 @@ components:
     image: tigera/dex
     version: master
   eck-kibana:
-    version: 7.17.25
+    version: 8.15.3
   kibana:
     image: tigera/kibana
     version: master
   eck-elasticsearch:
-    version: 7.17.25
+    version: 8.15.3
   elasticsearch:
     image: tigera/elasticsearch
     version: master

pkg/components/enterprise.go

@@ -69,12 +69,12 @@ var (
 	}
 
 	ComponentEckElasticsearch = Component{
-		Version:  "7.17.25",
+		Version:  "8.15.3",
 		Registry: "",
 	}
 
 	ComponentEckKibana = Component{
-		Version:  "7.17.25",
+		Version:  "8.15.3",
 		Registry: "",
 	}
 

pkg/render/logstorage.go

@@ -40,6 +40,7 @@ import (
 	"github.com/tigera/operator/pkg/common"
 	"github.com/tigera/operator/pkg/components"
 	"github.com/tigera/operator/pkg/dns"
+	"github.com/tigera/operator/pkg/ptr"
 	relasticsearch "github.com/tigera/operator/pkg/render/common/elasticsearch"
 	rmeta "github.com/tigera/operator/pkg/render/common/meta"
 	"github.com/tigera/operator/pkg/render/common/networkpolicy"
@@ -358,15 +359,10 @@ func (es *elasticsearchComponent) podTemplate() corev1.PodTemplateSpec {
 		},
 	}
 
-	sc := securitycontext.NewRootContext(false)
-	// These capabilities are required for docker-entrypoint.sh.
-	// See: https://github.com/elastic/elasticsearch/blob/7.17/distribution/docker/src/docker/bin/docker-entrypoint.sh.
-	// TODO Consider removing for Elasticsearch v8+.
-	sc.Capabilities.Add = []corev1.Capability{
-		"SETGID",
-		"SETUID",
-		"SYS_CHROOT",
-	}
+	sc := securitycontext.NewNonRootContext()
+	// Set the user and group to be the default elasticsearch ID
+	sc.RunAsUser = ptr.Int64ToPtr(1000)
+	sc.RunAsGroup = ptr.Int64ToPtr(1000)
 
 	esContainer := corev1.Container{
 		Name: "elasticsearch",
@@ -717,9 +713,12 @@ func (es *elasticsearchComponent) nodeSets() []esv1.NodeSet {
 // NodeSet
 func (es *elasticsearchComponent) nodeSetTemplate(pvcTemplate corev1.PersistentVolumeClaim) esv1.NodeSet {
 	config := map[string]interface{}{
-		"node.master":                 "true",
-		"node.data":                   "true",
-		"node.ingest":                 "true",
+		"node.roles": []string{
+			"data",
+			"ingest",
+			"master",
+			"remote_cluster_client",
+		},
 		"cluster.max_shards_per_node": 10000,
 		// Disable geoip downloader. This removes an error from the startup logs, because our network policy blocks it.
 		"ingest.geoip.downloader.enabled": false,

pkg/render/logstorage_test.go

@@ -217,13 +217,12 @@ var _ = Describe("Elasticsearch rendering tests", func() {
 				esContainer := resultES.Spec.NodeSets[0].PodTemplate.Spec.Containers[0]
 				Expect(*esContainer.SecurityContext.AllowPrivilegeEscalation).To(BeFalse())
 				Expect(*esContainer.SecurityContext.Privileged).To(BeFalse())
-				Expect(*esContainer.SecurityContext.RunAsGroup).To(BeEquivalentTo(0))
-				Expect(*esContainer.SecurityContext.RunAsNonRoot).To(BeFalse())
-				Expect(*esContainer.SecurityContext.RunAsUser).To(BeEquivalentTo(0))
+				Expect(*esContainer.SecurityContext.RunAsGroup).To(BeEquivalentTo(1000))
+				Expect(*esContainer.SecurityContext.RunAsNonRoot).To(BeTrue())
+				Expect(*esContainer.SecurityContext.RunAsUser).To(BeEquivalentTo(1000))
 				Expect(esContainer.SecurityContext.Capabilities).To(Equal(
 					&corev1.Capabilities{
 						Drop: []corev1.Capability{"ALL"},
-						Add:  []corev1.Capability{"SETGID", "SETUID", "SYS_CHROOT"},
 					},
 				))
 				Expect(esContainer.SecurityContext.SeccompProfile).To(Equal(
@@ -242,9 +241,7 @@ var _ = Describe("Elasticsearch rendering tests", func() {
 
 				// Check that the expected config made it's way to the Elastic CR
 				Expect(nodeSet.Config.Data).Should(Equal(map[string]interface{}{
-					"node.master":                     "true",
-					"node.data":                       "true",
-					"node.ingest":                     "true",
+					"node.roles":                      []string{"data", "ingest", "master", "remote_cluster_client"},
 					"cluster.max_shards_per_node":     10000,
 					"ingest.geoip.downloader.enabled": false,
 				}))
@@ -970,12 +967,10 @@ var _ = Describe("Elasticsearch rendering tests", func() {
 						},
 					}))
 					Expect(nodeSets[0].Config.Data).Should(Equal(map[string]interface{}{
-						"node.master":                     "true",
-						"node.data":                       "true",
-						"node.ingest":                     "true",
-						"cluster.max_shards_per_node":     10000,
-						"ingest.geoip.downloader.enabled": false,
-						"node.attr.zone":                  "us-west-2a",
+						"node.roles":                                      []string{"data", "ingest", "master", "remote_cluster_client"},
+						"cluster.max_shards_per_node":                     10000,
+						"ingest.geoip.downloader.enabled":                 false,
+						"node.attr.zone":                                  "us-west-2a",
 						"cluster.routing.allocation.awareness.attributes": "zone",
 					}))
 
@@ -991,12 +986,10 @@ var _ = Describe("Elasticsearch rendering tests", func() {
 						},
 					}))
 					Expect(nodeSets[1].Config.Data).Should(Equal(map[string]interface{}{
-						"node.master":                     "true",
-						"node.data":                       "true",
-						"node.ingest":                     "true",
-						"cluster.max_shards_per_node":     10000,
-						"ingest.geoip.downloader.enabled": false,
-						"node.attr.zone":                  "us-west-2b",
+						"node.roles":                                      []string{"data", "ingest", "master", "remote_cluster_client"},
+						"cluster.max_shards_per_node":                     10000,
+						"ingest.geoip.downloader.enabled":                 false,
+						"node.attr.zone":                                  "us-west-2b",
 						"cluster.routing.allocation.awareness.attributes": "zone",
 					}))
 				})
@@ -1063,13 +1056,11 @@ var _ = Describe("Elasticsearch rendering tests", func() {
 						},
 					}))
 					Expect(nodeSets[0].Config.Data).Should(Equal(map[string]interface{}{
-						"node.master":                     "true",
-						"node.data":                       "true",
-						"node.ingest":                     "true",
-						"cluster.max_shards_per_node":     10000,
-						"ingest.geoip.downloader.enabled": false,
-						"node.attr.zone":                  "us-west-2a",
-						"node.attr.rack":                  "rack1",
+						"node.roles":                                      []string{"data", "ingest", "master", "remote_cluster_client"},
+						"cluster.max_shards_per_node":                     10000,
+						"ingest.geoip.downloader.enabled":                 false,
+						"node.attr.zone":                                  "us-west-2a",
+						"node.attr.rack":                                  "rack1",
 						"cluster.routing.allocation.awareness.attributes": "zone,rack",
 					}))
 
@@ -1094,13 +1085,11 @@ var _ = Describe("Elasticsearch rendering tests", func() {
 						},
 					}))
 					Expect(nodeSets[1].Config.Data).Should(Equal(map[string]interface{}{
-						"node.master":                     "true",
-						"node.data":                       "true",
-						"node.ingest":                     "true",
-						"cluster.max_shards_per_node":     10000,
-						"ingest.geoip.downloader.enabled": false,
-						"node.attr.zone":                  "us-west-2b",
-						"node.attr.rack":                  "rack1",
+						"node.roles":                                      []string{"data", "ingest", "master", "remote_cluster_client"},
+						"cluster.max_shards_per_node":                     10000,
+						"ingest.geoip.downloader.enabled":                 false,
+						"node.attr.zone":                                  "us-west-2b",
+						"node.attr.rack":                                  "rack1",
 						"cluster.routing.allocation.awareness.attributes": "zone,rack",
 					}))
 				})