I was trying to set up an Elasticsearch cluster in AKS using a Helm chart, but due to the log4j vulnerability I wanted to set it up with the option -Dlog4j2.formatMsgNoLookups set to true. I am getting an unknown flag error when I pass the arguments in helm commands.
Ref: https://artifacthub.io/packages/helm/elastic/elasticsearch/6.8.16
helm upgrade elasticsearch elasticsearch --set imageTag=6.8.16 esJavaOpts "-Dlog4j2.formatMsgNoLookups=true"
Error: unknown shorthand flag: 'D' in -Dlog4j2.formatMsgNoLookups=true
I have also tried adding the below to the values.yaml file:
esConfig: {}
#  elasticsearch.yml: |
#    key:
#      nestedkey: value
  log4j2.properties: |
    -Dlog4j2.formatMsgNoLookups = true
but the values are not being added to /usr/share/elasticsearch/config/jvm.options, /usr/share/elasticsearch/config/log4j2.properties or the environment variables.
CodePudding user response:
Your values.yaml syntax is incorrect, try this:
esConfig:
  log4j2.properties: |
    -Dlog4j2.formatMsgNoLookups = true
A ConfigMap will be generated by Helm:
apiVersion: v1
kind: ConfigMap
metadata:
  name: elasticsearch-master-config
  ...
data:
  log4j2.properties: |
    -Dlog4j2.formatMsgNoLookups = true
And the Log4j configuration will be mounted to your Elasticsearch as:
...
volumeMounts:
  ...
  - name: esconfig
    mountPath: /usr/share/elasticsearch/config/log4j2.properties
    subPath: log4j2.properties
Update: How to set and add multiple configuration files.
You can set up other ES configuration files in your values.yaml. All the files that you specify here will be part of the ConfigMap, and each of the files will be mounted at /usr/share/elasticsearch/config/ in the Elasticsearch container. Example:
esConfig:
  elasticsearch.yml: |
    node.master: true
    node.data: true
  log4j2.properties: |
    -Dlog4j2.formatMsgNoLookups = true
  jvm.options: |
    # This is a comment
    -Xmx1g -Xms1g
  roles.yml: |
    click_admins:
      run_as: [ 'clicks_watcher_1' ]
      cluster: [ 'monitor' ]
      indices:
      - names: [ 'events-*' ]
        privileges: [ 'read' ]
        field_security:
          grant: ['category', '@timestamp', 'message' ]
        query: '{"match": {"category": "click"}}'
CodePudding user response:
If you update and put a value under esConfig, you will need to remove the curly brackets:
esConfig:
  log4j2.properties: |
    key = value
CodePudding user response:
As I see in the updated values.yml in the elastic repository:
esConfig: {}
  log4j2.properties: |
    key = value
Probably need to uncomment log4j2.properties part.
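The question looks for the flag in jvm.options, log4j2.properties and the environment variables. The script below is an added example, not code from the posts or from the chart, that reports which of those three places actually hands -Dlog4j2.formatMsgNoLookups=true to the JVM. The function name, the sample files and the <pod> placeholder are constructed for the example, and it assumes the chart exports the esJavaOpts value to the container as ES_JAVA_OPTS.

```shell
#!/bin/sh
# Added example: report where the NoLookups flag is set as a JVM option.
# In a cluster, collect the inputs from the pod (<pod> is a placeholder):
#   kubectl exec <pod> -- cat /usr/share/elasticsearch/config/jvm.options
#   kubectl exec <pod> -- printenv ES_JAVA_OPTS
# Assumption: the chart exports esJavaOpts as ES_JAVA_OPTS, set with e.g.
#   helm upgrade ... --set esJavaOpts="-Dlog4j2.formatMsgNoLookups=true"
FLAG='-Dlog4j2.formatMsgNoLookups=true'

# check_nolookups CONFIG_DIR ES_JAVA_OPTS_VALUE
# Prints one line per location; returns 0 only if the flag reaches the JVM.
check_nolookups() {
    dir=$1 opts=$2 found=1
    # jvm.options: one option per line, optionally prefixed by a Java
    # version selector such as "8:" or "8-:"; '#' lines are comments.
    if [ -f "$dir/jvm.options" ] &&
       sed -e 's/^[0-9-]*://' -e 's/[[:space:]]*$//' "$dir/jvm.options" |
           grep -qxF -e "$FLAG"; then
        echo "jvm.options: set"; found=0
    else
        echo "jvm.options: not set"
    fi
    # ES_JAVA_OPTS: whitespace-separated options, matched as a whole token.
    case " $opts " in
        *" $FLAG "*) echo "ES_JAVA_OPTS: set"; found=0 ;;
        *) echo "ES_JAVA_OPTS: not set" ;;
    esac
    # log4j2.properties holds Log4j configuration keys; a -D line in it
    # is not read as a JVM option, so it never changes the return value.
    if [ -f "$dir/log4j2.properties" ] &&
       grep -q -e 'formatMsgNoLookups' "$dir/log4j2.properties"; then
        echo "log4j2.properties: mentions the flag, but this file is Log4j configuration, not JVM options"
    fi
    return $found
}

# Constructed sample: the flag only in log4j2.properties, as in the
# values.yaml shown on this page, then additionally in ES_JAVA_OPTS.
sample=$(mktemp -d)
printf '%s\n' '# This is a comment' '-Xmx1g -Xms1g' > "$sample/jvm.options"
printf '%s\n' '-Dlog4j2.formatMsgNoLookups = true' > "$sample/log4j2.properties"
check_nolookups "$sample" "" || echo "=> flag does not reach the JVM"
check_nolookups "$sample" "-Xmx1g $FLAG" && echo "=> flag reaches the JVM"
rm -rf "$sample"
```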
