Summary
When Elasticsearch is configured with a custom HTTPS port (via spec.http.service.spec.ports in the Elasticsearch CR), eck-diagnostics fails to connect because it never passes a --port flag to the support-diagnostics tool. The diagnostic Pod always relies on the support-diagnostics default of port 9200.
Current Behavior
In internal/job.tpl.yml, the diagnostics.sh invocation is:
/support-diagnostics/diagnostics.sh -h {{.SVCName}} --type {{.Type}} ...
No port is specified. The service hostname ({name}-es-http) is derived automatically, TLS is auto-detected from the CR spec, and credentials are read from secrets — but the port is entirely absent from the pipeline.
Proposed Solution
1. Auto-detect port from the Kubernetes Service
Read .spec.ports[].port from the {name}-es-http Service object via the K8s API. This is consistent with how TLS is already auto-detected from the CR and covers the common case without any user input.
2. CLI override flag
Add --elasticsearch-port (or --es-port) as a CLI flag for edge cases where the service port doesn't reflect the actual target.
The support-diagnostics tool already accepts --port / -p, so eck-diagnostics just needs to pass it through.
Files to Change
| File |
Change |
internal/diag.go |
Add port field to Params struct |
cmd/main.go |
Add --elasticsearch-port CLI flag |
internal/stackdiag.go |
Look up port from ES Service object; add Port to template data map |
internal/job.tpl.yml |
Add {{if .Port}} --port {{.Port}} {{end}} to diagnostics.sh invocation |
internal/stackdiag_test.go |
Cover port rendering in template tests |
Context
Customers running Elasticsearch with non-standard HTTPS ports (e.g. DISA environments) cannot collect diagnostics without manual workarounds.
Summary
When Elasticsearch is configured with a custom HTTPS port (via
spec.http.service.spec.portsin the Elasticsearch CR),eck-diagnosticsfails to connect because it never passes a--portflag to thesupport-diagnosticstool. The diagnostic Pod always relies on thesupport-diagnosticsdefault of port 9200.Current Behavior
In
internal/job.tpl.yml, thediagnostics.shinvocation is:No port is specified. The service hostname (
{name}-es-http) is derived automatically, TLS is auto-detected from the CR spec, and credentials are read from secrets — but the port is entirely absent from the pipeline.Proposed Solution
1. Auto-detect port from the Kubernetes Service
Read
.spec.ports[].portfrom the{name}-es-httpService object via the K8s API. This is consistent with how TLS is already auto-detected from the CR and covers the common case without any user input.2. CLI override flag
Add
--elasticsearch-port(or--es-port) as a CLI flag for edge cases where the service port doesn't reflect the actual target.The
support-diagnosticstool already accepts--port/-p, so eck-diagnostics just needs to pass it through.Files to Change
internal/diag.goParamsstructcmd/main.go--elasticsearch-portCLI flaginternal/stackdiag.goPortto template data mapinternal/job.tpl.yml{{if .Port}} --port {{.Port}} {{end}}todiagnostics.shinvocationinternal/stackdiag_test.goContext
Customers running Elasticsearch with non-standard HTTPS ports (e.g. DISA environments) cannot collect diagnostics without manual workarounds.