log4j temporary fix in elasticsearch helm chart using Dlog4j2.formatMsgNoLookups

I was trying to set up an elasticsearch cluster in AKS using the helm chart, but due to the log4j vulnerability I wanted to set it up with the option -Dlog4j2.formatMsgNoLookups set to true. I am getting an unknown flag error when I pass the arguments in helm commands. Ref: https://artifacthub.io/packages/helm/elastic/elasticsearch/6.8.16

helm upgrade  elasticsearch elasticsearch --set imageTag=6.8.16 esJavaOpts "-Dlog4j2.formatMsgNoLookups=true"
Error: unknown shorthand flag: 'D' in -Dlog4j2.formatMsgNoLookups=true

I have also tried adding the following to the values.yaml file

esConfig: {}
#  elasticsearch.yml: |
#    key:
#      nestedkey: value
log4j2.properties: |
  -Dlog4j2.formatMsgNoLookups = true

but the values are not being added to /usr/share/elasticsearch/config/jvm.options, /usr/share/elasticsearch/config/log4j2.properties or to the environment variables.

theG asked Dec 12 '21 12:12


1 Answer

First of all, here's a good source of knowledge about mitigating the Log4j2 security issue, if this is the reason you reached here.

Here's how you can write your values.yaml for the Elasticsearch chart:

esConfig:
  log4j2.properties: |
    logger.discovery.name = org.elasticsearch.discovery
    logger.discovery.level = debug

A ConfigMap will be generated by Helm:

apiVersion: v1
kind: ConfigMap
metadata:
  name: elasticsearch-master-config
  ...
data:
  log4j2.properties: |
    logger.discovery.name = org.elasticsearch.discovery
    logger.discovery.level = debug

And the Log4j configuration will be mounted into your Elasticsearch container as:

...
volumeMounts:
  ...
  - name: esconfig
    mountPath: /usr/share/elasticsearch/config/log4j2.properties
    subPath: log4j2.properties

Update: How to set and add multiple configuration files.

You can set up other ES configuration files in your values.yaml. All the files that you specify here will be part of the ConfigMap, and each of them will be mounted at /usr/share/elasticsearch/config/ in the Elasticsearch container. Example:

esConfig:
  elasticsearch.yml: |
    node.master: true
    node.data: true

  log4j2.properties: |
    logger.discovery.name = org.elasticsearch.discovery
    logger.discovery.level = debug

  jvm.options: |
    # You can also place a comment here. jvm.options takes one JVM option per line.
    -Xms1g
    -Xmx1g
    -Dlog4j2.formatMsgNoLookups=true

  roles.yml: |
    click_admins:
      run_as: [ 'clicks_watcher_1' ]
      cluster: [ 'monitor' ]
      indices:
      - names: [ 'events-*' ]
        privileges: [ 'read' ]
        field_security:
          grant: ['category', '@timestamp', 'message' ]
        query: '{"match": {"category": "click"}}'

ALL of the configurations above are for illustration only to demonstrate how to add multiple configuration files in the values.yaml. Please substitute these configurations with your own settings.

gohm'c answered Oct 08 '22 00:10
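As an added check (example code written here, not from the answer or the Elasticsearch chart): the Elasticsearch launcher reads jvm.options one option per line, and the chart's esJavaOpts value is passed to the container as the ES_JAVA_OPTS environment variable. This small Python checker parses both the way the launcher does and reports whether the JVM will actually start with log4j2.formatMsgNoLookups=true, catching the two shapes that silently fail: several options crammed onto one jvm.options line, and the spaced `-Dlog4j2.formatMsgNoLookups = true` form from the question. The ordering rule (ES_JAVA_OPTS appended after the file, last -D wins) is an assumption, as is the constructed sample input.

```python
import re
from typing import Dict, List

# jvm.options syntax (Elasticsearch): one JVM option per line, blank lines and
# "#" comments ignored, and an optional version prefix "N:", "N-:" or "N-M:"
# that restricts the option to matching JVM major versions.
_VERSIONED = re.compile(r"^(?:(\d+)(-)?(\d+)?:)?(.*)$")

def parse_jvm_options(text: str, jvm_major: int) -> List[str]:
    """Options from a jvm.options file that apply to the given JVM major version."""
    opts: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        lo, dash, hi, opt = _VERSIONED.match(line).groups()
        if lo is not None:
            if dash is None and jvm_major != int(lo):
                continue
            if dash is not None and (jvm_major < int(lo) or (hi and jvm_major > int(hi))):
                continue
        opts.append(opt.strip())
    return opts

def system_properties(opts: List[str]) -> Dict[str, str]:
    """Collect -Dkey=value settings; as in the JVM, the last definition wins."""
    props: Dict[str, str] = {}
    for opt in opts:
        if opt.startswith("-D"):
            key, _, value = opt[2:].partition("=")  # bare "-Dkey" yields ""
            props[key] = value
    return props

def lookups_disabled(jvm_options_text: str, es_java_opts: str = "", jvm_major: int = 11) -> bool:
    """True only if the JVM will start with log4j2.formatMsgNoLookups=true.
    Assumption (not from the page): the launcher appends the whitespace-split
    ES_JAVA_OPTS after the options read from jvm.options, so the env wins.
    """
    opts = parse_jvm_options(jvm_options_text, jvm_major) + es_java_opts.split()
    return system_properties(opts).get("log4j2.formatMsgNoLookups") == "true"

# Constructed sample inputs mirroring the shapes seen in the question and answer.
GOOD_JVM_OPTIONS = "-Xms1g\n-Xmx1g\n-Dlog4j2.formatMsgNoLookups=true\n"
ONE_LINE_JVM_OPTIONS = "-Xmx1g -Xms1g -Dlog4j2.formatMsgNoLookups=true\n"  # one malformed arg
SPACED_ENV = "-Dlog4j2.formatMsgNoLookups = true"  # splits into three tokens, value lost
VERSIONED_JVM_OPTIONS = "8-:-Dlog4j2.formatMsgNoLookups=true\n"  # only for JVM 8 and newer

if __name__ == "__main__":
    for name, text, env in [("good file", GOOD_JVM_OPTIONS, ""), ("spaced env", "", SPACED_ENV)]:
        print(f"{name}: lookups disabled = {lookups_disabled(text, env)}")
```

Run it against the jvm.options you mount and the esJavaOpts you set; a False result means the JVM never saw the property, whatever the ConfigMap looks like.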