@davidlu1001
Created March 19, 2026 22:22
es-ilmpolicy.yaml
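{{- if .Values.ilm.enabled }}
# Helm hook Job (post-install / post-upgrade): waits for Elasticsearch to answer
# on its HTTP service, then PUTs the ILM policy mounted from the
# "<fullname>-ilm-policy" ConfigMap. One Job per release revision.
apiVersion: batch/v1
kind: Job
metadata:
  name: {{ include "elasticsearch.fullname" . }}-ilm-{{ .Release.Revision }}
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "elasticsearch.labels" . | nindent 4 }}
    app.kubernetes.io/component: ilm
  annotations:
    "helm.sh/hook": post-install,post-upgrade
    # Higher weight than the policy ConfigMap (5) so the ConfigMap exists first.
    "helm.sh/hook-weight": "10"
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
spec:
  backoffLimit: 5
  # NOTE(review): this deadline covers the whole Job, retries included. The
  # readiness loop alone can take 60 x 5s = 300s, so the deadline may fire
  # before the loop gives up. Confirm which limit is meant to win.
  activeDeadlineSeconds: 300
  template:
    metadata:
      labels:
        {{- include "elasticsearch.labels" . | nindent 8 }}
        app.kubernetes.io/component: ilm
    spec:
      restartPolicy: OnFailure
      # NOTE(review): the script never calls the Kubernetes API; consider
      # automountServiceAccountToken: false unless an injected sidecar needs it.
      # ----------------------------------------------------------------
      # Security context — AKS Gatekeeper compliance
      # ----------------------------------------------------------------
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        runAsGroup: 1000
        fsGroup: 1000
        seccompProfile:
          type: RuntimeDefault
      # Schedule next to the first nodeSet: reuse its nodeSelector/tolerations.
      {{- with .Values.nodeSets }}
      {{- with (index . 0).podTemplate.spec.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with (index . 0).podTemplate.spec.tolerations }}
      tolerations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- end }}
      containers:
        - name: ilm-create
          # NOTE(review): a mutable tag is pulled into a pod that holds the
          # elastic password. Pin by digest (image@sha256:<digest-placeholder>)
          # and keep the default curl release current.
          image: {{ .Values.ilm.image | default "curlimages/curl:8.1.2" | quote }}
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsUser: 1000
            runAsGroup: 1000
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault
          resources:
            limits:
              cpu: 100m
              memory: 64Mi
            requests:
              cpu: 50m
              memory: 32Mi
          env:
            # Passed as data, not spliced into the script text, so quotes or
            # $(...) in the value cannot alter the shell program.
            - name: POLICY_NAME
              value: {{ .Values.ilm.policyName | quote }}
          command:
            - /bin/sh
            - -c
            - |
              set -eu
              # NOTE(review): plain http sends the basic-auth credentials
              # unencrypted on the cluster network and only works when TLS is
              # disabled on the Elasticsearch HTTP layer. Prefer https with the
              # cluster CA mounted and passed via --cacert.
              ES_URL="http://{{ include "elasticsearch.fullname" . }}-es-http.{{ .Release.Namespace }}.svc:9200"
              if [ -z "${POLICY_NAME}" ]; then
                echo "ERROR: ilm.policyName is empty."
                exit 1
              fi
              # Retrieve ES credentials from the auto-generated secret
              # NOTE(review): this is the built-in superuser. A dedicated user
              # or API key limited to the manage_ilm cluster privilege would
              # narrow what a compromised hook pod can do.
              ES_USER="elastic"
              ES_PASS=$(cat /mnt/elastic-internal/es-password)
              echo "Waiting for Elasticsearch to be ready..."
              ready=0
              for i in $(seq 1 60); do
                if curl -sf -u "${ES_USER}:${ES_PASS}" "${ES_URL}/_cluster/health" >/dev/null 2>&1; then
                  echo "Elasticsearch is ready."
                  ready=1
                  break
                fi
                echo "Attempt ${i}/60 — waiting 5s..."
                sleep 5
              done
              # Fail explicitly instead of falling through to the PUT when the
              # cluster never answered.
              if [ "${ready}" -ne 1 ]; then
                echo "ERROR: Elasticsearch did not become ready in time."
                exit 1
              fi
              echo "Creating/updating ILM policy: ${POLICY_NAME}"
              # No -f here: with -f and set -e, an HTTP error aborted the script
              # at the assignment, so the status code and the Elasticsearch
              # error body below were never printed.
              HTTP_CODE=$(curl -sS -o /tmp/response -w "%{http_code}" \
                -u "${ES_USER}:${ES_PASS}" \
                -X PUT "${ES_URL}/_ilm/policy/${POLICY_NAME}" \
                -H "Content-Type: application/json" \
                -d @/mnt/ilm-config/policy.json) || {
                echo "ERROR: request to Elasticsearch failed (curl exit $?)."
                exit 1
              }
              echo "Response code: ${HTTP_CODE}"
              cat /tmp/response
              echo
              if [ "${HTTP_CODE}" -ge 200 ] && [ "${HTTP_CODE}" -lt 300 ]; then
                echo "ILM policy created/updated successfully."
              else
                echo "ERROR: Failed to create/update ILM policy."
                exit 1
              fi
          volumeMounts:
            - name: ilm-config
              mountPath: /mnt/ilm-config
              readOnly: true
            - name: es-password
              mountPath: /mnt/elastic-internal
              readOnly: true
            # Writable scratch space; the root filesystem is read-only.
            - name: tmp
              mountPath: /tmp
      volumes:
        - name: ilm-config
          configMap:
            name: {{ include "elasticsearch.fullname" . }}-ilm-policy
        # Only the "elastic" key is projected, as the file "es-password".
        - name: es-password
          secret:
            secretName: {{ include "elasticsearch.fullname" . }}-es-elastic-user
            items:
              - key: elastic
                path: es-password
        - name: tmp
          emptyDir:
            sizeLimit: 10Mi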
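---
# ILM policy body for the hook Job, which mounts this ConfigMap at
# /mnt/ilm-config and sends policy.json as the PUT request body.
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ include "elasticsearch.fullname" . }}-ilm-policy
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "elasticsearch.labels" . | nindent 4 }}
    app.kubernetes.io/component: ilm
  annotations:
    "helm.sh/hook": post-install,post-upgrade
    # Lower weight than the Job (10), so this is created before the Job runs.
    "helm.sh/hook-weight": "5"
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
data:
  # The phases object comes straight from .Values.ilm.policy; an unset value
  # renders as JSON null, which only surfaces when the Job runs.
  policy.json: |
    {
      "policy": {
        "phases": {{ .Values.ilm.policy | toJson }}
      }
    }
{{- end }}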