Warn if unsupported distribution (#1228)

The operator only works with the official ES distributions to enable the security
available with the basic (free), gold and platinum licenses in order to ensure that
all clusters launched are secured by default.

A check is done in the prepare-fs script by looking at the existence of the
Elastic License. If not present, the script exit with a custom exit code.

Then the ES reconcilation loop sends an event of type warning if it detects that
a prepare-fs init container terminated with this exit code.

operators/pkg/controller/elasticsearch/driver/default.go

@@ -173,6 +173,8 @@ func (d *defaultDriver) Reconcile(
 		min = &d.Version
 	}
 
+	warnUnsupportedDistro(resourcesState.AllPods, reconcileState.Recorder)
+
 	observedState := d.observedStateResolver(
 		k8s.ExtractNamespacedName(&es),
 		certificateResources.TrustedHTTPCertificates,
@@ -545,3 +547,18 @@ func reconcileScriptsConfigMap(c k8s.Client, scheme *runtime.Scheme, es v1alpha1
 
 	return nil
 }
+
+// warnUnsupportedDistro sends an event of type warning if the Elasticsearch Docker image is not a supported
+// distribution by looking at if the prepare fs init container terminated with the UnsupportedDistro exit code.
+func warnUnsupportedDistro(pods []corev1.Pod, recorder *events.Recorder) {
+	for _, p := range pods {
+		for _, s := range p.Status.InitContainerStatuses {
+			state := s.LastTerminationState.Terminated
+			if s.Name == initcontainer.PrepareFilesystemContainerName &&
+				state != nil && state.ExitCode == initcontainer.UnsupportedDistroExitCode {
+				recorder.AddEvent(corev1.EventTypeWarning, events.EventReasonUnexpected,
+					"Unsupported distribution")
+			}
+		}
+	}
+}

operators/pkg/controller/elasticsearch/initcontainer/initcontainer.go

@@ -18,7 +18,7 @@ const (
 	// osSettingsContainerName is the name of the container that tweaks os-level settings
 	osSettingsContainerName = "elastic-internal-init-os-settings"
 	// prepareFilesystemContainerName is the name of the container that prepares the filesystem
-	prepareFilesystemContainerName = "elastic-internal-init-filesystem"
+	PrepareFilesystemContainerName = "elastic-internal-init-filesystem"
 )
 
 // NewInitContainers creates init containers according to the given parameters

operators/pkg/controller/elasticsearch/initcontainer/prepare_fs.go

@@ -105,7 +105,7 @@ func NewPrepareFSInitContainer(
 	container := corev1.Container{
 		Image:           imageName,
 		ImagePullPolicy: corev1.PullIfNotPresent,
-		Name:            prepareFilesystemContainerName,
+		Name:            PrepareFilesystemContainerName,
 		SecurityContext: &corev1.SecurityContext{
 			Privileged: &privileged,
 		},

operators/pkg/controller/elasticsearch/initcontainer/prepare_fs_script.go

@@ -6,6 +6,7 @@ package initcontainer
 
 import (
 	"bytes"
+	"fmt"
 	"html/template"
 )
 
@@ -30,7 +31,10 @@ func RenderScriptTemplate(params TemplateParams) (string, error) {
 	return tplBuffer.String(), nil
 }
 
-const PrepareFsScriptConfigKey = "prepare-fs.sh"
+const (
+	PrepareFsScriptConfigKey  = "prepare-fs.sh"
+	UnsupportedDistroExitCode = 42
+)
 
 // scriptTemplate is the main script to be run
 // in the prepare-fs init container before ES starts
@@ -39,6 +43,13 @@ var scriptTemplate = template.Must(template.New("").Parse(
 
 	set -eu
 
+	# the operator only works with the default ES distribution
+	license=/usr/share/elasticsearch/LICENSE.txt
+	if [[ ! -f $license || $(grep -Fxc "ELASTIC LICENSE AGREEMENT" $license) -ne 1 ]]; then
+		>&2 echo "unsupported_distribution"
+		exit ` + fmt.Sprintf("%d", UnsupportedDistroExitCode) + `
+	fi
+
 	# compute time in seconds since the given start time
 	function duration() {
 		local start=$1