From c756eeb8681d26663cd5c164dd0ccb91c8078059 Mon Sep 17 00:00:00 2001
From: Dhiraj Kumar Jain
Date: Tue, 7 Sep 2021 23:56:09 +0530
Subject: [PATCH] Migrate helm charts from opensearch-devops repo (#7)

* Adding a new folder to host Helm related code

Signed-off-by: Barani

* Helm Chart for OpenSearch (#4)

* Create basic structure of OpenSearch helm chart

Signed-off-by: Dhiraj Jain

* Add templates and change values

Signed-off-by: Dhiraj Jain

* Change statefulset and configmap to resolve indentation issue

Signed-off-by: Dhiraj Jain

* Fix issues in templates

Signed-off-by: Dhiraj Jain

* Fix typos in statefulset.yaml

* Add multinode deployment feature

Signed-off-by: Dhiraj Jain

* Update version to reflect the OpenSearch version

* Add explicit security configuration

* Update values.yaml

* Create placeholder README.md

Signed-off-by: Dhiraj Jain

* Minimum masters should be 3

* Add YAML support for config. sysctl vm.mem fix.

* Fixing PSP. Adding better sysctl logic.

* Adding ref for sysctl

* PSP False by default

* Disable HTTP SSL by default for Demo.

* Fix Chart version to sync with OpenSearch Version

Signed-off-by: Dhiraj Jain

* Change cluster name and enable SSL by default

Signed-off-by: Dhiraj Jain

Co-authored-by: Aaron Layfield

* fix: give networkpolicy objects a unique name (#16)

This fixes the problem of installing this chart multiple times in the
same namespace and having the network policy name conflict.

Signed-off-by: Scott Leggett

* fix: use the stable chart appVersion as image tag by default (#17)

Using :latest by default is going to lead to clusters with version skew
as pods schedule onto new nodes. So use a stable tag instead.

Signed-off-by: Scott Leggett

* OpenSearch Dashboards Helm Chart (#10)

* Scaffold OpenSearch Dashboards Helm Chart

Signed-off-by: Dhiraj Jain

* Fix error for connection refused

Signed-off-by: Dhiraj Jain

* Add RBAC functionality

Signed-off-by: Dhiraj Jain

* Add security configurations in the chart

Signed-off-by: Dhiraj Jain

* Address issues and comments

Signed-off-by: Dhiraj Jain

* Fix templates

Signed-off-by: Dhiraj Jain

* Disable SSL by default

* Address comments for beautification

* Address comments

Signed-off-by: Dhiraj Jain

* chore: update demo config section (#24)

This snippet doesn't make sense in a kubernetes statefulset.

Signed-off-by: Scott Leggett

* added secretMounts to values.yaml w/ example config (#29)

Signed-off-by: johannes.reppin

Co-authored-by: johannes.reppin

* Change persistence config to make it more coherent w/ other helm charts (#33)

Signed-off-by: johannes.reppin

Co-authored-by: johannes.reppin

* add Volumes and change broken (!) yaml indentation (#31)

Signed-off-by: johannes.reppin

Co-authored-by: johannes.reppin

* support for current ingress apiVersion (#47)

* Helm Chart Fixes for Env variables and volumes (#35)

* Helm Chart Fixes for Env variables and volumes

The opensearch-dashboards chart failed to render correctly when
utilizing the extraEnvs flag, caused by incorrect indentation.

The opensearch chart failed to render when utilizing the secrets for the
security config, this was due to them being in the env section.

This pull request resolves both issues, verified via running helm
template with the minimal values files included here:

```yaml
envFrom:
  - secretRef:
      name: kibana-secrets
extraEnvs:
  - name: TENANT_ID
    valueFrom:
      secretKeyRef:
        name: kibana-secrets
        key: tenantID
```

```yaml
securityConfig:
  enabled: true
  configSecret: "security-config"
  internalUsersSecret: "internal-users-config"
  rolesMappingSecret: "roles-mapping-config"
  rolesSecret: "roles-config"
```

Signed-off-by: Harrison Goscenski

* Updating paths in sts to be dynamic

Updating the paths specified in the sts for opensearch to utilize
.Values.opensearchHome to allow for dynamic paths, with a default of
`/usr/share/opensearch` which should be sufficient for most users.

Signed-off-by: Harrison Goscenski

* Fixing config path in opensearch-dashboards (#38)

* Fixing config path in opensearch-dashboards

The manifests rendered by the Helm chart place the user provided config
into the incorrect directory. This simply updates that location to the
correct path and updates the values.yaml file to use the correct default
config file so that the user provided settings override the defaults.

Signed-off-by: Harrison Goscenski

* Updating cert paths to opensearch-dashboards

Cert paths also need to utilize new filesystem location for
opensearch-dashboards config.

Signed-off-by: Harrison Goscenski

* Resolves issue with securityConfig path (#41)

* Resolves issue with securityConfig path

Issue #39

This updates the securityConfig path in values to use the correct value
for opensearch.

Signed-off-by: Harrison Goscenski

* Fixing bad auto formatting

Removing unneeded indentation/newlines.

Signed-off-by: Harrison Goscenski

* Fixing missed auto formatting errors

Signed-off-by: Harrison Goscenski

* resolve issue about .Values.opensearchHome (#52)

refer to this: https://github.com/opensearch-project/opensearch-devops/commit/fe831db949469cd74111f33036d37f1717135329#commitcomment-55395428

Error Msg: nil pointer evaluating interface {}.opensearchHome

* Fix helm chart can not be deployed without ssl (#56)

* Fixing issue exposed by changes in #38

After switching the name of the config file, and removing the shadowing
between the default (from the docker container
opensearch-dashboards.yaml) and the default from the helm chart
(dashboards.yaml) there is an issue with the certs that are attempting
to be used. In order for this to work with the defaults, disabled TLS
verification will be needed, and then disabling TLS to remain in line
with the defaults. I added a commented out section showing what could
potentially be used as TLS config if the user chooses to enable it.

Signed-off-by: Harrison Goscenski

* Using conventional yaml formatting for ssl config

Moving comments around to follow relevant code and utilizing nested yaml
format rather than dot format.

Signed-off-by: Harrison Goscenski

* Changing Folder name to Charts

* Change default configuration for dashboards

Signed-off-by: TheAlgo

* Update securityconfig.yaml to remove extra spaces

Signed-off-by: TheAlgo

Co-authored-by: Barani
Co-authored-by: Aaron Layfield
Co-authored-by: Scott Leggett
Co-authored-by: Johannes Reppin
Co-authored-by: johannes.reppin
Co-authored-by: paltryeffort
Co-authored-by: hgoscenski-imanage <77067840+hgoscenski-imanage@users.noreply.github.com>
Co-authored-by: Nagle Zhang
---
 charts/README.md | 44 ++
 charts/opensearch-dashboards/.helmignore | 23 +
 charts/opensearch-dashboards/Chart.yaml | 24 +
 .../opensearch-dashboards/templates/NOTES.txt | 22 +
 .../templates/_helpers.tpl | 73 +++
 .../templates/configmap.yaml | 12 +
 .../templates/deployment.yaml | 158 ++++++
 .../templates/ingress.yaml | 60 +++
 .../templates/rolebinding.yaml | 16 +
 .../templates/service.yaml | 33 ++
 .../templates/serviceaccount.yaml | 12 +
 charts/opensearch-dashboards/values.yaml | 148 ++++++
 charts/opensearch/.helmignore | 23 +
 charts/opensearch/Chart.yaml | 24 +
 charts/opensearch/templates/NOTES.txt | 2 +
 charts/opensearch/templates/_helpers.tpl | 65 +++
 charts/opensearch/templates/configmap.yaml | 16 +
 charts/opensearch/templates/ingress.yaml | 38 ++
 .../opensearch/templates/networkpolicy.yaml | 14 +
 .../templates/poddisruptionbudget.yaml | 12 +
 .../templates/podsecuritypolicy.yaml | 18 +
 charts/opensearch/templates/role.yaml | 25 +
 charts/opensearch/templates/rolebinding.yaml | 24 +
 .../opensearch/templates/securityconfig.yaml | 16 +
 charts/opensearch/templates/service.yaml | 75 +++
 .../opensearch/templates/serviceaccount.yaml | 20 +
 charts/opensearch/templates/statefulset.yaml | 454 ++++++++++++++++++
 charts/opensearch/values.yaml | 367 ++++++++++++++
 28 files changed, 1818 insertions(+)
 create mode 100644 charts/README.md
 create mode 100644 charts/opensearch-dashboards/.helmignore
 create mode 100644 charts/opensearch-dashboards/Chart.yaml
 create mode 100644 charts/opensearch-dashboards/templates/NOTES.txt
 create mode 100644 charts/opensearch-dashboards/templates/_helpers.tpl
 create mode 100644 charts/opensearch-dashboards/templates/configmap.yaml
create mode 100644 charts/opensearch-dashboards/templates/deployment.yaml create mode 100644 charts/opensearch-dashboards/templates/ingress.yaml create mode 100644 charts/opensearch-dashboards/templates/rolebinding.yaml create mode 100644 charts/opensearch-dashboards/templates/service.yaml create mode 100644 charts/opensearch-dashboards/templates/serviceaccount.yaml create mode 100644 charts/opensearch-dashboards/values.yaml create mode 100644 charts/opensearch/.helmignore create mode 100644 charts/opensearch/Chart.yaml create mode 100755 charts/opensearch/templates/NOTES.txt create mode 100755 charts/opensearch/templates/_helpers.tpl create mode 100644 charts/opensearch/templates/configmap.yaml create mode 100644 charts/opensearch/templates/ingress.yaml create mode 100644 charts/opensearch/templates/networkpolicy.yaml create mode 100644 charts/opensearch/templates/poddisruptionbudget.yaml create mode 100644 charts/opensearch/templates/podsecuritypolicy.yaml create mode 100644 charts/opensearch/templates/role.yaml create mode 100644 charts/opensearch/templates/rolebinding.yaml create mode 100644 charts/opensearch/templates/securityconfig.yaml create mode 100644 charts/opensearch/templates/service.yaml create mode 100644 charts/opensearch/templates/serviceaccount.yaml create mode 100644 charts/opensearch/templates/statefulset.yaml create mode 100755 charts/opensearch/values.yaml diff --git a/charts/README.md b/charts/README.md new file mode 100644 index 00000000..82b49a1c --- /dev/null +++ b/charts/README.md 
@@ -0,0 +1,44 @@ + +This Helm chart is a lightweight way to configure and run the official [OpenSearch Docker image](https://hub.docker.com/r/opensearchproject/opensearch). + + +- [Installing](#installing) +- [Usage notes](#usage-notes) +- [Configuration](#configuration) +- [Future](#Future) + + + +## Installing + +This chart is tested with the latest 1.0.0-rc1 version. + +* Clone this repo +* Install it: + - with Helm 3: `helm install oss ./Helm/opensearch` + +## Usage notes + +* The chart deploys a StatefulSet and by default will do an automated rolling + update of your cluster. It does this by waiting for the cluster health to become + green after each instance is updated. +* It is important to verify that the JVM heap size in `esJavaOpts` and to set + the CPU/Memory `resources` to something suitable for your cluster. +* To simplify chart and maintenance each set of node groups is deployed as a + separate Helm release. Without doing this it isn't possible to resize persistent + volumes in a StatefulSet. By setting it up this way it makes it possible to add + more nodes with a new storage size then drain the old ones. It also solves the + problem of allowing the user to determine which node groups to update first when + doing upgrades or changes. +* We have designed this chart to be very un-opinionated about how to configure + OpenSearch. It exposes ways to set environment variables and mount secrets + inside of the container. Doing this makes it much easier for this chart to + support multiple versions with minimal changes. + +## Configuration +TODO : Write about all the parameters used + + +## Future +* Create example for different types of configurations for different K8S providers. +* Have a chart for deploying the OpenSearch stack comprising OpenSearch and OpenSearch Dashboards diff --git a/charts/opensearch-dashboards/.helmignore b/charts/opensearch-dashboards/.helmignore new file mode 100644 index 00000000..0e8a0eb3 --- /dev/null 
+++ b/charts/opensearch-dashboards/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/opensearch-dashboards/Chart.yaml b/charts/opensearch-dashboards/Chart.yaml new file mode 100644 index 00000000..36040d86 --- /dev/null +++ b/charts/opensearch-dashboards/Chart.yaml @@ -0,0 +1,24 @@ +apiVersion: v2 +name: opensearch-dashboards +description: A Helm chart for OpenSearch Dashboards + +# A chart can be either an 'application' or a 'library' chart. +# +# Application charts are a collection of templates that can be packaged into versioned archives +# to be deployed. +# +# Library charts provide useful utilities or functions for the chart developer. They're included as +# a dependency of application charts to inject those utilities and functions into the rendering +# pipeline. Library charts do not define any templates and therefore cannot be deployed. +type: application + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +# Versions are expected to follow Semantic Versioning (https://semver.org/) +version: 1.0.0 + +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. Versions are not expected to +# follow Semantic Versioning. They should reflect the version the application is using. +# It is recommended to use it with quotes. +appVersion: "1.0.0" 
diff --git a/charts/opensearch-dashboards/templates/NOTES.txt b/charts/opensearch-dashboards/templates/NOTES.txt new file mode 100644 index 00000000..d92acdc5 --- /dev/null +++ b/charts/opensearch-dashboards/templates/NOTES.txt 
@@ -0,0 +1,22 @@ +1. Get the application URL by running these commands: +{{- if .Values.ingress.enabled }} +{{- range $host := .Values.ingress.hosts }} + {{- range .paths }} + http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }} + {{- end }} +{{- end }} +{{- else if contains "NodePort" .Values.service.type }} + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "opensearch-dashboards.fullname" . }}) + export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + echo http://$NODE_IP:$NODE_PORT +{{- else if contains "LoadBalancer" .Values.service.type }} + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "opensearch-dashboards.fullname" . }}' + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "opensearch-dashboards.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") + echo http://$SERVICE_IP:{{ .Values.service.port }} +{{- else if contains "ClusterIP" .Values.service.type }} + export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "opensearch-dashboards.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") + export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}") + echo "Visit http://127.0.0.1:8080 to use your application" + kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT +{{- end }} diff --git a/charts/opensearch-dashboards/templates/_helpers.tpl b/charts/opensearch-dashboards/templates/_helpers.tpl new file mode 100644 index 00000000..6b88a111 --- /dev/null 
+++ b/charts/opensearch-dashboards/templates/_helpers.tpl 
@@ -0,0 +1,73 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "opensearch-dashboards.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "opensearch-dashboards.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "opensearch-dashboards.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "opensearch-dashboards.labels" -}} +helm.sh/chart: {{ include "opensearch-dashboards.chart" . }} +{{ include "opensearch-dashboards.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "opensearch-dashboards.selectorLabels" -}} +app.kubernetes.io/name: {{ include "opensearch-dashboards.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "opensearch-dashboards.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} + {{- default (include "opensearch-dashboards.fullname" .) 
.Values.serviceAccount.name }}-dashboards +{{- else }} + {{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} + +{{/* +Define standard labels for frequently used metadata. +*/}} +{{- define "opensearch-dashboards.standard" -}} +app: {{ template "opensearch-dashboards.fullname" . }} +chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" +release: "{{ .Release.Name }}" +heritage: "{{ .Release.Service }}" +{{- end -}} + diff --git a/charts/opensearch-dashboards/templates/configmap.yaml b/charts/opensearch-dashboards/templates/configmap.yaml new file mode 100644 index 00000000..6bd72208 --- /dev/null +++ b/charts/opensearch-dashboards/templates/configmap.yaml @@ -0,0 +1,12 @@ +{{- if .Values.config -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "opensearch-dashboards.fullname" . }}-config + labels: {{ include "opensearch-dashboards.labels" . | nindent 4 }} +data: +{{- range $configName, $configYaml := .Values.config }} + {{ $configName }}: | + {{- toYaml $configYaml | nindent 4 }} +{{- end }} +{{- end -}} \ No newline at end of file diff --git a/charts/opensearch-dashboards/templates/deployment.yaml b/charts/opensearch-dashboards/templates/deployment.yaml new file mode 100644 index 00000000..c8787b43 --- /dev/null +++ b/charts/opensearch-dashboards/templates/deployment.yaml 
@@ -0,0 +1,158 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "opensearch-dashboards.fullname" . }} + labels: {{- include "opensearch-dashboards.labels" . | nindent 4 }} +spec: + replicas: {{ .Values.replicaCount }} + strategy: +{{ toYaml .Values.updateStrategy | indent 4 }} + selector: + matchLabels: + app: {{ .Chart.Name }} + release: {{ .Release.Name | quote }} + template: + metadata: + labels: + app: {{ .Chart.Name }} + release: {{ .Release.Name | quote }} + {{- range $key, $value := .Values.labels }} + {{ $key }}: {{ $value | quote }} + {{- end }} + annotations: + {{- range $key, $value := .Values.podAnnotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- /* This forces a restart if the configmap has changed */}} + {{- if .Values.config }} + configchecksum: {{ include (print .Template.BasePath "/configmap.yaml") . | sha256sum | trunc 63 }} + {{- end }} + spec: +{{- if .Values.priorityClassName }} + priorityClassName: {{ .Values.priorityClassName }} +{{- end }} + securityContext: +{{ toYaml .Values.podSecurityContext | indent 8 }} + serviceAccountName: {{ template "opensearch-dashboards.serviceAccountName" . }} + {{- if .Values.hostAliases }} + hostAliases: {{ toYaml .Values.hostAliases | nindent 6 }} + {{- end }} + volumes: + {{- range .Values.secretMounts }} + - name: {{ .name }} + secret: + secretName: {{ .secretName }} + {{- end }} + {{- if .Values.config }} + - name: config + configMap: + name: {{ template "opensearch-dashboards.fullname" . }}-config + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: +{{ toYaml . 
| indent 8 }} + {{- end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml .Values.imagePullSecrets | indent 8 }} + {{- end }} + {{- if .Values.extraInitContainers }} + # Currently some extra blocks accept strings + # to continue with backwards compatibility this is being kept + # whilst also allowing for yaml to be specified too. + initContainers: + {{- if eq "string" (printf "%T" .Values.extraInitContainers) }} +{{ tpl .Values.extraInitContainers . | indent 6 }} + {{- else }} +{{ toYaml .Values.extraInitContainers | indent 6 }} + {{- end }} + {{- end }} + containers: + - name: dashboards + securityContext: +{{ toYaml .Values.securityContext | indent 10 }} + image: "{{ .Values.image }}:{{ .Values.imageTag | default .Chart.AppVersion }}" + imagePullPolicy: "{{ .Values.imagePullPolicy }}" + env: + {{- if .Values.opensearchURL }} + - name: OPENSEARCH_URL + value: "{{ .Values.opensearchURL }}" + {{- else if .Values.opensearchHosts }} + - name: OPENSEARCH_HOSTS + value: "{{ .Values.opensearchHosts }}" + {{- end }} + - name: SERVER_HOST + value: "{{ .Values.serverHost }}" + {{- if .Values.opensearchAccount.secret }} + - name: OPENSEARCH_USERNAME + valueFrom: + secretKeyRef: + name: {{ .Values.opensearchAccount.secret }} + key: username + - name: OPENSEARCH_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.opensearchAccount.secret }} + key: password + {{- if and .Values.opensearchAccount.keyPassphrase.enabled }} + - name: KEY_PASSPHRASE + valueFrom: + secretKeyRef: + name: {{ .Values.opensearchAccount.secret }} + key: keypassphrase + # 32-character random string to be used as cookie password by security plugin + {{- end }} + - name: COOKIE_PASS + valueFrom: + secretKeyRef: + name: {{ .Values.opensearchAccount.secret }} + key: cookie + {{- end }} +{{- if .Values.extraEnvs }} +{{ toYaml .Values.extraEnvs | indent 8 }} +{{- end }} +{{- if .Values.envFrom }} + envFrom: +{{ toYaml .Values.envFrom | indent 10 }} +{{- end }} + ports: + - 
containerPort: {{ .Values.service.port }} + name: {{ .Values.service.httpPortName | default "http" }} + protocol: TCP +{{- if .Values.lifecycle }} + lifecycle: +{{ toYaml .Values.lifecycle | indent 10 }} +{{- end }} + resources: +{{ toYaml .Values.resources | indent 10 }} + volumeMounts: + {{- range .Values.secretMounts }} + - name: {{ .name }} + mountPath: {{ .path }} + {{- if .subPath }} + subPath: {{ .subPath }} + {{- end }} + {{- end }} + {{- range $path, $config := .Values.config }} + - name: config + mountPath: /usr/share/opensearch-dashboards/config/{{ $path }} + subPath: {{ $path }} + {{- end }} + {{- if .Values.extraContainers }} + # Currently some extra blocks accept strings + # to continue with backwards compatibility this is being kept + # whilst also allowing for yaml to be specified too. + {{- if eq "string" (printf "%T" .Values.extraContainers) }} +{{ tpl .Values.extraContainers . | indent 6 }} + {{- else }} +{{ toYaml .Values.extraContainers | indent 6 }} + {{- end }} + {{- end }} \ No newline at end of file diff --git a/charts/opensearch-dashboards/templates/ingress.yaml b/charts/opensearch-dashboards/templates/ingress.yaml new file mode 100644 index 00000000..3acb0922 --- /dev/null +++ b/charts/opensearch-dashboards/templates/ingress.yaml 
@@ -0,0 +1,60 @@ +{{- if .Values.ingress.enabled -}} +{{- $fullName := include "opensearch-dashboards.fullname" . -}} +{{- $svcPort := .Values.service.port -}} +{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}} +apiVersion: networking.k8s.io/v1 +{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} +apiVersion: networking.k8s.io/v1beta1 +{{- else -}} +apiVersion: extensions/v1beta1 +{{- end }} +kind: Ingress +metadata: + name: {{ $fullName }} + labels: + {{- include "opensearch-dashboards.labels" . | nindent 4 }} + {{- with .Values.ingress.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + {{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} + {{- end }} + rules: + {{- if semverCompare ">=1.19" .Capabilities.KubeVersion.Version -}} + {{- range .Values.ingress.hosts }} + - host: {{ .host | quote }} + http: + paths: + {{- range .paths }} + - path: {{ .path }} + pathType: Prefix + backend: + service: + name: {{ $fullName }} + port: + number: {{ $svcPort }} + {{- end }} + {{- end }} + {{- else -}} + {{- range .Values.ingress.hosts }} + - host: {{ .host | quote }} + http: + paths: + {{- range .paths }} + - path: {{ .path }} + backend: + serviceName: {{ $fullName }} + servicePort: {{ $svcPort }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} diff --git a/charts/opensearch-dashboards/templates/rolebinding.yaml b/charts/opensearch-dashboards/templates/rolebinding.yaml new file mode 100644 index 00000000..bebc47cb --- /dev/null +++ b/charts/opensearch-dashboards/templates/rolebinding.yaml 
@@ -0,0 +1,16 @@ +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: +{{ include "opensearch-dashboards.standard" . | indent 4 }} + name: {{ template "opensearch-dashboards.fullname" . }}-dashboards-rolebinding +roleRef: + kind: Role + name: {{ template "opensearch-dashboards.serviceAccountName" . }} + apiGroup: rbac.authorization.k8s.io +subjects: +- kind: ServiceAccount + name: {{ template "opensearch-dashboards.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/opensearch-dashboards/templates/service.yaml b/charts/opensearch-dashboards/templates/service.yaml new file mode 100644 index 00000000..4cdc86b2 --- /dev/null +++ b/charts/opensearch-dashboards/templates/service.yaml @@ -0,0 +1,33 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ template "opensearch-dashboards.fullname" . }} + labels: {{- include "opensearch-dashboards.labels" . | nindent 4 }} +{{- if .Values.service.labels }} +{{ toYaml .Values.service.labels | indent 4}} +{{- end }} +{{- with .Values.service.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} +spec: + type: {{ .Values.service.type }} +{{- if .Values.service.loadBalancerIP }} + loadBalancerIP: {{ .Values.service.loadBalancerIP }} +{{- end }} +{{- with .Values.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{ toYaml . | indent 4 }} +{{- end }} + ports: + - port: {{ .Values.service.port }} +{{- if .Values.service.nodePort }} + nodePort: {{ .Values.service.nodePort }} +{{- end }} + protocol: TCP + name: {{ .Values.service.httpPortName | default "http" }} + targetPort: {{ .Values.service.port }} + selector: + app: {{ .Chart.Name }} + release: {{ .Release.Name | quote }} diff --git a/charts/opensearch-dashboards/templates/serviceaccount.yaml b/charts/opensearch-dashboards/templates/serviceaccount.yaml new file mode 100644 index 00000000..7ffbc076 --- /dev/null 
+++ b/charts/opensearch-dashboards/templates/serviceaccount.yaml @@ -0,0 +1,12 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "opensearch-dashboards.serviceAccountName" . }} + labels: + {{- include "opensearch-dashboards.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} diff --git a/charts/opensearch-dashboards/values.yaml b/charts/opensearch-dashboards/values.yaml new file mode 100644 index 00000000..f421adab --- /dev/null +++ b/charts/opensearch-dashboards/values.yaml 
@@ -0,0 +1,148 @@ +# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +# SPDX-License-Identifier: Apache-2.0s + +# Default values for opensearch-dashboards. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +opensearchHosts: "https://opensearch-cluster-master:9200" +replicaCount: 1 + +image: "opensearchproject/opensearch-dashboards" +imageTag: "1.0.0" +imagePullPolicy: "IfNotPresent" + +imagePullSecrets: [] +nameOverride: "" +fullnameOverride: "" + +serviceAccount: + # Specifies whether a service account should be created + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "" + +rbac: + create: true + +# A list of secrets and their paths to mount inside the pod +# This is useful for mounting certificates for security and for mounting +# the X-Pack license +secretMounts: [] +# - name: certs +# secretName: dashboard-certs +# path: /usr/share/dashboards/certs + +podAnnotations: {} + +extraEnvs: [] +# - name: "NODE_OPTIONS" +# value: "--max-old-space-size=1800" + +envFrom: [] + +extraInitContainers: "" + +extraContainers: "" + +podSecurityContext: {} + +securityContext: + capabilities: + drop: + - ALL + # readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + +config: {} + ## Default OpenSearch Dashboards configuration from docker image of Dashboards + # opensearch_dashboards.yml: + # server: + # name: dashboards + # host: 0.0.0.0 + + ## Dashboards TLS Config (Ensure the cert files are present before enabling SSL + # ssl: + # enabled: true + # key: /usr/share/opensearch-dashboards/certs/dashboards-key.pem + # certificate: /usr/share/opensearch-dashboards/certs/dashboards-crt.pem + + # determines how dashboards will verify certificates (needs to be none for default opensearch certificates to work) + # opensearch: + # ssl: + # 
certificateAuthorities: /usr/share/opensearch-dashboards/certs/dashboards-root-ca.pem + # if utilizing custom CA certs for connection to opensearch, provide the CA here + +priorityClassName: "" + +opensearchAccount: + secret: "" + keyPassphrase: + enabled: false + +labels: {} + +hostAliases: [] +#- ip: "127.0.0.1" +# hostnames: +# - "foo.local" +# - "bar.local" + +serverHost: "0.0.0.0" + +service: + type: ClusterIP + port: 5601 + loadBalancerIP: "" + nodePort: "" + labels: {} + annotations: {} + loadBalancerSourceRanges: [] + # 0.0.0.0/0 + httpPortName: http + +ingress: + enabled: false + annotations: + {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + hosts: + - host: chart-example.local + paths: + - path: / + backend: + serviceName: chart-example.local + servicePort: 80 + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + +resources: + requests: + cpu: "100m" + memory: "512M" + limits: + cpu: "100m" + memory: "512M" + +autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 100 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + +updateStrategy: + type: "Recreate" + +nodeSelector: {} + +tolerations: [] + +affinity: {} diff --git a/charts/opensearch/.helmignore b/charts/opensearch/.helmignore new file mode 100644 index 00000000..0e8a0eb3 --- /dev/null +++ b/charts/opensearch/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/opensearch/Chart.yaml b/charts/opensearch/Chart.yaml new file mode 100644 index 00000000..7c608ffd --- /dev/null +++ b/charts/opensearch/Chart.yaml 
@@ -0,0 +1,24 @@ +apiVersion: v2 +name: opensearch +description: A Helm chart for Kubernetes + +# A chart can be either an 'application' or a 'library' chart. +# +# Application charts are a collection of templates that can be packaged into versioned archives +# to be deployed. +# +# Library charts provide useful utilities or functions for the chart developer. They're included as +# a dependency of application charts to inject those utilities and functions into the rendering +# pipeline. Library charts do not define any templates and therefore cannot be deployed. +type: application + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +# Versions are expected to follow Semantic Versioning (https://semver.org/) +version: 1.0.0 + +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. Versions are not expected to +# follow Semantic Versioning. They should reflect the version the application is using. +# It is recommended to use it with quotes. +appVersion: "1.0.0" diff --git a/charts/opensearch/templates/NOTES.txt b/charts/opensearch/templates/NOTES.txt new file mode 100755 index 00000000..99c41213 --- /dev/null +++ b/charts/opensearch/templates/NOTES.txt @@ -0,0 +1,2 @@ +Watch all cluster members come up. + $ kubectl get pods --namespace={{ .Release.Namespace }} -l app={{ template "opensearch.uname" . }} -w diff --git a/charts/opensearch/templates/_helpers.tpl b/charts/opensearch/templates/_helpers.tpl new file mode 100755 index 00000000..7733999a --- /dev/null +++ b/charts/opensearch/templates/_helpers.tpl 
@@ -0,0 +1,65 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "opensearch.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "opensearch.fullname" -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{- define "opensearch.uname" -}} +{{- if empty .Values.fullnameOverride -}} +{{- if empty .Values.nameOverride -}} +{{ .Values.clusterName }}-{{ .Values.nodeGroup }} +{{- else -}} +{{ .Values.nameOverride }}-{{ .Values.nodeGroup }} +{{- end -}} +{{- else -}} +{{ .Values.fullnameOverride }} +{{- end -}} +{{- end -}} + +{{- define "opensearch.masterService" -}} +{{- if empty .Values.masterService -}} +{{- if empty .Values.fullnameOverride -}} +{{- if empty .Values.nameOverride -}} +{{ .Values.clusterName }}-master +{{- else -}} +{{ .Values.nameOverride }}-master +{{- end -}} +{{- else -}} +{{ .Values.fullnameOverride }} +{{- end -}} +{{- else -}} +{{ .Values.masterService }} +{{- end -}} +{{- end -}} + +{{- define "opensearch.endpoints" -}} +{{- $replicas := int (toString (.Values.replicas)) }} +{{- $uname := (include "opensearch.uname" .) }} + {{- range $i, $e := untilStep 0 $replicas 1 -}} +{{ $uname }}-{{ $i }}, + {{- end -}} +{{- end -}} + +{{- define "opensearch.majorVersion" -}} +{{- if .Values.majorVersion -}} +{{ .Values.majorVersion }} +{{- else -}} +{{- $version := int (index (.Values.imageTag | splitList ".") 0) -}} + {{- if and (contains "opensearchproject/opensearch" .Values.image) (not (eq $version 0)) -}} +{{ $version }} + {{- else -}} +7 + {{- end -}} +{{- end -}} +{{- end -}} 
diff --git a/charts/opensearch/templates/configmap.yaml b/charts/opensearch/templates/configmap.yaml new file mode 100644 index 00000000..bf42669d --- /dev/null +++ b/charts/opensearch/templates/configmap.yaml @@ -0,0 +1,16 @@ +{{- if .Values.config }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "opensearch.uname" . }}-config + labels: + heritage: {{ .Release.Service | quote }} + release: {{ .Release.Name | quote }} + chart: "{{ .Chart.Name }}" + app: "{{ template "opensearch.uname" . }}" +data: +{{- range $configName, $configYaml := .Values.config }} + {{ $configName }}: | + {{- toYaml $configYaml | nindent 4 }} +{{- end -}} +{{- end -}} diff --git a/charts/opensearch/templates/ingress.yaml b/charts/opensearch/templates/ingress.yaml new file mode 100644 index 00000000..43b8afdc --- /dev/null +++ b/charts/opensearch/templates/ingress.yaml @@ -0,0 +1,38 @@ +{{- if .Values.ingress.enabled -}} +{{- $fullName := include "opensearch.uname" . -}} +{{- $servicePort := .Values.httpPort -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1beta1 +kind: Ingress +metadata: + name: {{ $fullName }} + labels: + app: {{ .Chart.Name }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +{{- with .Values.ingress.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} +spec: +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + - host: {{ . }} + http: + paths: + - path: {{ $ingressPath }} + backend: + serviceName: {{ $fullName }} + servicePort: {{ $servicePort }} + {{- end }} +{{- end }} diff --git a/charts/opensearch/templates/networkpolicy.yaml b/charts/opensearch/templates/networkpolicy.yaml new file mode 100644 index 00000000..7e971273 --- /dev/null +++ b/charts/opensearch/templates/networkpolicy.yaml 
@@ -0,0 +1,14 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + creationTimestamp: null + name: {{ template "opensearch.uname" . }}-opensearch-net +spec: + ingress: + - from: + - podSelector: + matchLabels: + {{ template "opensearch.uname" . }}-transport-client: "true" + podSelector: + matchLabels: + {{ template "opensearch.uname" . }}-transport-client: "true" diff --git a/charts/opensearch/templates/poddisruptionbudget.yaml b/charts/opensearch/templates/poddisruptionbudget.yaml new file mode 100644 index 00000000..65d0d257 --- /dev/null +++ b/charts/opensearch/templates/poddisruptionbudget.yaml @@ -0,0 +1,12 @@ +--- +{{- if .Values.maxUnavailable }} +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: "{{ template "opensearch.uname" . }}-pdb" +spec: + maxUnavailable: {{ .Values.maxUnavailable }} + selector: + matchLabels: + app: "{{ template "opensearch.uname" . }}" +{{- end }} diff --git a/charts/opensearch/templates/podsecuritypolicy.yaml b/charts/opensearch/templates/podsecuritypolicy.yaml new file mode 100644 index 00000000..136c31f2 --- /dev/null +++ b/charts/opensearch/templates/podsecuritypolicy.yaml @@ -0,0 +1,18 @@ +{{- if .Values.podSecurityPolicy.create -}} +{{- $fullName := include "opensearch.uname" . -}} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ default $fullName .Values.podSecurityPolicy.name | quote }} + labels: + heritage: {{ .Release.Service | quote }} + release: {{ .Release.Name | quote }} + chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + app: {{ $fullName | quote }} +spec: +{{ toYaml .Values.podSecurityPolicy.spec | indent 2 }} +{{- if .Values.sysctl.enabled }} + allowedUnsafeSysctls: + - vm.max_map_count +{{- end }} +{{- end }} diff --git a/charts/opensearch/templates/role.yaml b/charts/opensearch/templates/role.yaml new file mode 100644 index 00000000..53f367f1 --- /dev/null +++ b/charts/opensearch/templates/role.yaml 
@@ -0,0 +1,25 @@ +{{- if .Values.rbac.create -}} +{{- $fullName := include "opensearch.uname" . -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ $fullName | quote }} + labels: + heritage: {{ .Release.Service | quote }} + release: {{ .Release.Name | quote }} + chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + app: {{ $fullName | quote }} +rules: + - apiGroups: + - extensions + resources: + - podsecuritypolicies + resourceNames: + {{- if eq .Values.podSecurityPolicy.name "" }} + - {{ $fullName | quote }} + {{- else }} + - {{ .Values.podSecurityPolicy.name | quote }} + {{- end }} + verbs: + - use +{{- end -}} diff --git a/charts/opensearch/templates/rolebinding.yaml b/charts/opensearch/templates/rolebinding.yaml new file mode 100644 index 00000000..85474722 --- /dev/null +++ b/charts/opensearch/templates/rolebinding.yaml @@ -0,0 +1,24 @@ +{{- if .Values.rbac.create -}} +{{- $fullName := include "opensearch.uname" . -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ $fullName | quote }} + labels: + heritage: {{ .Release.Service | quote }} + release: {{ .Release.Name | quote }} + chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + app: {{ $fullName | quote }} +subjects: + - kind: ServiceAccount + {{- if eq .Values.rbac.serviceAccountName "" }} + name: {{ $fullName | quote }} + {{- else }} + name: {{ .Values.rbac.serviceAccountName | quote }} + {{- end }} + namespace: {{ .Release.Namespace | quote }} +roleRef: + kind: Role + name: {{ $fullName | quote }} + apiGroup: rbac.authorization.k8s.io +{{- end -}} diff --git a/charts/opensearch/templates/securityconfig.yaml b/charts/opensearch/templates/securityconfig.yaml new file mode 100644 index 00000000..4557464e --- /dev/null +++ b/charts/opensearch/templates/securityconfig.yaml 
@@ -0,0 +1,16 @@ +{{- if and .Values.securityConfig.config.securityConfigSecret .Values.securityConfig.config.data }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Values.securityConfig.config.securityConfigSecret }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Chart.Name }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +type: Opaque +data: + {{- range $key, $val := .Values.securityConfig.config.data }} + {{ $key }}: {{ $val | b64enc | quote }} + {{- end }} + {{- end}} diff --git a/charts/opensearch/templates/service.yaml b/charts/opensearch/templates/service.yaml new file mode 100644 index 00000000..c1860dc5 --- /dev/null +++ b/charts/opensearch/templates/service.yaml 
@@ -0,0 +1,75 @@ +--- +kind: Service +apiVersion: v1 +metadata: +{{- if eq .Values.nodeGroup "master" }} + name: {{ template "opensearch.masterService" . }} +{{- else }} + name: {{ template "opensearch.uname" . }} +{{- end }} + labels: + heritage: {{ .Release.Service | quote }} + release: {{ .Release.Name | quote }} + chart: "{{ .Chart.Name }}" + app: "{{ template "opensearch.uname" . }}" +{{- if .Values.service.labels }} +{{ toYaml .Values.service.labels | indent 4}} +{{- end }} + annotations: +{{ toYaml .Values.service.annotations | indent 4 }} +spec: + type: {{ .Values.service.type }} + selector: + release: {{ .Release.Name | quote }} + chart: "{{ .Chart.Name }}" + app: "{{ template "opensearch.uname" . }}" + ports: + - name: {{ .Values.service.httpPortName | default "http" }} + protocol: TCP + port: {{ .Values.httpPort }} +{{- if .Values.service.nodePort }} + nodePort: {{ .Values.service.nodePort }} +{{- end }} + - name: {{ .Values.service.transportPortName | default "transport" }} + protocol: TCP + port: {{ .Values.transportPort }} +{{- if .Values.service.loadBalancerIP }} + loadBalancerIP: {{ .Values.service.loadBalancerIP }} +{{- end }} +{{- with .Values.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{ toYaml . | indent 4 }} +{{- end }} +{{- if .Values.service.externalTrafficPolicy }} + externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy }} +{{- end }} +--- +kind: Service +apiVersion: v1 +metadata: +{{- if eq .Values.nodeGroup "master" }} + name: {{ template "opensearch.masterService" . }}-headless +{{- else }} + name: {{ template "opensearch.uname" . }}-headless +{{- end }} + labels: + heritage: {{ .Release.Service | quote }} + release: {{ .Release.Name | quote }} + chart: "{{ .Chart.Name }}" + app: "{{ template "opensearch.uname" . 
}}" +{{- if .Values.service.labelsHeadless }} +{{ toYaml .Values.service.labelsHeadless | indent 4 }} +{{- end }} + annotations: + service.alpha.kubernetes.io/tolerate-unready-endpoints: "true" +spec: + clusterIP: None # This is needed for statefulset hostnames like opensearch-0 to resolve + # Create endpoints also if the related pod isn't ready + publishNotReadyAddresses: true + selector: + app: "{{ template "opensearch.uname" . }}" + ports: + - name: {{ .Values.service.httpPortName | default "http" }} + port: {{ .Values.httpPort }} + - name: {{ .Values.service.transportPortName | default "transport" }} + port: {{ .Values.transportPort }} diff --git a/charts/opensearch/templates/serviceaccount.yaml b/charts/opensearch/templates/serviceaccount.yaml new file mode 100644 index 00000000..2d2e22bb --- /dev/null +++ b/charts/opensearch/templates/serviceaccount.yaml @@ -0,0 +1,20 @@ +{{- if .Values.rbac.create -}} +{{- $fullName := include "opensearch.uname" . -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + {{- if eq .Values.rbac.serviceAccountName "" }} + name: {{ $fullName | quote }} + {{- else }} + name: {{ .Values.rbac.serviceAccountName | quote }} + {{- end }} + annotations: + {{- with .Values.rbac.serviceAccountAnnotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + labels: + heritage: {{ .Release.Service | quote }} + release: {{ .Release.Name | quote }} + chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + app: {{ $fullName | quote }} +{{- end -}} diff --git a/charts/opensearch/templates/statefulset.yaml b/charts/opensearch/templates/statefulset.yaml new file mode 100644 index 00000000..d5772c85 --- /dev/null +++ b/charts/opensearch/templates/statefulset.yaml 
@@ -0,0 +1,454 @@ +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ template "opensearch.uname" . }} + labels: + heritage: {{ .Release.Service | quote }} + release: {{ .Release.Name | quote }} + chart: "{{ .Chart.Name }}" + app: "{{ template "opensearch.uname" . }}" + {{- range $key, $value := .Values.labels }} + {{ $key }}: {{ $value | quote }} + {{- end }} + annotations: + majorVersion: "{{ include "opensearch.majorVersion" . }}" +spec: + serviceName: {{ template "opensearch.uname" . }}-headless + selector: + matchLabels: + release: {{ .Release.Name | quote }} + chart: "{{ .Chart.Name }}" + app: "{{ template "opensearch.uname" . }}" + replicas: {{ .Values.replicas }} + podManagementPolicy: {{ .Values.podManagementPolicy }} + updateStrategy: + type: {{ .Values.updateStrategy }} + {{- if .Values.persistence.enabled }} + volumeClaimTemplates: + - metadata: + name: {{ template "opensearch.uname" . }} + {{- if .Values.persistence.labels.enabled }} + labels: + release: {{ .Release.Name | quote }} + chart: "{{ .Chart.Name }}" + app: "{{ template "opensearch.uname" . }}" + {{- range $key, $value := .Values.labels }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- end }} + {{- with .Values.persistence.annotations }} + annotations: +{{ toYaml . | indent 8 }} + {{- end }} + spec: + accessModes: + {{- range .Values.persistence.accessModes }} + - {{ . | quote }} + {{- end }} + resources: + requests: + storage: {{ .Values.persistence.size | quote }} + {{- if .Values.persistence.storageClass }} + {{- if (eq "-" .Values.persistence.storageClass) }} + storageClassName: "" + {{- else }} + storageClassName: "{{ .Values.persistence.storageClass }}" + {{- end }} + {{- end }} + {{- end }} + template: + metadata: + name: "{{ template "opensearch.uname" . }}" + labels: + release: {{ .Release.Name | quote }} + chart: "{{ .Chart.Name }}" + app: "{{ template "opensearch.uname" . 
}}" + {{- range $key, $value := .Values.labels }} + {{ $key }}: {{ $value | quote }} + {{- end }} + annotations: + {{- range $key, $value := .Values.podAnnotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{/* This forces a restart if the configmap has changed */}} + {{- if .Values.config }} + configchecksum: {{ include (print .Template.BasePath "/configmap.yaml") . | sha256sum | trunc 63 }} + {{- end }} + spec: + {{- if .Values.schedulerName }} + schedulerName: "{{ .Values.schedulerName }}" + {{- end }} + securityContext: +{{ toYaml .Values.podSecurityContext | indent 8 }} + {{- if .Values.sysctl.enabled }} + sysctls: + - name: vm.max_map_count + value: {{ .Values.sysctlVmMaxMapCount | quote }} + {{- end }} + {{- if .Values.fsGroup }} + fsGroup: {{ .Values.fsGroup }} # Deprecated value, please use .Values.podSecurityContext.fsGroup + {{- end }} + {{- if .Values.rbac.create }} + serviceAccountName: "{{ template "opensearch.uname" . }}" + {{- else if not (eq .Values.rbac.serviceAccountName "") }} + serviceAccountName: {{ .Values.rbac.serviceAccountName | quote }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: +{{ toYaml . | indent 6 }} + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: +{{ toYaml . 
| indent 8 }} + {{- end }} + {{- if or (eq .Values.antiAffinity "hard") (eq .Values.antiAffinity "soft") .Values.nodeAffinity }} + {{- if .Values.priorityClassName }} + priorityClassName: {{ .Values.priorityClassName }} + {{- end }} + affinity: + {{- end }} + {{- if eq .Values.antiAffinity "hard" }} + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app + operator: In + values: + - "{{ template "opensearch.uname" .}}" + topologyKey: {{ .Values.antiAffinityTopologyKey }} + {{- else if eq .Values.antiAffinity "soft" }} + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 1 + podAffinityTerm: + topologyKey: {{ .Values.antiAffinityTopologyKey }} + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - "{{ template "opensearch.uname" . }}" + {{- end }} + {{- with .Values.nodeAffinity }} + nodeAffinity: +{{ toYaml . | indent 10 }} + {{- end }} + terminationGracePeriodSeconds: {{ .Values.terminationGracePeriod }} + volumes: + {{- range .Values.secretMounts }} + - name: {{ .name }} + secret: + secretName: {{ .secretName }} + {{- if .defaultMode }} + defaultMode: {{ .defaultMode }} + {{- end }} + {{- end }} + {{- if .Values.config }} + - name: config + configMap: + name: {{ template "opensearch.uname" . 
}}-config + {{- end }} + {{- if and .Values.securityConfig.config.securityConfigSecret .Values.securityConfig.config.data }} + - name: security-config + secret: + secretName: {{ .Values.securityConfig.config.securityConfigSecret }} + {{- end }} + {{- if .Values.securityConfig.actionGroupsSecret }} + - name: action-groups + secret: + secretName: {{ .Values.securityConfig.actionGroupsSecret }} + {{- end }} + {{- if .Values.securityConfig.configSecret }} + - name: security-config + secret: + secretName: {{ .Values.securityConfig.configSecret }} + {{- end }} + {{- if .Values.securityConfig.internalUsersSecret }} + - name: internal-users-config + secret: + secretName: {{ .Values.securityConfig.internalUsersSecret }} + {{- end }} + {{- if .Values.securityConfig.rolesSecret }} + - name: roles + secret: + secretName: {{ .Values.securityConfig.rolesSecret }} + {{- end }} + {{- if .Values.securityConfig.rolesMappingSecret }} + - name: role-mapping + secret: + secretName: {{ .Values.securityConfig.rolesMappingSecret }} + {{- end -}} + {{- if .Values.securityConfig.tenantsSecret }} + - name: tenants + secret: + secretName: {{ .Values.securityConfig.tenantsSecret }} + {{- end }} +{{- if .Values.keystore }} + - name: keystore + emptyDir: {} + {{- range .Values.keystore }} + - name: keystore-{{ .secretName }} + secret: {{ toYaml . | nindent 12 }} + {{- end }} +{{ end }} + {{- if .Values.extraVolumes }} + # Currently some extra blocks accept strings + # to continue with backwards compatibility this is being kept + # whilst also allowing for yaml to be specified too. + {{- if eq "string" (printf "%T" .Values.extraVolumes) }} +{{ tpl .Values.extraVolumes . 
| indent 8 }} + {{- else }} +{{ toYaml .Values.extraVolumes | indent 8 }} + {{- end }} + {{- end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml .Values.imagePullSecrets | indent 8 }} + {{- end }} + enableServiceLinks: {{ .Values.enableServiceLinks }} + {{- if .Values.hostAliases }} + hostAliases: {{ toYaml .Values.hostAliases | nindent 8 }} + {{- end }} + {{- if or (.Values.extraInitContainers) (.Values.keystore) }} + initContainers: +{{ if .Values.keystore }} + - name: keystore + image: "{{ .Values.image }}:{{ .Values.imageTag | default .Chart.AppVersion }}" + imagePullPolicy: "{{ .Values.imagePullPolicy }}" + command: + - sh + - -c + - | + #!/usr/bin/env bash + set -euo pipefail + + opensearch-keystore create + + for i in /tmp/keystoreSecrets/*/*; do + key=$(basename $i) + echo "Adding file $i to keystore key $key" + opensearch-keystore add-file "$key" "$i" + done + + # Add the bootstrap password since otherwise the opensearch entrypoint tries to do this on startup + if [ ! -z ${PASSWORD+x} ]; then + echo 'Adding env $PASSWORD to keystore as key bootstrap.password' + echo "$PASSWORD" | opensearch-keystore add -x bootstrap.password + fi + + cp -a {{ .Values.opensearchHome }}/config/opensearch.keystore /tmp/keystore/ + env: {{ toYaml .Values.extraEnvs | nindent 10 }} + envFrom: {{ toYaml .Values.envFrom | nindent 10 }} + resources: {{ toYaml .Values.initResources | nindent 10 }} + volumeMounts: + - name: keystore + mountPath: /tmp/keystore + {{- range .Values.keystore }} + - name: keystore-{{ .secretName }} + mountPath: /tmp/keystoreSecrets/{{ .secretName }} + {{- end }} +{{ end }} + {{- if .Values.extraInitContainers }} + # Currently some extra blocks accept strings + # to continue with backwards compatibility this is being kept + # whilst also allowing for yaml to be specified too. + {{- if eq "string" (printf "%T" .Values.extraInitContainers) }} +{{ tpl .Values.extraInitContainers . 
| indent 6 }} + {{- else }} +{{ toYaml .Values.extraInitContainers | indent 6 }} + {{- end }} + {{- end }} + {{- end }} + containers: + - name: "{{ template "opensearch.name" . }}" + securityContext: +{{ toYaml .Values.securityContext | indent 10 }} + image: "{{ .Values.image }}:{{ .Values.imageTag | default .Chart.AppVersion }}" + imagePullPolicy: "{{ .Values.imagePullPolicy }}" + ports: + - name: http + containerPort: {{ .Values.httpPort }} + - name: transport + containerPort: {{ .Values.transportPort }} + resources: +{{ toYaml .Values.resources | indent 10 }} + env: + - name: node.name + valueFrom: + fieldRef: + fieldPath: metadata.name + {{- if eq .Values.roles.master "true" }} + {{- if ge (int (include "opensearch.majorVersion" .)) 7 }} + - name: cluster.initial_master_nodes + value: "{{ template "opensearch.endpoints" . }}" + {{- else }} + - name: discovery.zen.minimum_master_nodes + value: "{{ .Values.minimumMasterNodes }}" + {{- end }} + {{- end }} + {{- if lt (int (include "opensearch.majorVersion" .)) 7 }} + - name: discovery.zen.ping.unicast.hosts + value: "{{ template "opensearch.masterService" . }}-headless" + {{- else }} + - name: discovery.seed_hosts + value: "{{ template "opensearch.masterService" . }}-headless" + {{- end }} + - name: cluster.name + value: "{{ .Values.clusterName }}" + - name: network.host + value: "{{ .Values.networkHost }}" + - name: ES_JAVA_OPTS + value: "{{ .Values.esJavaOpts }}" + {{- range $role, $enabled := .Values.roles }} + - name: node.{{ $role }} + value: "{{ $enabled }}" + {{- end }} +{{- if .Values.extraEnvs }} +{{ toYaml .Values.extraEnvs | indent 10 }} +{{- end }} +{{- if .Values.envFrom }} + envFrom: +{{ toYaml .Values.envFrom | indent 10 }} +{{- end }} + volumeMounts: + {{- if .Values.persistence.enabled }} + - name: "{{ template "opensearch.uname" . 
}}" + mountPath: {{ .Values.opensearchHome }}/data + {{- end }} + {{- if .Values.keystore }} + - name: keystore + mountPath: {{ .Values.opensearchHome }}/config/opensearch.keystore + subPath: opensearch.keystore + {{- end }} + {{- if .Values.securityConfig.enabled }} + {{- if .Values.securityConfig.actionGroupsSecret }} + - mountPath: {{ .Values.securityConfig.path }}/action_groups.yml + name: action-groups + subPath: action_groups.yml + {{- end }} + {{- if .Values.securityConfig.configSecret }} + - mountPath: {{ .Values.securityConfig.path }}/config.yml + name: security-config + subPath: config.yml + {{- end }} + {{- if .Values.securityConfig.internalUsersSecret }} + - mountPath: {{ .Values.securityConfig.path }}/internal_users.yml + name: internal-users-config + subPath: internal_users.yml + {{- end }} + {{- if .Values.securityConfig.rolesSecret }} + - mountPath: {{ .Values.securityConfig.path }}/roles.yml + name: roles + subPath: roles.yml + {{- end }} + {{- if .Values.securityConfig.rolesMappingSecret }} + - mountPath: {{ .Values.securityConfig.path }}/roles_mapping.yml + name: role-mapping + subPath: roles_mapping.yml + {{- end }} + {{- if .Values.securityConfig.tenantsSecret }} + - mountPath: {{ .Values.securityConfig.path }}/tenants.yml + name: tenants + subPath: tenants.yml + {{- end }} + {{- if and .Values.securityConfig.config.securityConfigSecret .Values.securityConfig.config.data }} + - mountPath: {{ .Values.securityConfig.path }} + name: security-config + {{- end }} + {{- end }} + + {{- range .Values.secretMounts }} + - name: {{ .name }} + mountPath: {{ .path }} + {{- if .subPath }} + subPath: {{ .subPath }} + {{- end }} + {{- end }} + {{- range $path, $config := .Values.config }} + - name: config + mountPath: {{ $.Values.opensearchHome }}/config/{{ $path }} + subPath: {{ $path }} + {{- end -}} + {{- if .Values.extraVolumeMounts }} + # Currently some extra blocks accept strings + # to continue with backwards compatibility this is being kept + # whilst 
also allowing for yaml to be specified too. + {{- if eq "string" (printf "%T" .Values.extraVolumeMounts) }} +{{ tpl .Values.extraVolumeMounts . | indent 10 }} + {{- else }} +{{ toYaml .Values.extraVolumeMounts | indent 10 }} + {{- end }} + {{- end }} + {{- if .Values.masterTerminationFix }} + {{- if eq .Values.roles.master "true" }} + # This sidecar will prevent slow master re-election + - name: opensearch-master-graceful-termination-handler + image: "{{ .Values.image }}:{{ .Values.imageTag | default .Chart.AppVersion }}" + imagePullPolicy: "{{ .Values.imagePullPolicy }}" + command: + - "sh" + - -c + - | + #!/usr/bin/env bash + set -eo pipefail + + http () { + local path="${1}" + if [ -n "${USERNAME}" ] && [ -n "${PASSWORD}" ]; then + BASIC_AUTH="-u ${USERNAME}:${PASSWORD}" + elses + BASIC_AUTH='' + fi + curl -XGET -s -k --fail ${BASIC_AUTH} {{ .Values.protocol }}://{{ template "opensearch.masterService" . }}:{{ .Values.httpPort }}${path} + } + + cleanup () { + while true ; do + local master="$(http "/_cat/master?h=node" || echo "")" + if [[ $master == "{{ template "opensearch.masterService" . }}"* && $master != "${NODE_NAME}" ]]; then + echo "This node is not master." + break + fi + echo "This node is still master, waiting gracefully for it to step down" + sleep 1 + done + + exit 0 + } + + trap cleanup SIGTERM + + sleep infinity & + wait $! 
+ resources: +{{ toYaml .Values.sidecarResources | indent 10 }} + env: + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + {{- if .Values.extraEnvs }} +{{ toYaml .Values.extraEnvs | indent 10 }} + {{- end }} + {{- if .Values.envFrom }} + envFrom: +{{ toYaml .Values.envFrom | indent 10 }} + {{- end }} + {{- end }} + {{- end }} +{{- if .Values.lifecycle }} + lifecycle: +{{ toYaml .Values.lifecycle | indent 10 }} +{{- end }} + {{- if .Values.extraContainers }} + # Currently some extra blocks accept strings + # to continue with backwards compatibility this is being kept + # whilst also allowing for yaml to be specified too. + {{- if eq "string" (printf "%T" .Values.extraContainers) }} +{{ tpl .Values.extraContainers . | indent 6 }} + {{- else }} +{{ toYaml .Values.extraContainers | indent 6 }} + {{- end }} + {{- end }} diff --git a/charts/opensearch/values.yaml b/charts/opensearch/values.yaml new file mode 100755 index 00000000..ad6761a5 --- /dev/null +++ b/charts/opensearch/values.yaml 
@@ -0,0 +1,367 @@ +--- +clusterName: "opensearch-cluster" +nodeGroup: "master" + +# The service that non master groups will try to connect to when joining the cluster +# This should be set to clusterName + "-" + nodeGroup for your master group +masterService: "opensearch-cluster-master" + +# OpenSearch roles that will be applied to this nodeGroup +# These will be set as environment variables. E.g. node.master=true +roles: + master: "true" + ingest: "true" + data: "true" + remote_cluster_client: "true" + +replicas: 3 +minimumMasterNodes: 1 + +majorVersion: "" + +# Allows you to add any config files in {{ .Values.configPath }}/config +opensearchHome: /usr/share/opensearch +# such as opensearch.yml and log4j2.properties +config: + opensearch.yml: + cluster.name: opensearch-cluster + + # Bind to all interfaces because we don't know what IP address Docker will assign to us. + network.host: 0.0.0.0 + + # # minimum_master_nodes need to be explicitly set when bound on a public IP + # # set to 1 to allow single node clusters + # discovery.zen.minimum_master_nodes: 1 + + # Setting network.host to a non-loopback address enables the annoying bootstrap checks. "Single-node" mode disables them again. 
+ #discovery.type: single-node + + ######## Start OpenSearch Security Demo Configuration ######## + # WARNING: revise all the lines below before you go into production + plugins: + security: + ssl: + transport: + pemcert_filepath: esnode.pem + pemkey_filepath: esnode-key.pem + pemtrustedcas_filepath: root-ca.pem + enforce_hostname_verification: false + http: + enabled: true + pemcert_filepath: esnode.pem + pemkey_filepath: esnode-key.pem + pemtrustedcas_filepath: root-ca.pem + allow_unsafe_democertificates: true + allow_default_init_securityindex: true + authcz: + admin_dn: + - CN=kirk,OU=client,O=client,L=test, C=de + audit.type: internal_opensearch + enable_snapshot_restore_privilege: true + check_snapshot_restore_write_privileges: true + restapi: + roles_enabled: ["all_access", "security_rest_api_access"] + system_indices: + enabled: true + indices: + [ + ".opendistro-alerting-config", + ".opendistro-alerting-alert*", + ".opendistro-anomaly-results*", + ".opendistro-anomaly-detector*", + ".opendistro-anomaly-checkpoints", + ".opendistro-anomaly-detection-state", + ".opendistro-reports-*", + ".opendistro-notifications-*", + ".opendistro-notebooks", + ".opendistro-asynchronous-search-response*", + ] + ######## End OpenSearch Security Demo Configuration ######## + # log4j2.properties: + +# Extra environment variables to append to this nodeGroup +# This will be appended to the current 'env:' key. 
You can use any of the kubernetes env +# syntax here +extraEnvs: [] +# - name: MY_ENVIRONMENT_VAR +# value: the_value_goes_here + +# Allows you to load environment variables from kubernextes secret or config map +envFrom: [] +# - secretRef: +# name: env-secret +# - configMapRef: +# name: config-map + +# A list of secrets and their paths to mount inside the pod +# This is useful for mounting certificates for security and for mounting +# the X-Pack license +secretMounts: [] + +hostAliases: [] +#- ip: "127.0.0.1" +# hostnames: +# - "foo.local" +# - "bar.local" + +image: "opensearchproject/opensearch" +# override image tag, which is .Chart.AppVersion by default +imageTag: "" +imagePullPolicy: "IfNotPresent" + +podAnnotations: {} + # iam.amazonaws.com/role: es-cluster + +# additionals labels +labels: {} + +esJavaOpts: "-Xmx512M -Xms512M" + +resources: + requests: + cpu: "1000m" + memory: "100Mi" + +initResources: {} + # limits: + # cpu: "25m" + # # memory: "128Mi" + # requests: + # cpu: "25m" + # memory: "128Mi" + +sidecarResources: {} + # limits: + # cpu: "25m" + # # memory: "128Mi" + # requests: + # cpu: "25m" + # memory: "128Mi" + +networkHost: "0.0.0.0" + +rbac: + create: false + serviceAccountAnnotations: {} + serviceAccountName: "" + +podSecurityPolicy: + create: false + name: "" + spec: + privileged: true + fsGroup: + rule: RunAsAny + runAsUser: + rule: RunAsAny + seLinux: + rule: RunAsAny + supplementalGroups: + rule: RunAsAny + volumes: + - secret + - configMap + - persistentVolumeClaim + - emptyDir + +persistence: + enabled: true + labels: + # Add default labels for the volumeClaimTemplate of the StatefulSet + enabled: false + ## OpenSearch Persistent Volume Storage Class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. 
(gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + # storageClass: "-" + accessModes: + - ReadWriteOnce + size: 8Gi + annotations: {} + +extraVolumes: [] + # - name: extras + # emptyDir: {} + +extraVolumeMounts: [] + # - name: extras + # mountPath: /usr/share/extras + # readOnly: true + +extraContainers: [] + # - name: do-something + # image: busybox + # command: ['do', 'something'] + +extraInitContainers: [] + # - name: do-somethings + # image: busybox + # command: ['do', 'something'] + +# This is the PriorityClass settings as defined in +# https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass +priorityClassName: "" + +# By default this will make sure two pods don't end up on the same node +# Changing this to a region would allow you to spread pods across regions +antiAffinityTopologyKey: "kubernetes.io/hostname" + +# Hard means that by default pods will only be scheduled if there are enough nodes for them +# and that they will never end up on the same node. Setting this to soft will do this "best effort" +antiAffinity: "soft" + +# This is the node affinity settings as defined in +# https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#node-affinity-beta-feature +nodeAffinity: {} + +# The default is to deploy all pods serially. By setting this to parallel all pods are started at +# the same time when bootstrapping the cluster +podManagementPolicy: "Parallel" + +# The environment variables injected by service links are not used, but can lead to slow OpenSearch boot times when +# there are many services in the current namespace. +# If you experience slow pod startups you probably want to set this to `false`. 
+enableServiceLinks: true + +protocol: http +httpPort: 9200 +transportPort: 9300 + +service: + labels: {} + labelsHeadless: {} + type: ClusterIP + nodePort: "" + annotations: {} + httpPortName: http + transportPortName: transport + loadBalancerIP: "" + loadBalancerSourceRanges: [] + externalTrafficPolicy: "" + +updateStrategy: RollingUpdate + +# This is the max unavailable setting for the pod disruption budget +# The default value of 1 will make sure that kubernetes won't allow more than 1 +# of your pods to be unavailable during maintenance +maxUnavailable: 1 + +podSecurityContext: + fsGroup: 1000 + runAsUser: 1000 + +securityContext: + capabilities: + drop: + - ALL + # readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + +securityConfig: + enabled: true + path: "/usr/share/opensearch/plugins/opensearch-security/securityconfig" + actionGroupsSecret: + configSecret: + internalUsersSecret: + rolesSecret: + rolesMappingSecret: + tenantsSecret: + #The following option simplifies securityConfig by using a single secret and specifying the respective secrets in the corresponding files instead of creating different secrets for config,internal users, roles, roles mapping and tenants + #Note that this is an alternative to the above secrets and shouldn't be used if the above secrets are used + config: + securityConfigSecret: + data: {} + # config.yml: |- + # internal_users.yml: |- + # roles.yml: |- + # rolesMapping.yml: |- + # tenants.yml: |- + +# How long to wait for opensearch to stop gracefully +terminationGracePeriod: 120 + +sysctlVmMaxMapCount: 262144 + +readinessProbe: + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 3 + timeoutSeconds: 2000 + +## Use an alternate scheduler. +## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ +## +schedulerName: "" + +imagePullSecrets: [] +nodeSelector: {} +tolerations: [] + +# Enabling this will publically expose your OpenSearch instance. 
+# Only enable this if you have security enabled on your cluster +ingress: + enabled: false + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + path: / + hosts: + - chart-example.local + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + +nameOverride: "" +fullnameOverride: "" + +masterTerminationFix: false + +lifecycle: {} + # preStop: + # exec: + # command: ["/bin/sh", "-c", "echo Hello from the postStart handler > /usr/share/message"] + # postStart: + # exec: + # command: + # - bash + # - -c + # - | + # #!/bin/bash + # # Add a template to adjust number of shards/replicas1 + # TEMPLATE_NAME=my_template + # INDEX_PATTERN="logstash-*" + # SHARD_COUNT=8 + # REPLICA_COUNT=1 + # ES_URL=http://localhost:9200 + # while [[ "$(curl -s -o /dev/null -w '%{http_code}\n' $ES_URL)" != "200" ]]; do sleep 1; done + # curl -XPUT "$ES_URL/_template/$TEMPLATE_NAME" -H 'Content-Type: application/json' -d'{"index_patterns":['\""$INDEX_PATTERN"\"'],"settings":{"number_of_shards":'$SHARD_COUNT',"number_of_replicas":'$REPLICA_COUNT'}}' + +keystore: [] + +networkPolicy: + ## Enable creation of NetworkPolicy resources. Only Ingress traffic is filtered for now. + ## In order for a Pod to access OpenSearch, it needs to have the following label: + ## {{ template "uname" . }}-client: "true" + ## Example for default configuration to access HTTP port: + ## opensearch-master-http-client: "true" + ## Example for default configuration to access transport port: + ## opensearch-master-transport-client: "true" + + http: + enabled: false + +# Deprecated +# please use the above podSecurityContext.fsGroup instead +fsGroup: "" + +## Set optimal sysctl's. This requires privilege. Can be disabled if +## the system has already been preconfigured. 
(Ex: https://www.elastic.co/guide/en/elasticsearch/reference/current/vm-max-map-count.html) +## Also see: https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ +sysctl: + enabled: false
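Review bot: The default `config` block in this values.yaml ships the OpenSearch Security demo configuration as the chart default, so `allow_unsafe_democertificates: true`, `enforce_hostname_verification: false` and the demo `admin_dn` entry `CN=kirk,OU=client,O=client,L=test, C=de` are active unless the user overrides them, and the only guard is the comment "WARNING: revise all the lines below before you go into production". Suggest putting the demo block behind an explicit opt-in value (or shipping it commented out) and documenting that the `securityConfig.*Secret` values are the expected path for a non-demo install. Three smaller points in the same file: `protocol: http` sits alongside `plugins.security.ssl.http.enabled: true`, so anything that takes its scheme from `protocol` would speak plain HTTP to a TLS listener; `readinessProbe.timeoutSeconds: 2000` is far larger than `periodSeconds: 10` and reads like a milliseconds value; and `podSecurityPolicy.spec` defaults to `privileged: true` with `RunAsAny` rules while `securityContext` drops `ALL` capabilities and sets `runAsNonRoot: true`, and since the only stated need for privilege is the `sysctl` option, which is `enabled: false` by default, the PSP spec should be tightened to match before anyone sets `create: true`.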