From 9c407b9745f998433d291e3c0443c650e4f03e0f Mon Sep 17 00:00:00 2001 From: Michael Primeaux Date: Wed, 27 Oct 2021 19:35:13 -0500 Subject: [PATCH] FIX: Issue 105 - RBAC enabled (#106) * - Added missing `labels:` stanza delimeter to role.yaml to address the failure when RBAC is enabled. Signed-off-by: Michael Primeaux * - Renamed CI values file for testing RBAC enabled. Signed-off-by: Michael Primeaux * - Indented template line to asthetically match. Signed-off-by: Michael Primeaux * - Incremented OpenSearch chart version to 1.2.2 to accommodate another PR. Signed-off-by: Michael Primeaux * - Amended CHANGELOG as per review. Signed-off-by: Michael Primeaux --- charts/opensearch/CHANGELOG.md | 6 +- charts/opensearch/Chart.yaml | 2 +- .../opensearch/ci/ci-rbac-enabled-values.yaml | 388 ++++++++++++++++++ charts/opensearch/ci/ci-values.yaml | 183 ++++++++- 4 files changed, 569 insertions(+), 10 deletions(-) create mode 100755 charts/opensearch/ci/ci-rbac-enabled-values.yaml diff --git a/charts/opensearch/CHANGELOG.md b/charts/opensearch/CHANGELOG.md index 51946cda..ea842298 100644 --- a/charts/opensearch/CHANGELOG.md +++ b/charts/opensearch/CHANGELOG.md @@ -14,12 +14,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Security --- -## [1.2.1] +## [1.2.2] ### Added ### Changed ### Deprecated ### Removed ### Fixed +- [Issue #105](https://github.com/opensearch-project/helm-charts/issues/105) OpenSearch chart fails when RBAC is enabled. - Missing `labels` key is added into role.yaml. ### Security 
@@ -109,7 +110,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Fixed ### Security -[Unreleased]: https://github.com/opensearch-project/helm-charts/compare/opensearch-1.2.1...HEAD +[Unreleased]: https://github.com/opensearch-project/helm-charts/compare/opensearch-1.2.2...HEAD +[1.2.2]: https://github.com/opensearch-project/helm-charts/compare/opensearch-1.2.1...opensearch-1.2.2 [1.2.1]: https://github.com/opensearch-project/helm-charts/compare/opensearch-1.2.0...opensearch-1.2.1 [1.2.0]: https://github.com/opensearch-project/helm-charts/compare/opensearch-1.1.0...opensearch-1.2.0 [1.1.0]: https://github.com/opensearch-project/helm-charts/compare/opensearch-1.0.8...opensearch-1.1.0 diff --git a/charts/opensearch/Chart.yaml b/charts/opensearch/Chart.yaml index 1579e58c..e9759988 100644 --- a/charts/opensearch/Chart.yaml +++ b/charts/opensearch/Chart.yaml @@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 1.2.1 +version: 1.2.2 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/charts/opensearch/ci/ci-rbac-enabled-values.yaml b/charts/opensearch/ci/ci-rbac-enabled-values.yaml new file mode 100755 index 00000000..88e7901b --- /dev/null +++ b/charts/opensearch/ci/ci-rbac-enabled-values.yaml 
@@ -0,0 +1,388 @@ +--- +clusterName: "opensearch-cluster" +nodeGroup: "master" + +# The service that non master groups will try to connect to when joining the cluster +# This should be set to clusterName + "-" + nodeGroup for your master group +masterService: "opensearch-cluster-master" + +# OpenSearch roles that will be applied to this nodeGroup +# These will be set as environment variables. E.g. node.master=true +roles: + master: "true" + ingest: "true" + data: "true" + remote_cluster_client: "true" + +replicas: 1 +minimumMasterNodes: 1 + +# if not set, falls back to parsing .Values.imageTag, then .Chart.appVersion. +majorVersion: "" + +global: + # Set if you want to change the default docker registry, e.g. a private one. + dockerRegistry: "" + +# Allows you to add any config files in {{ .Values.opensearchHome }}/config +opensearchHome: /usr/share/opensearch +# such as opensearch.yml and log4j2.properties +config: + opensearch.yml: + cluster.name: opensearch-cluster + + # Bind to all interfaces because we don't know what IP address Docker will assign to us. + network.host: 0.0.0.0 + + # # minimum_master_nodes need to be explicitly set when bound on a public IP + # # set to 1 to allow single node clusters + # discovery.zen.minimum_master_nodes: 1 + + # Setting network.host to a non-loopback address enables the annoying bootstrap checks. "Single-node" mode disables them again. 
+ # discovery.type: single-node + + # Start OpenSearch Security Demo Configuration + # WARNING: revise all the lines below before you go into production + plugins: + security: + ssl: + transport: + pemcert_filepath: esnode.pem + pemkey_filepath: esnode-key.pem + pemtrustedcas_filepath: root-ca.pem + enforce_hostname_verification: false + http: + enabled: true + pemcert_filepath: esnode.pem + pemkey_filepath: esnode-key.pem + pemtrustedcas_filepath: root-ca.pem + allow_unsafe_democertificates: true + allow_default_init_securityindex: true + authcz: + admin_dn: + - CN=kirk,OU=client,O=client,L=test, C=de + audit.type: internal_opensearch + enable_snapshot_restore_privilege: true + check_snapshot_restore_write_privileges: true + restapi: + roles_enabled: ["all_access", "security_rest_api_access"] + system_indices: + enabled: true + indices: + [ + ".opendistro-alerting-config", + ".opendistro-alerting-alert*", + ".opendistro-anomaly-results*", + ".opendistro-anomaly-detector*", + ".opendistro-anomaly-checkpoints", + ".opendistro-anomaly-detection-state", + ".opendistro-reports-*", + ".opendistro-notifications-*", + ".opendistro-notebooks", + ".opendistro-asynchronous-search-response*", + ] + ######## End OpenSearch Security Demo Configuration ######## + # log4j2.properties: + +# Extra environment variables to append to this nodeGroup +# This will be appended to the current 'env:' key. 
You can use any of the kubernetes env +# syntax here +extraEnvs: [] +# - name: MY_ENVIRONMENT_VAR +# value: the_value_goes_here + +# Allows you to load environment variables from kubernextes secret or config map +envFrom: [] +# - secretRef: +# name: env-secret +# - configMapRef: +# name: config-map + +# A list of secrets and their paths to mount inside the pod +# This is useful for mounting certificates for security and for mounting +# the X-Pack license +secretMounts: [] + +hostAliases: [] +# - ip: "127.0.0.1" +# hostnames: +# - "foo.local" +# - "bar.local" + +image: "opensearchproject/opensearch" +# override image tag, which is .Chart.AppVersion by default +imageTag: "" +imagePullPolicy: "IfNotPresent" + +podAnnotations: {} + # iam.amazonaws.com/role: es-cluster + +# additionals labels +labels: {} + +opensearchJavaOpts: "-Xmx512M -Xms512M" + +resources: + requests: + cpu: "1000m" + memory: "100Mi" + +initResources: {} + # limits: + # cpu: "25m" + # # memory: "128Mi" + # requests: + # cpu: "25m" + # memory: "128Mi" + +sidecarResources: {} + # limits: + # cpu: "25m" + # # memory: "128Mi" + # requests: + # cpu: "25m" + # memory: "128Mi" + +networkHost: "0.0.0.0" + +rbac: + create: true + serviceAccountAnnotations: {} + serviceAccountName: "" + +podSecurityPolicy: + create: false + name: "" + spec: + privileged: true + fsGroup: + rule: RunAsAny + runAsUser: + rule: RunAsAny + seLinux: + rule: RunAsAny + supplementalGroups: + rule: RunAsAny + volumes: + - secret + - configMap + - persistentVolumeClaim + - emptyDir + +persistence: + enabled: true + labels: + # Add default labels for the volumeClaimTemplate of the StatefulSet + enabled: false + # OpenSearch Persistent Volume Storage Class + # If defined, storageClassName: + # If set to "-", storageClassName: "", which disables dynamic provisioning + # If undefined (the default) or set to null, no storageClassName spec is + # set, choosing the default provisioner. 
(gp2 on AWS, standard on + # GKE, AWS & OpenStack) + # + # storageClass: "-" + accessModes: + - ReadWriteOnce + size: 8Gi + annotations: {} + +extraVolumes: [] + # - name: extras + # emptyDir: {} + +extraVolumeMounts: [] + # - name: extras + # mountPath: /usr/share/extras + # readOnly: true + +extraContainers: [] + # - name: do-something + # image: busybox + # command: ['do', 'something'] + +extraInitContainers: [] + # - name: do-somethings + # image: busybox + # command: ['do', 'something'] + +# This is the PriorityClass settings as defined in +# https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass +priorityClassName: "" + +# By default this will make sure two pods don't end up on the same node +# Changing this to a region would allow you to spread pods across regions +antiAffinityTopologyKey: "kubernetes.io/hostname" + +# Hard means that by default pods will only be scheduled if there are enough nodes for them +# and that they will never end up on the same node. Setting this to soft will do this "best effort" +antiAffinity: "soft" + +# This is the node affinity settings as defined in +# https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#node-affinity-beta-feature +nodeAffinity: {} + +# The default is to deploy all pods serially. By setting this to parallel all pods are started at +# the same time when bootstrapping the cluster +podManagementPolicy: "Parallel" + +# The environment variables injected by service links are not used, but can lead to slow OpenSearch boot times when +# there are many services in the current namespace. +# If you experience slow pod startups you probably want to set this to `false`. 
+enableServiceLinks: true + +protocol: http +httpPort: 9200 +transportPort: 9300 + +service: + labels: {} + labelsHeadless: {} + type: ClusterIP + nodePort: "" + annotations: {} + httpPortName: http + transportPortName: transport + loadBalancerIP: "" + loadBalancerSourceRanges: [] + externalTrafficPolicy: "" + +updateStrategy: RollingUpdate + +# This is the max unavailable setting for the pod disruption budget +# The default value of 1 will make sure that kubernetes won't allow more than 1 +# of your pods to be unavailable during maintenance +maxUnavailable: 1 + +podSecurityContext: + fsGroup: 1000 + runAsUser: 1000 + +securityContext: + capabilities: + drop: + - ALL + # readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + +securityConfig: + enabled: true + path: "/usr/share/opensearch/plugins/opensearch-security/securityconfig" + actionGroupsSecret: + configSecret: + internalUsersSecret: + rolesSecret: + rolesMappingSecret: + tenantsSecret: + # The following option simplifies securityConfig by using a single secret and + # specifying the config files as keys in the secret instead of creating + # different secrets for for each config file. + # Note that this is an alternative to the individual secret configuration + # above and shouldn't be used if the above secrets are used. + config: + # There are multiple ways to define the configuration here: + # * If you define anything under data, the chart will automatically create + # a secret and mount it. + # * If you define securityConfigSecret, the chart will assume this secret is + # created externally and mount it. + # * It is an error to define both data and securityConfigSecret. 
+ securityConfigSecret: "" + data: {} + # config.yml: |- + # internal_users.yml: |- + # roles.yml: |- + # roles_mapping.yml: |- + # action_groups.yml: |- + # tenants.yml: |- + +# How long to wait for opensearch to stop gracefully +terminationGracePeriod: 120 + +sysctlVmMaxMapCount: 262144 + +readinessProbe: + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 3 + timeoutSeconds: 2000 + +## Use an alternate scheduler. +## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ +## +schedulerName: "" + +imagePullSecrets: [] +nodeSelector: {} +tolerations: [] + +# Enabling this will publically expose your OpenSearch instance. +# Only enable this if you have security enabled on your cluster +ingress: + enabled: false + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + path: / + hosts: + - chart-example.local + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + +nameOverride: "" +fullnameOverride: "" + +masterTerminationFix: false + +lifecycle: {} + # preStop: + # exec: + # command: ["/bin/sh", "-c", "echo Hello from the postStart handler > /usr/share/message"] + # postStart: + # exec: + # command: + # - bash + # - -c + # - | + # #!/bin/bash + # # Add a template to adjust number of shards/replicas1 + # TEMPLATE_NAME=my_template + # INDEX_PATTERN="logstash-*" + # SHARD_COUNT=8 + # REPLICA_COUNT=1 + # ES_URL=http://localhost:9200 + # while [[ "$(curl -s -o /dev/null -w '%{http_code}\n' $ES_URL)" != "200" ]]; do sleep 1; done + # curl -XPUT "$ES_URL/_template/$TEMPLATE_NAME" -H 'Content-Type: application/json' -d'{"index_patterns":['\""$INDEX_PATTERN"\"'],"settings":{"number_of_shards":'$SHARD_COUNT',"number_of_replicas":'$REPLICA_COUNT'}}' + +keystore: [] + +networkPolicy: + ## Enable creation of NetworkPolicy resources. Only Ingress traffic is filtered for now. 
+ ## In order for a Pod to access OpenSearch, it needs to have the following label: + ## {{ template "uname" . }}-client: "true" + ## Example for default configuration to access HTTP port: + ## opensearch-master-http-client: "true" + ## Example for default configuration to access transport port: + ## opensearch-master-transport-client: "true" + + http: + enabled: false + +# Deprecated +# please use the above podSecurityContext.fsGroup instead +fsGroup: "" + +## Set optimal sysctl's. This requires privilege. Can be disabled if +## the system has already been preconfigured. (Ex: https://www.elastic.co/guide/en/elasticsearch/reference/current/vm-max-map-count.html) +## Also see: https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ +sysctl: + enabled: false + +## Enable to add 3rd Party / Custom plugins not offered in the default OpenSearch image. +plugins: + enabled: false + installList: [] + # - example-fake-plugin diff --git a/charts/opensearch/ci/ci-values.yaml b/charts/opensearch/ci/ci-values.yaml index 53ca9232..e58af71c 100755 --- a/charts/opensearch/ci/ci-values.yaml +++ b/charts/opensearch/ci/ci-values.yaml @@ -2,8 +2,12 @@ clusterName: "opensearch-cluster" nodeGroup: "master" +# The service that non master groups will try to connect to when joining the cluster +# This should be set to clusterName + "-" + nodeGroup for your master group masterService: "opensearch-cluster-master" +# OpenSearch roles that will be applied to this nodeGroup +# These will be set as environment variables. E.g. node.master=true roles: master: "true" ingest: "true" 
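Review bot: ci-rbac-enabled-values.yaml reproduces the chart's full default values rather than only the override it exists to test, so the one setting that matters, `rbac.create: true` under `rbac:` in this hunk, is buried in roughly 380 lines that will drift from values.yaml without anyone noticing. Helm layers a `--values` file over the chart's own defaults, so a CI file reduced to `rbac:` / `  create: true` (plus any keys that genuinely differ from the defaults, with a one-line comment saying why) would exercise the same template path and be reviewable at a glance. The diffstat also records the file as `create mode 100755`; a values file has no reason to carry the executable bit. Separately, the commit message and CHANGELOG describe a `labels:` fix in role.yaml, yet no template file appears in this patch's diffstat, so as shown the RBAC-enabled CI run targets a role.yaml this commit does not change — presumably that fix landed elsewhere, but it is worth confirming before treating this job as the regression test for Issue #105.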
@@ -13,13 +17,32 @@ roles: replicas: 1 minimumMasterNodes: 1 +# if not set, falls back to parsing .Values.imageTag, then .Chart.appVersion. majorVersion: "" +global: + # Set if you want to change the default docker registry, e.g. a private one. + dockerRegistry: "" + +# Allows you to add any config files in {{ .Values.opensearchHome }}/config opensearchHome: /usr/share/opensearch +# such as opensearch.yml and log4j2.properties config: opensearch.yml: cluster.name: opensearch-cluster + + # Bind to all interfaces because we don't know what IP address Docker will assign to us. network.host: 0.0.0.0 + + # # minimum_master_nodes need to be explicitly set when bound on a public IP + # # set to 1 to allow single node clusters + # discovery.zen.minimum_master_nodes: 1 + + # Setting network.host to a non-loopback address enables the annoying bootstrap checks. "Single-node" mode disables them again. + # discovery.type: single-node + + # Start OpenSearch Security Demo Configuration + # WARNING: revise all the lines below before you go into production plugins: security: ssl: 
@@ -58,19 +81,43 @@ config: ".opendistro-notebooks", ".opendistro-asynchronous-search-response*", ] + ######## End OpenSearch Security Demo Configuration ######## + # log4j2.properties: +# Extra environment variables to append to this nodeGroup +# This will be appended to the current 'env:' key. You can use any of the kubernetes env +# syntax here extraEnvs: [] +# - name: MY_ENVIRONMENT_VAR +# value: the_value_goes_here + +# Allows you to load environment variables from kubernextes secret or config map envFrom: [] +# - secretRef: +# name: env-secret +# - configMapRef: +# name: config-map + +# A list of secrets and their paths to mount inside the pod +# This is useful for mounting certificates for security and for mounting +# the X-Pack license secretMounts: [] + hostAliases: [] +# - ip: "127.0.0.1" +# hostnames: +# - "foo.local" +# - "bar.local" image: "opensearchproject/opensearch" +# override image tag, which is .Chart.AppVersion by default imageTag: "" imagePullPolicy: "IfNotPresent" podAnnotations: {} + # iam.amazonaws.com/role: es-cluster - +# additionals labels labels: {} opensearchJavaOpts: "-Xmx512M -Xms512M" @@ -81,7 +128,20 @@ resources: memory: "100Mi" initResources: {} + # limits: + # cpu: "25m" + # # memory: "128Mi" + # requests: + # cpu: "25m" + # memory: "128Mi" + sidecarResources: {} + # limits: + # cpu: "25m" + # # memory: "128Mi" + # requests: + # cpu: "25m" + # memory: "128Mi" networkHost: "0.0.0.0" 
@@ -108,29 +168,67 @@ podSecurityPolicy: - configMap - persistentVolumeClaim - emptyDir + persistence: enabled: true labels: + # Add default labels for the volumeClaimTemplate of the StatefulSet enabled: false + # OpenSearch Persistent Volume Storage Class + # If defined, storageClassName: + # If set to "-", storageClassName: "", which disables dynamic provisioning + # If undefined (the default) or set to null, no storageClassName spec is + # set, choosing the default provisioner. (gp2 on AWS, standard on + # GKE, AWS & OpenStack) + # + # storageClass: "-" accessModes: - ReadWriteOnce size: 8Gi annotations: {} + extraVolumes: [] + # - name: extras + # emptyDir: {} + extraVolumeMounts: [] + # - name: extras + # mountPath: /usr/share/extras + # readOnly: true + extraContainers: [] + # - name: do-something + # image: busybox + # command: ['do', 'something'] + extraInitContainers: [] + # - name: do-somethings + # image: busybox + # command: ['do', 'something'] +# This is the PriorityClass settings as defined in +# https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass priorityClassName: "" +# By default this will make sure two pods don't end up on the same node +# Changing this to a region would allow you to spread pods across regions antiAffinityTopologyKey: "kubernetes.io/hostname" +# Hard means that by default pods will only be scheduled if there are enough nodes for them +# and that they will never end up on the same node. Setting this to soft will do this "best effort" antiAffinity: "soft" +# This is the node affinity settings as defined in +# https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#node-affinity-beta-feature nodeAffinity: {} +# The default is to deploy all pods serially. 
By setting this to parallel all pods are started at +# the same time when bootstrapping the cluster podManagementPolicy: "Parallel" +# The environment variables injected by service links are not used, but can lead to slow OpenSearch boot times when +# there are many services in the current namespace. +# If you experience slow pod startups you probably want to set this to `false`. enableServiceLinks: true protocol: http @@ -150,6 +248,10 @@ service: externalTrafficPolicy: "" updateStrategy: RollingUpdate + +# This is the max unavailable setting for the pod disruption budget +# The default value of 1 will make sure that kubernetes won't allow more than 1 +# of your pods to be unavailable during maintenance maxUnavailable: 1 podSecurityContext: @@ -160,6 +262,7 @@ securityContext: capabilities: drop: - ALL + # readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 1000 @@ -172,10 +275,28 @@ securityConfig: rolesSecret: rolesMappingSecret: tenantsSecret: + # The following option simplifies securityConfig by using a single secret and + # specifying the config files as keys in the secret instead of creating + # different secrets for for each config file. + # Note that this is an alternative to the individual secret configuration + # above and shouldn't be used if the above secrets are used. config: - securityConfigSecret: + # There are multiple ways to define the configuration here: + # * If you define anything under data, the chart will automatically create + # a secret and mount it. + # * If you define securityConfigSecret, the chart will assume this secret is + # created externally and mount it. + # * It is an error to define both data and securityConfigSecret. + securityConfigSecret: "" data: {} - + # config.yml: |- + # internal_users.yml: |- + # roles.yml: |- + # roles_mapping.yml: |- + # action_groups.yml: |- + # tenants.yml: |- + +# How long to wait for opensearch to stop gracefully terminationGracePeriod: 120 sysctlVmMaxMapCount: 262144 
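Review bot: In the `@@ -172,10 +275,28 @@ securityConfig:` hunk, `securityConfigSecret:` becomes `securityConfigSecret: ""`, while the sibling keys left as context (`actionGroupsSecret:` through `tenantsSecret:`) keep bare empty values, which YAML reads as null rather than an empty string; the mapping now mixes the two spellings. If the templates only test these values for truthiness, null and `""` behave the same and nothing breaks, but `""` is the unambiguous form and yamllint's `empty-values` rule flags the bare one, so the remaining six keys would benefit from the same `: ""` treatment (or an explicit `null` if that is what is meant). The `securityConfig:` mapping starts before this hunk.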
@@ -186,34 +307,82 @@ readinessProbe: periodSeconds: 10 successThreshold: 3 timeoutSeconds: 2000 + +## Use an alternate scheduler. +## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ +## schedulerName: "" + imagePullSecrets: [] nodeSelector: {} tolerations: [] + +# Enabling this will publically expose your OpenSearch instance. +# Only enable this if you have security enabled on your cluster ingress: enabled: false annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" path: / hosts: - chart-example.local tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + nameOverride: "" fullnameOverride: "" masterTerminationFix: false lifecycle: {} + # preStop: + # exec: + # command: ["/bin/sh", "-c", "echo Hello from the postStart handler > /usr/share/message"] + # postStart: + # exec: + # command: + # - bash + # - -c + # - | + # #!/bin/bash + # # Add a template to adjust number of shards/replicas1 + # TEMPLATE_NAME=my_template + # INDEX_PATTERN="logstash-*" + # SHARD_COUNT=8 + # REPLICA_COUNT=1 + # ES_URL=http://localhost:9200 + # while [[ "$(curl -s -o /dev/null -w '%{http_code}\n' $ES_URL)" != "200" ]]; do sleep 1; done + # curl -XPUT "$ES_URL/_template/$TEMPLATE_NAME" -H 'Content-Type: application/json' -d'{"index_patterns":['\""$INDEX_PATTERN"\"'],"settings":{"number_of_shards":'$SHARD_COUNT',"number_of_replicas":'$REPLICA_COUNT'}}' + keystore: [] networkPolicy: + ## Enable creation of NetworkPolicy resources. Only Ingress traffic is filtered for now. + ## In order for a Pod to access OpenSearch, it needs to have the following label: + ## {{ template "uname" . 
}}-client: "true" + ## Example for default configuration to access HTTP port: + ## opensearch-master-http-client: "true" + ## Example for default configuration to access transport port: + ## opensearch-master-transport-client: "true" + http: enabled: false + +# Deprecated +# please use the above podSecurityContext.fsGroup instead fsGroup: "" + +## Set optimal sysctl's. This requires privilege. Can be disabled if +## the system has already been preconfigured. (Ex: https://www.elastic.co/guide/en/elasticsearch/reference/current/vm-max-map-count.html) +## Also see: https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ sysctl: enabled: false - +## Enable to add 3rd Party / Custom plugins not offered in the default OpenSearch image. plugins: - enabled: true - installList: - - https://github.com/aparo/opensearch-prometheus-exporter/releases/download/1.0.0/prometheus-exporter-1.0.0.zip + enabled: false + installList: [] + # - example-fake-plugin
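Review bot: The tail of this hunk removes the only plugin-install exercise CI had: `plugins.enabled: true` with the `prometheus-exporter-1.0.0.zip` entry in `installList` becomes `enabled: false` / `installList: []`, and the new ci-rbac-enabled-values.yaml also carries `plugins.enabled: false`, so after this commit no CI values file drives the `plugins.installList` path at all. None of the commit's bullet points mention dropping that coverage, so it reads as a side effect of copying values.yaml into the CI file rather than a decision. If the third-party download was the motivation (the removed entry fetches an archive from another project's GitHub release at install time), say so in the commit message or CHANGELOG; otherwise keep `plugins.enabled: true` with the previous `installList` in ci-values.yaml so whatever the templates do with `installList` stays tested.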