Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[BUG][Opensearch] Invalid volume permissions plus securityConfigSecrets #8

Closed
alborotogarcia opened this issue Sep 8, 2021 · 1 comment · Fixed by #9
Closed

[BUG][Opensearch] Invalid volume permissions plus securityConfigSecrets #8

alborotogarcia opened this issue Sep 8, 2021 · 1 comment · Fixed by #9
Labels
bug Something isn't working

Comments

@alborotogarcia
Copy link
Contributor

alborotogarcia commented Sep 8, 2021
edited
Loading

Describe the bug
A clear and concise description of what the bug is.
Failed to mount multiple secrets at once from securityConfigSecrets.config.data plus volume permissions
To Reproduce
Steps to reproduce the behavior:

  1. Having set
  enabled: true
  path: "/usr/share/opensearch/plugins/opensearch-security/securityconfig"
  actionGroupsSecret:
  configSecret:
  internalUsersSecret:
  rolesSecret:
  rolesMappingSecret:
  tenantsSecret:
  #The following option simplifies securityConfig by using a single secret and specifying the respective secrets in the corresponding files instead of creating different secrets for config,internal users, roles, roles mapping and tenants
  #Note that this is an alternative to the above secrets and shouldn't be used if the above secrets are used
  config:
    securityConfigSecret: mysecret
    data:
         config.yml: |-

Returns the following:

helm.go:88: [debug] error converting YAML to JSON: yaml: invalid map key: map[interface {}]interface {}{".Chart.Name":interface {}(nil)}```

After applying a few fixes at opensearch/templates/securityconfig.yaml

It shows the following:
```opensearch-cluster-master-1 opensearch [2021-09-08T05:44:38,943][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-1] loaded plugin [opensearch-sql]
opensearch-cluster-master-1 opensearch [2021-09-08T05:44:39,058][INFO ][o.o.s.OpenSearchSecurityPlugin] [opensearch-cluster-master-1] Disabled https compression by default to mitigate BREACH attacks. You can enable it by setting 'http.compression: true' in opensearch.yml
opensearch-cluster-master-1 opensearch [2021-09-08T05:44:39,613][ERROR][o.o.b.OpenSearchUncaughtExceptionHandler] [opensearch-cluster-master-1] uncaught exception in thread [main]
opensearch-cluster-master-1 opensearch org.opensearch.bootstrap.StartupException: OpenSearchException[failed to bind service]; nested: AccessDeniedException[/usr/share/opensearch/data/nodes];

Due to fsgroup permissions..

Expected behavior
A clear and concise description of what you expected to happen.

Chart Name
Specify the Chart which is affected?
Opensearch
Screenshots
If applicable, add screenshots to help explain your problem.

Host/Environment (please complete the following information):

  • Helm Version: [e.g. 3.x.x]
  • Kubernetes Version: [e.g. 1.16.x]

Additional context
Add any other context about the problem here.
@alborotogarcia alborotogarcia added bug Something isn't working untriaged Issues that have not yet been triaged labels Sep 8, 2021
@alborotogarcia alborotogarcia mentioned this issue Sep 8, 2021
Merged
1 task
@peterzhuamazon
Copy link
Member

@TheAlgo @smlx any idea on this issue here? Thanks.

@peterzhuamazon peterzhuamazon removed the untriaged Issues that have not yet been triaged label Sep 10, 2021
@peterzhuamazon peterzhuamazon linked a pull request Sep 16, 2021 that will close this issue
fix securityConfigSecrets.config.data secrets mount plus permissions #9
Merged
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix securityConfigSecrets.config.data secrets mount plus permissions alborotogarcia/helm-charts
2 participants
@alborotogarcia @peterzhuamazon