From 6a8bf14e9ca9ea59280e971fc5fad38c05cccfd3 Mon Sep 17 00:00:00 2001 From: Michael Primeaux Date: Fri, 26 Nov 2021 11:11:24 -0600 Subject: [PATCH 1/2] Added support for the `ingressClassName` field. The `kubernetes.io/ingress.class` annotation was deprecated in Kubernetes 1.18. Signed-off-by: Michael Primeaux --- charts/opensearch-dashboards/CHANGELOG.md | 17 +- charts/opensearch-dashboards/Chart.yaml | 2 +- .../templates/_helpers.tpl | 26 ++ .../templates/ingress.yaml | 5 + charts/opensearch-dashboards/values.yaml | 3 + charts/opensearch/CHANGELOG.md | 22 +- charts/opensearch/Chart.yaml | 2 +- .../ci/ci-ingress-class-name-values.yaml | 412 ++++++++++++++++++ .../opensearch/ci/ci-rbac-enabled-values.yaml | 28 +- charts/opensearch/ci/ci-values.yaml | 28 +- charts/opensearch/templates/_helpers.tpl | 26 ++ charts/opensearch/templates/ingress.yaml | 5 + charts/opensearch/values.yaml | 4 + 13 files changed, 572 insertions(+), 8 deletions(-) create mode 100644 charts/opensearch/ci/ci-ingress-class-name-values.yaml diff --git a/charts/opensearch-dashboards/CHANGELOG.md b/charts/opensearch-dashboards/CHANGELOG.md index bf7fae2b..c4cbdad9 100644 --- a/charts/opensearch-dashboards/CHANGELOG.md +++ b/charts/opensearch-dashboards/CHANGELOG.md @@ -12,6 +12,17 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Removed ### Fixed ### Security + +--- +## [1.1.0] +### Added +- Added support for the `ingressClassName` field in the `Ingress` resource. This field is used to specify the Ingress class that should be used for the Ingress. Supported in Kubernetes 1.18 and greater as per [this](https://kubernetes.io/docs/concepts/services-networking/ingress/#deprecated-annotation) notice. +### Changed +### Deprecated +### Removed +### Fixed +### Security + --- ## [1.0.8] ### Added @@ -21,6 +32,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Removed ### Fixed ### Security + --- ## [1.0.7] ### Added 
@@ -75,7 +87,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Fixed ### Security -[Unreleased]: https://github.com/opensearch-project/helm-charts/compare/opensearch-dashboards-1.0.6...HEAD +[Unreleased]: https://github.com/opensearch-project/helm-charts/compare/opensearch-dashboards-1.1.0...HEAD +[1.1.0]: https://github.com/opensearch-project/helm-charts/compare/opensearch-1.0.8...opensearch-1.1.0 +[1.0.8]: https://github.com/opensearch-project/helm-charts/compare/opensearch-1.0.7...opensearch-1.0.8 +[1.0.7]: https://github.com/opensearch-project/helm-charts/compare/opensearch-1.0.6...opensearch-1.0.7 [1.0.6]: https://github.com/opensearch-project/helm-charts/compare/opensearch-1.0.5...opensearch-1.0.6 [1.0.5]: https://github.com/opensearch-project/helm-charts/compare/opensearch-1.0.4...opensearch-1.0.5 [1.0.4]: https://github.com/opensearch-project/helm-charts/compare/opensearch-1.0.2...opensearch-1.0.4 diff --git a/charts/opensearch-dashboards/Chart.yaml b/charts/opensearch-dashboards/Chart.yaml index 6f18754a..85147e5a 100644 --- a/charts/opensearch-dashboards/Chart.yaml +++ b/charts/opensearch-dashboards/Chart.yaml @@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 1.0.8 +version: 1.1.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/charts/opensearch-dashboards/templates/_helpers.tpl b/charts/opensearch-dashboards/templates/_helpers.tpl index ba299c00..6c4b60ba 100644 --- a/charts/opensearch-dashboards/templates/_helpers.tpl +++ b/charts/opensearch-dashboards/templates/_helpers.tpl 
@@ -60,3 +60,29 @@ Create the name of the service account to use {{- default "default" .Values.serviceAccount.name }} {{- end }} {{- end }} + +{{/* +Return the appropriate apiVersion for ingress. +*/}} +{{- define "opensearch-dashboards.ingress.apiVersion" -}} + {{- if and (.Capabilities.APIVersions.Has "networking.k8s.io/v1") (semverCompare ">= 1.19-0" .Capabilities.KubeVersion.Version) -}} + {{- print "networking.k8s.io/v1" -}} + {{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" -}} + {{- print "networking.k8s.io/v1beta1" -}} + {{- else -}} + {{- print "extensions/v1beta1" -}} + {{- end -}} +{{- end -}} + +{{/* +Return if ingress is stable. +*/}} +{{- define "opensearch-dashboards.ingress.isStable" -}} + {{- eq (include "opensearch-dashboards.ingress.apiVersion" .) "networking.k8s.io/v1" -}} +{{- end -}} +{{/* +Return if ingress supports ingressClassName. +*/}} +{{- define "opensearch-dashboards.ingress.supportsIngressClassName" -}} + {{- or (eq (include "opensearch-dashboards.ingress.isStable" .) "true") (and (eq (include "opensearch-dashboards.ingress.apiVersion" .) "networking.k8s.io/v1beta1") (semverCompare ">= 1.18-0" .Capabilities.KubeVersion.Version)) -}} +{{- end -}} diff --git a/charts/opensearch-dashboards/templates/ingress.yaml b/charts/opensearch-dashboards/templates/ingress.yaml index 843700e8..ebdd74c7 100644 --- a/charts/opensearch-dashboards/templates/ingress.yaml +++ b/charts/opensearch-dashboards/templates/ingress.yaml @@ -1,5 +1,7 @@ {{- if .Values.ingress.enabled -}} {{- $fullName := include "opensearch-dashboards.fullname" . -}} +{{- $ingressApiIsStable := eq (include "opensearch-dashboards.ingress.isStable" .) "true" -}} +{{- $ingressSupportsIngressClassName := eq (include "opensearch-dashboards.ingress.supportsIngressClassName" .) "true" -}} {{- $svcPort := .Values.service.port -}} {{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}} apiVersion: networking.k8s.io/v1 
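Review bot: `opensearch-dashboards.ingress.isStable` and `opensearch-dashboards.ingress.supportsIngressClassName` return the text `true` or `false`, not a boolean, because `include` always yields a string, and neither doc comment says so. A later caller that writes `if (include "…supportsIngressClassName" .)` would always take the true branch, since the non-empty string `false` is truthy in Go templates. I would extend both comments with something like `Returns the string "true" or "false"; compare with eq, never use directly in if.` The third `{{/*` comment also follows the previous `{{- end -}}` without the blank line used between the other helpers. The same applies to the `opensearch.ingress.*` helpers added in charts/opensearch/templates/_helpers.tpl.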
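Review bot: `$ingressApiIsStable` is assigned at the top of the template but nothing in the hunks shown reads it, and the `apiVersion:` line right below still decides with its own `semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion` rather than the new `opensearch-dashboards.ingress.apiVersion` helper. That leaves two independent version checks (the helper additionally requires `.Capabilities.APIVersions.Has` and reads `.KubeVersion.Version`), which can drift apart over time. Either drop the unused variable or render `apiVersion: {{ include "opensearch-dashboards.ingress.apiVersion" . }}`, provided the rest of the template, which is outside this hunk, branches on the same result. charts/opensearch/templates/ingress.yaml has the same pattern.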
@@ -18,6 +20,9 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} spec: + {{- if and $ingressSupportsIngressClassName .Values.ingress.ingressClassName }} + ingressClassName: {{ .Values.ingress.ingressClassName }} + {{- end -}} {{- if .Values.ingress.tls }} tls: {{- range .Values.ingress.tls }} diff --git a/charts/opensearch-dashboards/values.yaml b/charts/opensearch-dashboards/values.yaml index 175d87b3..1e17d441 100644 --- a/charts/opensearch-dashboards/values.yaml +++ b/charts/opensearch-dashboards/values.yaml @@ -116,6 +116,9 @@ service: ingress: enabled: false + # For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName + # See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress + # ingressClassName: nginx annotations: {} # kubernetes.io/ingress.class: nginx diff --git a/charts/opensearch/CHANGELOG.md b/charts/opensearch/CHANGELOG.md index d808ac4f..32b3be3d 100644 --- a/charts/opensearch/CHANGELOG.md +++ b/charts/opensearch/CHANGELOG.md @@ -12,6 +12,16 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Removed ### Fixed ### Security +--- +## [1.5.0] +### Added +- Added support for the `ingressClassName` field in the `Ingress` resource. This field is used to specify the Ingress class that should be used for the Ingress. Supported in Kubernetes 1.18 and greater as per [this](https://kubernetes.io/docs/concepts/services-networking/ingress/#deprecated-annotation) notice. +### Changed +### Deprecated +### Removed +### Fixed +### Security + --- ## [1.4.3] ### Added @@ -21,6 +31,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Fixed - Fixed links to values.yaml in README.md. ### Security + --- ## [1.4.2] ### Added 
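Review bot: `ingressClassName: {{ .Values.ingress.ingressClassName }}` renders the value unquoted, so a value such as `123` or `true` reaches the API server as a non-string and the Ingress is rejected, and a value containing a newline or `: ` would alter the structure of `spec` instead of staying a scalar. Quote it at the point of use: `ingressClassName: {{ .Values.ingress.ingressClassName | quote }}`. The closing `{{- end -}}` also trims whitespace to its right; it renders correctly only because the next line begins with `{{-`, so `{{- end }}` is the less fragile form. The same lines are added in charts/opensearch/templates/ingress.yaml.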
@@ -197,7 +208,16 @@ config: ### Fixed ### Security -[Unreleased]: https://github.com/opensearch-project/helm-charts/compare/opensearch-1.2.2...HEAD +[Unreleased]: https://github.com/opensearch-project/helm-charts/compare/opensearch-1.5.0...HEAD +[1.5.0]: https://github.com/opensearch-project/helm-charts/compare/opensearch-1.4.3...opensearch-1.5.0 +[1.4.3]: https://github.com/opensearch-project/helm-charts/compare/opensearch-1.4.2...opensearch-1.4.3 +[1.4.2]: https://github.com/opensearch-project/helm-charts/compare/opensearch-1.4.1...opensearch-1.4.2 +[1.4.1]: https://github.com/opensearch-project/helm-charts/compare/opensearch-1.4.0...opensearch-1.4.1 +[1.4.0]: https://github.com/opensearch-project/helm-charts/compare/opensearch-1.3.1...opensearch-1.4.0 +[1.3.1]: https://github.com/opensearch-project/helm-charts/compare/opensearch-1.3.0...opensearch-1.3.1 +[1.3.0]: https://github.com/opensearch-project/helm-charts/compare/opensearch-1.2.4...opensearch-1.3.0 +[1.2.4]: https://github.com/opensearch-project/helm-charts/compare/opensearch-1.2.3...opensearch-1.2.4 +[1.2.3]: https://github.com/opensearch-project/helm-charts/compare/opensearch-1.2.2...opensearch-1.2.3 [1.2.2]: https://github.com/opensearch-project/helm-charts/compare/opensearch-1.2.1...opensearch-1.2.2 [1.2.1]: https://github.com/opensearch-project/helm-charts/compare/opensearch-1.2.0...opensearch-1.2.1 [1.2.0]: https://github.com/opensearch-project/helm-charts/compare/opensearch-1.1.0...opensearch-1.2.0 diff --git a/charts/opensearch/Chart.yaml b/charts/opensearch/Chart.yaml index 8e99c578..67fa47a1 100644 --- a/charts/opensearch/Chart.yaml +++ b/charts/opensearch/Chart.yaml 
@@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 1.4.3 +version: 1.5.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/charts/opensearch/ci/ci-ingress-class-name-values.yaml b/charts/opensearch/ci/ci-ingress-class-name-values.yaml new file mode 100644 index 00000000..e8e8aef4 --- /dev/null +++ b/charts/opensearch/ci/ci-ingress-class-name-values.yaml 
@@ -0,0 +1,412 @@ +--- +clusterName: "opensearch-cluster" +nodeGroup: "master" + +# The service that non master groups will try to connect to when joining the cluster +# This should be set to clusterName + "-" + nodeGroup for your master group +masterService: "opensearch-cluster-master" + +# OpenSearch roles that will be applied to this nodeGroup +# These will be set as environment variable "node.roles". E.g. node.roles=master,ingest,data,remote_cluster_client +roles: + - master + - ingest + - data + - remote_cluster_client + +replicas: 1 +minimumMasterNodes: 1 + +# if not set, falls back to parsing .Values.imageTag, then .Chart.appVersion. +majorVersion: "" + +global: + # Set if you want to change the default docker registry, e.g. a private one. + dockerRegistry: "" + +# Allows you to add any config files in {{ .Values.opensearchHome }}/config +opensearchHome: /usr/share/opensearch +# such as opensearch.yml and log4j2.properties +config: + # Values must be YAML literal style scalar / YAML multiline string. + # : | + # + # log4j2.properties: | + # status = error + # + # appender.console.type = Console + # appender.console.name = console + # appender.console.layout.type = PatternLayout + # appender.console.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] [%node_name]%marker %m%n + # + # rootLogger.level = info + # rootLogger.appenderRef.console.ref = console + opensearch.yml: | + cluster.name: opensearch-cluster + + # Bind to all interfaces because we don't know what IP address Docker will assign to us. + network.host: 0.0.0.0 + + # # minimum_master_nodes need to be explicitly set when bound on a public IP + # # set to 1 to allow single node clusters + # discovery.zen.minimum_master_nodes: 1 + + # Setting network.host to a non-loopback address enables the annoying bootstrap checks. "Single-node" mode disables them again. 
+ # discovery.type: single-node + + # Start OpenSearch Security Demo Configuration + # WARNING: revise all the lines below before you go into production + plugins: + security: + ssl: + transport: + pemcert_filepath: esnode.pem + pemkey_filepath: esnode-key.pem + pemtrustedcas_filepath: root-ca.pem + enforce_hostname_verification: false + http: + enabled: true + pemcert_filepath: esnode.pem + pemkey_filepath: esnode-key.pem + pemtrustedcas_filepath: root-ca.pem + allow_unsafe_democertificates: true + allow_default_init_securityindex: true + authcz: + admin_dn: + - CN=kirk,OU=client,O=client,L=test,C=de + audit.type: internal_opensearch + enable_snapshot_restore_privilege: true + check_snapshot_restore_write_privileges: true + restapi: + roles_enabled: ["all_access", "security_rest_api_access"] + system_indices: + enabled: true + indices: + [ + ".opendistro-alerting-config", + ".opendistro-alerting-alert*", + ".opendistro-anomaly-results*", + ".opendistro-anomaly-detector*", + ".opendistro-anomaly-checkpoints", + ".opendistro-anomaly-detection-state", + ".opendistro-reports-*", + ".opendistro-notifications-*", + ".opendistro-notebooks", + ".opendistro-asynchronous-search-response*", + ] + ######## End OpenSearch Security Demo Configuration ######## + # log4j2.properties: + +# Extra environment variables to append to this nodeGroup +# This will be appended to the current 'env:' key. 
You can use any of the kubernetes env +# syntax here +extraEnvs: [] +# - name: MY_ENVIRONMENT_VAR +# value: the_value_goes_here + +# Allows you to load environment variables from kubernextes secret or config map +envFrom: [] +# - secretRef: +# name: env-secret +# - configMapRef: +# name: config-map + +# A list of secrets and their paths to mount inside the pod +# This is useful for mounting certificates for security and for mounting +# the X-Pack license +secretMounts: [] + +hostAliases: [] +# - ip: "127.0.0.1" +# hostnames: +# - "foo.local" +# - "bar.local" + +image: "opensearchproject/opensearch" +# override image tag, which is .Chart.AppVersion by default +imageTag: "" +imagePullPolicy: "IfNotPresent" + +podAnnotations: {} + # iam.amazonaws.com/role: es-cluster + +# additionals labels +labels: {} + +opensearchJavaOpts: "-Xmx512M -Xms512M" + +resources: + requests: + cpu: "1000m" + memory: "100Mi" + +initResources: {} + # limits: + # cpu: "25m" + # # memory: "128Mi" + # requests: + # cpu: "25m" + # memory: "128Mi" + +sidecarResources: {} + # limits: + # cpu: "25m" + # # memory: "128Mi" + # requests: + # cpu: "25m" + # memory: "128Mi" + +networkHost: "0.0.0.0" + +rbac: + create: false + serviceAccountAnnotations: {} + serviceAccountName: "" + +podSecurityPolicy: + create: false + name: "" + spec: + privileged: true + fsGroup: + rule: RunAsAny + runAsUser: + rule: RunAsAny + seLinux: + rule: RunAsAny + supplementalGroups: + rule: RunAsAny + volumes: + - secret + - configMap + - persistentVolumeClaim + - emptyDir + +persistence: + enabled: true + # Set to false to disable the `fsgroup-volume` initContainer that will update permissions on the persistent disk. 
+ enableInitChown: true + # override image, which is busybox by default + # image: busybox + # override image tag, which is latest by default + # imageTag: + labels: + # Add default labels for the volumeClaimTemplate of the StatefulSet + enabled: false + # OpenSearch Persistent Volume Storage Class + # If defined, storageClassName: + # If set to "-", storageClassName: "", which disables dynamic provisioning + # If undefined (the default) or set to null, no storageClassName spec is + # set, choosing the default provisioner. (gp2 on AWS, standard on + # GKE, AWS & OpenStack) + # + # storageClass: "-" + accessModes: + - ReadWriteOnce + size: 8Gi + annotations: {} + +extraVolumes: [] + # - name: extras + # emptyDir: {} + +extraVolumeMounts: [] + # - name: extras + # mountPath: /usr/share/extras + # readOnly: true + +extraContainers: [] + # - name: do-something + # image: busybox + # command: ['do', 'something'] + +extraInitContainers: [] + # - name: do-somethings + # image: busybox + # command: ['do', 'something'] + +# This is the PriorityClass settings as defined in +# https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass +priorityClassName: "" + +# By default this will make sure two pods don't end up on the same node +# Changing this to a region would allow you to spread pods across regions +antiAffinityTopologyKey: "kubernetes.io/hostname" + +# Hard means that by default pods will only be scheduled if there are enough nodes for them +# and that they will never end up on the same node. Setting this to soft will do this "best effort" +antiAffinity: "soft" + +# This is the node affinity settings as defined in +# https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#node-affinity-beta-feature +nodeAffinity: {} + +# The default is to deploy all pods serially. 
By setting this to parallel all pods are started at +# the same time when bootstrapping the cluster +podManagementPolicy: "Parallel" + +# The environment variables injected by service links are not used, but can lead to slow OpenSearch boot times when +# there are many services in the current namespace. +# If you experience slow pod startups you probably want to set this to `false`. +enableServiceLinks: true + +protocol: http +httpPort: 9200 +transportPort: 9300 + +service: + labels: {} + labelsHeadless: {} + type: ClusterIP + nodePort: "" + annotations: {} + httpPortName: http + transportPortName: transport + loadBalancerIP: "" + loadBalancerSourceRanges: [] + externalTrafficPolicy: "" + +updateStrategy: RollingUpdate + +# This is the max unavailable setting for the pod disruption budget +# The default value of 1 will make sure that kubernetes won't allow more than 1 +# of your pods to be unavailable during maintenance +maxUnavailable: 1 + +podSecurityContext: + fsGroup: 1000 + runAsUser: 1000 + +securityContext: + capabilities: + drop: + - ALL + # readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + +securityConfig: + enabled: true + path: "/usr/share/opensearch/plugins/opensearch-security/securityconfig" + actionGroupsSecret: + configSecret: + internalUsersSecret: + rolesSecret: + rolesMappingSecret: + tenantsSecret: + # The following option simplifies securityConfig by using a single secret and + # specifying the config files as keys in the secret instead of creating + # different secrets for for each config file. + # Note that this is an alternative to the individual secret configuration + # above and shouldn't be used if the above secrets are used. + config: + # There are multiple ways to define the configuration here: + # * If you define anything under data, the chart will automatically create + # a secret and mount it. + # * If you define securityConfigSecret, the chart will assume this secret is + # created externally and mount it. 
+ # * It is an error to define both data and securityConfigSecret. + securityConfigSecret: "" + data: {} + # config.yml: |- + # internal_users.yml: |- + # roles.yml: |- + # roles_mapping.yml: |- + # action_groups.yml: |- + # tenants.yml: |- + +# How long to wait for opensearch to stop gracefully +terminationGracePeriod: 120 + +sysctlVmMaxMapCount: 262144 + +readinessProbe: + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 3 + timeoutSeconds: 2000 + +## Use an alternate scheduler. +## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ +## +schedulerName: "" + +imagePullSecrets: [] +nodeSelector: {} +tolerations: [] + +# Enabling this will publically expose your OpenSearch instance. +# Only enable this if you have security enabled on your cluster +ingress: + enabled: true + + # For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName + # See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress + ingressClassName: nginx + + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + path: / + hosts: + - chart-example.local + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + +nameOverride: "" +fullnameOverride: "" + +masterTerminationFix: false + +lifecycle: {} + # preStop: + # exec: + # command: ["/bin/sh", "-c", "echo Hello from the postStart handler > /usr/share/message"] + # postStart: + # exec: + # command: + # - bash + # - -c + # - | + # #!/bin/bash + # # Add a template to adjust number of shards/replicas1 + # TEMPLATE_NAME=my_template + # INDEX_PATTERN="logstash-*" + # SHARD_COUNT=8 + # REPLICA_COUNT=1 + # ES_URL=http://localhost:9200 + # while [[ "$(curl -s -o /dev/null -w '%{http_code}\n' $ES_URL)" != "200" ]]; do sleep 1; done + # curl -XPUT "$ES_URL/_template/$TEMPLATE_NAME" -H 'Content-Type: application/json' 
-d'{"index_patterns":['\""$INDEX_PATTERN"\"'],"settings":{"number_of_shards":'$SHARD_COUNT',"number_of_replicas":'$REPLICA_COUNT'}}' + +keystore: [] + +networkPolicy: + ## Enable creation of NetworkPolicy resources. Only Ingress traffic is filtered for now. + ## In order for a Pod to access OpenSearch, it needs to have the following label: + ## {{ template "uname" . }}-client: "true" + ## Example for default configuration to access HTTP port: + ## opensearch-master-http-client: "true" + ## Example for default configuration to access transport port: + ## opensearch-master-transport-client: "true" + + http: + enabled: false + +# Deprecated +# please use the above podSecurityContext.fsGroup instead +fsGroup: "" + +## Set optimal sysctl's. This requires privilege. Can be disabled if +## the system has already been preconfigured. (Ex: https://www.elastic.co/guide/en/elasticsearch/reference/current/vm-max-map-count.html) +## Also see: https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ +sysctl: + enabled: false + +## Enable to add 3rd Party / Custom plugins not offered in the default OpenSearch image. +plugins: + enabled: false + installList: [] + # - example-fake-plugin diff --git a/charts/opensearch/ci/ci-rbac-enabled-values.yaml b/charts/opensearch/ci/ci-rbac-enabled-values.yaml index a41a8c6a..43e48d51 100755 --- a/charts/opensearch/ci/ci-rbac-enabled-values.yaml +++ b/charts/opensearch/ci/ci-rbac-enabled-values.yaml @@ -7,7 +7,7 @@ nodeGroup: "master" masterService: "opensearch-cluster-master" # OpenSearch roles that will be applied to this nodeGroup -# These will be set as environment variables. E.g. node.master=true +# These will be set as environment variable "node.roles". E.g. node.roles=master,ingest,data,remote_cluster_client roles: - master - ingest 
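Review bot: `ingress.enabled: true` is combined in this file with the demo security block (`allow_unsafe_democertificates: true`, `enforce_hostname_verification: false`, the demo `admin_dn`) and `protocol: http`, which is the exposure the file's own comments warn about ("WARNING: revise all the lines below before you go into production", "Only enable this if you have security enabled on your cluster"). That is fine for a throwaway CI cluster, but the file reads like a complete, reusable values file, so a header comment marking it as a fixture would help, e.g. `# CI fixture only: demo certificates with ingress enabled; do not deploy`. Since a values file is merged over the chart's values.yaml, the fixture could probably be reduced to the `ingress:` overrides rather than a 412-line copy that has to be kept in sync with the defaults.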
@@ -28,6 +28,19 @@ global: opensearchHome: /usr/share/opensearch # such as opensearch.yml and log4j2.properties config: + # Values must be YAML literal style scalar / YAML multiline string. + # : | + # + # log4j2.properties: | + # status = error + # + # appender.console.type = Console + # appender.console.name = console + # appender.console.layout.type = PatternLayout + # appender.console.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] [%node_name]%marker %m%n + # + # rootLogger.level = info + # rootLogger.appenderRef.console.ref = console opensearch.yml: | cluster.name: opensearch-cluster @@ -60,7 +73,7 @@ config: allow_default_init_securityindex: true authcz: admin_dn: - - CN=kirk,OU=client,O=client,L=test, C=de + - CN=kirk,OU=client,O=client,L=test,C=de audit.type: internal_opensearch enable_snapshot_restore_privilege: true check_snapshot_restore_write_privileges: true @@ -171,6 +184,12 @@ podSecurityPolicy: persistence: enabled: true + # Set to false to disable the `fsgroup-volume` initContainer that will update permissions on the persistent disk. + enableInitChown: true + # override image, which is busybox by default + # image: busybox + # override image tag, which is latest by default + # imageTag: labels: # Add default labels for the volumeClaimTemplate of the StatefulSet enabled: false @@ -321,6 +340,11 @@ tolerations: [] # Only enable this if you have security enabled on your cluster ingress: enabled: false + + # For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName + # See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress + ingressClassName: nginx + annotations: {} # kubernetes.io/ingress.class: nginx # kubernetes.io/tls-acme: "true" diff --git a/charts/opensearch/ci/ci-values.yaml b/charts/opensearch/ci/ci-values.yaml index b4b39c62..84787d15 100755 --- a/charts/opensearch/ci/ci-values.yaml +++ b/charts/opensearch/ci/ci-values.yaml 
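Review bot: The `admin_dn` entry changes from `L=test, C=de` to `L=test,C=de`, which edits an identity string used for admin authorization and is not mentioned in the commit message or the changelog entry. Presumably the security plugin normalizes whitespace when it compares DNs, in which case this is cosmetic, but that should be confirmed against the demo certificate's subject and noted, e.g. with a comment `# must match the subject DN of the admin client certificate`. The same edit appears in charts/opensearch/ci/ci-values.yaml.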
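Review bot: `ingressClassName: nginx` is set here while `ingress.enabled` stays `false`, so the value is presumably never rendered (the dashboards template gates the whole resource on `.Values.ingress.enabled`; the first line of the opensearch template is outside the hunks shown). charts/opensearch/values.yaml keeps the same key commented out as `# ingressClassName: nginx`, and doing the same here would keep the fixtures consistent and avoid implying the class is exercised by this CI run. charts/opensearch/ci/ci-values.yaml has the same addition.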
@@ -7,7 +7,7 @@ nodeGroup: "master" masterService: "opensearch-cluster-master" # OpenSearch roles that will be applied to this nodeGroup -# These will be set as environment variables. E.g. node.master=true +# These will be set as environment variable "node.roles". E.g. node.roles=master,ingest,data,remote_cluster_client roles: - master - ingest @@ -28,6 +28,19 @@ global: opensearchHome: /usr/share/opensearch # such as opensearch.yml and log4j2.properties config: + # Values must be YAML literal style scalar / YAML multiline string. + # : | + # + # log4j2.properties: | + # status = error + # + # appender.console.type = Console + # appender.console.name = console + # appender.console.layout.type = PatternLayout + # appender.console.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] [%node_name]%marker %m%n + # + # rootLogger.level = info + # rootLogger.appenderRef.console.ref = console opensearch.yml: | cluster.name: opensearch-cluster @@ -60,7 +73,7 @@ config: allow_default_init_securityindex: true authcz: admin_dn: - - CN=kirk,OU=client,O=client,L=test, C=de + - CN=kirk,OU=client,O=client,L=test,C=de audit.type: internal_opensearch enable_snapshot_restore_privilege: true check_snapshot_restore_write_privileges: true @@ -171,6 +184,12 @@ podSecurityPolicy: persistence: enabled: true + # Set to false to disable the `fsgroup-volume` initContainer that will update permissions on the persistent disk. + enableInitChown: true + # override image, which is busybox by default + # image: busybox + # override image tag, which is latest by default + # imageTag: labels: # Add default labels for the volumeClaimTemplate of the StatefulSet enabled: false 
@@ -321,6 +340,11 @@ tolerations: [] # Only enable this if you have security enabled on your cluster ingress: enabled: false + + # For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName + # See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress + ingressClassName: nginx + annotations: {} # kubernetes.io/ingress.class: nginx # kubernetes.io/tls-acme: "true" diff --git a/charts/opensearch/templates/_helpers.tpl b/charts/opensearch/templates/_helpers.tpl index d1044df2..07274ca9 100755 --- a/charts/opensearch/templates/_helpers.tpl +++ b/charts/opensearch/templates/_helpers.tpl @@ -108,3 +108,29 @@ app.kubernetes.io/instance: {{ .Release.Name }} {{ . }}, {{- end -}} {{- end -}} + +{{/* +Return the appropriate apiVersion for ingress. +*/}} +{{- define "opensearch.ingress.apiVersion" -}} + {{- if and (.Capabilities.APIVersions.Has "networking.k8s.io/v1") (semverCompare ">= 1.19-0" .Capabilities.KubeVersion.Version) -}} + {{- print "networking.k8s.io/v1" -}} + {{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" -}} + {{- print "networking.k8s.io/v1beta1" -}} + {{- else -}} + {{- print "extensions/v1beta1" -}} + {{- end -}} +{{- end -}} + +{{/* +Return if ingress is stable. +*/}} +{{- define "opensearch.ingress.isStable" -}} + {{- eq (include "opensearch.ingress.apiVersion" .) "networking.k8s.io/v1" -}} +{{- end -}} +{{/* +Return if ingress supports ingressClassName. +*/}} +{{- define "opensearch.ingress.supportsIngressClassName" -}} + {{- or (eq (include "opensearch.ingress.isStable" .) "true") (and (eq (include "opensearch.ingress.apiVersion" .) "networking.k8s.io/v1beta1") (semverCompare ">= 1.18-0" .Capabilities.KubeVersion.Version)) -}} +{{- end -}} diff --git a/charts/opensearch/templates/ingress.yaml b/charts/opensearch/templates/ingress.yaml index d90a3ff0..67a12e4b 100644 --- a/charts/opensearch/templates/ingress.yaml 
+++ b/charts/opensearch/templates/ingress.yaml @@ -2,6 +2,8 @@ {{- $fullName := include "opensearch.uname" . -}} {{- $servicePort := .Values.httpPort -}} {{- $ingressPath := .Values.ingress.path -}} +{{- $ingressApiIsStable := eq (include "opensearch.ingress.isStable" .) "true" -}} +{{- $ingressSupportsIngressClassName := eq (include "opensearch.ingress.supportsIngressClassName" .) "true" -}} {{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}} apiVersion: networking.k8s.io/v1 {{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} @@ -19,6 +21,9 @@ metadata: {{ toYaml . | indent 4 }} {{- end }} spec: + {{- if and $ingressSupportsIngressClassName .Values.ingress.ingressClassName }} + ingressClassName: {{ .Values.ingress.ingressClassName }} + {{- end -}} {{- if .Values.ingress.tls }} tls: {{- range .Values.ingress.tls }} diff --git a/charts/opensearch/values.yaml b/charts/opensearch/values.yaml index 940f74b7..25557a51 100644 --- a/charts/opensearch/values.yaml +++ b/charts/opensearch/values.yaml @@ -340,6 +340,10 @@ tolerations: [] # Only enable this if you have security enabled on your cluster ingress: enabled: false + # For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName + # See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress + # ingressClassName: nginx + annotations: {} # kubernetes.io/ingress.class: nginx # kubernetes.io/tls-acme: "true" From 04c14caebe121452282a1e84a2af3e575b39f932 Mon Sep 17 00:00:00 2001 From: Michael Primeaux Date: Fri, 26 Nov 2021 11:20:54 -0600 Subject: [PATCH 2/2] - Fixed trailing spaces as per chart lint rules. Signed-off-by: Michael Primeaux --- charts/opensearch/ci/ci-ingress-class-name-values.yaml | 2 +- charts/opensearch/ci/ci-rbac-enabled-values.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/charts/opensearch/ci/ci-ingress-class-name-values.yaml b/charts/opensearch/ci/ci-ingress-class-name-values.yaml index e8e8aef4..52745b90 100644 --- a/charts/opensearch/ci/ci-ingress-class-name-values.yaml +++ b/charts/opensearch/ci/ci-ingress-class-name-values.yaml @@ -340,7 +340,7 @@ tolerations: [] # Only enable this if you have security enabled on your cluster ingress: enabled: true - + # For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName # See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress ingressClassName: nginx diff --git a/charts/opensearch/ci/ci-rbac-enabled-values.yaml b/charts/opensearch/ci/ci-rbac-enabled-values.yaml index 43e48d51..e775d6e9 100755 --- a/charts/opensearch/ci/ci-rbac-enabled-values.yaml +++ b/charts/opensearch/ci/ci-rbac-enabled-values.yaml @@ -340,7 +340,7 @@ tolerations: [] # Only enable this if you have security enabled on your cluster ingress: enabled: false - + # For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName # See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress ingressClassName: nginx