[BUG] Opensearch operator does not properly append the opensearch.yml file when general.additionalConfig is specified #920
Comments
Hi Team, I am using the OpenSearch Operator 2.7.0. I am also facing a similar issue. Thanks,
This is what I use as well. The problem is that env vars do not seem to have an effect on opensearch config changes, unless maybe you need to set them with a certain prefix. But one thing is for sure: the dashboard config changes are taking effect properly and the yaml file gets updated OK. Logically, the opensearch.yml would also need to get updated the same way.
I have a similar observation. I am trying to enable mTLS client authentication. I am using Operator Chart 2.7.0 and the container images in version 2.16.0. In the CRD of the operator I create Logs from pod securityconfig-update I see errors for:
The content in the generated ConfigMap is: In the generated configuration file of the pod (master) I find: in the (auto-generated) certificate is again to be found: I'm a bit surprised that the "Best practices for OpenSearch security" explicitly recommends client certificate authentication (https://opensearch.org/docs/latest/security/configuration/best-practices/) and then it doesn't work. Apart from that, the documentation is very confusing on the subject.
I think I now see where I went wrong. It seems like the
Just added like so:

```yaml
bootstrap:
  additionalConfig:
    s3.client.default.endpoint: "s3.test.svc.cluster.local:9020"
    s3.client.default.protocol: "https"
    s3.client.default.max_retries: "3"
    s3.client.default.path_style_access: "false"
    s3.client.default.read_timeout: "50s"
    s3.client.default.use_throttle_retries: "true"
```

Here is my helm diff:

```diff
metadata:
name: opensearch-cluster
namespace: opensearch
spec:
+ bootstrap:
+ additionalConfig:
+
+ s3.client.default.endpoint: s3.test.svc.cluster.local:9020
+ s3.client.default.max_retries: "3"
+ s3.client.default.path_style_access: "false"
+ s3.client.default.protocol: http
+ s3.client.default.read_timeout: 50s
+ s3.client.default.use_throttle_retries: "true"
initHelper:
```

All 3 masters do restart after the apply. However, when I exec into the pod and cat the config, I do not see the additional configs there.

```
[opensearch@opensearch-cluster-masters-0 ~]$ cat config/opensearch.yml
plugins.security.audit.type: internal_opensearch
plugins.security.authcz.admin_dn: ["CN=admin,OU=opensearch-cluster"]
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.nodes_dn: ["CN=opensearch-cluster,OU=opensearch-cluster"]
plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: tls-http/tls.crt
plugins.security.ssl.http.pemkey_filepath: tls-http/tls.key
plugins.security.ssl.http.pemtrustedcas_filepath: tls-http/ca.crt
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.transport.pemcert_filepath: tls-transport/tls.crt
plugins.security.ssl.transport.pemkey_filepath: tls-transport/tls.key
plugins.security.ssl.transport.pemtrustedcas_filepath: tls-transport/ca.crt
plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [".opendistro-alerting-config",".opendistro-alerting-alert*",".opendistro-anomaly-results*",".opendistro-anomaly-detector*",".opendistro-anomaly-checkpoints",".opendistro-anomaly-detection-state",".opendistro-reports-*",".opendistro-notifications-*",".opendistro-notebooks",".opensearch-observability",".opendistro-asynchronous-search-response*",".replication-metadata-store"]
```
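Review bot: the applied diff sets `s3.client.default.protocol: http`, while the bootstrap.additionalConfig block quoted just above sets it to `"https"`, and the diff also carries an empty `+` line directly under `additionalConfig:`; reconcile the two (and quote `endpoint` and `read_timeout` consistently in both) before retesting, so that the config you are looking for in opensearch.yml is exactly the one the operator received.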
In the operator code, there seems to be a function that will add the additional config to the opensearch config here: opensearch-k8s-operator/opensearch-operator/pkg/reconcilers/reconcilers.go, lines 86 to 93 in 2e78967.
But it is not being used for the general.additionalConfig or bootstrap.additionalConfig. Both of those are being used only to set environment variables. First here: opensearch-k8s-operator/opensearch-operator/pkg/reconcilers/cluster.go, lines 143 to 153 in 2e78967.
IMO, there should be a separate helm value for
@digitalray I am ready to test a patch.
Hi @digitalray, it is a known issue that using the env var mechanism leads to problems (see also #883) and that the whole mechanism should be reworked to directly generate the
@OlafRadicke Regarding your issue: the operator does not allow setting
@swoehrl-mw does this mean that it is not possible to implement the 'Best practices for OpenSearch security' (https://opensearch.org/docs/latest/security/configuration/best-practices/) and follow the instructions at https://opensearch.org/docs/latest/security/authentication-backends/client-auth/? Because apparently I need the entry
@OlafRadicke
@swoehrl-mw

```yaml
additionalConfig:
  plugins.security.audit.type: internal_opensearch
```

Plus audit.yml:

```yaml
plugins.security.audit.config.disabled_rest_categories: NONE
plugins.security.audit.config.disabled_transport_categories: NONE
plugins.security.audit.config.log_request_body: false
plugins.security.audit.config.ignore_users: NONE
plugins.security.audit.config.exclude_sensitive_headers: true
```

Haven't tried it, but audit logs should be possible; the operator should not interfere there and the
Thanks for clarifying how the additional configs would be populated. When I opened this issue, I was actually using general.additionalConfig. However, it did not populate the opensearch.yml file with my entries. I did confirm that the env vars got created on the pod, though, with the key/values that I had entered in additionalConfig. Let me try it again and see if I can tail the init container logs; maybe I can catch something.
@swoehrl-mw, I just re-tried with general.additionalConfig with no luck. There are no logs that track the config changes. It seems that for the dashboard, directly generating the config already exists, doesn't it? Could we not use the same method for the opensearch config as well?
@digitalray Providing the entire generated config via configmap will be the way to go, yes. It just requires some rework and additional logic in the operator.
Hi @swoehrl-mw! I have tested two things.

```yaml
additionalConfig:
  plugins.security.audit.type: internal_opensearch
```

Enabling the audit log seems to work. I am still having problems with PKI and mTLS. The following configuration has no effect:

```yaml
additionalConfig:
  plugins.security.ssl.http.clientauth_mode: OPTIONAL
```

The entry does not appear in the pod's configuration. Out of desperation, I tried to give the pod its own configuration with
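Several commenters above verified the symptom by hand: exec into a master pod, cat `config/opensearch.yml`, and look for the `additionalConfig` keys. The script below is an added example, not code from the operator or from anyone in this thread, that turns that manual check into a repeatable audit: it parses a captured opensearch.yml and reports, for each desired key, whether it was applied, is missing entirely, or is present with a different value. It assumes the flat `dotted.key: value` layout that opensearch.yml has in the pasted output (nested YAML mappings are not handled), and every sample below is constructed from values quoted in the thread (the S3 keys, the audit type that works, the `clientauth_mode` entry that never shows up).

```python
"""Audit whether OpenSearchCluster additionalConfig keys reached opensearch.yml.

Added example, not operator code. Assumes the flat `dotted.key: value` form of
opensearch.yml seen in this thread; nested mappings are out of scope.
"""

# Constructed sample: opensearch.yml as catted from the master pod (trimmed).
POD_OPENSEARCH_YML = """\
# generated by the operator
plugins.security.audit.type: internal_opensearch
plugins.security.authcz.admin_dn: ["CN=admin,OU=opensearch-cluster"]
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: tls-http/tls.crt
plugins.security.ssl.transport.enforce_hostname_verification: false
"""

# Constructed sample: the bootstrap.additionalConfig block from the thread.
S3_ADDITIONAL_CONFIG = {
    "s3.client.default.endpoint": "s3.test.svc.cluster.local:9020",
    "s3.client.default.protocol": "https",
    "s3.client.default.max_retries": "3",
    "s3.client.default.path_style_access": "false",
    "s3.client.default.read_timeout": "50s",
    "s3.client.default.use_throttle_retries": "true",
}


def parse_flat_yaml(text):
    """Turn flat `key: value` lines into a dict, skipping blanks and comments.

    Only the first colon separates key from value, so a value such as
    `host:9020` survives intact. Surrounding quotes on the value are dropped.
    """
    parsed = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        parsed[key.strip()] = value.strip().strip("\"'")
    return parsed


def _as_yaml_string(value):
    """additionalConfig values are strings in the CR; render bools the YAML way."""
    if isinstance(value, bool):
        return str(value).lower()
    return str(value)


def audit_additional_config(additional_config, opensearch_yml_text):
    """Compare desired additionalConfig entries against the running config.

    Returns three lists: keys applied with the expected value, keys missing
    from opensearch.yml entirely, and (key, wanted, actual) tuples for keys
    present but carrying a different value.
    """
    actual = parse_flat_yaml(opensearch_yml_text)
    applied, missing, mismatched = [], [], []
    for key, raw_wanted in additional_config.items():
        wanted = _as_yaml_string(raw_wanted)
        if key not in actual:
            missing.append(key)
        elif actual[key] != wanted:
            mismatched.append((key, wanted, actual[key]))
        else:
            applied.append(key)
    return applied, missing, mismatched


def report(additional_config, opensearch_yml_text):
    """Print a line per key; return True only when every key was applied."""
    applied, missing, mismatched = audit_additional_config(
        additional_config, opensearch_yml_text
    )
    for key in applied:
        print(f"applied   {key}")
    for key in missing:
        print(f"MISSING   {key} (not in opensearch.yml at all)")
    for key, wanted, actual in mismatched:
        print(f"MISMATCH  {key}: wanted {wanted!r}, pod has {actual!r}")
    return not missing and not mismatched


if __name__ == "__main__":
    # The S3 keys from the thread: none of them reach the file.
    report(S3_ADDITIONAL_CONFIG, POD_OPENSEARCH_YML)
    # The audit-type key, which the thread reports as working.
    report({"plugins.security.audit.type": "internal_opensearch"}, POD_OPENSEARCH_YML)
    # The mTLS key from the last comment above: also missing.
    report({"plugins.security.ssl.http.clientauth_mode": "OPTIONAL"}, POD_OPENSEARCH_YML)
```

To run it against a live cluster, replace `POD_OPENSEARCH_YML` with the output of `kubectl exec <pod> -- cat config/opensearch.yml` and `S3_ADDITIONAL_CONFIG` with the mapping from your OpenSearchCluster manifest; a non-empty missing list is exactly the behaviour this issue describes, while a mismatch would point at a value being overridden rather than dropped.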
What is the bug?
When you specify key pairs to general.additionalConfig, the operator adds those to the env instead of the opensearch.yml file. This is not the case when specifying dashboard.additionalConfig. In the Dashboard case, the additional values are appended to the dashboard config file.
How can one reproduce the bug?
What is the expected behavior?
Expected behavior is that when you specify additionalConfig, those key/values get appended to the config-map, as is the case with the dashboard. Then the opensearch.yml file in the pod gets updated with those new values. However, what happens is that those values get added to the environment variables instead, while the config-map remains unchanged. Hence, the opensearch.yml file does not get updated as expected.
What is your host/environment?
Kubernetes Version: 1.29.9
Kubernetes Node OS: Alma Linux 8
opensearchCluster
general.version: 2.14.0
general.image: opensearchproject/opensearch:2.18.0
dashboard.version: 2.14.0
dashboard.image: opensearchproject/opensearch-dashboards:2.18.0
initHelper.image: busybox:latest
Do you have any screenshots?
n/a
Do you have any additional context?
I am trying to add S3 related configuration to the opensearch.yml file via general.additionalConfig section of OpenSearchCluster manifest.