Use a per-install name for securityconfig secret (#41)
* feat: per-install name for securityconfig secret

Give the securityconfig secret an autogenerated unique name to
facilitate installing the chart multiple times in the same namespace.

This helps with the common case of sharing the securityconfig between
multiple instantiations of this chart to construct an Opensearch
cluster.

Signed-off-by: Scott Leggett <[email protected]>

* feat: update logic to handle externally defined secrets

See the comments describing how this is intended to work.

Signed-off-by: Scott Leggett <[email protected]>

* chore: bump opensearch chart version

Signed-off-by: Scott Leggett <[email protected]>

* chore: add securityConfig to README

Signed-off-by: Scott Leggett <[email protected]>
smlx authored Oct 18, 2021
1 parent b32e3c6 commit 00c507f
Showing 5 changed files with 37 additions and 18 deletions.
2 changes: 1 addition & 1 deletion charts/opensearch/Chart.yaml
@@ -15,7 +15,7 @@ type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 1.0.8
version: 1.1.0

# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
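Review bot: consider calling this minor bump out as behaviour-changing in the chart release notes or README: before this commit `securityConfigSecret` and `data` had to be set together, after it setting both is a hard template failure (see the `fail` added in statefulset.yaml in this same commit), so an existing user upgrading with both values set will get a failed `helm upgrade` rather than a working release.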
3 changes: 2 additions & 1 deletion charts/opensearch/README.md
Expand Up @@ -81,6 +81,7 @@ helm uninstall my-release
| `roles` | A hash map with the specific [roles][] for the `nodeGroup` | see [values.yaml][] |
| `schedulerName` | Name of the [alternate scheduler][] | `""` |
| `secretMounts` | Allows you easily mount a secret as a file inside the StatefulSet. Useful for mounting certificates and other secrets. See [values.yaml][] for an example | `[]` |
| `securityConfig` | Configure the opensearch security plugin. There are multiple ways to inject configuration into the chart, see [values.yaml](https://github.com/opensearch-project/helm-charts/blob/main/charts/opensearch/values.yaml) details. | By default an insecure demonstration configuration is set. This **must** be changed before going to production. |
| `securityContext` | Allows you to set the [securityContext][] for the container | see [values.yaml][] |
| `service.annotations` | [LoadBalancer annotations][] that Kubernetes will use for the service. This will configure load balancer if `service.type` is `LoadBalancer` | `{}` |
| `service.externalTrafficPolicy` | Some cloud providers allow you to specify the [LoadBalancer externalTrafficPolicy][]. Kubernetes will use this to preserve the client source IP. This will configure load balancer if `service.type` is `LoadBalancer` | `""` |
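Review bot: the new `securityConfig` row links values.yaml with an absolute URL while every other row in this table uses the reference-style `[values.yaml][]` link, and the sentence is missing a word ("see values.yaml details"). Suggest `see [values.yaml][] for details` to match the surrounding rows.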
@@ -153,4 +154,4 @@ helm uninstall my-release
[updateStrategy]: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/
[volumeClaimTemplate for statefulsets]: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#stable-storage

[service types]: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
[service types]: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
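Review bot: the removed and added lines in this hunk are identical, so the only change here is presumably the trailing newline at end of file; harmless, but worth confirming it was intentional rather than an editor artefact.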
15 changes: 8 additions & 7 deletions charts/opensearch/templates/securityconfig.yaml
@@ -1,16 +1,17 @@
{{- if and .Values.securityConfig.config.securityConfigSecret .Values.securityConfig.config.data }}
{{- if .Values.securityConfig.config.data -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ .Values.securityConfig.config.securityConfigSecret }}
name: {{ include "opensearch.uname" . }}-securityconfig
namespace: {{ .Release.Namespace }}
labels:
app: {{ .Chart.Name }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
type: Opaque
data:
{{- range $key, $val := .Values.securityConfig.config.data }}
{{ $key }}: {{ $val | b64enc | quote }}
{{- end }}
{{- end}}
stringData:
{{- range $key, $val := .Values.securityConfig.config.data }}
{{ $key }}: |
{{- $val | nindent 4 }}
{{- end }}
{{- end }}
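Review bot: the generated secret name `{{ include "opensearch.uname" . }}-securityconfig` is now spelled out in two templates (here and in statefulset.yaml in this commit); a small named template in `_helpers.tpl` would keep the two from drifting. The switch from `data` with `b64enc` to `stringData` with `nindent 4` is equivalent as far as the API server is concerned, but note the rendered manifest now carries the security config as plaintext block scalars, so anyone who can run `helm get manifest` on the release reads it (including `internal_users.yml`) without decoding, the same exposure already present via `helm get values`.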
18 changes: 13 additions & 5 deletions charts/opensearch/templates/statefulset.yaml
Expand Up @@ -150,10 +150,18 @@ spec:
configMap:
name: {{ template "opensearch.uname" . }}-config
{{- end }}
{{- if and .Values.securityConfig.config.securityConfigSecret .Values.securityConfig.config.data }}
- name: security-config
{{- if and .Values.securityConfig.config.data .Values.securityConfig.config.securityConfigSecret }}
{{ fail "Only one of .Values.securityConfig.config.data and .Values.securityConfig.config.securityConfigSecret may be defined. Please see the comment in values.yaml describing usage." }}
{{- end }}
{{- if .Values.securityConfig.config.data }}
- name: security-config-complete
secret:
secretName: {{ .Values.securityConfig.config.securityConfigSecret }}
secretName: {{ include "opensearch.uname" . }}-securityconfig
{{- end }}
{{- with .Values.securityConfig.config.securityConfigSecret }}
- name: security-config-complete
secret:
secretName: {{ . | quote }}
{{- end }}
{{- if .Values.securityConfig.actionGroupsSecret }}
- name: action-groups
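Review bot: the mutual-exclusion `fail` sits inside the StatefulSet volumes list, so it only runs if rendering reaches that point inside whatever conditional wraps this block; placing it at the top of the template (or in `_helpers.tpl`) rejects an invalid values combination before any manifest is rendered. Also, both the `if .Values.securityConfig.config.data` and `with .Values.securityConfig.config.securityConfigSecret` branches emit a volume with the same name `security-config-complete` and rely on the `fail` above to prevent a duplicate volume name; a one-line comment saying so would help the next reader. Minor: `{{ fail ... }}` without the `{{-` trim is harmless here since rendering aborts.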
@@ -369,9 +377,9 @@ spec:
name: tenants
subPath: tenants.yml
{{- end }}
{{- if and .Values.securityConfig.config.securityConfigSecret .Values.securityConfig.config.data }}
{{- if .Values.securityConfig.config.data }}
- mountPath: {{ .Values.securityConfig.path }}
name: security-config
name: security-config-complete
{{- end }}
{{- end }}
{{- range .Values.secretMounts }}
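Review bot: logic gap: the `security-config-complete` volume mount is now only emitted when `.Values.securityConfig.config.data` is set, but the previous hunk also defines that volume when `.Values.securityConfig.config.securityConfigSecret` is set; with an externally created secret the volume is declared but never mounted at `.Values.securityConfig.path`, so the security plugin will not see the config. Suggest `{{- if or .Values.securityConfig.config.data .Values.securityConfig.config.securityConfigSecret }}` here so the mount mirrors the volume definitions.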
17 changes: 13 additions & 4 deletions charts/opensearch/values.yaml
Expand Up @@ -275,17 +275,26 @@ securityConfig:
rolesSecret:
rolesMappingSecret:
tenantsSecret:
# The following option simplifies securityConfig by using a single secret and specifying the respective secrets in the corresponding files instead of creating different secrets for config,internal users, roles, roles mapping and tenants
# Note that this is an alternative to the above secrets and shouldn't be used if the above secrets are used
# The following option simplifies securityConfig by using a single secret and
# specifying the config files as keys in the secret instead of creating
# different secrets for for each config file.
# Note that this is an alternative to the individual secret configuration
# above and shouldn't be used if the above secrets are used.
config:
securityConfigSecret:
# There are multiple ways to define the configuration here:
# * If you define anything under data, the chart will automatically create
# a secret and mount it.
# * If you define securityConfigSecret, the chart will assume this secret is
# created externally and mount it.
# * It is an error to define both data and securityConfigSecret.
securityConfigSecret: ""
data: {}
# config.yml: |-
# internal_users.yml: |-
# roles.yml: |-
# roles_mapping.yml: |-
# action_groups.yml: |-
# tenants.yml: |-
# tenants.yml: |-

# How long to wait for opensearch to stop gracefully
terminationGracePeriod: 120
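Review bot: typo in the new comment, "different secrets for for each config file". Suggest the comment also state the name of the auto-created secret (`<opensearch.uname>-securityconfig`, per templates/securityconfig.yaml in this commit) so operators can find it, and mention that anything placed under `data` is stored in the Helm release and shown by `helm get values`, which matters given the example keys include `internal_users.yml`. The final `tenants.yml: |-` pair differs only in whitespace; fine.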
