diff --git a/charts/opensearch/Chart.yaml b/charts/opensearch/Chart.yaml index 171bd93f..c90ba6d1 100644 --- a/charts/opensearch/Chart.yaml +++ b/charts/opensearch/Chart.yaml @@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 1.0.8 +version: 1.1.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/charts/opensearch/README.md b/charts/opensearch/README.md index f7835fcc..ce3e06b9 100644 --- a/charts/opensearch/README.md +++ b/charts/opensearch/README.md 
@@ -81,6 +81,7 @@ helm uninstall my-release | `roles` | A hash map with the specific [roles][] for the `nodeGroup` | see [values.yaml][] | | `schedulerName` | Name of the [alternate scheduler][] | `""` | | `secretMounts` | Allows you easily mount a secret as a file inside the StatefulSet. Useful for mounting certificates and other secrets. See [values.yaml][] for an example | `[]` | +| `securityConfig` | Configure the opensearch security plugin. There are multiple ways to inject configuration into the chart, see [values.yaml](https://github.com/opensearch-project/helm-charts/blob/main/charts/opensearch/values.yaml) details. | By default an insecure demonstration configuration is set. This **must** be changed before going to production. | | `securityContext` | Allows you to set the [securityContext][] for the container | see [values.yaml][] | | `service.annotations` | [LoadBalancer annotations][] that Kubernetes will use for the service. This will configure load balancer if `service.type` is `LoadBalancer` | `{}` | | `service.externalTrafficPolicy` | Some cloud providers allow you to specify the [LoadBalancer externalTrafficPolicy][]. Kubernetes will use this to preserve the client source IP. This will configure load balancer if `service.type` is `LoadBalancer` | `""` | @@ -153,4 +154,4 @@ helm uninstall my-release [updateStrategy]: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/ [volumeClaimTemplate for statefulsets]: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#stable-storage -[service types]: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types \ No newline at end of file +[service types]: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types diff --git a/charts/opensearch/templates/securityconfig.yaml b/charts/opensearch/templates/securityconfig.yaml index 4557464e..6ff33303 100644 
--- a/charts/opensearch/templates/securityconfig.yaml
+++ b/charts/opensearch/templates/securityconfig.yaml
@@ -1,16 +1,17 @@
-{{- if and .Values.securityConfig.config.securityConfigSecret .Values.securityConfig.config.data }}
+{{- if .Values.securityConfig.config.data -}}
 apiVersion: v1
 kind: Secret
 metadata:
- name: {{ .Values.securityConfig.config.securityConfigSecret }}
+ name: {{ include "opensearch.uname" . }}-securityconfig
 namespace: {{ .Release.Namespace }}
 labels:
 app: {{ .Chart.Name }}
 release: {{ .Release.Name }}
 heritage: {{ .Release.Service }}
 type: Opaque
-data:
- {{- range $key, $val := .Values.securityConfig.config.data }}
- {{ $key }}: {{ $val | b64enc | quote }}
- {{- end }}
- {{- end}}
+stringData:
+{{- range $key, $val := .Values.securityConfig.config.data }}
+ {{ $key }}: |
+ {{- $val | nindent 4 }}
+{{- end }}
+{{- end }}
diff --git a/charts/opensearch/templates/statefulset.yaml b/charts/opensearch/templates/statefulset.yaml
index 5bf72a97..ff49f850 100644
--- a/charts/opensearch/templates/statefulset.yaml
+++ b/charts/opensearch/templates/statefulset.yaml
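Review bot: The range body at `{{- $val | nindent 4 }}` pipes each value straight into the block scalar, so a value that is not a string (a user who writes `config.yml:` as a nested mapping instead of the `|-` block the values.yaml example shows) renders as Go's `map[...]` text inside a Secret that the node would then read as its security configuration. A type guard before the key line fails the render instead: `{{- if not (kindIs "string" $val) }}{{ fail (printf "securityConfig.config.data.%s must be a string" $key) }}{{- end }}`. Since the Secret's name is now fixed to `<uname>-securityconfig`, a change to its contents on upgrade is only picked up by running pods if the StatefulSet pod template carries a checksum annotation over this template, which this hunk does not show, so that is worth confirming. `{{ $key }}` is also emitted unquoted; the keys are file names here, so `{{ $key | quote }}` costs nothing and protects against names YAML would misparse.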
@@ -150,10 +150,18 @@ spec:
 configMap:
 name: {{ template "opensearch.uname" . }}-config
 {{- end }}
- {{- if and .Values.securityConfig.config.securityConfigSecret .Values.securityConfig.config.data }}
- - name: security-config
+ {{- if and .Values.securityConfig.config.data .Values.securityConfig.config.securityConfigSecret }}
+ {{ fail "Only one of .Values.securityConfig.config.data and .Values.securityConfig.config.securityConfigSecret may be defined. Please see the comment in values.yaml describing usage." }}
+ {{- end }}
+ {{- if .Values.securityConfig.config.data }}
+ - name: security-config-complete
 secret:
- secretName: {{ .Values.securityConfig.config.securityConfigSecret }}
+ secretName: {{ include "opensearch.uname" . }}-securityconfig
+ {{- end }}
+ {{- with .Values.securityConfig.config.securityConfigSecret }}
+ - name: security-config-complete
+ secret:
+ secretName: {{ . | quote }}
 {{- end }}
 {{- if .Values.securityConfig.actionGroupsSecret }}
 - name: action-groups
@@ -369,9 +377,9 @@ spec:
 name: tenants
 subPath: tenants.yml
 {{- end }}
- {{- if and .Values.securityConfig.config.securityConfigSecret .Values.securityConfig.config.data }}
+ {{- if .Values.securityConfig.config.data }}
 - mountPath: {{ .Values.securityConfig.path }}
- name: security-config
+ name: security-config-complete
 {{- end }}
 {{- end }}
 {{- range .Values.secretMounts }}
diff --git a/charts/opensearch/values.yaml b/charts/opensearch/values.yaml
index 9215dd82..c39ffac4 100755
--- a/charts/opensearch/values.yaml
+++ b/charts/opensearch/values.yaml
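Review bot: The volumeMounts guard in the second hunk, `{{- if .Values.securityConfig.config.data }}`, only mounts `security-config-complete` when `data` is given, while the first hunk also declares that volume for the external-secret case under `{{- with .Values.securityConfig.config.securityConfigSecret }}`; with only `securityConfigSecret` set the volume is declared but nothing is mounted at `.Values.securityConfig.path`, so the externally supplied security configuration is silently never applied (unless a mount outside these hunks covers it, which I cannot see). The guard should mirror the volume declaration: `{{- if or .Values.securityConfig.config.data .Values.securityConfig.config.securityConfigSecret }}`. The `fail` in the first hunk makes the two options mutually exclusive at render time, which is the right place to catch it. Both the `volumes` and `volumeMounts` lists continue outside the hunks.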
@@ -275,17 +275,26 @@ securityConfig: rolesSecret: rolesMappingSecret: tenantsSecret: - # The following option simplifies securityConfig by using a single secret and specifying the respective secrets in the corresponding files instead of creating different secrets for config,internal users, roles, roles mapping and tenants - # Note that this is an alternative to the above secrets and shouldn't be used if the above secrets are used + # The following option simplifies securityConfig by using a single secret and + # specifying the config files as keys in the secret instead of creating + # different secrets for for each config file. + # Note that this is an alternative to the individual secret configuration + # above and shouldn't be used if the above secrets are used. config: - securityConfigSecret: + # There are multiple ways to define the configuration here: + # * If you define anything under data, the chart will automatically create + # a secret and mount it. + # * If you define securityConfigSecret, the chart will assume this secret is + # created externally and mount it. + # * It is an error to define both data and securityConfigSecret. + securityConfigSecret: "" data: {} # config.yml: |- # internal_users.yml: |- # roles.yml: |- # roles_mapping.yml: |- # action_groups.yml: |- - # tenants.yml: |- + # tenants.yml: |- # How long to wait for opensearch to stop gracefully terminationGracePeriod: 120
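Review bot: The added comment at `# different secrets for for each config file.` repeats "for", and the `data` bullet omits a caveat operators need: whatever is placed under `securityConfig.config.data` (typically `internal_users.yml` with password hashes) is carried as plain values, committed wherever the values file lives and retained in the Helm release record, whereas `securityConfigSecret` keeps that material in a Secret managed outside the chart. I would add under the `* If you define anything under data` bullet: `#   This content then lives in your values file and release history; for production prefer securityConfigSecret with a secret you manage yourself.`. Changing `securityConfigSecret:` to `securityConfigSecret: ""` fits the new `with` guard in statefulset.yaml, since null and an empty string are both falsy there.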