
Commit 6938474

feat: Allow the configuration of the security plugin (#117)
* test: Add security-config integration test
* feat: Add securityConfig to the CRD; Deploy the initial security configuration
* Deploy security config files only if completely managed by the API
* test(smoke): Use securityConfig
* Deploy security config files only to the managing role group
* Create admin certificate in init container
* Add update-security-config container
* Configure DN of the admin certificate
* Allow only one pod to manage the security configuration
* Validate the security configuration; Fix all unit tests
* Allow to disable the security plugin
* Use a structure for the validated security configuration
* Declare security init containers
* test(backup-restore): Use securityConfig
* test(external-access): Use securityConfig
* test(ldap): Use securityConfig
* test(logging): Use securityConfig
* test(metrics): Use securityConfig
* test(opensearch-dashboards): Use securityConfig
* Rename clusterConfig.security.config to clusterConfig.security.settings; Fix admin DN; Fix integration tests
* Update the CRD documentation
* Rename admin_dn() to super_admin_dn()
* Do not use overrides to determine if TLS is enabled
* Delete unit tests for removed functions
* Update changelog
* Fix shellcheck warnings
* Extend node_config unit test
* Rename ValidatedSecurity::config to settings
* Restructure role group builder
* Move init-keystore script into separate file
* Add security modes to the role group builder
* test(smoke): Fix assertion
* test: Test role group security modes
* Regenerate charts
* Rework RoleGroupSecurityMode
* Test NodeConfig::super_admin_dn
* Remove redundant enum SecurityConfigFileType
* Fix comments
* Test RoleGroupBuilder::security_settings_file_type_managed_by_env_var
* Add ValidatedSecurity::Disabled
* Test the preprocess step
* Rename security_config_managing_role_group to security_config_managing_role_group_default
* Upgrade opensearch-py to version 3.1.0
* Fix tests
* Fix the test cases that work with the original image
* Add support for DEPRECATION log level
* test: Set backoffLimit for all jobs
* Validate node roles; Fix coordinating_only node role
* doc: Document the security plugin configuration
* Rename allow_list.yml to allowlist.yml
* test(smoke): Fix test assertion
* doc: Improve the security documentation
* doc: Remove deprecation warning for the opensearch-operator
* Store the Vector state in /stackable/log/_vector-state
* Update docs/modules/opensearch/pages/usage-guide/security.adoc

  Co-authored-by: Malte Sander <malte.sander.it@gmail.com>
* Update rust/operator-binary/src/controller/validate.rs

  Co-authored-by: Malte Sander <malte.sander.it@gmail.com>
* Regenerate charts
* test: Fix unit tests
* Regenerate Nix files
* test(smoke): Fix test assertion

---------

Co-authored-by: Malte Sander <malte.sander.it@gmail.com>
1 parent 47ee593 commit 6938474


89 files changed

+7215
-2282
lines changed


CHANGELOG.md

Lines changed: 2 additions & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -27,6 +27,7 @@ All notable changes to this project will be documented in this file.
2727
- Configuration parameter `spec.nodes.roleGroups.<role-group-name>.config.discoveryServiceExposed`
2828
added to expose a role-group via the discovery service.
2929
- Add support for OpenSearch 3.4.0 ([#108]).
30+
- Allow the configuration of the OpenSearch security plugin ([#117]).
3031

3132
### Changed
3233

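Review bot: The new changelog line covers the configurable security plugin but not the other user-facing option this commit introduces, "Allow to disable the security plugin" (from the commit message); since a cluster running without the security plugin has no authentication or authorization, that switch deserves its own mention in the release notes, e.g. "- Allow the configuration of the OpenSearch security plugin, including disabling it ([#117])."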
@@ -50,6 +51,7 @@ All notable changes to this project will be documented in this file.
5051
[#108]: https://github.com/stackabletech/opensearch-operator/pull/108
5152
[#110]: https://github.com/stackabletech/opensearch-operator/pull/110
5253
[#114]: https://github.com/stackabletech/opensearch-operator/pull/114
54+
[#117]: https://github.com/stackabletech/opensearch-operator/pull/117
5355
[#120]: https://github.com/stackabletech/opensearch-operator/pull/120
5456

5557
## [25.11.0] - 2025-11-07

Cargo.nix

Lines changed: 9 additions & 9 deletions

crate-hashes.json

Lines changed: 9 additions & 9 deletions

docs/modules/opensearch/examples/getting_started/getting_started.sh

Lines changed: 28 additions & 5 deletions
Original file line number | Diff line number | Diff line change
@@ -47,7 +47,7 @@ esac
4747

4848
echo "Creating OpenSearch security plugin configuration"
4949
# tag::apply-security-config[]
50-
kubectl apply -f opensearch-security-config.yaml
50+
kubectl apply -f initial-opensearch-security-config.yaml
5151
# end::apply-security-config[]
5252

5353
echo "Creating OpenSearch cluster"
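Review bot: The applied manifest is renamed to `initial-opensearch-security-config.yaml`, but the `echo` two lines above still reads "Creating OpenSearch security plugin configuration"; update the message to say "initial" as well, so the script's output matches the file name and readers understand this Secret seeds the configuration rather than being the place to edit it later.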
@@ -91,17 +91,40 @@ curl \
9191
--json '{"name": "Stackable"}' \
9292
"$OPENSEARCH_HOST/sample_index/_doc/1"
9393

94-
# Output:
95-
# {"_index":"sample_index","_id":"1","_version":1,"result":"created","_shards":{"total":2,"successful":1,"failed":0},"_seq_no":0,"_primary_term":1}
94+
# Formatted output:
95+
# {
96+
# "_index": "sample_index",
97+
# "_id": "1",
98+
# "_version": 1,
99+
# "result": "created",
100+
# "_shards": {
101+
# "total": 2,
102+
# "successful": 1,
103+
# "failed": 0
104+
# },
105+
# "_seq_no": 0,
106+
# "_primary_term": 1
107+
# }
108+
96109

97110
curl \
98111
--insecure \
99112
--user $CREDENTIALS \
100113
--request GET \
101114
"$OPENSEARCH_HOST/sample_index/_doc/1"
102115

103-
# Output:
104-
# {"_index":"sample_index","_id":"1","_version":1,"_seq_no":0,"_primary_term":1,"found":true,"_source":{"name": "Stackable"}}
116+
# Formatted output:
117+
# {
118+
# "_index": "sample_index",
119+
# "_id": "1",
120+
# "_version": 1,
121+
# "_seq_no": 0,
122+
# "_primary_term": 1,
123+
# "found": true,
124+
# "_source": {
125+
# "name": "Stackable"
126+
# }
127+
# }
105128
# end::rest-api[]
106129

107130
echo
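Review bot: Both `curl` calls in this region combine `--insecure` with `--user $CREDENTIALS`, so the basic-auth password is sent over a TLS connection whose server certificate is never verified; for a getting-started script that readers copy, prefer `--cacert <cluster CA file>` over `--insecure` where the cluster CA is available, and quote the credentials (`--user "$CREDENTIALS"`) so the command survives passwords containing spaces, which also matches the "Fix shellcheck warnings" item in this commit. The reformatted `# Formatted output:` comments themselves are an improvement and match the JSON the API returns.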

docs/modules/opensearch/examples/getting_started/getting_started.sh.j2

Lines changed: 28 additions & 5 deletions
Original file line number | Diff line number | Diff line change
@@ -47,7 +47,7 @@ esac
4747

4848
echo "Creating OpenSearch security plugin configuration"
4949
# tag::apply-security-config[]
50-
kubectl apply -f opensearch-security-config.yaml
50+
kubectl apply -f initial-opensearch-security-config.yaml
5151
# end::apply-security-config[]
5252

5353
echo "Creating OpenSearch cluster"
@@ -91,17 +91,40 @@ curl \
9191
--json '{"name": "Stackable"}' \
9292
"$OPENSEARCH_HOST/sample_index/_doc/1"
9393

94-
# Output:
95-
# {"_index":"sample_index","_id":"1","_version":1,"result":"created","_shards":{"total":2,"successful":1,"failed":0},"_seq_no":0,"_primary_term":1}
94+
# Formatted output:
95+
# {
96+
# "_index": "sample_index",
97+
# "_id": "1",
98+
# "_version": 1,
99+
# "result": "created",
100+
# "_shards": {
101+
# "total": 2,
102+
# "successful": 1,
103+
# "failed": 0
104+
# },
105+
# "_seq_no": 0,
106+
# "_primary_term": 1
107+
# }
108+
96109

97110
curl \
98111
--insecure \
99112
--user $CREDENTIALS \
100113
--request GET \
101114
"$OPENSEARCH_HOST/sample_index/_doc/1"
102115

103-
# Output:
104-
# {"_index":"sample_index","_id":"1","_version":1,"_seq_no":0,"_primary_term":1,"found":true,"_source":{"name": "Stackable"}}
116+
# Formatted output:
117+
# {
118+
# "_index": "sample_index",
119+
# "_id": "1",
120+
# "_version": 1,
121+
# "_seq_no": 0,
122+
# "_primary_term": 1,
123+
# "found": true,
124+
# "_source": {
125+
# "name": "Stackable"
126+
# }
127+
# }
105128
# end::rest-api[]
106129

107130
echo
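Review bot: Because this file is a Jinja template, the new `# {` and `# }` comment lines need a check that none of them forms a `{{`, `{%` or `{#` sequence; in the added lines the braces are always preceded by a space or followed by a newline, so they render literally, but a future reflow that joins `#` and `{` would silently start a Jinja comment. The generated `getting_started.sh` in this commit is byte-for-byte identical in this hunk, which confirms the template currently renders as intended.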
Lines changed: 34 additions & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -0,0 +1,34 @@
1+
---
2+
apiVersion: v1
3+
kind: Secret
4+
metadata:
5+
name: initial-opensearch-security-config
6+
stringData:
7+
internal_users.yml: |
8+
---
9+
_meta:
10+
type: internalusers
11+
config_version: 2
12+
admin:
13+
hash: $2y$10$xRtHZFJ9QhG9GcYhRpAGpufCZYsk//nxsuel5URh0GWEBgmiI4Q/e
14+
reserved: true
15+
backend_roles:
16+
- admin
17+
description: OpenSearch admin user
18+
kibanaserver:
19+
hash: $2y$10$vPgQ/6ilKDM5utawBqxoR.7euhVQ0qeGl8mPTeKhmFT475WUDrfQS
20+
reserved: true
21+
description: OpenSearch Dashboards user
22+
roles_mapping.yml: |
23+
---
24+
_meta:
25+
type: rolesmapping
26+
config_version: 2
27+
all_access:
28+
reserved: false
29+
backend_roles:
30+
- admin
31+
kibana_server:
32+
reserved: true
33+
users:
34+
- kibanaserver
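Review bot: The bcrypt hashes for `admin` and `kibanaserver` are example credentials committed to the repository, and `admin` is granted `all_access` through the `admin` backend role in `roles_mapping.yml`; add a comment in the Secret naming which getting-started passwords these hashes belong to and stating that they must be regenerated for any non-demo cluster. It would also help to document which security config files (config.yml, roles.yml, action_groups.yml, tenants.yml) the operator supplies when they are absent from this Secret, since only `internal_users.yml` and `roles_mapping.yml` are provided here. The rendered page does not show this file's name; the `kubectl apply -f initial-opensearch-security-config.yaml` line in `getting_started.sh` suggests which file it is, but the header should be checked on the actual commit.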

docs/modules/opensearch/examples/getting_started/opensearch-dashboards-values.yaml

Lines changed: 30 additions & 30 deletions
Original file line number | Diff line number | Diff line change
@@ -17,43 +17,43 @@ config:
1717
ssl:
1818
verificationMode: full
1919
certificateAuthorities:
20-
- /stackable/opensearch-dashboards/config/tls/ca.crt
20+
- /stackable/opensearch-dashboards/config/tls/ca.crt
2121
opensearch_security:
2222
cookie:
2323
secure: true
2424
# See https://github.com/opensearch-project/helm-charts/blob/main/charts/opensearch-dashboards/templates/deployment.yaml#L122
2525
opensearchHosts: ""
2626
extraEnvs:
27-
- name: OPENSEARCH_HOSTS
28-
valueFrom:
29-
configMapKeyRef:
30-
name: simple-opensearch
31-
key: OPENSEARCH_HOSTS
32-
- name: OPENSEARCH_PASSWORD
33-
valueFrom:
34-
secretKeyRef:
35-
name: opensearch-credentials
36-
key: kibanaserver
27+
- name: OPENSEARCH_HOSTS
28+
valueFrom:
29+
configMapKeyRef:
30+
name: simple-opensearch
31+
key: OPENSEARCH_HOSTS
32+
- name: OPENSEARCH_PASSWORD
33+
valueFrom:
34+
secretKeyRef:
35+
name: opensearch-credentials
36+
key: kibanaserver
3737
extraVolumes:
38-
- name: tls
39-
ephemeral:
40-
volumeClaimTemplate:
41-
metadata:
42-
annotations:
43-
secrets.stackable.tech/class: tls
44-
secrets.stackable.tech/scope: service=opensearch-dashboards
45-
spec:
46-
storageClassName: secrets.stackable.tech
47-
accessModes:
48-
- ReadWriteOnce
49-
resources:
50-
requests:
51-
storage: "1"
38+
- name: tls
39+
ephemeral:
40+
volumeClaimTemplate:
41+
metadata:
42+
annotations:
43+
secrets.stackable.tech/class: tls
44+
secrets.stackable.tech/scope: service=opensearch-dashboards
45+
spec:
46+
storageClassName: secrets.stackable.tech
47+
accessModes:
48+
- ReadWriteOnce
49+
resources:
50+
requests:
51+
storage: "1"
5252
extraVolumeMounts:
53-
- mountPath: /stackable/opensearch-dashboards/config/tls
54-
name: tls
55-
- mountPath: /stackable/opensearch-dashboards/config/opensearch_dashboards.yml
56-
name: config
57-
subPath: opensearch_dashboards.yml
53+
- mountPath: /stackable/opensearch-dashboards/config/tls
54+
name: tls
55+
- mountPath: /stackable/opensearch-dashboards/config/opensearch_dashboards.yml
56+
name: config
57+
subPath: opensearch_dashboards.yml
5858
podSecurityContext:
5959
fsGroup: 1000
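Review bot: This hunk is a whitespace-only re-indentation of the list items under `certificateAuthorities`, `extraEnvs`, `extraVolumes` and `extraVolumeMounts`; confirm it comes from the repository's YAML formatter so the style stays stable, and consider keeping such formatting changes out of a feature commit to make the functional diff easier to review. The security-relevant values are unchanged (`verificationMode: full`, `cookie.secure: true`, the `kibanaserver` password read from the `opensearch-credentials` Secret rather than inlined), which is what a reviewer needs to verify for a values file touched by a security commit.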
