feat(helm): add opensearch deployment (reanahub#827)

jlemesh · Aug 30, 2024 · c8426c8 · c8426c8
1 parent a288636
commit c8426c8
Show file tree

Hide file tree

Showing 5 changed files with 273 additions and 0 deletions.
diff --git a/helm/configurations/values-dev.yaml b/helm/configurations/values-dev.yaml
@@ -31,3 +31,28 @@ components:
 
 pgbouncer:
  enabled: true
+
+# OpenSearch configuration for dev environment
+opensearch:
+ tls:
+ generate: false
+ singleNode: true
+ config:
+ opensearch.yml: |
+ cluster.name: opensearch-cluster
+ network.host: 0.0.0.0
+ plugins.security.disabled: true
+ extraEnvs:
+ - name: OPENSEARCH_INITIAL_ADMIN_PASSWORD
+ value: ReanaOS1=
+ securityConfig:
+ enabled: false
+ internalUsersSecret:
+ rolesSecret:
+ rolesMappingSecret:
+ resources:
+ requests:
+ cpu: "500m"
+ memory: "2Gi"
+ secretMounts: []
+ customSecurityConfig:
diff --git a/helm/reana/Chart.yaml b/helm/reana/Chart.yaml
@@ -35,3 +35,7 @@ dependencies:
  condition: traefik.enabled
  tags:
  - ingress
+ - name: opensearch
+ version: 2.22.1
+ repository: https://opensearch-project.github.io/helm-charts/
+ condition: opensearch.enabled
diff --git a/helm/reana/README.md b/helm/reana/README.md
@@ -98,6 +98,18 @@ This Helm automatically prefixes all names using the release name to avoid colli
 | `reana_hostname` | REANA hostname (e.g. reana.example.org) | None |
 | `namespace_runtime` | Namespace in which the REANA runtime pods (workflow engines, jobs etc...) will run | `.Release.Namespace` |
 | `naming_scheme` | REANA component naming scheme | None |
+| `opensearch.*` | Pass any value from [OpenSearch Helm chart values](https://github.com/opensearch-project/helm-charts/tree/main/charts/opensearch#configuration) here | - |
+| `opensearch.enabled` | Enable OpenSearch | false |
+| `opensearch.tls.generate` | Enable the generation of a self-signed TLS certificates for OpenSearch | true |
+| `opensearch.tls.ca.cn` | OpenSearch root CA certificate common name (CN) | reana.io |
+| `opensearch.tls.ca.ttl` | OpenSearch root CA certificate TTL in days | 365 |
+| `opensearch.tls.cert.cn` | OpenSearch node certificate common name (CN) | opensearch-cluster-master.default.svc.cluster.local |
+| `opensearch.tls.cert.ttl` | OpenSearch node certificate TTL in days | 180 |
+| `opensearch.tls.admin.cn` | OpenSearch admin certificate common name (CN) | opensearch-admin.reana.io |
+| `opensearch.tls.admin.ttl` | OpenSearch admin certificate TTL in days | 180 |
+| `opensearch.customSecurityConfig.internalUsers` | Provide YAML users configuration for `internal_users.yaml` file; see [documentation](https://opensearch.org/docs/latest/security/configuration/yaml/#internal_usersyml) | None |
+| `opensearch.customSecurityConfig.roles` | Provide YAML roles configuration for `roles.yaml` file; see [documentation](https://opensearch.org/docs/latest/security/configuration/yaml/#rolesyml) | None |
+| `opensearch.customSecurityConfig.rolesMapping` | Provide YAML roles mapping configuration for `roles_mapping.yaml` file; see [documentation](https://opensearch.org/docs/latest/security/configuration/yaml/#roles_mappingyml) | None |
 | `pgbouncer.enabled` | Instantiate PgBouncer inside the cluster to pool database connections | false |
 | `pgbouncer.image` | [PgBouncer image](https://hub.docker.com/r/bitnami/pgbouncer/) to use | `bitnami/pgbouncer:1.23.1` |
 | `pgbouncer.pool_mode` | Pool mode to use (session, transaction, statement) | transaction |

diff --git a/helm/reana/templates/secrets.yaml b/helm/reana/templates/secrets.yaml
@@ -76,3 +76,73 @@ data:
  tls.crt: {{ $cert.Cert | b64enc | quote }}
  tls.key: {{ $cert.Key | b64enc | quote }}
 {{- end }}
+---
+{{- if and .Values.opensearch.enabled .Values.opensearch.tls.generate }}
+{{- $prefix := include "reana.prefix" . }}
+{{- $tlsSecretName := printf "%s-%s" $prefix "opensearch-tls-secret" }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $tlsSecretName }}
+ namespace: {{ .Release.Namespace }}
+type: kubernetes.io/tls
+data:
+ {{- $idx := lookup "v1" "Secret" .Release.Namespace $tlsSecretName -}}
+ {{- if $idx }}
+ tls.crt: {{ index $idx.data "tls.crt" }}
+ tls.key: {{ index $idx.data "tls.key" }}
+ admin.crt: {{ index $idx.data "admin.crt" }}
+ admin.key: {{ index $idx.data "admin.key" }}
+ ca.crt: {{ index $idx.data "ca.crt" }}
+ {{ else }}
+ {{- $ca := genCA .Values.opensearch.tls.ca.cn (.Values.opensearch.tls.ca.ttl | int) }}
+ {{- $cert := genSignedCert .Values.opensearch.tls.cert.cn nil nil (.Values.opensearch.tls.cert.ttl | int) $ca }}
+ {{- $certAdmin := genSignedCert .Values.opensearch.tls.admin.cn nil nil (.Values.opensearch.tls.admin.ttl | int) $ca }}
+ tls.crt: {{ $cert.Cert | b64enc | quote }}
+ tls.key: {{ $cert.Key | b64enc | quote }}
+ admin.crt: {{ $certAdmin.Cert | b64enc | quote }}
+ admin.key: {{ $certAdmin.Key | b64enc | quote }}
+ ca.crt: {{ $ca.Cert | b64enc | quote }}
+ {{- end }}
+{{- end }}
+---
+{{- if and .Values.opensearch.enabled .Values.opensearch.customSecurityConfig }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "reana.prefix" . }}-opensearch-config-secret
+ namespace: {{ .Release.Namespace }}
+type: kubernetes.io/opaque
+stringData:
+ {{- if .Values.opensearch.customSecurityConfig.internalUsers }}
+ internal_users.yml: |
+ ---
+ # This is the internal user database
+ # The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh
+ _meta:
+ type: "internalusers"
+ config_version: 2
+ {{ .Values.opensearch.customSecurityConfig.internalUsers | toYaml | nindent 4 }}
+ {{- end }}
+ {{- if .Values.opensearch.customSecurityConfig.rolesMapping }}
+ roles_mapping.yml: |
+ ---
+ # In this file users, backendroles and hosts can be mapped to Security roles.
+ # Permissions for OpenSearch roles are configured in roles.yml
+ _meta:
+ type: "rolesmapping"
+ config_version: 2
+ {{ .Values.opensearch.customSecurityConfig.rolesMapping | toYaml | nindent 4 }}
+ {{- end }}
+ {{- if .Values.opensearch.customSecurityConfig.roles }}
+ roles.yml: |
+ ---
+ _meta:
+ type: "roles"
+ config_version: 2
+ # The security REST API access role is used to assign specific users access to change the security settings through the REST API.
+ security_rest_api_access:
+ reserved: true
+ {{ .Values.opensearch.customSecurityConfig.roles | toYaml | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/helm/reana/values.yaml b/helm/reana/values.yaml
@@ -189,3 +189,165 @@ quota:
  # backward compatibility
  disk_update: "0 3 * * *" # everyday at 3am
  termination_update_policy: ""
+
+# OpenSearch chart values.yaml
+opensearch:
+ enabled: false
+ tls:
+ generate: true
+ ca:
+ cn: "reana.io"
+ ttl: 365
+ cert:
+ cn: "opensearch-cluster-master.default.svc.cluster.local"
+ ttl: 180
+ admin:
+ cn: "opensearch-admin.reana.io"
+ ttl: 180
+ singleNode: true # advanced storage configuration needed if set to false
+ config:
+ opensearch.yml: |
+ cluster.name: opensearch-cluster
+ network.host: 0.0.0.0
+ plugins:
+ security:
+ nodes_dn:
+ - "CN={{ .Values.tls.cert.cn }}"
+ authcz:
+ admin_dn:
+ - "CN={{ .Values.tls.admin.cn }}"
+ ssl:
+ transport:
+ pemcert_filepath: certs/tls.crt
+ pemkey_filepath: certs/tls.key
+ pemtrustedcas_filepath: certs/ca.crt
+ enforce_hostname_verification: false
+ http:
+ enabled: true
+ pemcert_filepath: certs/tls.crt
+ pemkey_filepath: certs/tls.key
+ pemtrustedcas_filepath: certs/ca.crt
+ allow_default_init_securityindex: true
+ check_snapshot_restore_write_privileges: true
+ enable_snapshot_restore_privilege: true
+ ssl_cert_reload_enabled: true # https://opensearch.org/docs/latest/security/access-control/api/#reload-transport-certificates
+ restapi:
+ roles_enabled:
+ - all_access
+ - security_rest_api_access
+ system_indices:
+ enabled: true
+ indices:
+ [
+ ".opendistro-alerting-config",
+ ".opendistro-alerting-alert*",
+ ".opendistro-anomaly-results*",
+ ".opendistro-anomaly-detector*",
+ ".opendistro-anomaly-checkpoints",
+ ".opendistro-anomaly-detection-state",
+ ".opendistro-reports-*",
+ ".opendistro-notifications-*",
+ ".opendistro-notebooks",
+ ".opendistro-asynchronous-search-response*",
+ ]
+ extraEnvs:
+ - name: DISABLE_INSTALL_DEMO_CONFIG
+ value: "true"
+ secretMounts:
+ - name: reana-opensearch-tls-secret
+ secretName: reana-opensearch-tls-secret
+ path: /usr/share/opensearch/config/certs
+ resources:
+ requests:
+ cpu: "1000m"
+ memory: "4Gi"
+ persistence:
+ enabled: false
+ securityConfig:
+ enabled: true
+ internalUsersSecret: "reana-opensearch-config-secret"
+ rolesSecret: "reana-opensearch-config-secret"
+ rolesMappingSecret: "reana-opensearch-config-secret"
+ extraVolumes:
+ - name: reana-opensearch-volume
+ hostPath:
+ path: /var/reana
+ # You can instead configure infrastructure volume:
+ # - name: reana-opensearch-volume
+ # persistentVolumeClaim:
+ # claimName: reana-infrastructure-persistent-volume
+ # readOnly: false
+ # Or shared volume:
+ # - name: reana-opensearch-volume
+ # persistentVolumeClaim:
+ # claimName: reana-shared-persistent-volume
+ # readOnly: false
+ extraVolumeMounts:
+ - mountPath: /usr/share/opensearch/data
+ subPath: opensearch
+ name: reana-opensearch-volume
+ # Configure REANA and FluentBit users and roles for job log collection
+ customSecurityConfig:
+ internalUsers:
+ reana:
+ hash: "" # Required. To generate hash, run plugins/opensearch-security/tools/hash.sh -p <new-password>; supply in Helm command flags
+ reserved: false
+ backend_roles:
+ - readall
+ description: REANA user
+ fluentbit:
+ hash: "" # Required. To generate hash, run plugins/opensearch-security/tools/hash.sh -p <new-password>; supply in Helm command flags
+ reserved: false
+ backend_roles:
+ - fluentbit
+ description: FluentBit user
+ roles:
+ fluentbit:
+ reserved: true
+ hidden: false
+ description: Provide the minimum permissions for fluentbit
+ cluster_permissions:
+ - cluster_monitor
+ - cluster_composite_ops
+ - indices:admin/template/get
+ - indices:admin/template/put
+ - cluster:admin/ingest/pipeline/put
+ - cluster:admin/ingest/pipeline/get
+ - indices:data/write/bulk*
+ index_permissions:
+ - index_patterns:
+ - fluentbit-*
+ fls: []
+ masked_fields: []
+ allowed_actions:
+ - crud
+ - create_index
+ tenant_permissions: []
+ static: true
+ rolesMapping:
+ fluentbit:
+ hosts: []
+ users: []
+ reserved: false
+ hidden: false
+ backend_roles:
+ - fluentbit
+ and_backend_roles: []
+ own_index:
+ hosts: []
+ users:
+ - "*"
+ reserved: false
+ hidden: false
+ backend_roles: []
+ and_backend_roles: []
+ description: Allow full access to an index named like the username
+ readall:
+ hosts: []
+ users:
+ - "reana"
+ reserved: false
+ hidden: false
+ backend_roles:
+ - readall
+ and_backend_roles: []