feat(helm): add opensearch deployment (reanahub#827)
jlemesh committed Aug 28, 2024
1 parent fcecb6b commit ea1fb45
Showing 5 changed files with 244 additions and 0 deletions.
24 changes: 24 additions & 0 deletions helm/configurations/values-dev.yaml
Expand Up @@ -31,3 +31,27 @@ components:

pgbouncer:
enabled: true

# OpenSearch configuration for dev environment
opensearch:
singleNode: true
generateCerts: false
config:
opensearch.yml: |
cluster.name: opensearch-cluster
network.host: 0.0.0.0
plugins.security.disabled: true
extraEnvs:
- name: OPENSEARCH_INITIAL_ADMIN_PASSWORD
value: ReanaOS1=
securityConfig:
enabled: false
internalUsersSecret:
rolesSecret:
rolesMappingSecret:
resources:
requests:
cpu: "500m"
memory: "2Gi"
secretMounts: []
customSecurityConfig:
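Review bot: `customSecurityConfig:` on the last line of the hunk is a bare key and therefore resolves to null; that is presumably intended to make the `if and .Values.opensearch.enabled .Values.opensearch.customSecurityConfig` guard in templates/secrets.yaml skip the config Secret, but nothing in the file says so. Add `# null on purpose: skips the custom security-config Secret rendered by templates/secrets.yaml` above it, and the same kind of note above the three bare `*Secret:` keys under `securityConfig`, which also become null. The `OPENSEARCH_INITIAL_ADMIN_PASSWORD` value is a plaintext credential committed to the repository; if it only exists to satisfy the chart's start-up requirement while `plugins.security.disabled: true` leaves it unused (worth confirming against the chart), say so with `# dev-only placeholder; the security plugin is disabled above` so the value is not copied into non-dev values files.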
4 changes: 4 additions & 0 deletions helm/reana/Chart.yaml
Expand Up @@ -35,3 +35,7 @@ dependencies:
condition: traefik.enabled
tags:
- ingress
- name: opensearch
version: 2.22.1
repository: https://opensearch-project.github.io/helm-charts/
condition: opensearch.enabled
6 changes: 6 additions & 0 deletions helm/reana/README.md
Expand Up @@ -98,6 +98,12 @@ This Helm automatically prefixes all names using the release name to avoid colli
| `reana_hostname` | REANA hostname (e.g. reana.example.org) | None |
| `namespace_runtime` | Namespace in which the REANA runtime pods (workflow engines, jobs etc...) will run | `.Release.Namespace` |
| `naming_scheme` | REANA component naming scheme | None |
| `opensearch.*` | Pass any value from [OpenSearch Helm chart values](https://github.com/opensearch-project/helm-charts/tree/main/charts/opensearch#configuration) here | - |
| `opensearch.enabled` | Enable OpenSearch | false |
| `opensearch.generateCerts` | Enable the generation of a self-signed TLS certificates for OpenSearch nodes | true |
| `opensearch.customSecurityConfig.internalUsers` | Provide YAML users configuration for `internal_users.yaml` file; see [documentation](https://opensearch.org/docs/latest/security/configuration/yaml/#internal_usersyml) | None |
| `opensearch.customSecurityConfig.roles` | Provide YAML roles configuration for `roles.yaml` file; see [documentation](https://opensearch.org/docs/latest/security/configuration/yaml/#rolesyml) | None |
| `opensearch.customSecurityConfig.rolesMapping` | Provide YAML roles mapping configuration for `roles_mapping.yaml` file; see [documentation](https://opensearch.org/docs/latest/security/configuration/yaml/#roles_mappingyml) | None |
| `pgbouncer.enabled` | Instantiate PgBouncer inside the cluster to pool database connections | false |
| `pgbouncer.image` | [PgBouncer image](https://hub.docker.com/r/bitnami/pgbouncer/) to use | `bitnami/pgbouncer:1.23.1` |
| `pgbouncer.pool_mode` | Pool mode to use (session, transaction, statement) | transaction |
59 changes: 59 additions & 0 deletions helm/reana/templates/secrets.yaml
Expand Up @@ -76,3 +76,62 @@ data:
tls.crt: {{ $cert.Cert | b64enc | quote }}
tls.key: {{ $cert.Key | b64enc | quote }}
{{- end }}
---
{{- if and .Values.opensearch.enabled .Values.opensearch.generateCerts }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "reana.prefix" . }}-opensearch-tls-secret
namespace: {{ .Release.Namespace }}
type: kubernetes.io/tls
data:
{{- $ca := genCA "reana.io" 365 }}
{{- $cert := genSignedCert "opensearch.reana.io" nil nil 90 $ca }}
{{- $certAdmin := genSignedCert "opensearch-admin.reana.io" nil nil 90 $ca }}
tls.crt: {{ $cert.Cert | b64enc | quote }}
tls.key: {{ $cert.Key | b64enc | quote }}
admin.crt: {{ $certAdmin.Cert | b64enc | quote }}
admin.key: {{ $certAdmin.Key | b64enc | quote }}
ca.crt: {{ $ca.Cert | b64enc | quote }}
{{- end }}
---
{{- if and .Values.opensearch.enabled .Values.opensearch.customSecurityConfig }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "reana.prefix" . }}-opensearch-config-secret
namespace: {{ .Release.Namespace }}
type: kubernetes.io/opaque
stringData:
{{- if .Values.opensearch.customSecurityConfig.internalUsers }}
internal_users.yml: |
---
# This is the internal user database
# The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh
_meta:
type: "internalusers"
config_version: 2
{{ .Values.opensearch.customSecurityConfig.internalUsers | toYaml | nindent 4 }}
{{- end }}
{{- if .Values.opensearch.customSecurityConfig.rolesMapping }}
roles_mapping.yml: |
---
# In this file users, backendroles and hosts can be mapped to Security roles.
# Permissions for OpenSearch roles are configured in roles.yml
_meta:
type: "rolesmapping"
config_version: 2
{{ .Values.opensearch.customSecurityConfig.rolesMapping | toYaml | nindent 4 }}
{{- end }}
{{- if .Values.opensearch.customSecurityConfig.roles }}
roles.yml: |
---
_meta:
type: "roles"
config_version: 2
# The security REST API access role is used to assign specific users access to change the security settings through the REST API.
security_rest_api_access:
reserved: true
{{ .Values.opensearch.customSecurityConfig.roles | toYaml | nindent 4 }}
{{- end }}
{{- end }}
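Review bot: The security-config Secret is declared as `type: kubernetes.io/opaque`, which is not one of the built-in Secret types; the conventional value for arbitrary key/value data is `type: Opaque`. The `genCA`/`genSignedCert` calls in the TLS Secret are evaluated on every render, so each `helm upgrade` issues a new CA and node/admin certificates, while a cluster that is not upgraded for 90 days ends up with expired node certificates; add a note above that Secret, e.g. `# CA (365 d) and node/admin certs (90 d) are regenerated on every helm upgrade; upgrade before they expire.`. The `internal_users.yml` block is rendered whenever `customSecurityConfig.internalUsers` is non-empty, which it is with the chart's default values where both `hash` fields are `""`, so a forgotten `--set` produces users with an empty hash (what OpenSearch does with that is not visible here); a `required` call on each hash value in this template would fail the render with a clear message instead.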
151 changes: 151 additions & 0 deletions helm/reana/values.yaml
Expand Up @@ -189,3 +189,154 @@ quota:
# backward compatibility
disk_update: "0 3 * * *" # everyday at 3am
termination_update_policy: ""

# OpenSearch chart values.yaml
opensearch:
enabled: false
generateCerts: true
singleNode: true # advanced storage configuration needed if set to false
config:
opensearch.yml: |
cluster.name: opensearch-cluster
network.host: 0.0.0.0
plugins:
security:
nodes_dn:
- "CN=opensearch.reana.io"
authcz:
admin_dn:
- "CN=opensearch-admin.reana.io"
ssl:
transport:
pemcert_filepath: certs/tls.crt
pemkey_filepath: certs/tls.key
pemtrustedcas_filepath: certs/ca.crt
enforce_hostname_verification: false
http:
enabled: true
pemcert_filepath: certs/tls.crt
pemkey_filepath: certs/tls.key
pemtrustedcas_filepath: certs/ca.crt
allow_default_init_securityindex: true
check_snapshot_restore_write_privileges: true
enable_snapshot_restore_privilege: true
ssl_cert_reload_enabled: true # https://opensearch.org/docs/latest/security/access-control/api/#reload-transport-certificates
restapi:
roles_enabled:
- all_access
- security_rest_api_access
system_indices:
enabled: true
indices:
[
".opendistro-alerting-config",
".opendistro-alerting-alert*",
".opendistro-anomaly-results*",
".opendistro-anomaly-detector*",
".opendistro-anomaly-checkpoints",
".opendistro-anomaly-detection-state",
".opendistro-reports-*",
".opendistro-notifications-*",
".opendistro-notebooks",
".opendistro-asynchronous-search-response*",
]
extraEnvs:
- name: DISABLE_INSTALL_DEMO_CONFIG
value: "true"
secretMounts:
- name: reana-opensearch-tls-secret
secretName: reana-opensearch-tls-secret
path: /usr/share/opensearch/config/certs
resources:
requests:
cpu: "1000m"
memory: "4Gi"
persistence:
enabled: false
securityConfig:
enabled: true
internalUsersSecret: "reana-opensearch-config-secret"
rolesSecret: "reana-opensearch-config-secret"
rolesMappingSecret: "reana-opensearch-config-secret"
extraVolumes:
- name: reana-opensearch-volume
hostPath:
path: /var/reana
# You can instead configure infrastructure volume:
# - name: reana-opensearch-volume
# persistentVolumeClaim:
# claimName: reana-infrastructure-persistent-volume
# readOnly: false
# Or shared volume:
# - name: reana-opensearch-volume
# persistentVolumeClaim:
# claimName: reana-shared-persistent-volume
# readOnly: false
extraVolumeMounts:
- mountPath: /usr/share/opensearch/data
subPath: opensearch
name: reana-opensearch-volume
# Configure REANA and FluentBit users and roles for job log collection
customSecurityConfig:
internalUsers:
reana:
hash: "" # Required. To generate hash, run plugins/opensearch-security/tools/hash.sh -p <new-password>; supply in Helm command flags
reserved: false
backend_roles:
- readall
description: REANA user
fluentbit:
hash: "" # Required. To generate hash, run plugins/opensearch-security/tools/hash.sh -p <new-password>; supply in Helm command flags
reserved: false
backend_roles:
- fluentbit
description: FluentBit user
roles:
fluentbit:
reserved: true
hidden: false
description: Provide the minimum permissions for fluentbit
cluster_permissions:
- cluster_monitor
- cluster_composite_ops
- indices:admin/template/get
- indices:admin/template/put
- cluster:admin/ingest/pipeline/put
- cluster:admin/ingest/pipeline/get
index_permissions:
- index_patterns:
- fluentbit-*
fls: []
masked_fields: []
allowed_actions:
- crud
- create_index
tenant_permissions: []
static: true
rolesMapping:
fluentbit:
hosts: []
users: []
reserved: false
hidden: false
backend_roles:
- fluentbit
and_backend_roles: []
own_index:
hosts: []
users:
- "*"
reserved: false
hidden: false
backend_roles: []
and_backend_roles: []
description: Allow full access to an index named like the username
readall:
hosts: []
users:
- "reana"
reserved: false
hidden: false
backend_roles:
- readall
and_backend_roles: []
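Review bot: `secretMounts[0].secretName`, `internalUsersSecret`, `rolesSecret` and `rolesMappingSecret` hard-code the `reana-` prefix, while templates/secrets.yaml names those Secrets `{{ include "reana.prefix" . }}-opensearch-tls-secret` and `-opensearch-config-secret`; whenever the rendered prefix is not `reana` (the README states names are prefixed with the release name), the OpenSearch pods will reference Secrets that do not exist. Since these are subchart values and cannot be templated here, at least document the coupling above `secretMounts` and `securityConfig`: `# must match the Secret names rendered by templates/secrets.yaml; override when the release prefix is not "reana"`. The two `hash: ""` entries are described as required in their comments, but nothing in the chart enforces that they are set; documenting the exact `--set` path next to them (e.g. `opensearch.customSecurityConfig.internalUsers.reana.hash`) would make the instruction actionable.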
