Add securityconfig reconciler #61

Merged
merged 6 commits into from
Mar 14, 2022
25 changes: 16 additions & 9 deletions opensearch-operator/api/v1/opensearch_types.go
Expand Up @@ -81,25 +81,23 @@ type ConfMgmt struct {
type DashboardsConfig struct {
Enable bool `json:"enable,omitempty"`
Tls *DashboardsTlsConfig `json:"tls,omitempty"`
// Secret that contains fields username and password for dashboards to use to login to opensearch, must only be supplied if a custom securityconfig is provided
OpensearchCredentialsSecret corev1.LocalObjectReference `json:"opensearchCredentialsSecret,omitempty"`
}

type DashboardsTlsConfig struct {
// Enable HTTPS for Dashboards
Enable bool `json:"enable,omitempty"`
// Generate certificate, if false either secret or keySecret & certSecret must be provided
// Generate certificate, if false secret must be provided
Generate bool `json:"generate,omitempty"`
// Optional, name of a secret that contains tls.key and tls.crt data, use either this or set the separate keySecret and certSecret fields
Secret string `json:"secret,omitempty"`
// Optional, secret that contains the private key
KeySecret *TlsSecret `json:"keySecret,omitempty"`
// Optional, secret that contains the certificate for the private key, must be signed by the provided CA
CertSecret *TlsSecret `json:"certSecret,omitempty"`
// foobar
CertificateConfig TlsCertificateConfig `json:",inline,omitempty"`
}

// Security defines options for managing the opensearch-security plugin
type Security struct {
Tls *TlsConfig `json:"tls,omitempty"`
// TBD: securityconfig
Tls *TlsConfig `json:"tls,omitempty"`
Config *SecurityConfig `json:"config,omitempty"`
}

// Configure tls usage for transport and http interface
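Review bot: `CertificateConfig TlsCertificateConfig \`json:",inline,omitempty"\`` is a named field, and encoding/json only flattens a struct with an empty JSON name when it is an anonymous embedded field; `inline` is not an option encoding/json recognises, so at runtime this will most likely serialise as a nested `CertificateConfig` object, while controller-gen does honour `inline` and flattens it in the CRD schema (the generated `caSecret` and `secret` properties sitting directly under `tls` in this PR show that). Suggest embedding it anonymously as `TlsCertificateConfig \`json:",inline"\`` so the API server schema and the Go marshalling agree. The `// foobar` comment above the field is also a placeholder; replace it with a real doc comment, since that text is what ends up in the generated CRD description.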
Expand Down Expand Up @@ -139,6 +137,15 @@ type TlsSecret struct {
Key *string `json:"key,omitempty"`
}

type SecurityConfig struct {
// Secret that contains the differnt yml files of the opensearch-security config (config.yml, internal_users.yml, ...)
SecurityconfigSecret corev1.LocalObjectReference `json:"securityConfigSecret,omitempty"`
Collaborator: Is the expectation here that the user builds these config files themselves with the appropriate usernames and passwords? Would we consider creating the configs for the user (https://github.com/rancher-sandbox/opni-opensearch-operator/blob/main/pkg/resources/opensearch/config.go#L128-L163 is how I did it in the other operator for reference)?

Collaborator (Author): That is the expectation. In all projects where I used and use OpenSearch I need to configure custom users and roles, so the approach you took would not be enough.
My idea was to extend it in a later version so that users/roles can be specified via CRDs (something like kind: OpenSearchUser or kind: OpenSearchRole) to make the management of it more Kubernetes-native.

Collaborator: Understood. One approach might be to use the internal_users config just for initial population of users (admin and ops user), and then reconcile additional users directly against the users API rather than going through the config.

// TLS Secret that contains a client certificate (tls.key, tls.crt, ca.crt) with admin rights in the opensearch cluster. Must be set if transport certificates are provided by user and not generated
AdminSecret corev1.LocalObjectReference `json:"adminSecret,omitempty"`
// Secret that contains fields username and password to be used by the operator to access the opensearch cluster for node draining. Must be set if custom securityconfig is provided.
AdminCredentialsSecret corev1.LocalObjectReference `json:"adminCredentialsSecret,omitempty"`
Collaborator: What do you mean by "access the opensearch cluster for node draining"? Why for node draining?

Collaborator: When the scaler drains a node it uses the API to exclude the node from hosting shards. This requires cluster credentials.

}

// ClusterSpec defines the desired state of OpenSearchCluster
type ClusterSpec struct {
// INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
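Review bot: the "Must be set if ..." constraints on `SecurityconfigSecret`, `AdminSecret` and `AdminCredentialsSecret` exist only as comments; nothing in this hunk enforces them, and `omitempty` on a `corev1.LocalObjectReference` means an empty `name` is schema-valid. Suggest a precondition in the securityconfig reconciler (or a validating webhook) that rejects a custom `securityConfigSecret` supplied without `adminCredentialsSecret` and emits an event, rather than failing later when the scaler first tries to drain a node. Two documentation points on the same lines: the `SecurityconfigSecret` comment has `differnt` (it propagates into the generated CRD), and, following the thread above, the `AdminCredentialsSecret` comment should say what the account is used for in general (operator access to the cluster API, such as the shard-allocation exclusion the scaler performs) and which permissions it actually needs, so users can give it a scoped role instead of reusing the full admin user.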
37 changes: 26 additions & 11 deletions opensearch-operator/api/v1/zz_generated.deepcopy.go


Expand Up @@ -55,41 +55,46 @@ spec:
properties:
enable:
type: boolean
opensearchCredentialsSecret:
description: Secret that contains fields username and password
for dashboards to use to login to opensearch, must only be supplied
if a custom securityconfig is provided
properties:
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
type: string
type: object
tls:
properties:
certSecret:
description: Optional, secret that contains the certificate
for the private key, must be signed by the provided CA
caSecret:
description: Optional, secret that contains the ca certificate
as ca.crt. If this and generate=true is set the existing
CA cert from that secret is used to generate the node certs.
In this case must contain ca.crt and ca.key fields
properties:
key:
type: string
secretName:
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
type: string
required:
- secretName
type: object
enable:
description: Enable HTTPS for Dashboards
type: boolean
generate:
description: Generate certificate, if false either secret
or keySecret & certSecret must be provided
description: Generate certificate, if false secret must be
provided
type: boolean
keySecret:
description: Optional, secret that contains the private key
secret:
description: Optional, name of a TLS secret that contains
ca.crt, tls.key and tls.crt data. If ca.crt is in a different
secret provide it via the caSecret field
properties:
key:
type: string
secretName:
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
type: string
required:
- secretName
type: object
secret:
description: Optional, name of a secret that contains tls.key
and tls.crt data, use either this or set the separate keySecret
and certSecret fields
type: string
type: object
type: object
general:
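Review bot: the new `caSecret` and `secret` object schemas carry no `required` entry for `name`, whereas the `secretName` they replace was listed under `required:`, so `tls: {caSecret: {}}` now passes admission and fails only at reconcile time; if `name` is mandatory whenever the object is given, check for an empty `name` in the reconciler and surface it as a clear event rather than attempting a lookup of a Secret named "". The `caSecret` description also says that with `generate: true` the secret must hold `ca.key`; it is worth stating there that the operator then reads the CA private key, so users know to restrict access to that Secret accordingly.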
Expand Down Expand Up @@ -1130,6 +1135,41 @@ spec:
description: Security defines options for managing the opensearch-security
plugin
properties:
config:
properties:
adminCredentialsSecret:
description: Secret that contains fields username and password
to be used by the operator to access the opensearch cluster
for node draining. Must be set if custom securityconfig
is provided.
properties:
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
type: string
type: object
adminSecret:
description: TLS Secret that contains a client certificate
(tls.key, tls.crt, ca.crt) with admin rights in the opensearch
cluster. Must be set if transport certificates are provided
by user and not generated
properties:
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
type: string
type: object
securityConfigSecret:
description: Secret that contains the differnt yml files of
the opensearch-security config (config.yml, internal_users.yml,
...)
properties:
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
type: string
type: object
type: object
tls:
description: Configure tls usage for transport and http interface
properties:
16 changes: 16 additions & 0 deletions opensearch-operator/controllers/opensearchController.go
Expand Up @@ -158,6 +158,13 @@ func (r *OpenSearchClusterReconciler) deleteExternalResources(ctx context.Contex
&reconcilerContext,
r.Instance,
)
securityconfig := reconcilers.NewSecurityconfigReconciler(
r.Client,
ctx,
r.Recorder,
&reconcilerContext,
r.Instance,
)
config := reconcilers.NewConfigurationReconciler(
r.Client,
ctx,
Expand All @@ -182,6 +189,7 @@ func (r *OpenSearchClusterReconciler) deleteExternalResources(ctx context.Contex

componentReconcilers := []reconcilers.ComponentReconciler{
tls.DeleteResources,
securityconfig.DeleteResources,
config.DeleteResources,
cluster.DeleteResources,
dashboards.DeleteResources,
Expand Down Expand Up @@ -230,6 +238,13 @@ func (r *OpenSearchClusterReconciler) reconcilePhaseRunning(ctx context.Context)
&reconcilerContext,
r.Instance,
)
securityconfig := reconcilers.NewSecurityconfigReconciler(
r.Client,
ctx,
r.Recorder,
&reconcilerContext,
r.Instance,
)
config := reconcilers.NewConfigurationReconciler(
r.Client,
ctx,
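Review bot: this block is identical to the one added to deleteExternalResources above (same five arguments in the same order), and every other component reconciler in both functions is constructed the same way; consider one helper that builds the reconciler set once for both phases, so a future reconciler cannot be registered in `reconcilePhaseRunning` and forgotten in `deleteExternalResources` (or vice versa).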
Expand Down Expand Up @@ -261,6 +276,7 @@ func (r *OpenSearchClusterReconciler) reconcilePhaseRunning(ctx context.Context)

componentReconcilers := []reconcilers.ComponentReconciler{
tls.Reconcile,
securityconfig.Reconcile,
config.Reconcile,
cluster.Reconcile,
scaler.Reconcile,
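Review bot: `securityconfig.Reconcile` is placed after `tls.Reconcile` but before `cluster.Reconcile`, so on a fresh cluster it runs before any OpenSearch pods exist; if applying the securityconfig depends on the admin client certificate produced by the TLS reconciler and on a reachable cluster, document that ordering dependency here and make sure the reconciler requeues instead of returning an error while the cluster is still coming up. `DeleteResources` above uses the same position, which is fine as long as deletion does not require the cluster to be reachable.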