Add securityconfig reconciler #61
@@ -81,25 +81,23 @@ type ConfMgmt struct { | |
type DashboardsConfig struct { | ||
Enable bool `json:"enable,omitempty"` | ||
Tls *DashboardsTlsConfig `json:"tls,omitempty"` | ||
// Secret that contains fields username and password for dashboards to use to login to opensearch, must only be supplied if a custom securityconfig is provided | ||
OpensearchCredentialsSecret corev1.LocalObjectReference `json:"opensearchCredentialsSecret,omitempty"` | ||
} | ||
|
||
type DashboardsTlsConfig struct { | ||
// Enable HTTPS for Dashboards | ||
Enable bool `json:"enable,omitempty"` | ||
// Generate certificate, if false either secret or keySecret & certSecret must be provided | ||
// Generate certificate, if false secret must be provided | ||
Generate bool `json:"generate,omitempty"` | ||
// Optional, name of a secret that contains tls.key and tls.crt data, use either this or set the separate keySecret and certSecret fields | ||
Secret string `json:"secret,omitempty"` | ||
// Optional, secret that contains the private key | ||
KeySecret *TlsSecret `json:"keySecret,omitempty"` | ||
// Optional, secret that contains the certificate for the private key, must be signed by the provided CA | ||
CertSecret *TlsSecret `json:"certSecret,omitempty"` | ||
// foobar | ||
CertificateConfig TlsCertificateConfig `json:",inline,omitempty"` | ||
} | ||
|
||
// Security defines options for managing the opensearch-security plugin | ||
type Security struct { | ||
Tls *TlsConfig `json:"tls,omitempty"` | ||
// TBD: securityconfig | ||
Tls *TlsConfig `json:"tls,omitempty"` | ||
Config *SecurityConfig `json:"config,omitempty"` | ||
} | ||
|
||
// Configure tls usage for transport and http interface | ||
|
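Review bot: `CertificateConfig TlsCertificateConfig` with the tag `json:",inline,omitempty"` in `DashboardsTlsConfig` is a named field, and `encoding/json` only flattens anonymous (embedded) struct fields; `inline` is not an option `encoding/json` knows, so on the operator side the decoder will look for the sub-fields under a `CertificateConfig` key, while the generated CRD schema (controller-gen does treat `inline` as flattening) presents them directly under `tls`. Values a user sets there would pass the apiserver and then be silently ignored by the operator. Embed the struct anonymously (`TlsCertificateConfig` with `json:",inline"`), which is how the removed `Secret`/`KeySecret`/`CertSecret` fields were effectively exposed, or give it an explicit JSON key. The `// foobar` placeholder comment on that field also needs a real description, since field comments end up as the CRD's `description` strings; the comment updated on `Generate` (`if false secret must be provided`) is the text to mirror.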
@@ -139,6 +137,15 @@ type TlsSecret struct { | |
Key *string `json:"key,omitempty"` | ||
} | ||
|
||
type SecurityConfig struct { | ||
// Secret that contains the differnt yml files of the opensearch-security config (config.yml, internal_users.yml, ...) | ||
SecurityconfigSecret corev1.LocalObjectReference `json:"securityConfigSecret,omitempty"` | ||
// TLS Secret that contains a client certificate (tls.key, tls.crt, ca.crt) with admin rights in the opensearch cluster. Must be set if transport certificates are provided by user and not generated | ||
AdminSecret corev1.LocalObjectReference `json:"adminSecret,omitempty"` | ||
// Secret that contains fields username and password to be used by the operator to access the opensearch cluster for node draining. Must be set if custom securityconfig is provided. | ||
AdminCredentialsSecret corev1.LocalObjectReference `json:"adminCredentialsSecret,omitempty"` | ||
What do you mean by `access the opensearch cluster for node draining`? Why for node draining?

When the scaler drains a node it uses the API to exclude the node from hosting shards. This requests cluster credentials.
||
} | ||
|
||
// ClusterSpec defines the desired state of OpenSearchCluster | ||
type ClusterSpec struct { | ||
// INSERT ADDITIONAL SPEC FIELDS - desired state of cluster | ||
|
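Review bot: The requirements the comments state for `AdminSecret` ("Must be set if transport certificates are provided by user and not generated") and `AdminCredentialsSecret` ("Must be set if custom securityconfig is provided") exist only as comments; nothing in this hunk enforces them, so a cluster with `securityConfigSecret` set but no `adminCredentialsSecret` is accepted and only fails later, when the scaler tries to drain a node without credentials (see the discussion above). Add the cross-field check, either as a validating webhook or as an early reconciler check that sets a condition on the `OpenSearchCluster` status, so the mistake is reported at apply time. Since the comment says the `adminSecret` client certificate carries admin rights in the cluster, the reconciler should also mount it only into whatever applies the securityconfig, not into every node pod. Minor: `differnt` should be `different`, and the Go field `SecurityconfigSecret` is cased differently from its JSON name `securityConfigSecret` and from the `SecurityConfig` type; `SecurityConfigSecret` would be consistent.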
Is the expectation here that the user builds these config files themselves with the appropriate usernames and passwords? Would we consider creating the configs for the user (https://github.com/rancher-sandbox/opni-opensearch-operator/blob/main/pkg/resources/opensearch/config.go#L128-L163 is how I did it in the other operator for reference)?
That is the expectation. In all projects where I used and use opensearch I need to configure custom users and roles, so the approach you took would not be enough.
My idea was to extend it in a later version so that users/roles can be specified via CRDs (something like `kind: OpenSearchUser` or `kind: OpenSearchRole`) to make the management of it more kubernetes-native.
Understood. One approach might be to use the internal_users config just for initial population of users (admin and ops user), and then reconcile additional users directly against the users API rather than going through the config.