Add support for OpenSearch (#810)

* Add support for reconfigure Elasticsearch Signed-off-by: kamolhasan <kamol@appscode.com> * Add changes Signed-off-by: kamolhasan <kamol@appscode.com> * add admin certificate even if the eableSSL is false Signed-off-by: kamolhasan <kamol@appscode.com>
kubedb · Nov 2, 2021 · 6f31cb6 · 6f31cb6
1 parent b9f7ead
commit 6f31cb6
Show file tree

Hide file tree

Showing 4 changed files with 29 additions and 16 deletions.
diff --git a/apis/catalog/v1alpha1/elasticsearch_version_types.go b/apis/catalog/v1alpha1/elasticsearch_version_types.go
@@ -116,21 +116,23 @@ type ElasticsearchSecurityContext struct {
 	RunAsAnyNonRoot bool `json:"runAsAnyNonRoot,omitempty" protobuf:"varint,2,opt,name=runAsAnyNonRoot"`
 }
 
-// +kubebuilder:validation:Enum=OpenDistro;SearchGuard;X-Pack
+// +kubebuilder:validation:Enum=OpenDistro;SearchGuard;X-Pack;OpenSearch
 type ElasticsearchAuthPlugin string
 
 const (
 	ElasticsearchAuthPluginOpenDistro  ElasticsearchAuthPlugin = "OpenDistro"
+	ElasticsearchAuthPluginOpenSearch  ElasticsearchAuthPlugin = "OpenSearch"
 	ElasticsearchAuthPluginSearchGuard ElasticsearchAuthPlugin = "SearchGuard"
 	ElasticsearchAuthPluginXpack       ElasticsearchAuthPlugin = "X-Pack"
 )
 
-// +kubebuilder:validation:Enum=ElasticStack;OpenDistro;SearchGuard;KubeDB
+// +kubebuilder:validation:Enum=ElasticStack;OpenDistro;SearchGuard;KubeDB;OpenSearch
 type ElasticsearchDistro string
 
 const (
 	ElasticsearchDistroElasticStack ElasticsearchDistro = "ElasticStack"
 	ElasticsearchDistroOpenDistro   ElasticsearchDistro = "OpenDistro"
 	ElasticsearchDistroSearchGuard  ElasticsearchDistro = "SearchGuard"
 	ElasticsearchDistroKubeDB       ElasticsearchDistro = "KubeDB"
+	ElasticsearchDistroOpenSearch   ElasticsearchDistro = "OpenSearch"
 )
diff --git a/apis/kubedb/v1alpha2/constants.go b/apis/kubedb/v1alpha2/constants.go
@@ -74,13 +74,17 @@ const (
 	ElasticsearchPerformanceAnalyzerPortName     = "analyzer"
 	ElasticsearchNodeRoleSet                     = "set"
 	ElasticsearchConfigDir                       = "/usr/share/elasticsearch/config"
+	ElasticsearchOpenSearchConfigDir             = "/usr/share/opensearch/config"
 	ElasticsearchSecureSettingsDir               = "/elasticsearch/secure-settings"
 	ElasticsearchTempConfigDir                   = "/elasticsearch/temp-config"
 	ElasticsearchCustomConfigDir                 = "/elasticsearch/custom-config"
 	ElasticsearchDataDir                         = "/usr/share/elasticsearch/data"
+	ElasticsearchOpenSearchDataDir               = "/usr/share/opensearch/data"
 	ElasticsearchOpendistroSecurityConfigDir     = "/usr/share/elasticsearch/plugins/opendistro_security/securityconfig"
+	ElasticsearchOpenSearchSecurityConfigDir     = "/usr/share/opensearch/plugins/opensearch-security/securityconfig"
 	ElasticsearchSearchGuardSecurityConfigDir    = "/usr/share/elasticsearch/plugins/search-guard-%v/sgconfig"
 	ElasticsearchOpendistroReadallMonitorRole    = "readall_and_monitor"
+	ElasticsearchOpenSearchReadallMonitorRole    = "readall_and_monitor"
 	ElasticsearchSearchGuardReadallMonitorRoleV7 = "SGS_READALL_AND_MONITOR"
 	ElasticsearchSearchGuardReadallMonitorRoleV6 = "sg_readall_and_monitor"
 	ElasticsearchStatusGreen                     = "green"

diff --git a/apis/kubedb/v1alpha2/elasticsearch_helpers.go b/apis/kubedb/v1alpha2/elasticsearch_helpers.go
@@ -588,9 +588,10 @@ func (e *Elasticsearch) setDefaultInternalUsersAndRoleMappings(esVersion *catalo
 		return
 	}
 
-	// The internalUsers feature only works with searchGuard and openDistro
-	if esVersion.Spec.Distribution == catalog.ElasticsearchDistroOpenDistro ||
-		esVersion.Spec.Distribution == catalog.ElasticsearchDistroSearchGuard {
+	// The internalUsers feature only works with searchGuard, openSearch, and openDistro
+	if esVersion.Spec.AuthPlugin == catalog.ElasticsearchAuthPluginOpenDistro ||
+		esVersion.Spec.AuthPlugin == catalog.ElasticsearchAuthPluginSearchGuard ||
+		esVersion.Spec.AuthPlugin == catalog.ElasticsearchAuthPluginOpenSearch {
 
 		inUsers := e.Spec.InternalUsers
 		// If not set, create empty map
@@ -650,7 +651,7 @@ func (e *Elasticsearch) setDefaultInternalUsersAndRoleMappings(esVersion *catalo
 				rolesMapping = make(map[string]ElasticsearchRoleMapSpec)
 			}
 			var monitorRole string
-			if esVersion.Spec.Distribution == catalog.ElasticsearchDistroSearchGuard {
+			if esVersion.Spec.AuthPlugin == catalog.ElasticsearchAuthPluginSearchGuard {
 				// readall_and_monitor role name varies in ES version
 				// 	V7        = "SGS_READALL_AND_MONITOR"
 				//	V6        = "sg_readall_and_monitor"
@@ -664,8 +665,10 @@ func (e *Elasticsearch) setDefaultInternalUsersAndRoleMappings(esVersion *catalo
 					// Required during upgrade process, from v6 --> v7
 					delete(rolesMapping, string(ElasticsearchSearchGuardReadallMonitorRoleV6))
 				}
-			} else {
+			} else if esVersion.Spec.AuthPlugin == catalog.ElasticsearchAuthPluginOpenDistro {
 				monitorRole = ElasticsearchOpendistroReadallMonitorRole
+			} else {
+				monitorRole = ElasticsearchOpenSearchReadallMonitorRole
 			}
 
 			// Create rolesMapping if not exists.
@@ -712,6 +715,17 @@ func (e *Elasticsearch) SetTLSDefaults(esVersion *catalog.ElasticsearchVersion)
 		SecretName: e.CertificateName(ElasticsearchTransportCert),
 	})
 
+	// Set missing admin certificate spec, if authPlugin is "OpenDistro", "SearchGuard", or "OpenSearch"
+	// Create the admin certificate, even if the enable.SSL is false. This is necessary to securityadmin.sh command.
+	if esVersion.Spec.AuthPlugin == catalog.ElasticsearchAuthPluginSearchGuard ||
+		esVersion.Spec.AuthPlugin == catalog.ElasticsearchAuthPluginOpenDistro ||
+		esVersion.Spec.AuthPlugin == catalog.ElasticsearchAuthPluginOpenSearch {
+		tlsConfig.Certificates = kmapi.SetMissingSpecForCertificate(tlsConfig.Certificates, kmapi.CertificateSpec{
+			Alias:      string(ElasticsearchAdminCert),
+			SecretName: e.CertificateName(ElasticsearchAdminCert),
+		})
+	}
+
 	// If SSL is enabled, set missing certificate spec
 	if e.Spec.EnableSSL {
 		// http
@@ -720,15 +734,6 @@ func (e *Elasticsearch) SetTLSDefaults(esVersion *catalog.ElasticsearchVersion)
 			SecretName: e.CertificateName(ElasticsearchHTTPCert),
 		})
 
-		// Set missing admin certificate spec, if authPlugin is either "OpenDistro" or "SearchGuard"
-		if esVersion.Spec.Distribution == catalog.ElasticsearchDistroSearchGuard ||
-			esVersion.Spec.Distribution == catalog.ElasticsearchDistroOpenDistro {
-			tlsConfig.Certificates = kmapi.SetMissingSpecForCertificate(tlsConfig.Certificates, kmapi.CertificateSpec{
-				Alias:      string(ElasticsearchAdminCert),
-				SecretName: e.CertificateName(ElasticsearchAdminCert),
-			})
-		}
-
 		// Set missing metrics-exporter certificate, if monitoring is enabled.
 		if e.Spec.Monitor != nil {
 			// matrics-exporter

diff --git a/crds/catalog.kubedb.com_elasticsearchversions.yaml b/crds/catalog.kubedb.com_elasticsearchversions.yaml
@@ -53,6 +53,7 @@ spec:
                 - OpenDistro
                 - SearchGuard
                 - X-Pack
+                - OpenSearch
                 type: string
               db:
                 properties:
@@ -69,6 +70,7 @@ spec:
                 - OpenDistro
                 - SearchGuard
                 - KubeDB
+                - OpenSearch
                 type: string
               exporter:
                 properties: