Skip to content
/ pam-opensearch Public

Helm chart for Opensearch used by arbeidsplassen.no

License

MIT license
3 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

navikt/pam-opensearch

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

30 Commits

.github/workflows

.github/workflows

 
 

docker

docker

 
 

opensearch-dashboards

opensearch-dashboards

 
 

opensearch

opensearch

 
 

scripts

scripts

 
 

security

security

 
 

.gitignore

.gitignore

 
 

.helmignore

.helmignore

 
 

CODEOWNERS

CODEOWNERS

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

Repository files navigation

Opensearch

Helm chart for Opensearch

Installing the chart

Prerequisites:

  • A kubernetes cluster
  • Helm 3.x
  • openssl (for generating keys)

Virtual memory

Opensearch uses a mmapfs directory to store indices. It wont start if it detects low mmap counts. Set the limits with following command:

> sudo sysctl -w vm.max_map_count=262144

Install Opensearch with:

> cd opensearch
> export OPENSEARCH_RELEASE=arbeidsplassen-opensearch
> export OPENSEARCH_NAMESPACE=teampam
> ../scripts/generate_certs.sh
> ../scripts/generate_kubernetes_secrets.sh <changeme>
> ../scripts/deploy-opensearch.sh <path.to.values.yaml>

Install Dashbards with:

> cd opensearch-dashbards
> export DASHBOARDS_RELEASE=arbeidsplassen-dashboards
> export DASHBOARDS_NAMESPACE=teampam
> ../scripts/deploy-dashboards.sh <path.to.values.yaml>

Deploy to production:

Before going to production, reconfigure the settings in the values.yaml file according to your need. Depending on traffic load and index size, increase the memory for data and master nodes. More about settings

Linkerd

This chart is compatible with linkerd, you can enable/disable linkerd by setting the flag "security.linkerd.enabled" to true/false. When running with linkerd, it will create a networkpolicy, you need to change the policy according to your services.

Security

Security is now enabled by default. Opensearch supports a variety of authentication and authorization protocols like LDAP, Kerberos, SAML, OpenID and more. By default this installation creates a list of internal users with passwords. NOTE by convenient all users is set to the same password on startup, you can change this by logging into Dashboards and change the password there.

Use the script generate_certs.sh to generate self signed certs:

> ./scripts/generate_certs.sh

The script creates all keys necessary needed for this setup, and are placed under .secrets/ folder. Keep root-ca-key.pem and root-ca.pem in case you need to add more keys and need to sign them.

Apply the secrets to kubernetes using following command:

> ./scripts/generate_kubernetes_secrets.sh <password>

Remember to change the password later in Dashboards. Finally deploy with security enabled:

> ./scripts/deploy-opensearch.sh

About

Helm chart for Opensearch used by arbeidsplassen.no

Resources

Readme

License

MIT license

Security policy

Security policy
Activity
Custom properties

Stars

3 stars

Watchers

6 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages 1

 

Contributors 2

  •  
  •  

Languages