opensearch-project · idanl21 · Apr 26, 2022 · Apr 21, 2022 · Apr 24, 2022
@@ -133,6 +133,27 @@ Using `spec.general.additionalConfig` you can add settings to all nodes, using `
 
 As of right now the settings cannot be changed after the initial installation of the cluster (that feature is planned for the next version). If you need to change any settings please use the [Cluster Settings API](https://opensearch.org/docs/latest/opensearch/configuration/#update-cluster-settings-using-the-api) to change them at runtime.
 
+## Configuring opensearch_dashboards.yml
+
+You can customize the OpenSearch dashboard configuration file [`opensearch_dashboards.yml`](https://github.com/opensearch-project/OpenSearch-Dashboards/blob/main/config/opensearch_dashboards.yml) using the `additionalConfig` field in the dashboards section of the `OpenSearchCluster` custom resource:
+
+```yaml
+apiVersion: opensearch.opster.io/v1
+kind: OpenSearchCluster
+...
+spec:
+  dashboards:
+    additionalConfig:
+      opensearch_security.auth.type: "proxy"
+      opensearch.requestHeadersWhitelist: |
+        ["securitytenant","Authorization","x-forwarded-for","x-auth-request-access-token", "x-auth-request-email", "x-auth-request-groups"]
+      opensearch_security.multitenancy.enabled: "true"
+```
+
+This allows one to set up any of the [backend](https://opensearch.org/docs/latest/security-plugin/configuration/configuration/) authentication types for the dashboard.
+
+*The configuration must be valid or the dashboard will fail to start.*
+
 ## TLS
 
 For security reasons communication with the opensearch cluster and between cluster nodes is only done encrypted. If you do not configure anything opensearch will use included demo TLS certificates that are not suited for real deployments.
@@ -159,7 +180,7 @@ spec:
           name:  # Name of the secret that contains the provided certificate
         caSecret:
           name:  # Name of the secret that contains a CA the operator should use
-        nodesDn: []  # List of certificate DNs allowed to connect 
+        nodesDn: []  # List of certificate DNs allowed to connect
         adminDn: []  # List of certificate DNs that should get admin access
 # ...
 ```

@@ -90,6 +90,8 @@ type DashboardsConfig struct {
 	Replicas  int32                       `json:"replicas"`
 	Tls       *DashboardsTlsConfig        `json:"tls,omitempty"`
 	Version   string                      `json:"version"`
+	// Additional properties for opensearch_dashboards.yaml
+	AdditionalConfig map[string]string `json:"additionalConfig,omitempty"`
 	// Secret that contains fields username and password for dashboards to use to login to opensearch, must only be supplied if a custom securityconfig is provided
 	OpensearchCredentialsSecret corev1.LocalObjectReference `json:"opensearchCredentialsSecret,omitempty"`
 }

@@ -53,6 +53,11 @@ spec:
                 type: object
               dashboards:
                 properties:
+                  additionalConfig:
+                    additionalProperties:
+                      type: string
+                    description: Additional properties for opensearch_dashboards.yaml
+                    type: object
                   enable:
                     type: boolean
                   opensearchCredentialsSecret:

@@ -61,6 +61,11 @@ func (r *DashboardsReconciler) Reconcile() (ctrl.Result, error) {
 		return ctrl.Result{}, err
 	}
 
+	// add any aditional dashboard config to the reconciler context
+	for key, value := range r.instance.Spec.Dashboards.AdditionalConfig {
+		r.reconcilerContext.AddDashboardsConfig(key, value)
+	}
+
 	cm := builders.NewDashboardsConfigMapForCR(r.instance, fmt.Sprintf("%s-dashboards-config", r.instance.Name), r.reconcilerContext.DashboardsConfig)
 	result.CombineErr(ctrl.SetControllerReference(r.instance, cm, r.Client.Scheme()))
 	result.Combine(r.ReconcileResource(cm, reconciler.StatePresent))

@@ -2,6 +2,7 @@ package reconcilers
 
 import (
 	"context"
+	"strings"
 	"time"
 
 	appsv1 "k8s.io/api/apps/v1"
@@ -159,6 +160,50 @@ var _ = Describe("Dashboards Reconciler", func() {
 		})
 	})
 
+	Context("When running the dashboards reconciler with additionalConfig supplied", func() {
+		It("should populate the dashboard config with these values", func() {
+			clusterName := "dashboards-add-config"
+			spec := opsterv1.OpenSearchCluster{
+				ObjectMeta: metav1.ObjectMeta{Name: clusterName, Namespace: clusterName, UID: "dummyuid"},
+				Spec: opsterv1.ClusterSpec{
+					General: opsterv1.GeneralConfig{ServiceName: clusterName},
+					Dashboards: opsterv1.DashboardsConfig{
+						Enable: true,
+						AdditionalConfig: map[string]string{
+							"foo": "bar",
+						},
+					},
+				}}
+			ns := corev1.Namespace{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: clusterName,
+				},
+			}
+			err := k8sClient.Create(context.Background(), &ns)
+			Expect(err).ToNot(HaveOccurred())
+
+			reconcilerContext := NewReconcilerContext(spec.Spec.NodePools)
+			underTest := NewDashboardsReconciler(
+				k8sClient,
+				context.Background(),
+				&helpers.MockEventRecorder{},
+				&reconcilerContext,
+				&spec,
+			)
+			_, err = underTest.Reconcile()
+			Expect(err).ToNot(HaveOccurred())
+			configMap := corev1.ConfigMap{}
+			Eventually(func() bool {
+				err := k8sClient.Get(context.Background(), client.ObjectKey{Name: clusterName + "-dashboards-config", Namespace: clusterName}, &configMap)
+				return err == nil
+			}, timeout, interval).Should(BeTrue())
+
+			data, exists := configMap.Data["opensearch_dashboards.yml"]
+			Expect(exists).To(BeTrue())
+			Expect(strings.Contains(data, "foo: bar\n")).To(BeTrue())
+		})
+	})
+
 })
 
 func hasEnvWithSecretSource(env []corev1.EnvVar, name string, secretName string, secretKey string) bool {