diff --git a/charts/opensearch-cluster/.helmignore b/charts/opensearch-cluster/.helmignore new file mode 100644 index 00000000..0e8a0eb3 --- /dev/null +++ b/charts/opensearch-cluster/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/opensearch-cluster/CHANGELOG.md b/charts/opensearch-cluster/CHANGELOG.md index cda46edd..4d110dc2 100644 --- a/charts/opensearch-cluster/CHANGELOG.md +++ b/charts/opensearch-cluster/CHANGELOG.md @@ -14,6 +14,22 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Security --- +## [3.0.0] +### Added +- Now it is possible to define any configuration that is supported by corresponding CRD by using exactly the same format +as it is defined in the CRD +- Support for all existing CRDs +- Ingress configuration for Opensearch and Dashboards +- Auto-generated README.md file with description for all possible configuration values +### Changed +- `opensearchCluster` variable was replaced by `cluster`. The configuration structure of each custom resource (OpenSearchCluster, OpensearchIndexTemplate, etc) follows the corresponding CRD documentation +### Deprecated +- opensearch-cluster helm chart is a fully refactored chart. Before upgrading to v3 check that [default chart values](../../charts/opensearch-cluster/values.yaml) + matches with your configuration. +### Removed +### Fixed +### Security + ## [2.6.1] ### Added ### Changed diff --git a/charts/opensearch-cluster/Chart.yaml b/charts/opensearch-cluster/Chart.yaml index c5cb2524..84cee84a 100644 --- a/charts/opensearch-cluster/Chart.yaml +++ b/charts/opensearch-cluster/Chart.yaml 
@@ -4,7 +4,7 @@ description: A Helm chart for OpenSearch Cluster type: application ## The opensearch-cluster Helm Chart version -version: 2.7.0 +version: 3.0.0 ## The operator version appVersion: 2.7.0 diff --git a/charts/opensearch-cluster/README.md b/charts/opensearch-cluster/README.md new file mode 100644 index 00000000..e72c6b7c --- /dev/null +++ b/charts/opensearch-cluster/README.md 
@@ -0,0 +1,109 @@ +# opensearch-cluster + +![Version: 3.0.0](https://img.shields.io/badge/Version-3.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.7.0](https://img.shields.io/badge/AppVersion-2.7.0-informational?style=flat-square) + +A Helm chart for OpenSearch Cluster + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| actionGroups | list | `[]` | List of OpensearchActionGroup. Check values.yaml file for examples. | +| cluster.annotations | object | `{}` | OpenSearchCluster annotations | +| cluster.bootstrap.additionalConfig | object | `{}` | bootstrap additional configuration, key-value pairs that will be added to the opensearch.yml configuration | +| cluster.bootstrap.affinity | object | `{}` | bootstrap pod affinity rules | +| cluster.bootstrap.jvm | string | `""` | bootstrap pod jvm options. If jvm is not provided then the java heap size will be set to half of resources.requests.memory which is the recommend value for data nodes. 
If jvm is not provided and resources.requests.memory does not exist then value will be -Xmx512M -Xms512M | +| cluster.bootstrap.nodeSelector | object | `{}` | bootstrap pod node selectors | +| cluster.bootstrap.resources | object | `{}` | bootstrap pod cpu and memory resources | +| cluster.bootstrap.tolerations | list | `[]` | bootstrap pod tolerations | +| cluster.confMgmt.smartScaler | bool | `false` | Enable nodes to be safely removed from the cluster | +| cluster.dashboards.additionalConfig | object | `{}` | Additional properties for opensearch_dashboards.yaml | +| cluster.dashboards.affinity | object | `{}` | dashboards pod affinity rules | +| cluster.dashboards.annotations | object | `{}` | dashboards annotations | +| cluster.dashboards.basePath | string | `""` | dashboards Base Path for Opensearch Clusters running behind a reverse proxy | +| cluster.dashboards.enable | bool | `true` | Enable dashboards deployment | +| cluster.dashboards.env | list | `[]` | dashboards pod env variables | +| cluster.dashboards.image | string | `"docker.io/opensearchproject/opensearch-dashboards"` | dashboards image | +| cluster.dashboards.imagePullPolicy | string | `"IfNotPresent"` | dashboards image pull policy | +| cluster.dashboards.imagePullSecrets | list | `[]` | dashboards image pull secrets | +| cluster.dashboards.labels | object | `{}` | dashboards labels | +| cluster.dashboards.nodeSelector | object | `{}` | dashboards pod node selectors | +| cluster.dashboards.opensearchCredentialsSecret | object | `{}` | Secret that contains fields username and password for dashboards to use to login to opensearch, must only be supplied if a custom securityconfig is provided | +| cluster.dashboards.pluginsList | list | `[]` | List of dashboards plugins to install | +| cluster.dashboards.podSecurityContext | object | `{}` | dasboards pod security context configuration | +| cluster.dashboards.replicas | int | `1` | number of dashboards replicas | +| cluster.dashboards.resources | 
object | `{}` | dashboards pod cpu and memory resources | +| cluster.dashboards.securityContext | object | `{}` | dashboards security context configuration | +| cluster.dashboards.service.loadBalancerSourceRanges | list | `[]` | source ranges for a loadbalancer | +| cluster.dashboards.service.type | string | `"ClusterIP"` | dashboards service type | +| cluster.dashboards.tls.caSecret | object | `{}` | Secret that contains the ca certificate as ca.crt. If this and generate=true is set the existing CA cert from that secret is used to generate the node certs. In this case must contain ca.crt and ca.key fields | +| cluster.dashboards.tls.enable | bool | `false` | Enable HTTPS for dashboards | +| cluster.dashboards.tls.generate | bool | `true` | generate certificate, if false secret must be provided | +| cluster.dashboards.tls.secret | string | `nil` | Optional, name of a TLS secret that contains ca.crt, tls.key and tls.crt data. If ca.crt is in a different secret provide it via the caSecret field | +| cluster.dashboards.tolerations | list | `[]` | dashboards pod tolerations | +| cluster.dashboards.version | string | `"2.3.0"` | dashboards version | +| cluster.general.additionalConfig | object | `{}` | Extra items to add to the opensearch.yml | +| cluster.general.additionalVolumes | list | `[]` | Additional volumes to mount to all pods in the cluster. 
Supported volume types configMap, emptyDir, secret (with default Kubernetes configuration schema) | +| cluster.general.drainDataNodes | bool | `true` | Controls whether to drain data notes on rolling restart operations | +| cluster.general.httpPort | int | `9200` | Opensearch service http port | +| cluster.general.image | string | `"docker.io/opensearchproject/opensearch"` | Opensearch image | +| cluster.general.imagePullPolicy | string | `"IfNotPresent"` | Default image pull policy | +| cluster.general.keystore | list | `[]` | Populate opensearch keystore before startup | +| cluster.general.monitoring.enable | bool | `false` | Enable cluster monitoring | +| cluster.general.monitoring.monitoringUserSecret | string | `""` | Secret with 'username' and 'password' keys for monitoring user. You could also use OpenSearchUser CRD instead of setting it. | +| cluster.general.monitoring.pluginUrl | string | `""` | Custom URL for the monitoring plugin | +| cluster.general.monitoring.scrapeInterval | string | `"30s"` | How often to scrape metrics | +| cluster.general.monitoring.tlsConfig | object | `{}` | Override the tlsConfig of the generated ServiceMonitor | +| cluster.general.pluginsList | list | `[]` | List of Opensearch plugins to install | +| cluster.general.podSecurityContext | object | `{}` | Opensearch pod security context configuration | +| cluster.general.securityContext | object | `{}` | Opensearch securityContext | +| cluster.general.serviceAccount | string | `""` | Opensearch serviceAccount name. If Service Account doesn't exist it could be created by setting `serviceAccount.create` and `serviceAccount.name` | +| cluster.general.serviceName | string | `""` | Opensearch service name | +| cluster.general.setVMMaxMapCount | bool | `true` | Enable setVMMaxMapCount. 
OpenSearch requires the Linux kernel vm.max_map_count option to be set to at least 262144 | +| cluster.general.snapshotRepositories | list | `[]` | Opensearch snapshot repositories configuration | +| cluster.general.vendor | string | `"Opensearch"` | | +| cluster.general.version | string | `"2.3.0"` | Opensearch version | +| cluster.ingress.dashboards.annotations | object | `{}` | dashboards ingress annotations | +| cluster.ingress.dashboards.className | string | `""` | Ingress class name | +| cluster.ingress.dashboards.enabled | bool | `false` | Enable ingress for dashboards service | +| cluster.ingress.dashboards.hosts | list | `[]` | Ingress hostnames | +| cluster.ingress.dashboards.tls | list | `[]` | Ingress tls configuration | +| cluster.ingress.opensearch.annotations | object | `{}` | Opensearch ingress annotations | +| cluster.ingress.opensearch.className | string | `""` | Opensearch Ingress class name | +| cluster.ingress.opensearch.enabled | bool | `false` | Enable ingress for Opensearch service | +| cluster.ingress.opensearch.hosts | list | `[]` | Opensearch Ingress hostnames | +| cluster.ingress.opensearch.tls | list | `[]` | Opensearch tls configuration | +| cluster.initHelper.imagePullPolicy | string | `"IfNotPresent"` | initHelper image pull policy | +| cluster.initHelper.imagePullSecrets | list | `[]` | initHelper image pull secret | +| cluster.initHelper.resources | object | `{}` | initHelper pod cpu and memory resources | +| cluster.initHelper.version | string | `"1.36"` | initHelper version | +| cluster.labels | object | `{}` | OpenSearchCluster labels | +| cluster.name | string | `""` | OpenSearchCluster name, by default release name is used | +| cluster.nodePools | list | `[{"component":"masters","diskSize":"30Gi","replicas":3,"resources":{"limits":{"cpu":"500m","memory":"2Gi"},"requests":{"cpu":"500m","memory":"2Gi"}},"roles":["master","data"]}]` | Opensearch nodes configuration | +| cluster.security.config.adminCredentialsSecret | object | 
`{}` | Secret that contains fields username and password to be used by the operator to access the opensearch cluster for node draining. Must be set if custom securityconfig is provided. | +| cluster.security.config.adminSecret | object | `{}` | TLS Secret that contains a client certificate (tls.key, tls.crt, ca.crt) with admin rights in the opensearch cluster. Must be set if transport certificates are provided by user and not generated | +| cluster.security.config.securityConfigSecret | object | `{}` | Secret that contains the differnt yml files of the opensearch-security config (config.yml, internal_users.yml, etc) | +| cluster.security.tls.http.caSecret | object | `{}` | Optional, secret that contains the ca certificate as ca.crt. If this and generate=true is set the existing CA cert from that secret is used to generate the node certs. In this case must contain ca.crt and ca.key fields | +| cluster.security.tls.http.generate | bool | `true` | If set to true the operator will generate a CA and certificates for the cluster to use, if false - secrets with existing certificates must be supplied | +| cluster.security.tls.http.secret | object | `{}` | Optional, name of a TLS secret that contains ca.crt, tls.key and tls.crt data. If ca.crt is in a different secret provide it via the caSecret field | +| cluster.security.tls.transport.adminDn | list | `[]` | DNs of certificates that should have admin access, mainly used for securityconfig updates via securityadmin.sh, only used when existing certificates are provided | +| cluster.security.tls.transport.caSecret | object | `{}` | Optional, secret that contains the ca certificate as ca.crt. If this and generate=true is set the existing CA cert from that secret is used to generate the node certs. 
In this case must contain ca.crt and ca.key fields | +| cluster.security.tls.transport.generate | bool | `true` | If set to true the operator will generate a CA and certificates for the cluster to use, if false secrets with existing certificates must be supplied | +| cluster.security.tls.transport.nodesDn | list | `[]` | Allowed Certificate DNs for nodes, only used when existing certificates are provided | +| cluster.security.tls.transport.perNode | bool | `true` | Separate certificate per node | +| cluster.security.tls.transport.secret | object | `{}` | Optional, name of a TLS secret that contains ca.crt, tls.key and tls.crt data. If ca.crt is in a different secret provide it via the caSecret field | +| componentTemplates | list | `[]` | List of OpensearchComponentTemplate. Check values.yaml file for examples. | +| fullnameOverride | string | `""` | | +| indexTemplates | list | `[]` | List of OpensearchIndexTemplate. Check values.yaml file for examples. | +| ismPolicies | list | `[]` | List of OpenSearchISMPolicy. Check values.yaml file for examples. | +| nameOverride | string | `""` | | +| roles | list | `[]` | List of OpensearchRole. Check values.yaml file for examples. | +| serviceAccount.annotations | object | `{}` | Service Account annotations | +| serviceAccount.create | bool | `false` | Create Service Account | +| serviceAccount.name | string | `""` | Service Account name. Set `general.serviceAccount` to use this Service Account for the Opensearch cluster | +| tenants | list | `[]` | List of additional tenants. Check values.yaml file for examples. | +| users | list | `[]` | List of OpensearchUser. Check values.yaml file for examples. | +| usersRoleBinding | list | `[]` | Allows to link any number of users, backend roles and roles with a OpensearchUserRoleBinding. Each user in the binding will be granted each role Check values.yaml file for examples. 
| + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/opensearch-cluster/templates/NOTES.txt b/charts/opensearch-cluster/templates/NOTES.txt new file mode 100644 index 00000000..3ddcf87f --- /dev/null +++ b/charts/opensearch-cluster/templates/NOTES.txt 
@@ -0,0 +1,38 @@ +1. Get the Opensearch application URL by running these commands: +{{- if .Values.cluster.ingress.opensearch.enabled }} +{{- range $host := .Values.cluster.ingress.opensearch.hosts }} + {{- range .paths }} + http{{ if $.Values.cluster.ingress.opensearch.tls }}s{{ end }}://{{ $host.host }}{{ .path }} + {{- end }} +{{- end }} +{{- else }} + export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "opster.io/opensearch-cluster={{ .Values.cluster.name | default (include "opensearch-cluster.name" .) }}" -o jsonpath="{.items[0].metadata.name}") + export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}") + kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 9200:$CONTAINER_PORT + curl https://127.0.0.1:9200 -k +{{- end }} + +{{ if .Values.cluster.dashboards.enable }} +2. Get the Dashboards application URL by running these commands: +{{- if .Values.cluster.ingress.dashboards.enabled }} +{{- range $host := .Values.cluster.ingress.dashboards.hosts }} + {{- range .paths }} + http{{ if $.Values.cluster.ingress.dashboards.tls }}s{{ end }}://{{ $host.host }}{{ .path }} + {{- end }} +{{- end }} +{{- else if contains "NodePort" .Values.cluster.dashboards.service.type }} + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "opensearch-cluster.fullname" . }}) + export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + echo http://$NODE_IP:$NODE_PORT +{{- else if contains "LoadBalancer" .Values.cluster.dashboards.service.type }} + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "opensearch-cluster.fullname" . 
}}' + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "opensearch-cluster.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") + echo http://$SERVICE_IP:{{ .Values.service.port }} +{{- else if contains "ClusterIP" .Values.cluster.dashboards.service.type }} + export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "opensearch.cluster.dashboards={{ include "opensearch-cluster.name" . }}" -o jsonpath="{.items[0].metadata.name}") + export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}") + kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT + Visit http://127.0.0.1:8080 to use your application +{{- end }} +{{- end }} diff --git a/charts/opensearch-cluster/templates/_helpers.tpl b/charts/opensearch-cluster/templates/_helpers.tpl index 4e42eea8..61e3a114 100644 --- a/charts/opensearch-cluster/templates/_helpers.tpl +++ b/charts/opensearch-cluster/templates/_helpers.tpl @@ -1,10 +1,13 @@ -{{/* vim: set filetype=mustache: */}} {{/* Expand the name of the chart. */}} {{- define "opensearch-cluster.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{- define "opensearch-cluster.cluster-name" -}} +{{- default .Values.cluster.name .Release.Name | trunc 63 | trimSuffix "-" }} +{{- end }} {{/* Create a default fully qualified app name. 
@@ -12,52 +15,46 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this If release name contains chart name it will be used as a full name. */}} {{- define "opensearch-cluster.fullname" -}} -{{- if .Values.fullnameOverride -}} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} -{{- end -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} {{/* Create chart name and version as used by the chart label. */}} {{- define "opensearch-cluster.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} -{{- end -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} {{/* Common labels */}} {{- define "opensearch-cluster.labels" -}} helm.sh/chart: {{ include "opensearch-cluster.chart" . }} -{{ include "opensearch-cluster.selectorLabels" . }} {{- if .Chart.AppVersion }} app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} {{- end }} app.kubernetes.io/managed-by: {{ .Release.Service }} -{{- end -}} - -{{/* -Selector labels -*/}} -{{- define "opensearch-cluster.selectorLabels" -}} -app.kubernetes.io/name: {{ include "opensearch-cluster.name" . }} -app.kubernetes.io/instance: {{ .Release.Name }} -{{- end -}} +{{- with .Values.cluster.labels }} +{{ . 
| toYaml }} +{{- end }} +{{- end }} {{/* Create the name of the service account to use */}} {{- define "opensearch-cluster.serviceAccountName" -}} -{{- if .Values.serviceAccount.create -}} - {{ default (include "opensearch-cluster.fullname" .) .Values.serviceAccount.name }} -{{- else -}} - {{ default "default" .Values.serviceAccount.name }} -{{- end -}} -{{- end -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "opensearch-cluster.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} diff --git a/charts/opensearch-cluster/templates/actiongroups.yaml b/charts/opensearch-cluster/templates/actiongroups.yaml new file mode 100644 index 00000000..9884da6b --- /dev/null +++ b/charts/opensearch-cluster/templates/actiongroups.yaml @@ -0,0 +1,25 @@ +{{- $labels := include "opensearch-cluster.labels" . }} +{{- $clusterName := include "opensearch-cluster.cluster-name" . }} +{{- range .Values.actionGroups }} +--- +apiVersion: opensearch.opster.io/v1 +kind: OpensearchActionGroup +metadata: + name: {{ .name }} + {{- with $.Values.cluster.annotations }} + annotations: {{ . | toYaml | nindent 4 }} + {{- end }} + labels: {{ $labels | nindent 4 }} +spec: + opensearchCluster: + name: {{ $clusterName }} + {{- with .description }} + description: {{ . | toString }} + {{- end }} + {{- with .allowedActions }} + allowedActions: {{ . | toYaml | nindent 4 }} + {{- end }} + {{- with .type }} + type: {{ . | toString }} + {{- end }} +{{- end }} diff --git a/charts/opensearch-cluster/templates/cluster.yaml b/charts/opensearch-cluster/templates/cluster.yaml new file mode 100644 index 00000000..882d0f05 --- /dev/null +++ b/charts/opensearch-cluster/templates/cluster.yaml 
@@ -0,0 +1,70 @@ +{{- $clusterName := include "opensearch-cluster.cluster-name" . }} +--- +apiVersion: opensearch.opster.io/v1 +kind: OpenSearchCluster +metadata: + name: {{ $clusterName }} + {{- with .Values.cluster.annotations }} + annotations: {{ . | toYaml | nindent 4 }} + {{- end }} + labels: {{ include "opensearch-cluster.labels" . | nindent 4 }} +spec: + {{- with .Values.cluster.bootstrap }} + bootstrap: {{ . | toYaml | nindent 4 }} + {{- end }} + {{- with .Values.cluster.confMgmt }} + confMgmt: {{ . | toYaml | nindent 4 }} + {{- end }} + {{- with .Values.cluster.dashboards }} + dashboards: + {{- . | toYaml | nindent 4 }} + image: {{ .image }}:{{ .version }} + {{- end }} + {{- with .Values.cluster.general }} + general: + {{- . | toYaml | nindent 4 }} + image: {{ .image }}:{{ .version }} + serviceName: {{ .serviceName | default $clusterName }} + {{- end }} + {{- with .Values.cluster.initHelper }} + initHelper: {{ . | toYaml | nindent 4 }} + {{- end }} + {{- with .Values.cluster.nodePools }} + nodePools: {{ . | toYaml | nindent 4 }} + {{- end }} + {{- with .Values.cluster.security }} + security: + tls: + transport: + {{- if .tls.transport.generate }} + generate: {{ .tls.transport.generate }} + {{- end }} + {{- if .tls.transport.perNode }} + perNode: {{ .tls.transport.perNode }} + {{- end }} + {{- with .tls.transport.caSecret }} + caSecret: {{ . | toYaml | nindent 10 }} + {{- end }} + {{- with .tls.transport.adminDn }} + adminDn: {{ . | toYaml | nindent 10 }} + {{- end }} + {{- with .tls.transport.nodesDn }} + nodesDn: {{ . | toYaml | nindent 10 }} + {{- end }} + {{- with .tls.transport.secret }} + secret: {{ . | toYaml | nindent 10 }} + {{- end }} + http: + {{- if .tls.http.generate }} + generate: {{ .tls.http.generate }} + {{- end }} + {{- with .tls.http.secret }} + secret: {{ . | toYaml | nindent 10 }} + {{- end }} + {{- with .tls.http.caSecret }} + caSecret: {{ . | toYaml | nindent 10 }} + {{- end }} + {{- with .config }} + config: {{ . 
| toYaml | nindent 6 }} + {{- end }} + {{- end }} diff --git a/charts/opensearch-cluster/templates/componenttemplates.yaml b/charts/opensearch-cluster/templates/componenttemplates.yaml new file mode 100644 index 00000000..edddb54e --- /dev/null +++ b/charts/opensearch-cluster/templates/componenttemplates.yaml @@ -0,0 +1,26 @@ +{{- $labels := include "opensearch-cluster.labels" . }} +{{- $clusterName := include "opensearch-cluster.cluster-name" . }} +{{- range .Values.componentTemplates }} +--- +apiVersion: opensearch.opster.io/v1 +kind: OpensearchComponentTemplate +metadata: + name: {{ .name }} + {{- with $.Values.cluster.annotations }} + annotations: {{ . | toYaml | nindent 4 }} + {{- end }} + labels: {{ $labels | nindent 4 }} +spec: + opensearchCluster: + name: {{ $clusterName }} + allowAutoCreate: {{ .allowAutoCreate | default false }} + {{- with .templateSpec }} + template: {{ . | toYaml | nindent 4 }} + {{- end }} + {{- with .version }} + version: {{ . }} + {{- end }} + {{- with ._meta }} + _meta: {{ . | toYaml | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/opensearch-cluster/templates/indextemplates.yaml b/charts/opensearch-cluster/templates/indextemplates.yaml new file mode 100644 index 00000000..bc09647a --- /dev/null +++ b/charts/opensearch-cluster/templates/indextemplates.yaml 
@@ -0,0 +1,34 @@ +{{- $labels := include "opensearch-cluster.labels" . }} +{{- $clusterName := include "opensearch-cluster.cluster-name" . }} +{{- range .Values.indexTemplates }} +--- +apiVersion: opensearch.opster.io/v1 +kind: OpensearchIndexTemplate +metadata: + name: {{ .name }} + {{- with $.Values.cluster.annotations }} + annotations: {{ . | toYaml | nindent 4 }} + {{- end }} + labels: {{ $labels | nindent 4 }} +spec: + opensearchCluster: + name: {{ $clusterName }} + {{- with .indexPatterns }} + indexPatterns: {{ . | toYaml | nindent 4 }} + {{- end }} + {{- with .composedOf }} + composedOf: {{ . | toYaml | nindent 4 }} + {{- end }} + {{- with .priority }} + priority: {{ . }} + {{- end }} + {{- with .templateSpec }} + template: {{ . | toYaml | nindent 4 }} + {{- end }} + {{- with .version }} + version: {{ . }} + {{- end }} + {{- with ._meta }} + _meta: {{ . | toYaml | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/opensearch-cluster/templates/ingress.yaml b/charts/opensearch-cluster/templates/ingress.yaml new file mode 100644 index 00000000..ad21dfba --- /dev/null +++ b/charts/opensearch-cluster/templates/ingress.yaml 
@@ -0,0 +1,123 @@ +{{- $clusterName := include "opensearch-cluster.cluster-name" . }} +{{- $svcPort := .Values.cluster.general.httpPort -}} +{{- if .Values.cluster.ingress.opensearch.enabled -}} +--- +{{- if and .Values.cluster.ingress.opensearch.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }} + {{- if not (hasKey .Values.cluster.ingress.opensearch.annotations "kubernetes.io/ingress.class") }} + {{- $_ := set .Values.cluster.ingress.opensearch.annotations "kubernetes.io/ingress.class" .Values.cluster.ingress.opensearch.className }} + {{- end }} +{{- end }} +{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}} +apiVersion: networking.k8s.io/v1 +{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} +apiVersion: networking.k8s.io/v1beta1 +{{- else -}} +apiVersion: extensions/v1beta1 +{{- end }} +kind: Ingress +metadata: + name: {{ $clusterName }} + labels: + {{- include "opensearch-cluster.labels" . | nindent 4 }} + {{- with .Values.cluster.ingress.opensearch.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + {{- if and .Values.cluster.ingress.opensearch.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }} + ingressClassName: {{ .Values.cluster.ingress.opensearch.className }} + {{- end }} + {{- if .Values.cluster.ingress.opensearch.tls }} + tls: + {{- range .Values.cluster.ingress.opensearch.tls }} + - hosts: + {{- range .hosts }} + - {{ . 
| quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} + {{- end }} + rules: + {{- range .Values.cluster.ingress.opensearch.hosts }} + - host: {{ .host | quote }} + http: + paths: + {{- range .paths }} + - path: {{ .path }} + {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }} + pathType: {{ .pathType }} + {{- end }} + backend: + {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }} + service: + name: {{ $clusterName }} + port: + number: {{ $svcPort }} + {{- else }} + serviceName: {{ $clusterName }} + servicePort: {{ $svcPort }} + {{- end }} + {{- end }} + {{- end }} +{{- end }} + +{{- if .Values.cluster.ingress.dashboards.enabled }} +--- +{{- if and .Values.cluster.ingress.dashboards.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }} + {{- if not (hasKey .Values.cluster.ingress.dashboards.annotations "kubernetes.io/ingress.class") }} + {{- $_ := set .Values.cluster.ingress.dashboards.annotations "kubernetes.io/ingress.class" .Values.cluster.ingress.dashboards.className }} + {{- end }} +{{- end }} +{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}} +apiVersion: networking.k8s.io/v1 +{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} +apiVersion: networking.k8s.io/v1beta1 +{{- else -}} +apiVersion: extensions/v1beta1 +{{- end }} +kind: Ingress +metadata: + name: {{ $clusterName }}-dashboards + labels: + {{- include "opensearch-cluster.labels" . | nindent 4 }} + {{- with .Values.cluster.ingress.dashboards.annotations }} + annotations: + {{- toYaml . 
| nindent 4 }} + {{- end }} +spec: + {{- if and .Values.cluster.ingress.dashboards.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }} + ingressClassName: {{ .Values.cluster.ingress.dashboards.className }} + {{- end }} + {{- if .Values.cluster.ingress.dashboards.tls }} + tls: + {{- range .Values.cluster.ingress.dashboards.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} + {{- end }} + rules: + {{- range .Values.cluster.ingress.dashboards.hosts }} + - host: {{ .host | quote }} + http: + paths: + {{- range .paths }} + - path: {{ .path }} + {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }} + pathType: {{ .pathType }} + {{- end }} + backend: + {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }} + service: + name: {{ $clusterName }}-dashboards + port: + number: 5601 + {{- else }} + serviceName: {{ $clusterName }} + servicePort: 5601 + {{- end }} + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/opensearch-cluster/templates/ismpolicies.yaml b/charts/opensearch-cluster/templates/ismpolicies.yaml new file mode 100644 index 00000000..a34beb34 --- /dev/null +++ b/charts/opensearch-cluster/templates/ismpolicies.yaml 
@@ -0,0 +1,30 @@ +{{- $labels := include "opensearch-cluster.labels" . }} +{{- $clusterName := include "opensearch-cluster.cluster-name" . }} +{{- range .Values.ismPolicies }} +--- +apiVersion: opensearch.opster.io/v1 +kind: OpenSearchISMPolicy +metadata: + name: {{ .name }} + {{- with $.Values.cluster.annotations }} + annotations: {{ . | toYaml | nindent 4 }} + {{- end }} + labels: {{ $labels | nindent 4 }} +spec: + defaultState: {{ .defaultState }} + description: {{ .description }} + {{- with .states }} + states: {{ . | toYaml | nindent 4 }} + {{- end }} + {{- with .errorNotification }} + errorNotification: {{ . | toYaml | nindent 4 }} + {{- end }} + {{- with .ismTemplate }} + ismTemplate: {{ . | toYaml | nindent 4 }} + {{- end }} + opensearchCluster: + name: {{ $clusterName }} + {{- with .policyId }} + policyId: {{ . }} + {{- end }} +{{- end }} diff --git a/charts/opensearch-cluster/templates/opensearch-cluster-cr.yaml b/charts/opensearch-cluster/templates/opensearch-cluster-cr.yaml deleted file mode 100644 index 7f1018b5..00000000 --- a/charts/opensearch-cluster/templates/opensearch-cluster-cr.yaml +++ /dev/null 
@@ -1,361 +0,0 @@ -{{- if eq .Values.opensearchCluster.enabled true }} -apiVersion: opensearch.opster.io/v1 -kind: OpenSearchCluster -metadata: - name: {{ .Values.clusterName | default .Release.Name}} - namespace: {{ .Release.Namespace }} -spec: - {{- if .Values.opensearchCluster.bootstrap }} - bootstrap: - {{ toYaml .Values.opensearchCluster.bootstrap | nindent 4 }} - {{- end }} - {{- if .Values.opensearchCluster.initHelper }} - initHelper: - {{- if .Values.opensearchCluster.initHelper.version }} - version: {{ .Values.opensearchCluster.initHelper.version }} - {{ end }} - {{- if .Values.opensearchCluster.initHelper.image }} - image: {{ .Values.opensearchCluster.initHelper.image }} - {{- end }} - {{- if .Values.opensearchCluster.initHelper.imagePullPolicy }} - imagePullPolicy: {{ .Values.opensearchCluster.initHelper.imagePullPolicy }} - {{- end }} - {{- if .Values.opensearchCluster.initHelper.imagePullSecrets }} - imagePullSecrets: - {{ toYaml .Values.opensearchCluster.initHelper.imagePullSecrets | nindent 6 }} - {{- end }} - {{- if .Values.opensearchCluster.initHelper.resources }} - resources: - {{- toYaml .Values.opensearchCluster.initHelper.resources | nindent 6 }} - {{- end }} - {{- end }} - general: - {{- if .Values.opensearchCluster.general.version }} - version: {{ .Values.opensearchCluster.general.version }} - {{- end }} - {{- if .Values.opensearchCluster.general.image }} - image: {{ .Values.opensearchCluster.general.image | quote }} - {{- end }} - {{- if .Values.opensearchCluster.general.httpPort }} - httpPort: {{ .Values.opensearchCluster.general.httpPort }} - {{- end }} - vendor: opensearch - serviceName: {{ .Values.opensearchCluster.general.serviceName }} - {{- if .Values.opensearchCluster.general.pluginsList }} - pluginsList: - {{ toYaml .Values.opensearchCluster.general.pluginsList | nindent 6 }} - {{- end }} - {{- if .Values.opensearchCluster.general.keystore }} - keystore: - {{ toYaml .Values.opensearchCluster.general.keystore | nindent 6 }} - {{- end 
}} - {{- if .Values.opensearchCluster.general.command}} - command: {{ .Values.opensearchCluster.general.command | quote }} - {{- end }} - {{- if .Values.opensearchCluster.general.setVMMaxMapCount }} - setVMMaxMapCount: {{ .Values.opensearchCluster.general.setVMMaxMapCount }} - {{- end }} - {{- if .Values.opensearchCluster.general.drainDataNodes }} - drainDataNodes: {{ .Values.opensearchCluster.general.drainDataNodes }} - {{- end }} - {{- if .Values.opensearchCluster.general.securityContext }} - securityContext: - {{ toYaml .Values.opensearchCluster.general.securityContext | nindent 6}} - {{- end}} - {{- if .Values.opensearchCluster.general.podSecurityContext }} - podSecurityContext: - {{ toYaml .Values.opensearchCluster.general.podSecurityContext | nindent 6 }} - {{- end}} - {{- if .Values.opensearchCluster.general.additionalVolumes }} - additionalVolumes: - {{- range $key, $val := .Values.opensearchCluster.general.additionalVolumes }} - - name: {{ $val.name }} - path: {{ $val.path }} - secret: - secretName: {{ $val.secret.secretName }} - {{- end -}} - {{- end }} - {{- if .Values.opensearchCluster.general.additionalConfig }} - additionalConfig: - {{ toYaml .Values.opensearchCluster.general.additionalConfig | nindent 6 }} - {{- end }} - {{- if .Values.opensearchCluster.general.monitoring }} - monitoring: - {{ toYaml .Values.opensearchCluster.general.monitoring | nindent 6 }} - {{- end }} - {{- if .Values.opensearchCluster.general.snapshotRepositories }} - snapshotRepositories: - {{- toYaml .Values.opensearchCluster.general.snapshotRepositories | nindent 6 }} - {{- end }} - {{- if .Values.opensearchCluster.dashboards }} - dashboards: - {{- if .Values.opensearchCluster.dashboards.image }} - image: {{ .Values.opensearchCluster.dashboards.image | quote }} - {{- end }} - version: {{ .Values.opensearchCluster.dashboards.version }} - {{- if .Values.opensearchCluster.dashboards.enable }} - enable: {{ .Values.opensearchCluster.dashboards.enable }} - {{- end }} - replicas: {{ 
.Values.opensearchCluster.dashboards.replicas }} - {{- if .Values.opensearchCluster.dashboards.pluginsList }} - pluginsList: - {{ toYaml .Values.opensearchCluster.dashboards.pluginsList | nindent 6 }} - {{- end }} - {{- if .Values.opensearchCluster.dashboards.basePath }} - basePath: {{ .Values.opensearchCluster.dashboards.basePath }} - {{- end }} - {{- if .Values.opensearchCluster.dashboards.labels }} - labels: # Add any extra labels as key-value pairs here - {{ toYaml .Values.opensearchCluster.dashboards.labels | nindent 6 }} - {{- end }} - {{- if .Values.opensearchCluster.dashboards.annotations }} - annotations: # Add any extra annotations as key-value pairs here - {{ toYaml .Values.opensearchCluster.dashboards.annotations | nindent 6 }} - {{- end }} - {{- if .Values.opensearchCluster.dashboards.opensearchCredentialsSecret }} - opensearchCredentialsSecret: - name: {{ .Values.opensearchCluster.dashboards.opensearchCredentialsSecret.name }} - {{- end }} - {{- if .Values.opensearchCluster.dashboards.env }} - env: - {{- toYaml .Values.opensearchCluster.dashboards.env | nindent 8 }} - {{- end }} - {{- if .Values.opensearchCluster.dashboards.resources }} - resources: - {{- if .Values.opensearchCluster.dashboards.resources.requests }} - requests: - {{- if .Values.opensearchCluster.dashboards.resources.requests.memory }} - memory: {{ .Values.opensearchCluster.dashboards.resources.requests.memory }} - {{- end }} - {{- if .Values.opensearchCluster.dashboards.resources.requests.cpu }} - cpu: {{ .Values.opensearchCluster.dashboards.resources.requests.cpu }} - {{- end }} - {{- end }} - {{- if .Values.opensearchCluster.dashboards.resources.limits }} - limits: - {{- if .Values.opensearchCluster.dashboards.resources.limits.memory }} - memory: {{ .Values.opensearchCluster.dashboards.resources.limits.memory }} - {{- end }} - {{- if .Values.opensearchCluster.dashboards.resources.limits.cpu }} - cpu: {{ .Values.opensearchCluster.dashboards.resources.limits.cpu }} - {{- end }} - {{- 
end }} - {{- end }} - {{- if .Values.opensearchCluster.dashboards.tls }} - tls: - {{- if .Values.opensearchCluster.dashboards.tls.enable }} - enable: {{ .Values.opensearchCluster.dashboards.tls.enable }} # Configure TLS - {{- end }} - {{- if .Values.opensearchCluster.dashboards.tls.generate }} - generate: {{ .Values.opensearchCluster.dashboards.tls.generate }} # Have the Operator generate and sign a certificate - {{- end }} - {{- if .Values.opensearchCluster.dashboards.tls.secret }} - secret: - name: {{ .Values.opensearchCluster.dashboards.tls.secret.name }} - {{- end }} - {{- if .Values.opensearchCluster.dashboards.tls.casecret }} - caSecret: - name: {{ .Values.opensearchCluster.dashboards.tls.caSecret.name }} - {{- end }} - {{- end }} - {{- if .Values.opensearchCluster.dashboards.securityContext }} - securityContext: - {{ toYaml .Values.opensearchCluster.dashboards.securityContext | nindent 6 }} - {{- end}} - {{- if .Values.opensearchCluster.dashboards.podSecurityContext }} - podSecurityContext: - {{ toYaml .Values.opensearchCluster.dashboards.podSecurityContext | nindent 6}} - {{- end}} - {{- if .Values.opensearchCluster.dashboards.additionalVolumes }} - additionalVolumes: - {{- range $key,$val := .Values.opensearchCluster.dashboards.additionalVolumes }} - - name: {{ $val.name }} - path: {{ $val.path }} - secret: - secretName: {{ $val.secretName.name }} - {{- end }} - {{- end }} - {{- if .Values.opensearchCluster.dashboards.additionalConfig }} - additionalConfig: - {{ toYaml .Values.opensearchCluster.dashboards.additionalConfig | nindent 6 }} - {{- end }} - {{- end }} - {{- if .Values.opensearchCluster.confMgmt }} - confMgmt: - {{- if .Values.opensearchCluster.confMgmt.smartScaler }} - smartScaler: {{ .Values.opensearchCluster.confMgmt.smartScaler }} - {{- end }} - {{- end }} - nodePools: - {{- range $key,$val := .Values.opensearchCluster.nodePools }} - - component: {{ $val.component }} - replicas: {{ $val.replicas }} - {{- if $val.pdb }} - pdb: # Add pdb 
configuration - {{- toYaml $val.pdb | nindent 8 }} - {{- end }} - diskSize: {{ $val.diskSize | quote }} - {{- if $val.jvm }} - jvm: {{ $val.jvm | quote }} - {{- end }} - {{- if $val.nodeSelector }} - nodeSelector: - {{- toYaml $val.nodeSelector | nindent 8 }} - {{- end }} - {{- if $val.affinity }} - affinity: - {{- toYaml $val.affinity | nindent 8 }} - {{- end }} - {{- if $val.tolerations }} - tolerations: - {{- toYaml $val.tolerations | nindent 8 }} - {{- end }} - {{- if $val.labels }} - labels: # Add any extra labels as key-value pairs here - {{ toYaml $val.labels | nindent 8 }} - {{- end }} - {{- if $val.annotations }} - annotations: # Add any extra annotations as key-value pairs here - {{ toYaml $val.annotations | nindent 8 }} - {{- end }} - {{- if $val.priorityClassName }} - priorityClassName: {{ $val.priorityClassName }} - {{- end }} - {{- if $val.env }} - env: - {{- toYaml $val.env | nindent 8 }} - {{- end }} - {{- if $val.resources }} - resources: - {{- if $val.resources.requests }} - requests: - {{- if $val.resources.requests.memory }} - memory: {{ $val.resources.requests.memory }} - {{- end}} - {{- if $val.resources.requests.cpu }} - cpu: {{ $val.resources.requests.cpu }} - {{- end}} - {{- end }} - {{- if $val.resources.limits }} - limits: - {{- if $val.resources.limits.memory }} - memory: {{ $val.resources.limits.memory }} - {{- end}} - {{- if $val.resources.limits.cpu }} - cpu: {{ $val.resources.limits.cpu }} - {{- end }} - {{- end }} - {{- end }} - {{- if $val.roles }} - roles: - {{ toYaml $val.roles | nindent 6 }} - {{- end }} - {{- if $val.persistence }} - persistence: - {{- if $val.persistence.hostPath }} - hostPath: - path: {{ $val.persistence.hostPath.path }} - {{- else if $val.persistence.pvc }} - pvc: - {{- if $val.persistence.pvc.storageClass }} - storageClass: {{ $val.persistence.pvc.storageClass }} - {{- end }} - {{- if $val.persistence.pvc.accessModes }} - accessModes: - {{ toYaml $val.persistence.pvc.accessModes | nindent 10 }} - {{- end }} 
- {{- else if eq (len $val.persistence.emptyDir) 0 }} - emptyDir: {} - {{- end }} - {{- end }} - {{- if $val.additionalConfig }} - additionalConfig: - {{ toYaml $val.additionalConfig | nindent 8 }} - {{- end }} - {{- if $val.probes }} - probes: - {{ toYaml $val.probes | nindent 8 }} - {{- end }} - {{- end }} - {{- if .Values.opensearchCluster.security }} - security: - {{- if .Values.opensearchCluster.security.config }} - config: - {{- if .Values.opensearchCluster.security.config.adminSecret }} - adminSecret: - name: {{ .Values.opensearchCluster.security.config.adminSecret.name }} - {{- end }} - {{- if .Values.opensearchCluster.security.config.adminCredentialsSecret }} - adminCredentialsSecret: - name: {{ .Values.opensearchCluster.security.config.adminCredentialsSecret.name }} - {{- end }} - {{- if .Values.opensearchCluster.security.config.securityConfigSecret }} - securityConfigSecret: - name: {{ .Values.opensearchCluster.security.config.securityConfigSecret.name }} - {{- end }} - {{- if .Values.opensearchCluster.security.config.updateJob }} - updateJob: - {{- if .Values.opensearchCluster.security.config.updateJob.resources }} - resources: - {{- if .Values.opensearchCluster.security.config.updateJob.resources.requests }} - requests: - {{- if .Values.opensearchCluster.security.config.updateJob.resources.requests.memory }} - memory: {{ .Values.opensearchCluster.security.config.updateJob.resources.requests.memory }} - {{- end }} - {{- if .Values.opensearchCluster.security.config.updateJob.resources.requests.cpu }} - cpu: {{ .Values.opensearchCluster.security.config.updateJob.resources.requests.cpu }} - {{- end }} - {{- end }} - {{- if .Values.opensearchCluster.security.config.updateJob.resources.limits }} - limits: - {{- if .Values.opensearchCluster.security.config.updateJob.resources.limits.memory }} - memory: {{ .Values.opensearchCluster.security.config.updateJob.resources.limits.memory }} - {{- end }} - {{- if 
.Values.opensearchCluster.security.config.updateJob.resources.limits.cpu }} - cpu: {{ .Values.opensearchCluster.security.config.updateJob.resources.limits.cpu }} - {{- end }} - {{- end }} - {{- end }} - {{- end }} - {{- end }} - {{- if .Values.opensearchCluster.security.tls }} - tls: - {{- if .Values.opensearchCluster.security.tls.transport }} - transport: - {{- if .Values.opensearchCluster.security.tls.http.generate }} - generate: {{ .Values.opensearchCluster.security.tls.transport.generate }} - {{- end }} - {{- if .Values.opensearchCluster.security.tls.transport.secret }} - secret: - name: {{ .Values.opensearchCluster.security.tls.transport.secret.name }} - {{- end }} - {{- if .Values.opensearchCluster.security.tls.transport.caSecret }} - caSecret: - name: {{ .Values.opensearchCluster.security.tls.transport.caSecret.name }} - {{- end }} - {{- if .Values.opensearchCluster.security.tls.transport.adminDn }} - adminDn: - {{ toYaml .Values.opensearchCluster.security.tls.transport.adminDn | nindent 10 }} - {{- end }} - {{- if .Values.opensearchCluster.security.tls.transport.nodesDn }} - nodesDn: - {{ toYaml .Values.opensearchCluster.security.tls.transport.nodesDn | nindent 10 }} - {{- end }} - {{- end }} - {{- if .Values.opensearchCluster.security.tls.http }} - http: - {{- if .Values.opensearchCluster.security.tls.http.generate }} - generate: {{ .Values.opensearchCluster.security.tls.http.generate }} - {{- end }} - {{- if .Values.opensearchCluster.security.tls.http.secret }} - secret: - name: {{ .Values.opensearchCluster.security.tls.http.secret.name }} - {{- end }} - {{- if .Values.opensearchCluster.security.tls.http.caSecret }} - caSecret: - name: {{ .Values.opensearchCluster.security.tls.http.caSecret.name }} - {{- end }} - {{- end }} - {{- end }} - {{- end }} -{{- end }} diff --git a/charts/opensearch-cluster/templates/roles.yaml b/charts/opensearch-cluster/templates/roles.yaml new file mode 100644 index 00000000..1425f35a --- /dev/null 
+++ b/charts/opensearch-cluster/templates/roles.yaml @@ -0,0 +1,25 @@ +{{- $labels := include "opensearch-cluster.labels" . }} +{{- $clusterName := include "opensearch-cluster.cluster-name" . }} +{{- range .Values.roles }} +--- +apiVersion: opensearch.opster.io/v1 +kind: OpensearchRole +metadata: + name: {{ .name }} + {{- with $.Values.cluster.annotations }} + annotations: {{ . | toYaml | nindent 4 }} + {{- end }} + labels: {{ $labels | nindent 4 }} +spec: + opensearchCluster: + name: {{ $clusterName }} + {{- with .clusterPermissions }} + clusterPermissions: {{ . | toYaml | nindent 4 }} + {{- end }} + {{- with .indexPermissions }} + indexPermissions: {{ . | toYaml | nindent 4 }} + {{- end }} + {{- with .tenantPermissions }} + tenantPermissions: {{ . | toYaml | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/opensearch-cluster/templates/serviceaccount.yaml b/charts/opensearch-cluster/templates/serviceaccount.yaml new file mode 100644 index 00000000..d10a0ec1 --- /dev/null +++ b/charts/opensearch-cluster/templates/serviceaccount.yaml @@ -0,0 +1,12 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "opensearch-cluster.serviceAccountName" . }} + labels: + {{- include "opensearch-cluster.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/opensearch-cluster/templates/tenants.yaml b/charts/opensearch-cluster/templates/tenants.yaml new file mode 100644 index 00000000..fb286bd6 --- /dev/null +++ b/charts/opensearch-cluster/templates/tenants.yaml 
@@ -0,0 +1,19 @@ +{{- $labels := include "opensearch-cluster.labels" . }} +{{- $clusterName := include "opensearch-cluster.cluster-name" . }} +{{- range .Values.tenants }} +--- +apiVersion: opensearch.opster.io/v1 +kind: OpensearchTenant +metadata: + name: {{ .name }} + {{- with $.Values.cluster.annotations }} + annotations: {{ . | toYaml | nindent 4 }} + {{- end }} + labels: {{ $labels | nindent 4 }} +spec: + opensearchCluster: + name: {{ $clusterName }} + {{- with .description }} + description: {{ . | toString }} + {{- end }} +{{- end }} diff --git a/charts/opensearch-cluster/templates/userrolebinding.yaml b/charts/opensearch-cluster/templates/userrolebinding.yaml new file mode 100644 index 00000000..66ee70fa --- /dev/null +++ b/charts/opensearch-cluster/templates/userrolebinding.yaml @@ -0,0 +1,25 @@ +{{- $labels := include "opensearch-cluster.labels" . }} +{{- $clusterName := include "opensearch-cluster.cluster-name" . }} +{{- range .Values.usersRoleBinding }} +--- +apiVersion: opensearch.opster.io/v1 +kind: OpensearchUserRoleBinding +metadata: + name: {{ .name }} + {{- with $.Values.cluster.annotations }} + annotations: {{ . | toYaml | nindent 4 }} + {{- end }} + labels: {{ $labels | nindent 4 }} +spec: + opensearchCluster: + name: {{ $clusterName }} + {{- with .users }} + users: {{ . | toYaml | nindent 4 }} + {{- end }} + {{- with .backendRoles }} + backendRoles: {{ . | toYaml | nindent 4 }} + {{- end }} + {{- with .roles }} + roles: {{ . | toYaml | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/opensearch-cluster/templates/users.yaml b/charts/opensearch-cluster/templates/users.yaml new file mode 100644 index 00000000..c7253c8c --- /dev/null +++ b/charts/opensearch-cluster/templates/users.yaml 
@@ -0,0 +1,25 @@ +{{- $labels := include "opensearch-cluster.labels" . }} +{{- $clusterName := include "opensearch-cluster.cluster-name" . }} +{{- range .Values.users }} +--- +apiVersion: opensearch.opster.io/v1 +kind: OpensearchUser +metadata: + name: {{ .name }} + {{- with $.Values.cluster.annotations }} + annotations: {{ . | toYaml | nindent 4 }} + {{- end }} + labels: {{ $labels | nindent 4 }} +spec: + opensearchCluster: + name: {{ $clusterName }} + passwordFrom: + name: {{ .secretName }} + key: {{ .secretKey }} + {{- with .backendRoles }} + backendRoles: {{ . | toYaml | nindent 4 }} + {{- end }} + {{- with .opendistroSecurityRoles }} + opendistroSecurityRoles: {{ . | toYaml | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/opensearch-cluster/values.yaml b/charts/opensearch-cluster/values.yaml index 2841ea81..5fd0b4ed 100644 --- a/charts/opensearch-cluster/values.yaml +++ b/charts/opensearch-cluster/values.yaml 
@@ -1,43 +1,243 @@ -opensearchCluster: - enabled: true -# bootstrap: -# Configure settings for the bootstrap pod +# Default values for opensearch-cluster. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +nameOverride: "" +fullnameOverride: "" + +serviceAccount: + # -- Create Service Account + create: false + + # -- Service Account name. Set `general.serviceAccount` to use this Service Account for the Opensearch cluster + name: "" + + # -- Service Account annotations + annotations: {} + +# OpenSearchCluster configuration +cluster: + # -- OpenSearchCluster name, by default release name is used + name: "" + + # -- OpenSearchCluster annotations + annotations: {} + + # -- OpenSearchCluster labels + labels: {} + + # OpenSearchCluster general configuration general: - httpPort: "9200" - version: 2.3.0 - serviceName: "my-cluster" + # -- Extra items to add to the opensearch.yml + additionalConfig: {} + + # -- Additional volumes to mount to all pods in the cluster. Supported volume types configMap, emptyDir, secret (with default Kubernetes configuration schema) + additionalVolumes: [] + # - name: "volume-name" + # path: "/tmp/volume" + ## Whether to restart the pods on content change + # restartPods: false + + # -- Controls whether to drain data notes on rolling restart operations drainDataNodes: true + + # -- Opensearch service http port + httpPort: 9200 + + # -- Opensearch image + image: docker.io/opensearchproject/opensearch + + # -- Default image pull policy + imagePullPolicy: IfNotPresent + + # -- Default image pull secret + # imagePullSecrets: [] + + # -- Populate opensearch keystore before startup + keystore: [] +# - secret: +# name: secret-name +# - secret: +# name: many-secret-values +# keyMappings: +# # Only read "sensitive-value" from the secret, keep its name. +# sensitive-value: sensitive-value + + # Monitoring configuration. 
Check [documentation](https://github.com/Opster/opensearch-k8s-operator/blob/main/docs/userguide/main.md#adding-opensearch-monitoring-to-your-cluster) how to configure it. + monitoring: + # -- Enable cluster monitoring + enable: false + + # -- Secret with 'username' and 'password' keys for monitoring user. You could also use OpenSearchUser CRD instead of setting it. + monitoringUserSecret: "" + + # -- Custom URL for the monitoring plugin + pluginUrl: "" + + # -- How often to scrape metrics + scrapeInterval: 30s + + # -- Override the tlsConfig of the generated ServiceMonitor + tlsConfig: {} +# insecureSkipVerify: true + + # -- List of Opensearch plugins to install + pluginsList: [] + + # -- Opensearch pod security context configuration + podSecurityContext: {} + + # -- Opensearch securityContext + securityContext: {} + + # -- Opensearch serviceAccount name. If Service Account doesn't exist it could be created by setting `serviceAccount.create` and `serviceAccount.name` + serviceAccount: "" + + # -- Opensearch service name + serviceName: "" + + # -- Enable setVMMaxMapCount. OpenSearch requires the Linux kernel vm.max_map_count option to be set to at least 262144 setVMMaxMapCount: true -# securityContext: -# Specify container security context for OpenSearch pods -# podSecurityContext: -# Specify pod security context for OpenSearch pods + + # -- Opensearch snapshot repositories configuration + snapshotRepositories: [] +# - name: "snapshot-repo" +# type: s3 +# settings: +# bucket: opensearch-s3-snapshot +# region: us-east-1 +# base_path: os-snapshot + + vendor: Opensearch + + # -- Opensearch version + version: 2.3.0 + + # OpenSearchCluster boostrap pod configuration + bootstrap: + # -- bootstrap additional configuration, key-value pairs that will be added to the opensearch.yml configuration + additionalConfig: {} + + # -- bootstrap pod affinity rules + affinity: {} + + # -- bootstrap pod jvm options. 
If jvm is not provided then the java heap size will be set to half of resources.requests.memory which is the recommend value for data nodes. + # If jvm is not provided and resources.requests.memory does not exist then value will be -Xmx512M -Xms512M + jvm: "" + + # -- bootstrap pod node selectors + nodeSelector: {} + + # -- bootstrap pod cpu and memory resources + resources: {} + + # -- bootstrap pod tolerations + tolerations: [] + + # OpenSearchCluster additional services + confMgmt: + # -- Enable nodes to be safely removed from the cluster + smartScaler: false + + # OpenSearchCluster dashboards configuration dashboards: + # -- Additional properties for opensearch_dashboards.yaml + additionalConfig: {} + + # -- dashboards pod affinity rules + affinity: {} + + # -- dashboards annotations + annotations: {} + + # -- dashboards Base Path for Opensearch Clusters running behind a reverse proxy + basePath: "" + + # -- Enable dashboards deployment enable: true + + # -- dashboards pod env variables + env: [] + + # -- dashboards image + image: docker.io/opensearchproject/opensearch-dashboards + + # -- dashboards image pull policy + imagePullPolicy: "IfNotPresent" + + # -- dashboards image pull secrets + imagePullSecrets: [] + + # -- dashboards labels + labels: {} + + # -- dashboards pod node selectors + nodeSelector: {} + + # -- Secret that contains fields username and password for dashboards to use to login to opensearch, must only be supplied + # if a custom securityconfig is provided + opensearchCredentialsSecret: {} + # name: "secret-name" + + # -- List of dashboards plugins to install + pluginsList: [] + + # -- dasboards pod security context configuration + podSecurityContext: {} + + # -- number of dashboards replicas replicas: 1 + + # -- dashboards pod cpu and memory resources + resources: {} + + # -- dashboards security context configuration + securityContext: {} + + service: + # -- source ranges for a loadbalancer + loadBalancerSourceRanges: [] + # -- dashboards 
service type + type: ClusterIP + + tls: + # -- Secret that contains the ca certificate as ca.crt. If this and generate=true is set the existing + # CA cert from that secret is used to generate the node certs. In this case must contain ca.crt and ca.key fields + caSecret: {} + # name: "" + + # -- Enable HTTPS for dashboards + enable: false + + # -- generate certificate, if false secret must be provided + generate: true + + # -- Optional, name of a TLS secret that contains ca.crt, tls.key and tls.crt data. If ca.crt is in a different + # secret provide it via the caSecret field + secret: + # name: " + + # -- dashboards pod tolerations + tolerations: [] + + # -- dashboards version version: 2.3.0 -# securityContext: -# Specify container security context for OSD pods -# podSecurityContext: -# Specify pod security context for OSD pods - resources: - requests: - memory: "1Gi" - cpu: "500m" - limits: - memory: "1Gi" - cpu: "500m" + + # initHelper configuration initHelper: + # -- initHelper image pull policy + imagePullPolicy: "IfNotPresent" + + # -- initHelper image pull secret imagePullSecrets: [] - # - registryKeySecretName - imagePullPolicy: IfNotPresent + + # -- initHelper pod cpu and memory resources resources: {} - # requests: - # memory: "1Gi" - # cpu: "500m" - # limits: - # memory: "1Gi" - # cpu: "500m" + + # -- initHelper version + version: "1.36" + + # -- Opensearch nodes configuration nodePools: - component: masters diskSize: "30Gi" 
@@ -52,9 +252,228 @@ opensearchCluster: limits: memory: "2Gi" cpu: "500m" + + # Opensearch security configuration security: + config: + # -- Secret that contains fields username and password to be used by the operator to access the opensearch cluster + # for node draining. Must be set if custom securityconfig is provided. + adminCredentialsSecret: {} +# name: "secret-name" + + # -- TLS Secret that contains a client certificate (tls.key, tls.crt, ca.crt) with admin rights in the opensearch cluster. + # Must be set if transport certificates are provided by user and not generated + adminSecret: {} +# name: "secret-name" + + # -- Secret that contains the differnt yml files of the opensearch-security config (config.yml, internal_users.yml, etc) + securityConfigSecret: {} +# name: "secret-name" + + # Configure tls usage for transport and http interface tls: + http: + # -- Optional, secret that contains the ca certificate as ca.crt. If this and generate=true is set the existing + # CA cert from that secret is used to generate the node certs. In this case must contain ca.crt and ca.key fields + caSecret: {} +# name: "ca-secret-name" + + # -- If set to true the operator will generate a CA and certificates for the cluster to use, + # if false - secrets with existing certificates must be supplied + generate: true + + # -- Optional, name of a TLS secret that contains ca.crt, tls.key and tls.crt data. If ca.crt is in a + # different secret provide it via the caSecret field + secret: {} +# name: "secret-name" + transport: + # -- DNs of certificates that should have admin access, mainly used for securityconfig updates via securityadmin.sh, + # only used when existing certificates are provided + adminDn: [] + + # -- Optional, secret that contains the ca certificate as ca.crt. If this and generate=true is set the existing + # CA cert from that secret is used to generate the node certs. 
In this case must contain ca.crt and ca.key fields + caSecret: {} +# name: "ca-secret-name" + + # -- If set to true the operator will generate a CA and certificates for the cluster to use, + # if false secrets with existing certificates must be supplied generate: true - http: - generate: true \ No newline at end of file + + # -- Allowed Certificate DNs for nodes, only used when existing certificates are provided + nodesDn: [] + + # -- Separate certificate per node + perNode: true + + # -- Optional, name of a TLS secret that contains ca.crt, tls.key and tls.crt data. If ca.crt is in a + # different secret provide it via the caSecret field + secret: {} +# name: "secret-name" + + + # Opensearch Ingress configuration + ingress: + opensearch: + # -- Enable ingress for Opensearch service + enabled: false + + # -- Opensearch ingress annotations + annotations: {} + + # -- Opensearch Ingress class name + className: "" + + # -- Opensearch Ingress hostnames + hosts: [] +# - host: example.com +# paths: +# - path: / +# pathType: ImplementationSpecific + + # -- Opensearch tls configuration + tls: [] + #- hosts: + # - example.com + # secretName: tls-secret + + # Dashboards Ingress configuration + dashboards: + # -- Enable ingress for dashboards service + enabled: false + + # -- dashboards ingress annotations + annotations: {} + + # -- Ingress class name + className: "" + + # -- Ingress hostnames + hosts: [] +# - host: example.com +# paths: +# - path: / +# pathType: ImplementationSpecific + + # -- Ingress tls configuration + tls: [] + # - hosts: + # - example.com + # secretName: tls-secret + +# -- List of OpensearchRole. Check values.yaml file for examples. 
+roles: [] +# - name: "example-role" +# clusterPermissions: +# - cluster_composite_ops +# - cluster_monitor +# allowedActions: +# - index +# - read +# - name: "example-role-for-index-pattern" +# clusterPermissions: +# - cluster_composite_ops +# - cluster_monitor +# indexPermissions: +# - indexPatterns: +# - logs* +# allowedActions: +# - index +# - read +# - name: "example-role-with-tenant-scope" +# clusterPermissions: +# - cluster_composite_ops +# - cluster_monitor +# allowedActions: +# - index +# - read +# tenantPermissions: +# allowedActions: +# - "*" +# tenantPatterns: +# - "*" + +# -- List of OpensearchUser. Check values.yaml file for examples. +users: [] +# - name: "example-user" +# secretName: "example-secret" +# secretKey: "password-key" +# backendRoles: [] +# opendistroSecurityRoles: +# - example-role + +# -- Allows to link any number of users, backend roles and roles with a OpensearchUserRoleBinding. Each user in the binding will be granted each role +# Check values.yaml file for examples. +usersRoleBinding: [] +# - name: admin_access +# users: +# - example-user +# - example-user2 +# roles: +# - example-role +# backendRoles: +# - example-backend-role + +# -- List of additional tenants. Check values.yaml file for examples. +tenants: [] +# - name: "example-tenant" +# description: "example-tenant" + +# -- List of OpensearchActionGroup. Check values.yaml file for examples. +actionGroups: [] +# - name: "example-action-group" +# description: "Example of action group" +# allowedActions: +# - indices:admin/aliases/get +# - indices:admin/aliases/exists +# type: index + +# -- List of OpensearchComponentTemplate. Check values.yaml file for examples. 
+componentTemplates: [] +# - name: example-component-template +# templateSpec: # required +# aliases: # optional +# my_alias: {} +# settings: # optional +# number_of_shards: 2 +# number_of_replicas: 1 +# mappings: # optional +# properties: +# timestamp: +# type: date +# format: yyyy-MM-dd HH:mm:ss||yyyy-MM-dd||epoch_millis +# value: +# type: double +# version: 1 # optional +# allowAutoCreate: false # optional +# _meta: # optional +# description: example description + +# -- List of OpensearchIndexTemplate. Check values.yaml file for examples. +indexTemplates: [] +# - name: example-index-template +# indexPatterns: +# - "logs-2020-01-*" +# composedOf: # optional +# - example-component-template +# priority: 100 # optional +# templateSpec: {} # optional +# version: 1 # optional +# _meta: {} # optional + +# -- List of OpenSearchISMPolicy. Check values.yaml file for examples. +ismPolicies: [] +# - name: example-policy +# defaultState: hot +# description: Example policy +# states: +# - name: hot +# actions: +# - replicaCount: +# numberOfReplicas: 1 +# transitions: [] +# ismTemplate: # optional +# priority: 0 +# indexPatterns: +# - "example-index-pattern*" diff --git a/docs/userguide/cluster-chart.md b/docs/userguide/cluster-chart.md index 853dc21f..91f4c4d0 100644 --- a/docs/userguide/cluster-chart.md +++ b/docs/userguide/cluster-chart.md 
@@ -16,6 +16,17 @@ helm uninstall [RELEASE_NAME] ## Upgrade Chart +### Upgrading to version 3 + +Version 3.0.0 of opensearch-cluster helm chart is a fully refactored chart. Before upgrading to v3 check that [default chart values](../../charts/opensearch-cluster/values.yaml) +matches with your configuration. + +In v3 `opensearchCluster` variable was replaced by `cluster`. The configuration structure of each custom resource (OpenSearchCluster, OpensearchIndexTemplate, etc) follows the corresponding CRD documentation. + +**Make sure to test the upgrade process on none-production environment first.** + +If the cluster was installed by using the default `values.yaml`, then the upgrade could be done by running: + ```bash helm repo update helm upgrade [RELEASE_NAME] opensearch-operator/opensearch-cluster @@ -26,12 +37,4 @@ helm upgrade [RELEASE_NAME] opensearch-operator/opensearch-cluster By default, the installation will deploy a node pool consisting of three master nodes with the dashboard enabled. For the entire configuration, check [helm chart values](../../charts/opensearch-cluster/values.yaml). To further customize your OpenSearchCluster installation, you can utilize configuration overrides and modify your `values.yaml`, this allows you to tailor various aspects of the installation to meet your specific requirements. -For instance, if you need to change the httpPort to 9300, this can be achieved by setting `OpenSearchClusterSpec.general.httpPort` to `9300` in the [helm chart values](../../charts/opensearch-cluster/values.yaml). - -```yaml -OpenSearchClusterSpec: - general: - httpPort: "9300" - version: 2.3.0 - serviceName: "my-cluster" -``` +Version 3 of the helm chart is designed to have configuration options with the same format and naming as it is defined in the operator doc.
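Review bot: in templates/roles.yaml (and identically in tenants.yaml, userrolebinding.yaml and users.yaml) the `annotations:` block is filled from `$.Values.cluster.annotations`, which values.yaml documents as "OpenSearchCluster annotations". Any annotation a user sets for the cluster resource is therefore copied onto every OpensearchRole, OpensearchUser, OpensearchTenant and OpensearchUserRoleBinding. Either document that these annotations are shared by all rendered resources, or read a per-item `.annotations` key inside the `range` so security resources can be annotated independently of the cluster.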
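Review bot: templates/serviceaccount.yaml creates the ServiceAccount when `serviceAccount.create` is true, but nothing in this change ties it to the cluster: the values comment says the user must also set `general.serviceAccount` by hand. With `create: true` and `general.serviceAccount: ""` the chart creates an account that no pod uses. Consider defaulting `general.serviceAccount` to `include "opensearch-cluster.serviceAccountName" .` when `serviceAccount.create` is set, or failing the render when the two names disagree.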
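Review bot: in templates/tenants.yaml, `description: {{ . | toString }}` emits the value unquoted, so a description containing `: ` or `#`, or one that looks like a boolean or number, is re-parsed by YAML as something other than the string the user wrote. Use `description: {{ . | quote }}` instead. The same applies to the unquoted `name: {{ .name }}` in `metadata`.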
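Review bot: in templates/users.yaml, `passwordFrom.name` and `passwordFrom.key` are rendered from `.secretName` and `.secretKey` with no guard, unlike `backendRoles` and `opendistroSecurityRoles`, which are wrapped in `with`. A `users` entry that omits either key renders an OpensearchUser with an empty secret reference, and the mistake is only visible after the manifest is applied. Fail at render time instead, for example `name: {{ required "users[].secretName is required" .secretName }}` and the equivalent for `.secretKey`.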
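Review bot: in the first values.yaml hunk, `vendor: Opensearch` differs in case from the `vendor: opensearch` that the removed template hard-coded, and it is the only key in `general` without a `# --` description; please confirm the CRD accepts the new spelling or keep the old value. In the same hunk, `dashboards.tls.secret:` is left empty (null) where every sibling uses `{}`, and its commented example `# name: "` has an unterminated quote. The only example shown for `monitoring.tlsConfig` is `insecureSkipVerify: true`; an example that points at a CA would be a safer thing for users to copy. Comment typos to fix while here: "data notes", "boostrap", "dasboards", "recommend value".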
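Review bot: in the second values.yaml hunk, the commented `example-role` and `example-role-with-tenant-scope` entries put `allowedActions` directly under the role, but templates/roles.yaml only renders `clusterPermissions`, `indexPermissions` and `tenantPermissions`, so a user who uncomments these examples gets a role without those actions and no error. Move the actions under `indexPermissions` as in `example-role-for-index-pattern`, or drop them. The `tenantPermissions` example is also written as a single mapping while `indexPermissions` is a list of items; please check it against the CRD. Typo in the `securityConfigSecret` comment: "differnt".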
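Review bot: the "Upgrading to version 3" text added to docs/userguide/cluster-chart.md only gives a command for installs that used the default `values.yaml`. For anyone with custom values it says to compare against the defaults but gives no migration steps, and it does not say that values still keyed under `opensearchCluster` are no longer read by the v3 templates, so the upgrade would fall back to chart defaults. Add an explicit step to rename `opensearchCluster` to `cluster` and to render with `helm template` or `helm diff` before upgrading. Wording: "none-production" should be "non-production", and "matches with" should be "match".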
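Review bot: the last hunk of docs/userguide/cluster-chart.md removes the `httpPort` override example and replaces it with a sentence pointing at the operator doc, leaving the section without any example of the v3 layout. A short replacement that shows the same override under the new `cluster.general.httpPort` key would make the rename concrete. Note also that the default changed from the string `"9200"` to the integer `9200` in values.yaml, which is worth mentioning for users who copy the old snippet.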