Add ServiceAccountName to Opensearch dashboard Deployment #3

wants to merge 6 commits into
base: main
30 changes: 0 additions & 30 deletions .github/workflows/busybox.yaml

This file was deleted.

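--- a/.github/workflows/criteo-release.yaml
+++ b/.github/workflows/criteo-release.yaml
@@ -0,0 +1,24 @@
+name: Release
+
+on:
+release:
+types: [published]
+
+jobs:
+build:
+name: Publish artifacts
+runs-on: ubuntu-latest
+steps:
+- name: Setup go
+uses: actions/setup-go@v2
+with:
+go-version: '1.19'
+- uses: actions/checkout@v2
+- name: Build
+run: cd opensearch-operator && CGO_ENABLED=0 make --warn-undefined-variables
+- name: Upload
+uses: fnkr/github-action-ghr@v1
+env:
+GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+GHR_PATH: ./opensearch-operator/bin
+GHR_COMPRESS: gz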
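Review bot: The job runs with the repository's default `GITHUB_TOKEN` permissions (no `permissions:` block is declared) and passes that token to a third-party action, `fnkr/github-action-ghr@v1`, that is pinned only to a mutable major tag, as are `actions/setup-go@v2` and `actions/checkout@v2`; a tag can be re-pointed by its owner, so the integrity of every published release binary rests on those upstream references. Add a top-level `permissions: { contents: write }` so the token can do no more than attach release assets, and pin each `uses:` to a full commit SHA with the tag kept in a trailing comment. Since `GHR_PATH` uploads the whole `./opensearch-operator/bin` directory, a one-line comment above the Upload step stating which artifacts are expected there would make an unexpected extra file easier to spot in review.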
22 changes: 0 additions & 22 deletions .github/workflows/docker-build.yaml

This file was deleted.

21 changes: 0 additions & 21 deletions .github/workflows/linting.yaml

This file was deleted.

65 changes: 0 additions & 65 deletions .github/workflows/release.yaml

This file was deleted.

17 changes: 0 additions & 17 deletions .github/workflows/testing.yaml

This file was deleted.

30 changes: 25 additions & 5 deletions opensearch-operator/pkg/builders/cluster.go
Expand Up @@ -321,20 +321,20 @@ func NewSTSForNodePool(
`
#!/usr/bin/env bash
set -euo pipefail

/usr/share/opensearch/bin/opensearch-keystore create
for i in /tmp/keystoreSecrets/*/*; do
key=$(basename $i)
echo "Adding file $i to keystore key $key"
/usr/share/opensearch/bin/opensearch-keystore add-file "$key" "$i"
done

# Add the bootstrap password since otherwise the opensearch entrypoint tries to do this on startup
if [ ! -z ${PASSWORD+x} ]; then
echo 'Adding env $PASSWORD to keystore as key bootstrap.password'
echo "$PASSWORD" | /usr/share/opensearch/bin/opensearch-keystore add -x bootstrap.password
fi

cp -a /usr/share/opensearch/config/opensearch.keystore /tmp/keystore/
`,
},
Expand Down Expand Up @@ -424,6 +424,8 @@ func NewSTSForNodePool(
SecurityContext: securityContext,
},
},
HostNetwork: true, // CRITEO WORKAROUND
DNSPolicy: corev1.DNSClusterFirstWithHostNet, // CRITEO WORKAROUND
InitContainers: initContainers,
Volumes: volumes,
ServiceAccountName: cr.Spec.General.ServiceAccount,
Expand Down Expand Up @@ -787,6 +789,8 @@ func NewBootstrapPod(
SecurityContext: securityContext,
},
},
HostNetwork: true, // CRITEO WORKAROUND
DNSPolicy: corev1.DNSClusterFirstWithHostNet, // CRITEO WORKAROUND
InitContainers: initContainers,
Volumes: volumes,
ServiceAccountName: cr.Spec.General.ServiceAccount,
Expand Down Expand Up @@ -936,6 +940,8 @@ func NewSnapshotRepoconfigUpdateJob(
Args: []string{snapshotCmd},
VolumeMounts: volumeMounts,
}},
HostNetwork: true, // CRITEO WORKAROUND
DNSPolicy: corev1.DNSClusterFirstWithHostNet, // CRITEO WORKAROUND
RestartPolicy: corev1.RestartPolicyNever,
Volumes: volumes,
},
Expand All @@ -957,7 +963,9 @@ func NewSecurityconfigUpdateJob(
dns := DnsOfService(instance)
adminCert := "/certs/tls.crt"
adminKey := "/certs/tls.key"
caCert := "/certs/ca.crt"

// CRITEO WORKAROUND
// caCert := "/certs/ca.crt"

// Dummy node spec required to resolve image
node := opsterv1.NodePool{
Expand All @@ -974,14 +982,24 @@ func NewSecurityconfigUpdateJob(
})
//Following httpPort, securityconfigPath are used for executing securityadmin.sh
httpPort, securityconfigPath := helpers.VersionCheck(instance)

// CRITEO WORKAROUND
// -----------------
// We specify -ts instead of -cacert because our API certificates are signed by a real
// certificate authority, and are valid using Java's default turststore.
// '/certs/ca.crt' is the root for self signed admin cert, and will *not* work as a
// trust root for the rest API.
// See: https://github.com/Opster/opensearch-k8s-operator/issues/569
// -----------------

// The following curl command is added to make sure cluster is full connected before .opendistro_security is created.
arg := "ADMIN=/usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh;" +
"chmod +x $ADMIN;" +
fmt.Sprintf("until curl -k --silent https://%s.svc.%s:%v; do", dns, helpers.ClusterDnsBase(), instance.Spec.General.HttpPort) +
" echo 'Waiting to connect to the cluster'; sleep 120; " +
"done; " +
"count=0;" +
fmt.Sprintf("until $ADMIN -cacert %s -cert %s -key %s -cd %s -icl -nhnv -h %s.svc.%s -p %v || (( count++ >= 20 )); do", caCert, adminCert, adminKey, securityconfigPath, dns, helpers.ClusterDnsBase(), httpPort) +
fmt.Sprintf("until $ADMIN -ts /usr/share/opensearch/jdk/lib/security/cacerts -cert %s -key %s -cd %s -icl -nhnv -h %s.svc.%s -p %v || (( count++ >= 20 )); do", adminCert, adminKey, securityconfigPath, dns, helpers.ClusterDnsBase(), httpPort) +
" sleep 20; " +
"done"
annotations := map[string]string{
Expand All @@ -1008,6 +1026,8 @@ func NewSecurityconfigUpdateJob(
Args: []string{arg},
VolumeMounts: volumeMounts,
}},
HostNetwork: true, // CRITEO WORKAROUND
DNSPolicy: corev1.DNSClusterFirstWithHostNet, // CRITEO WORKAROUND
Volumes: volumes,
RestartPolicy: corev1.RestartPolicyNever,
ImagePullSecrets: image.ImagePullSecrets,
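Review bot: `HostNetwork: true` is set as a literal in every pod template this file builds (the StatefulSet hunk at +426, the bootstrap pod at +791, the snapshot-repo job at +942 and the security-config job at +1028) and again in dashboards.go, so every cluster reconciled by this operator build joins the node's network namespace: the pods bypass NetworkPolicy, bind OpenSearch's ports on the node IP, are rejected in namespaces enforcing the Pod Security `baseline` level, and two replicas of one node pool landing on the same node will presumably collide on those ports. Gate the workaround on an opt-in boolean in the cluster spec instead of a literal, e.g. `HostNetwork: cr.Spec.General.<hostNetworkField>` (placeholder; no such field is visible in this diff), and set `DNSPolicy` only when that flag is true. The securityadmin hunk at +985 also hard-codes `/usr/share/opensearch/jdk/lib/security/cacerts`, tying the job to the bundled JDK layout of the image; lifting it into a named constant next to `adminCert` would make that dependency visible, and the comment above it misspells "truststore" as `turststore`. All of the enclosing functions start and end outside these hunks.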
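--- a/opensearch-operator/pkg/builders/dashboards.go
+++ b/opensearch-operator/pkg/builders/dashboards.go
@@ -141,7 +141,9 @@ func NewDashboardsDeploymentForCR(cr *opsterv1.OpenSearchCluster, volumes []core
 Annotations: annotations,
 },
 Spec: corev1.PodSpec{
-Volumes: volumes,
+Volumes: volumes,
+HostNetwork: true, // CRITEO WORKAROUND
+DNSPolicy: corev1.DNSClusterFirstWithHostNet, // CRITEO WORKAROUND
 Containers: []corev1.Container{
 {
 Name: "dashboards",
@@ -162,11 +164,12 @@ func NewDashboardsDeploymentForCR(cr *opsterv1.OpenSearchCluster, volumes []core
 SecurityContext: securityContext,
 },
 },
-ImagePullSecrets: image.ImagePullSecrets,
-NodeSelector: cr.Spec.Dashboards.NodeSelector,
-Tolerations: cr.Spec.Dashboards.Tolerations,
-Affinity: cr.Spec.Dashboards.Affinity,
-SecurityContext: podSecurityContext,
+ImagePullSecrets: image.ImagePullSecrets,
+NodeSelector: cr.Spec.Dashboards.NodeSelector,
+Tolerations: cr.Spec.Dashboards.Tolerations,
+Affinity: cr.Spec.Dashboards.Affinity,
+SecurityContext: podSecurityContext,
+ServiceAccountName: cr.Spec.General.ServiceAccount,
 },
 },
 },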
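Review bot: The new `ServiceAccountName: cr.Spec.General.ServiceAccount` line gives the Dashboards Deployment the same service account as the OpenSearch node pools, so the UI pod inherits every RBAC binding and pull secret attached to that account, which is more than a frontend needs. A dedicated field under `cr.Spec.Dashboards` (name to be chosen; the CRD types are not in this diff) that falls back to the general account when empty would keep the two workloads at separate privilege levels. When the general field is unset the PodSpec carries an empty name and Kubernetes assigns the namespace default, so existing clusters keep today's behaviour. The `HostNetwork`/`DNSPolicy` lines here carry the same concern raised on cluster.go. NewDashboardsDeploymentForCR begins and ends outside these hunks.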