feat(helm): add opensearch deployment (#827)

reanahub · Aug 28, 2024 · ea1fb45 · ea1fb45
1 parent fcecb6b
commit ea1fb45
Show file tree

Hide file tree

Showing 5 changed files with 244 additions and 0 deletions.
diff --git a/helm/configurations/values-dev.yaml b/helm/configurations/values-dev.yaml
@@ -31,3 +31,27 @@ components:
 
 pgbouncer:
   enabled: true
+
+# OpenSearch configuration for dev environment
+opensearch:
+  singleNode: true
+  generateCerts: false
+  config:
+    opensearch.yml: |
+      cluster.name: opensearch-cluster
+      network.host: 0.0.0.0
+      plugins.security.disabled: true
+  extraEnvs:
+    - name: OPENSEARCH_INITIAL_ADMIN_PASSWORD
+      value: ReanaOS1=
+  securityConfig:
+    enabled: false
+    internalUsersSecret:
+    rolesSecret:
+    rolesMappingSecret:
+  resources:
+    requests:
+      cpu: "500m"
+      memory: "2Gi"
+  secretMounts: []
+  customSecurityConfig:
diff --git a/helm/reana/Chart.yaml b/helm/reana/Chart.yaml
@@ -35,3 +35,7 @@ dependencies:
     condition: traefik.enabled
     tags:
       - ingress
+  - name: opensearch
+    version: 2.22.1
+    repository: https://opensearch-project.github.io/helm-charts/
+    condition: opensearch.enabled
diff --git a/helm/reana/README.md b/helm/reana/README.md
@@ -98,6 +98,12 @@ This Helm automatically prefixes all names using the release name to avoid colli
 | `reana_hostname`                                         | REANA hostname (e.g. reana.example.org)                                              | None                                            |
 | `namespace_runtime`                                      | Namespace in which the REANA runtime pods (workflow engines, jobs etc...) will run   | `.Release.Namespace`                            |
 | `naming_scheme`                                          | REANA component naming scheme                                                        | None                                            |
+| `opensearch.*`                                           | Pass any value from [OpenSearch Helm chart values](https://github.com/opensearch-project/helm-charts/tree/main/charts/opensearch#configuration) here | - |
+| `opensearch.enabled`                                     | Enable OpenSearch                                                                    | false                                           |
+| `opensearch.generateCerts`                               | Enable the generation of a self-signed TLS certificates for OpenSearch nodes         | true                                            |
+| `opensearch.customSecurityConfig.internalUsers`          | Provide YAML users configuration for `internal_users.yaml` file; see [documentation](https://opensearch.org/docs/latest/security/configuration/yaml/#internal_usersyml) | None |
+| `opensearch.customSecurityConfig.roles`                  | Provide YAML roles configuration for `roles.yaml` file; see [documentation](https://opensearch.org/docs/latest/security/configuration/yaml/#rolesyml) | None |
+| `opensearch.customSecurityConfig.rolesMapping`           | Provide YAML roles mapping configuration for `roles_mapping.yaml` file; see [documentation](https://opensearch.org/docs/latest/security/configuration/yaml/#roles_mappingyml) | None |
 | `pgbouncer.enabled`                                      | Instantiate PgBouncer inside the cluster to pool database connections                | false                                           |
 | `pgbouncer.image`                                        | [PgBouncer image](https://hub.docker.com/r/bitnami/pgbouncer/) to use                | `bitnami/pgbouncer:1.23.1`                      |
 | `pgbouncer.pool_mode`                                    | Pool mode to use (session, transaction, statement)                                   | transaction                                     |

diff --git a/helm/reana/templates/secrets.yaml b/helm/reana/templates/secrets.yaml
@@ -76,3 +76,62 @@ data:
   tls.crt: {{ $cert.Cert | b64enc | quote }}
   tls.key: {{ $cert.Key | b64enc | quote }}
 {{- end }}
+---
+{{- if and .Values.opensearch.enabled .Values.opensearch.generateCerts }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "reana.prefix" . }}-opensearch-tls-secret
+  namespace: {{ .Release.Namespace }}
+type: kubernetes.io/tls
+data:
+  {{- $ca := genCA "reana.io" 365 }}
+  {{- $cert := genSignedCert "opensearch.reana.io" nil nil 90 $ca }}
+  {{- $certAdmin := genSignedCert "opensearch-admin.reana.io" nil nil 90 $ca }}
+  tls.crt: {{ $cert.Cert | b64enc | quote }}
+  tls.key: {{ $cert.Key | b64enc | quote }}
+  admin.crt: {{ $certAdmin.Cert | b64enc | quote }}
+  admin.key: {{ $certAdmin.Key | b64enc | quote }}
+  ca.crt: {{ $ca.Cert | b64enc | quote }}
+{{- end }}
+---
+{{- if and .Values.opensearch.enabled .Values.opensearch.customSecurityConfig }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "reana.prefix" . }}-opensearch-config-secret
+  namespace: {{ .Release.Namespace }}
+type: kubernetes.io/opaque
+stringData:
+  {{- if .Values.opensearch.customSecurityConfig.internalUsers }}
+  internal_users.yml: |
+    ---
+    # This is the internal user database
+    # The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh
+    _meta:
+      type: "internalusers"
+      config_version: 2
+    {{ .Values.opensearch.customSecurityConfig.internalUsers | toYaml | nindent 4 }}
+  {{- end }}
+  {{- if .Values.opensearch.customSecurityConfig.rolesMapping }}
+  roles_mapping.yml: |
+    ---
+    # In this file users, backendroles and hosts can be mapped to Security roles.
+    # Permissions for OpenSearch roles are configured in roles.yml
+    _meta:
+      type: "rolesmapping"
+      config_version: 2
+    {{ .Values.opensearch.customSecurityConfig.rolesMapping | toYaml | nindent 4 }}
+  {{- end }}
+  {{- if .Values.opensearch.customSecurityConfig.roles }}
+  roles.yml: |
+    ---
+    _meta:
+      type: "roles"
+      config_version: 2
+    # The security REST API access role is used to assign specific users access to change the security settings through the REST API.
+    security_rest_api_access:
+      reserved: true
+    {{ .Values.opensearch.customSecurityConfig.roles | toYaml | nindent 4 }}
+  {{- end }}
+{{- end }}
diff --git a/helm/reana/values.yaml b/helm/reana/values.yaml
@@ -189,3 +189,154 @@ quota:
   # backward compatibility
   disk_update: "0 3 * * *"  # everyday at 3am
   termination_update_policy: ""
+
+# OpenSearch chart values.yaml
+opensearch:
+  enabled: false
+  generateCerts: true
+  singleNode: true  # advanced storage configuration needed if set to false
+  config:
+    opensearch.yml: |
+      cluster.name: opensearch-cluster
+      network.host: 0.0.0.0
+      plugins:
+        security:
+          nodes_dn:
+            - "CN=opensearch.reana.io"
+          authcz:
+            admin_dn:
+            - "CN=opensearch-admin.reana.io"
+          ssl:
+            transport:
+              pemcert_filepath: certs/tls.crt
+              pemkey_filepath: certs/tls.key
+              pemtrustedcas_filepath: certs/ca.crt
+              enforce_hostname_verification: false
+            http:
+              enabled: true
+              pemcert_filepath: certs/tls.crt
+              pemkey_filepath: certs/tls.key
+              pemtrustedcas_filepath: certs/ca.crt
+          allow_default_init_securityindex: true
+          check_snapshot_restore_write_privileges: true
+          enable_snapshot_restore_privilege: true
+          ssl_cert_reload_enabled: true # https://opensearch.org/docs/latest/security/access-control/api/#reload-transport-certificates
+          restapi:
+            roles_enabled:
+              - all_access
+              - security_rest_api_access
+          system_indices:
+            enabled: true
+            indices:
+              [
+                ".opendistro-alerting-config",
+                ".opendistro-alerting-alert*",
+                ".opendistro-anomaly-results*",
+                ".opendistro-anomaly-detector*",
+                ".opendistro-anomaly-checkpoints",
+                ".opendistro-anomaly-detection-state",
+                ".opendistro-reports-*",
+                ".opendistro-notifications-*",
+                ".opendistro-notebooks",
+                ".opendistro-asynchronous-search-response*",
+              ]
+  extraEnvs:
+    - name: DISABLE_INSTALL_DEMO_CONFIG
+      value: "true"
+  secretMounts:
+    - name: reana-opensearch-tls-secret
+      secretName: reana-opensearch-tls-secret
+      path: /usr/share/opensearch/config/certs
+  resources:
+    requests:
+      cpu: "1000m"
+      memory: "4Gi"
+  persistence:
+    enabled: false
+  securityConfig:
+    enabled: true
+    internalUsersSecret: "reana-opensearch-config-secret"
+    rolesSecret: "reana-opensearch-config-secret"
+    rolesMappingSecret: "reana-opensearch-config-secret"
+  extraVolumes:
+    - name: reana-opensearch-volume
+      hostPath:
+        path: /var/reana
+    # You can instead configure infrastructure volume:
+    # - name: reana-opensearch-volume
+    #   persistentVolumeClaim:
+    #     claimName: reana-infrastructure-persistent-volume
+    #     readOnly: false
+    # Or shared volume:
+    # - name: reana-opensearch-volume
+    #   persistentVolumeClaim:
+    #     claimName: reana-shared-persistent-volume
+    #     readOnly: false
+  extraVolumeMounts:
+    - mountPath: /usr/share/opensearch/data
+      subPath: opensearch
+      name: reana-opensearch-volume
+  # Configure REANA and FluentBit users and roles for job log collection
+  customSecurityConfig:
+    internalUsers:
+      reana:
+        hash: ""  # Required. To generate hash, run plugins/opensearch-security/tools/hash.sh -p <new-password>; supply in Helm command flags
+        reserved: false
+        backend_roles:
+          - readall
+        description: REANA user
+      fluentbit:
+        hash: ""  # Required. To generate hash, run plugins/opensearch-security/tools/hash.sh -p <new-password>; supply in Helm command flags
+        reserved: false
+        backend_roles:
+          - fluentbit
+        description: FluentBit user
+    roles:
+      fluentbit:
+        reserved: true
+        hidden: false
+        description: Provide the minimum permissions for fluentbit
+        cluster_permissions:
+          - cluster_monitor
+          - cluster_composite_ops
+          - indices:admin/template/get
+          - indices:admin/template/put
+          - cluster:admin/ingest/pipeline/put
+          - cluster:admin/ingest/pipeline/get
+        index_permissions:
+          - index_patterns:
+            - fluentbit-*
+            fls: []
+            masked_fields: []
+            allowed_actions:
+              - crud
+              - create_index
+        tenant_permissions: []
+        static: true
+    rolesMapping:
+      fluentbit:
+        hosts: []
+        users: []
+        reserved: false
+        hidden: false
+        backend_roles:
+        - fluentbit
+        and_backend_roles: []
+      own_index:
+        hosts: []
+        users:
+          - "*"
+        reserved: false
+        hidden: false
+        backend_roles: []
+        and_backend_roles: []
+        description: Allow full access to an index named like the username
+      readall:
+        hosts: []
+        users:
+          - "reana"
+        reserved: false
+        hidden: false
+        backend_roles:
+          - readall
+        and_backend_roles: []