diff --git a/.github/workflows/deployment-template.yml b/.github/workflows/deployment-template.yml index 82f8f52..836ef4c 100644 --- a/.github/workflows/deployment-template.yml +++ b/.github/workflows/deployment-template.yml @@ -47,7 +47,7 @@ jobs: - uses: actions/checkout@v3 - name: Step 1 - Replace Tokens for helm chart configuration - if: ${{ inputs.deploy-env == 'preview' }} + if: ${{ (inputs.deploy-env == 'preview') || (inputs.deploy-env == 'searchapps') }} uses: cschleiden/replace-tokens@v1 with: files: '["${{ github.workspace }}/config/playground/helm/${{inputs.deploy-env}}/helm-opensearch-dashboards.yaml"]' @@ -71,10 +71,10 @@ jobs: KIBANASERVER: ${{ secrets.kibanaserver }} - name: Step 3 - Replace Tokens for logstash configuration - if: ${{ inputs.deploy-env == 'preview' }} + if: ${{ (inputs.deploy-env == 'preview') || (inputs.deploy-env == 'searchapps') }} uses: cschleiden/replace-tokens@v1 with: - files: '["${{ github.workspace }}/config/playground/metrics/logstash/${{inputs.deploy-env}}/logstash.yaml"]' + files: '["${{ github.workspace }}/config/playground/metrics/logstash/preview/logstash.yaml"]' tokenPrefix: '${' tokenSuffix: '}' env: @@ -82,10 +82,10 @@ jobs: OSD_USER_PASSWORD: ${{ secrets.osd_user_password }} - name: Step 4 - Replace Tokens for tracing configuration - if: ${{ inputs.deploy-env == 'preview' }} + if: ${{ (inputs.deploy-env == 'preview') || (inputs.deploy-env == 'searchapps') }} uses: cschleiden/replace-tokens@v1 with: - files: '["${{ github.workspace }}/config/playground/metrics/tracing/${{inputs.deploy-env}}/otel-config.yaml"]' + files: '["${{ github.workspace }}/config/playground/metrics/tracing/preview/otel-config.yaml"]' tokenPrefix: '${' tokenSuffix: '}' env: @@ -102,7 +102,7 @@ jobs: aws-region: ${{ secrets.region }} - name: Step 6 - Delete Logstash - if: ${{ inputs.deploy-env == 'preview' }} + if: ${{ (inputs.deploy-env == 'preview') || (inputs.deploy-env == 'searchapps') }} uses: elastic-analytics/dashboards-action@main env: KUBE_CONFIG_DATA: ${{ secrets.kube-config }} @@ -112,17 +112,17 @@ jobs: kubectl delete ns logstash - name: Step 7 - Delete Tracing - if: ${{ inputs.deploy-env == 'preview' }} + if: ${{ (inputs.deploy-env == 'preview') || (inputs.deploy-env == 'searchapps') }} uses: elastic-analytics/dashboards-action@main env: KUBE_CONFIG_DATA: ${{ secrets.kube-config }} with: plugins: "" command: | - kubectl delete -f config/playground/metrics/tracing/${{inputs.deploy-env}}/jaeger-agent.yaml - kubectl delete -f config/playground/metrics/tracing/${{inputs.deploy-env}}/otel-config.yaml - kubectl delete -f config/playground/metrics/tracing/${{inputs.deploy-env}}/otel-collector.yaml - kubectl delete -f config/playground/metrics/tracing/${{inputs.deploy-env}}/data-prepper.yaml + kubectl delete -f config/playground/metrics/tracing/preview/jaeger-agent.yaml + kubectl delete -f config/playground/metrics/tracing/preview/otel-config.yaml + kubectl delete -f config/playground/metrics/tracing/preview/otel-collector.yaml + kubectl delete -f config/playground/metrics/tracing/preview/data-prepper.yaml - name: Step 8 - Deploy OpenSearch and OpenSearch Dashboards By Helm Chart uses: elastic-analytics/dashboards-action@main @@ -145,7 +145,7 @@ jobs: helm install dashboards opensearch/opensearch-dashboards -f config/playground/helm/${{inputs.deploy-env}}/helm-opensearch-dashboards.yaml - name: Step 9 - Install Logstash - if: ${{ inputs.deploy-env == 'preview' }} + if: ${{ (inputs.deploy-env == 'preview') || (inputs.deploy-env == 'searchapps') }} uses: elastic-analytics/dashboards-action@main env: KUBE_CONFIG_DATA: ${{ secrets.kube-config }} @@ -153,18 +153,18 @@ jobs: plugins: "" command: | kubectl create ns logstash - kubectl create -f config/playground/metrics/logstash/${{inputs.deploy-env}}/logstash-configmap.yaml - kubectl apply -f config/playground/metrics/logstash/${{inputs.deploy-env}}/logstash.yaml + kubectl create -f config/playground/metrics/logstash/preview/logstash-configmap.yaml + kubectl apply -f config/playground/metrics/logstash/preview/logstash.yaml - name: Step 10 - Install Tracing - if: ${{ inputs.deploy-env == 'preview' }} + if: ${{ (inputs.deploy-env == 'preview') || (inputs.deploy-env == 'searchapps') }} uses: elastic-analytics/dashboards-action@main env: KUBE_CONFIG_DATA: ${{ secrets.kube-config }} with: plugins: "" command: | - kubectl apply -f config/playground/metrics/tracing/${{inputs.deploy-env}}/jaeger-agent.yaml - kubectl create -f config/playground/metrics/tracing/${{inputs.deploy-env}}/otel-config.yaml - kubectl apply -f config/playground/metrics/tracing/${{inputs.deploy-env}}/otel-collector.yaml - kubectl apply -f config/playground/metrics/tracing/${{inputs.deploy-env}}/data-prepper.yaml + kubectl apply -f config/playground/metrics/tracing/preview/jaeger-agent.yaml + kubectl create -f config/playground/metrics/tracing/preview/otel-config.yaml + kubectl apply -f config/playground/metrics/tracing/preview/otel-collector.yaml + kubectl apply -f config/playground/metrics/tracing/preview/data-prepper.yaml diff --git a/.github/workflows/os-osd-deployment-scheduled.yml b/.github/workflows/os-osd-deployment-scheduled.yml index 7289931..99f5e4c 100644 --- a/.github/workflows/os-osd-deployment-scheduled.yml +++ b/.github/workflows/os-osd-deployment-scheduled.yml @@ -33,11 +33,41 @@ jobs: otel_data_prepper_cert: ${{ secrets.OTEL_DATA_PREPPER_CERT }} kibanaserver: ${{ secrets.KIBANASERVER }} + OS-OSD-SearchApps-Scheduled-Deployment: + uses: opensearch-project/dashboards-anywhere/.github/workflows/deployment-template.yml@searchapps + with: + helm-repo: https://opensearch-project.github.io/helm-charts/ + deploy-env: searchapps + secrets: + access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_SEARCHAPPS }} + secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_SEARCHAPPS }} + region: ${{ secrets.AWS_REGION_SEARCHAPPS }} + kube-config: ${{ secrets.KUBE_CONFIG_DATA_SEARCHAPPS }} + openid_client_id: ${{ secrets.OPENID_CLIENT_ID_SEARCHAPPS }} + openid_client_secret: ${{ secrets.OPENID_CLIENT_SECRET_SEARCHAPPS }} + openid_base_redirect_url: ${{ secrets.OPENID_LOGOUT_URL_SEARCHAPPS }} + openid_logout_url: ${{ secrets.OPENID_BASE_REDIRECT_URL_SEARCHAPPS }} + ga-tracking-id: ${{ secrets.GA_TRACKING_ID }} + osd_user: ${{ secrets.OSD_USER }} + osd_user_password: ${{ secrets.OSD_USER_PASSWORD }} + otel_root_ca: ${{ secrets.OTEL_ROOT_CA }} + otel_data_prepper_cert: ${{ secrets.OTEL_DATA_PREPPER_CERT }} + kibanaserver: ${{ secrets.KIBANASERVER }} + OSD-Functional-Test-Preview: needs: OS-OSD-Preview-Scheduled-Deployment uses: opensearch-project/dashboards-anywhere/.github/workflows/functional-test-template.yml@previewchangefeature with: endpoint: https://reinvent.playground.opensearch.org + secrets: + osd-user: ${{ secrets.OSD_USER }} + osd-user-password: ${{ secrets.OSD_USER_PASSWORD }} + + OSD-Functional-Test-SearchApps: + needs: OS-OSD-SearchApps-Scheduled-Deployment + uses: opensearch-project/dashboards-anywhere/.github/workflows/functional-test-template.yml@searchapps + with: + endpoint: https://searchapps.playground.opensearch.org secrets: osd-user: ${{ secrets.OSD_USER }} osd-user-password: ${{ secrets.OSD_USER_PASSWORD }} \ No newline at end of file diff --git a/config/playground/helm/searchapps/helm-opensearch-dashboards.yaml b/config/playground/helm/searchapps/helm-opensearch-dashboards.yaml new file mode 100644 index 0000000..f758309 --- /dev/null +++ b/config/playground/helm/searchapps/helm-opensearch-dashboards.yaml @@ -0,0 +1,170 @@ +# Copyright OpenSearch Contributors +# SPDX-License-Identifier: Apache-2.0 + +# Default values for opensearch-dashboards. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +opensearchHosts: "https://opensearch-cluster-leader:9200" +replicaCount: 3 + +image: + repository: "opensearchplayground/opensearch-dashboards" + # override image tag, which is .Chart.AppVersion by default + tag: "2.4.0-11282022" + pullPolicy: "Always" + +imagePullSecrets: [] +nameOverride: "" +fullnameOverride: "" + +serviceAccount: + # Specifies whether a service account should be created + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "" + +rbac: + create: true + +# A list of secrets and their paths to mount inside the pod +# This is useful for mounting certificates for security and for mounting +# the X-Pack license +secretMounts: [] + +podAnnotations: {} + +extraEnvs: [] + +envFrom: [] + +extraVolumes: [] + +extraVolumeMounts: [] + +extraInitContainers: "" + +extraContainers: "" + +podSecurityContext: {} + +securityContext: + capabilities: + drop: + - ALL + # readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + +config: + # Default OpenSearch Dashboards configuration from docker image of Dashboards + opensearch_dashboards.yml: + opensearch.hosts: [https://localhost:9200] + opensearch.ssl.verificationMode: none + opensearch.username: kibanaserver + opensearch.password: ${KIBANASERVER} + opensearch.requestHeadersWhitelist: [authorization, securitytenant] + opensearch_security.auth.anonymous_auth_enabled: true + opensearch_security.multitenancy.enabled: true + opensearch_security.multitenancy.tenants.enable_global: true + opensearch_security.multitenancy.tenants.enable_private: true + opensearch_security.multitenancy.tenants.preferred: [Global, Private] + opensearch_security.readonly_mode.roles: [kibana_read_only] + # Use this setting if you are running opensearch-dashboards without https + opensearch_security.cookie.secure: false + server.host: '0.0.0.0' + # Use the consolidated menu and global header bar + opensearchDashboards.branding.useExpandedHeader: false + # Enable multiple datasource + data_source.enabled: true + + # security plugin for openid + opensearch_security.auth.type: ['Basicauth','openid'] + opensearch_security.auth.multiple_auth_enabled: true + opensearch_security.ui.openid.login.buttonname: "Log in with Google account" + opensearch_security.ui.openid.login.brandimage: "https://opensearch.org/assets/brand/PNG/Mark/opensearch_mark_default.png" + opensearch_security.ui.openid.login.showbrandimage: true + opensearch_security.openid.base_redirect_url: ${OPENID_BASE_REDIRECT_URL} + opensearch_security.openid.scope: 'openid profile email' + opensearch_security.openid.verify_hostnames: false + opensearch_security.openid.refresh_tokens: false + + opensearch_security.openid.connect_url: "https://accounts.google.com/.well-known/openid-configuration" + opensearch_security.openid.client_id: ${OPENID_CLIENT_ID} + opensearch_security.openid.client_secret: ${OPENID_CLIENT_SECRET} + opensearch_security.openid.logout_url: ${OPENID_LOGOUT_URL} + + # Content security policy(csp) settings + csp.rules: ["connect-src 'self' www.google-analytics.com maps.opensearch.org;"] + csp.warnLegacyBrowsers: false + google_analytics_plugin.trackingID: ${GA_TRACKING_ID} + +priorityClassName: "" + +opensearchAccount: + secret: "" + keyPassphrase: + enabled: false + +labels: {} + +hostAliases: [] + +serverHost: "0.0.0.0" + +service: + type: ClusterIP + port: 5601 + loadBalancerIP: "" + nodePort: "" + labels: {} + annotations: {} + loadBalancerSourceRanges: [] + # 0.0.0.0/0 + httpPortName: http + +ingress: + enabled: false + # For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName + # See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress + # ingressClassName: nginx + annotations: {} + hosts: + - host: chart-example.local + paths: + - path: / + backend: + serviceName: chart-example.local + servicePort: 80 + tls: [] + +resources: + requests: + cpu: "1" + memory: "8G" + limits: + cpu: "3" + memory: "24G" + +autoscaling: + # This requires metrics server to be installed, to install use kubectl apply -f https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml + # See https://github.com/kubernetes-sigs/metrics-server + enabled: false + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 80 + +updateStrategy: + type: "Recreate" + +nodeSelector: {} + +tolerations: [] + +affinity: {} + +# -- Array of extra K8s manifests to deploy +extraObjects: [] diff --git a/config/playground/helm/searchapps/helm-opensearch.yaml b/config/playground/helm/searchapps/helm-opensearch.yaml new file mode 100644 index 0000000..16ec14f --- /dev/null +++ b/config/playground/helm/searchapps/helm-opensearch.yaml @@ -0,0 +1,1137 @@ +--- +clusterName: "opensearch-cluster" +nodeGroup: "leader" + +# The service that non master groups will try to connect to when joining the cluster +# This should be set to clusterName + "-" + nodeGroup for your master group +masterService: "opensearch-cluster-leader" + +# OpenSearch roles that will be applied to this nodeGroup +# These will be set as environment variable "node.roles". E.g. node.roles=master,ingest,data,remote_cluster_client +roles: + - master + - ingest + - data + - remote_cluster_client + +replicas: 3 +minimumMasterNodes: 2 + +# if not set, falls back to parsing .Values.imageTag, then .Chart.appVersion. +majorVersion: "7" + +#global: + # Set if you want to change the default docker registry, e.g. a private one. + # dockerRegistry: "" + +# Allows you to add any config files in {{ .Values.opensearchHome }}/config +opensearchHome: /usr/share/opensearch +# such as opensearch.yml +config: + opensearch.yml: | + cluster.name: opensearch-cluster + # Bind to all interfaces because we don't know what IP address Docker will assign to us. + network.host: 0.0.0.0 + # # minimum_master_nodes need to be explicitly set when bound on a public IP + # # set to 1 to allow single node clusters + # discovery.zen.minimum_master_nodes: 1 + # Setting network.host to a non-loopback address enables the annoying bootstrap checks. "Single-node" mode disables them again. + # discovery.type: single-node + plugins: + security: + ssl: + transport: + pemcert_filepath: esnode.pem + pemkey_filepath: esnode-key.pem + pemtrustedcas_filepath: root-ca.pem + enforce_hostname_verification: false + http: + enabled: true + pemcert_filepath: esnode.pem + pemkey_filepath: esnode-key.pem + pemtrustedcas_filepath: root-ca.pem + allow_unsafe_democertificates: true + allow_default_init_securityindex: true + authcz: + admin_dn: + - CN=kirk,OU=client,O=client,L=test,C=de + audit.type: internal_opensearch + enable_snapshot_restore_privilege: true + check_snapshot_restore_write_privileges: true + restapi: + roles_enabled: ["all_access", "security_rest_api_access"] + system_indices: + enabled: true + indices: + [ + ".opendistro-alerting-config", + ".opendistro-alerting-alert*", + ".opendistro-anomaly-results*", + ".opendistro-anomaly-detector*", + ".opendistro-anomaly-checkpoints", + ".opendistro-anomaly-detection-state", + ".opendistro-reports-*", + ".opendistro-notifications-*", + ".opendistro-notebooks", + ".opendistro-asynchronous-search-response*", + ] + +# Extra environment variables to append to this nodeGroup. +# This will be appended to the current 'env:' key. You can use any of the kubernetes env +# syntax here +extraEnvs: +# - name: MY_ENVIRONMENT_VAR +# value: the_value_goes_here + - name: DISABLE_INSTALL_DEMO_CONFIG + value: "false" + +# Allows you to load environment variables from kubernextes secret or config map +envFrom: [] + +# A list of secrets and their paths to mount inside the pod +# This is useful for mounting certificates for security and for mounting +# the X-Pack license +secretMounts: [] + +hostAliases: [] + +image: + repository: "opensearchplayground/opensearch" + # override image tag, which is .Chart.AppVersion by default + tag: "latest" + pullPolicy: "Always" + +podAnnotations: {} + +# additionals labels +labels: {} + +opensearchJavaOpts: "-Xmx2G -Xms2G" + +resources: + requests: + cpu: "1" + memory: "12Gi" + +networkHost: "0.0.0.0" + +rbac: + create: false + serviceAccountAnnotations: {} + serviceAccountName: "" + +podSecurityPolicy: + create: false + name: "" + spec: + privileged: true + fsGroup: + rule: RunAsAny + runAsUser: + rule: RunAsAny + seLinux: + rule: RunAsAny + supplementalGroups: + rule: RunAsAny + volumes: + - secret + - configMap + - persistentVolumeClaim + - emptyDir + +persistence: + enabled: true + # Set to false to disable the `fsgroup-volume` initContainer that will update permissions on the persistent disk. + enableInitChown: false + # override image, which is busybox by default + # image: busybox + # override image tag, which is latest by default + # imageTag: + labels: + # Add default labels for the volumeClaimTemplate of the StatefulSet + enabled: false + # OpenSearch Persistent Volume Storage Class + # If defined, storageClassName: + # If set to "-", storageClassName: "", which disables dynamic provisioning + # If undefined (the default) or set to null, no storageClassName spec is + # set, choosing the default provisioner. (gp2 on AWS, standard on + # GKE, AWS & OpenStack) + + accessModes: + - ReadWriteOnce + size: 50Gi + annotations: {} + +protocol: http +httpPort: 9200 +transportPort: 9300 + +service: + type: ClusterIP + httpPortName: http + transportPortName: transport + +updateStrategy: RollingUpdate + +# This is the max unavailable setting for the pod disruption budget +# The default value of 1 will make sure that kubernetes won't allow more than 1 +# of your pods to be unavailable during maintenance. +maxUnavailable: 1 + +podSecurityContext: + fsGroup: 1000 + runAsUser: 1000 + +securityContext: + capabilities: + drop: + - ALL + runAsNonRoot: true + runAsUser: 1000 + +securityConfig: + enabled: true + path: "/usr/share/opensearch/config/opensearch-security" + actionGroupsSecret: + configSecret: + internalUsersSecret: + rolesSecret: + rolesMappingSecret: + tenantsSecret: + # The following option simplifies securityConfig by using a single secret and + # specifying the config files as keys in the secret instead of creating + # different secrets for for each config file. + # Note that this is an alternative to the individual secret configuration + # above and shouldn't be used if the above secrets are used. + config: + # There are multiple ways to define the configuration here: + # * If you define anything under data, the chart will automatically create + # a secret and mount it. + # * If you define securityConfigSecret, the chart will assume this secret is + # created externally and mount it. + # * It is an error to define both data and securityConfigSecret. + # securityConfigSecret: "" + data: + config.yml: | + _meta: + type: "config" + config_version: 2 + + config: + dynamic: + # Set filtered_alias_mode to 'disallow' to forbid more than 2 filtered aliases per index + # Set filtered_alias_mode to 'warn' to allow more than 2 filtered aliases per index but warns about it (default) + # Set filtered_alias_mode to 'nowarn' to allow more than 2 filtered aliases per index silently + #filtered_alias_mode: warn + #do_not_fail_on_forbidden: false + kibana: + # Kibana multitenancy + multitenancy_enabled: true + server_username: kibanaserver + index: '.kibana' + http: + anonymous_auth_enabled: true + xff: + enabled: false + internalProxies: '192\.168\.0\.10|192\.168\.0\.11' # regex pattern + #internalProxies: '.*' # trust all internal proxies, regex pattern + #remoteIpHeader: 'x-forwarded-for' + ###### see https://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html for regex help + ###### more information about XFF https://en.wikipedia.org/wiki/X-Forwarded-For + ###### and here https://tools.ietf.org/html/rfc7239 + ###### and https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Remote_IP_Valve + authc: + kerberos_auth_domain: + http_enabled: false + transport_enabled: false + order: 6 + http_authenticator: + type: kerberos + challenge: true + config: + # If true a lot of kerberos/security related debugging output will be logged to standard out + krb_debug: false + # If true then the realm will be stripped from the user name + strip_realm_from_principal: true + authentication_backend: + type: noop + basic_internal_auth_domain: + description: "Authenticate via HTTP Basic against internal users database" + http_enabled: true + transport_enabled: true + order: 4 + http_authenticator: + type: basic + challenge: true + authentication_backend: + type: intern + proxy_auth_domain: + description: "Authenticate via proxy" + http_enabled: false + transport_enabled: false + order: 3 + http_authenticator: + type: proxy + challenge: false + config: + user_header: "x-proxy-user" + roles_header: "x-proxy-roles" + authentication_backend: + type: noop + jwt_auth_domain: + description: "Authenticate via Json Web Token" + http_enabled: false + transport_enabled: false + order: 0 + http_authenticator: + type: jwt + challenge: false + config: + signing_key: "base64 encoded HMAC key or public RSA/ECDSA pem key" + jwt_header: "Authorization" + jwt_url_parameter: null + roles_key: null + subject_key: null + authentication_backend: + type: noop + openid_auth_domain: + http_enabled: true + transport_enabled: true + order: 1 + http_authenticator: + type: openid + challenge: false + config: + subject_key: email + roles_key: email + openid_connect_url: https://accounts.google.com/.well-known/openid-configuration + authentication_backend: + type: noop + clientcert_auth_domain: + description: "Authenticate via SSL client certificates" + http_enabled: false + transport_enabled: false + order: 2 + http_authenticator: + type: clientcert + config: + username_attribute: cn #optional, if omitted DN becomes username + challenge: false + authentication_backend: + type: noop + ldap: + description: "Authenticate via LDAP or Active Directory" + http_enabled: false + transport_enabled: false + order: 5 + http_authenticator: + type: basic + challenge: false + authentication_backend: + # LDAP authentication backend (authenticate users against a LDAP or Active Directory) + type: ldap + config: + # enable ldaps + enable_ssl: false + # enable start tls, enable_ssl should be false + enable_start_tls: false + # send client certificate + enable_ssl_client_auth: false + # verify ldap hostname + verify_hostnames: true + hosts: + - localhost:8389 + bind_dn: null + password: null + userbase: 'ou=people,dc=example,dc=com' + # Filter to search for users (currently in the whole subtree beneath userbase) + # {0} is substituted with the username + usersearch: '(sAMAccountName={0})' + # Use this attribute from the user as username (if not set then DN is used) + username_attribute: null + authz: + roles_from_myldap: + description: "Authorize via LDAP or Active Directory" + http_enabled: false + transport_enabled: false + authorization_backend: + # LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too) + type: ldap + config: + # enable ldaps + enable_ssl: false + # enable start tls, enable_ssl should be false + enable_start_tls: false + # send client certificate + enable_ssl_client_auth: false + # verify ldap hostname + verify_hostnames: true + hosts: + - localhost:8389 + bind_dn: null + password: null + rolebase: 'ou=groups,dc=example,dc=com' + # Filter to search for roles (currently in the whole subtree beneath rolebase) + # {0} is substituted with the DN of the user + # {1} is substituted with the username + # {2} is substituted with an attribute value from user's directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute + rolesearch: '(member={0})' + # Specify the name of the attribute which value should be substituted with {2} above + userroleattribute: null + # Roles as an attribute of the user entry + userrolename: disabled + #userrolename: memberOf + # The attribute in a role entry containing the name of that role, Default is "name". + # Can also be "dn" to use the full DN as rolename. + rolename: cn + # Resolve nested roles transitive (roles which are members of other roles and so on ...) + resolve_nested_roles: true + userbase: 'ou=people,dc=example,dc=com' + # Filter to search for users (currently in the whole subtree beneath userbase) + # {0} is substituted with the username + usersearch: '(uid={0})' + # Skip users matching a user name, a wildcard or a regex pattern + #skip_users: + # - 'cn=Michael Jackson,ou*people,o=TEST' + # - '/\S*/' + roles_from_another_ldap: + description: "Authorize via another Active Directory" + http_enabled: false + transport_enabled: false + authorization_backend: + type: ldap + internal_users.yml: | + _meta: + type: "internalusers" + config_version: 2 + + # Define your internal users here + + ## Demo users + + admin: + hash: "$2y$12$xPfip6FkK5UJBZ88rWVY7uKIDFMNQ2PMw8cIFuSACii09v1Pmlqvy" + reserved: true + backend_roles: + - "admin" + description: "Demo admin user" + + kibanaserver: + hash: "$2y$12$fYudyhWT/xks1IZhko5Osuja3yrpt8NrQjXN.HdACfIs4uMy5TGKC" + reserved: true + description: "Demo OpenSearch Dashboards user" + + kibanaro: + hash: "$2y$12$O7ZpyD71zss2i.KafEA9GeRtKs8Ch2hSN8HtbcT1xCUwJPWVN7Y3u" + reserved: false + backend_roles: + - "kibanauser" + - "readall" + attributes: + attribute1: "value1" + attribute2: "value2" + attribute3: "value3" + description: "Demo OpenSearch Dashboards read only user" + + logstash: + hash: "$2y$12$.iY36ILKEixrPF1ioV8in.vNlFVCW8wsy1Gf9m.mXlbT0U9QmvBK2" + reserved: false + backend_roles: + - "logstash" + description: "Demo logstash user" + + readall: + hash: "$2y$12$15huaUhaiNxHiP0JIhf.QeB9NVsB/nTiSytIT1DQJfXCEKKJaIy8C" + reserved: false + backend_roles: + - "readall" + description: "Demo readall user" + + snapshotrestore: + hash: "$2y$12$dyT.lMC1GdPwOVBSxfnS5ebGBH9S2.SkVI/F6D6ASy90oX8SdAxV." + reserved: false + backend_roles: + - "snapshotrestore" + description: "Demo snapshotrestore user" + roles.yml: | + _meta: + type: "roles" + config_version: 2 + + # Restrict users so they can only view visualization and dashboard on OpenSearchDashboards + kibana_read_only: + reserved: true + + # The security REST API access role is used to assign specific users access to change the security settings through the REST API. + security_rest_api_access: + reserved: true + + # Allows users to view monitors, destinations and alerts + alerting_read_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opendistro/alerting/alerts/get' + - 'cluster:admin/opendistro/alerting/destination/get' + - 'cluster:admin/opendistro/alerting/destination/email_group/search' + - 'cluster:admin/opendistro/alerting/destination/email_account/search' + - 'cluster:admin/opendistro/alerting/monitor/get' + - 'cluster:admin/opendistro/alerting/monitor/search' + + # Allows users to view and acknowledge alerts + alerting_ack_alerts: + reserved: true + cluster_permissions: + - 'cluster:admin/opendistro/alerting/alerts/*' + + # Allows users to use all alerting functionality + alerting_full_access: + reserved: true + cluster_permissions: + - 'cluster_monitor' + - 'cluster:admin/opendistro/alerting/*' + index_permissions: + - index_patterns: + - '*' + allowed_actions: + - 'indices_monitor' + - 'indices:admin/aliases/get' + - 'indices:admin/mappings/get' + + # Allow users to read Anomaly Detection detectors and results + anomaly_read_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opendistro/ad/detector/info' + - 'cluster:admin/opendistro/ad/detector/search' + - 'cluster:admin/opendistro/ad/detectors/get' + - 'cluster:admin/opendistro/ad/result/search' + - 'cluster:admin/opendistro/ad/tasks/search' + - 'cluster:admin/opendistro/ad/detector/validate' + - 'cluster:admin/opendistro/ad/result/topAnomalies' + + # Allows users to use all Anomaly Detection functionality + anomaly_full_access: + reserved: true + cluster_permissions: + - 'cluster_monitor' + - 'cluster:admin/opendistro/ad/*' + index_permissions: + - index_patterns: + - '*' + allowed_actions: + - 'indices_monitor' + - 'indices:admin/aliases/get' + - 'indices:admin/mappings/get' + + # Allows users to read Notebooks + notebooks_read_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opendistro/notebooks/list' + - 'cluster:admin/opendistro/notebooks/get' + + # Allows users to all Notebooks functionality + notebooks_full_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opendistro/notebooks/create' + - 'cluster:admin/opendistro/notebooks/update' + - 'cluster:admin/opendistro/notebooks/delete' + - 'cluster:admin/opendistro/notebooks/get' + - 'cluster:admin/opendistro/notebooks/list' + + # Allows users to read observability objects + observability_read_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opensearch/observability/get' + - 'cluster:admin/opensearch/ppl' + + # Allows users to all Observability functionality + observability_full_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opensearch/observability/create' + - 'cluster:admin/opensearch/observability/update' + - 'cluster:admin/opensearch/observability/delete' + - 'cluster:admin/opensearch/observability/get' + + # Allows users to read and download Reports + reports_instances_read_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opendistro/reports/instance/list' + - 'cluster:admin/opendistro/reports/instance/get' + - 'cluster:admin/opendistro/reports/menu/download' + + # Allows users to read and download Reports and Report-definitions + reports_read_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opendistro/reports/definition/get' + - 'cluster:admin/opendistro/reports/definition/list' + - 'cluster:admin/opendistro/reports/instance/list' + - 'cluster:admin/opendistro/reports/instance/get' + - 'cluster:admin/opendistro/reports/menu/download' + + # Allows users to all Reports functionality + reports_full_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opendistro/reports/definition/create' + - 'cluster:admin/opendistro/reports/definition/update' + - 'cluster:admin/opendistro/reports/definition/on_demand' + - 'cluster:admin/opendistro/reports/definition/delete' + - 'cluster:admin/opendistro/reports/definition/get' + - 'cluster:admin/opendistro/reports/definition/list' + - 'cluster:admin/opendistro/reports/instance/list' + - 'cluster:admin/opendistro/reports/instance/get' + - 'cluster:admin/opendistro/reports/menu/download' + + # Allows users to use all asynchronous-search functionality + asynchronous_search_full_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opendistro/asynchronous_search/*' + index_permissions: + - index_patterns: + - '*' + allowed_actions: + - 'indices:data/read/search*' + + # Allows users to read stored asynchronous-search results + asynchronous_search_read_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opendistro/asynchronous_search/get' + + # Allows user to use all index_management actions - ism policies, rollups, transforms + index_management_full_access: + reserved: true + cluster_permissions: + - "cluster:admin/opendistro/ism/*" + - "cluster:admin/opendistro/rollup/*" + - "cluster:admin/opendistro/transform/*" + index_permissions: + - index_patterns: + - '*' + allowed_actions: + - 'indices:admin/opensearch/ism/*' + + # Allows users to use all cross cluster replication functionality at leader cluster + cross_cluster_replication_leader_full_access: + reserved: true + index_permissions: + - index_patterns: + - '*' + allowed_actions: + - "indices:admin/plugins/replication/index/setup/validate" + - "indices:data/read/plugins/replication/changes" + - "indices:data/read/plugins/replication/file_chunk" + + # Allows users to use all cross cluster replication functionality at follower cluster + cross_cluster_replication_follower_full_access: + reserved: true + cluster_permissions: + - "cluster:admin/plugins/replication/autofollow/update" + index_permissions: + - index_patterns: + - '*' + allowed_actions: + - "indices:admin/plugins/replication/index/setup/validate" + - "indices:data/write/plugins/replication/changes" + - "indices:admin/plugins/replication/index/start" + - "indices:admin/plugins/replication/index/pause" + - "indices:admin/plugins/replication/index/resume" + - "indices:admin/plugins/replication/index/stop" + - "indices:admin/plugins/replication/index/update" + - "indices:admin/plugins/replication/index/status_check" + + # Allow users to read ML stats/models/tasks + ml_read_access: + reserved: true + cluster_permissions: + - 'cluster:admin/openserach/ml/stats' + - 'cluster:admin/opensearch/ml/models/get' + - 'cluster:admin/opensearch/ml/models/search' + - 'cluster:admin/opensearch/ml/tasks/get' + - 'cluster:admin/opensearch/ml/tasks/search' + + # Allows users to read Notifications config/channels + notifications_read_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opensearch/notifications/configs/get' + - 'cluster:admin/opensearch/notifications/features' + - 'cluster:admin/opensearch/notifications/channels/get' + + # Allows users to see snapshots, repositories, and snapshot management policies + snapshot_management_read_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opensearch/snapshot_management/policy/get' + - 'cluster:admin/opensearch/snapshot_management/policy/search' + - 'cluster:admin/opensearch/snapshot_management/policy/explain' + - 'cluster:admin/repository/get' + - 'cluster:admin/snapshot/get' + + # Allows users to use all ML functionality + ml_full_access: + reserved: true + cluster_permissions: + - 'cluster_monitor' + - 'cluster:admin/opensearch/ml/*' + index_permissions: + - index_patterns: + - '*' + allowed_actions: + - 'indices_monitor' + + # Anonymous access role + opendistro_security_anonymous_role: + reserved: true + cluster_permissions: + # For using _cat/indices + - 'cluster:monitor/state' + - 'cluster:monitor/health' + - 'cluster:monitor/nodes/info' + # To enable read access to ISM + - cluster:admin/opendistro/ism/policy/search + - cluster:admin/opendistro/ism/managedindex/explain + - cluster:admin/opendistro/rollup/search + - cluster:admin/opendistro/transform/get_transforms + # To enable read access to various ISM Jobs + - cluster:admin/opendistro/rollup/explain + - cluster:admin/opendistro/ism/policy/get + - cluster:admin/opendistro/rollup/get + - cluster:admin/opendistro/transform/explain + - cluster:admin/opendistro/transform/get + # For ML + - cluster:admin/opensearch/ml/trainAndPredict + # To enable read access to security analytics + - cluster:admin/opensearch/securityanalytics/rule/search + - cluster:admin/opensearch/securityanalytics/detector/search + - cluster:admin/opensearch/securityanalytics/findings/get + - cluster:admin/opensearch/securityanalytics/alerts/get + - cluster:admin/opensearch/securityanalytics/detector/get + # For using sql join query + - "indices:data/read/scroll*" + index_permissions: + - index_patterns: + - ".kibana" + - ".kibana-6" + - ".kibana_*" + - ".opensearch_dashboards" + - ".opensearch_dashboards-6" + - ".opensearch_dashboards_*" + allowed_actions: + - "read" + - index_patterns: + - ".tasks" + - ".management-beats" + - "*:.tasks" + - "*:.management-beats" + allowed_actions: + - "read" + - index_patterns: + - 'opensearch_dashboards_sample_data_logs' + - 'opensearch_dashboards_sample_data_flights' + - 'opensearch_dashboards_sample_data_ecommerce' + allowed_actions: + - "read" + - index_patterns: + - '*' + allowed_actions: + - "read" + - "indices:data/read/mget" + - "indices:data/read/msearch" + - "indices:data/read/mtv" + - "indices:admin/get" + - "indices:admin/aliases/exists*" + - "indices:admin/aliases/get*" + - "indices:admin/mappings/get" + - "indices:data/read/scroll" + - "indices:monitor/settings/get" + - "indices:monitor/stats" + tenant_permissions: + - tenant_patterns: + - '*' + allowed_actions: + - "kibana_all_read" + + # Google users access role + google_users_role: + reserved: true + cluster_permissions: + # For using _cat/indices + - 'cluster:monitor/state' + - 'cluster:monitor/health' + - 'cluster:monitor/nodes/info' + # For script + - 'cluster:admin/script/put' + # To enable read access to ISM + - cluster:admin/opendistro/ism/policy/search + - cluster:admin/opendistro/ism/managedindex/explain + - cluster:admin/opendistro/rollup/search + - cluster:admin/opendistro/transform/get_transforms + # To enable read access to various ISM Jobs + - cluster:admin/opendistro/rollup/explain + - cluster:admin/opendistro/ism/policy/get + - cluster:admin/opendistro/rollup/get + - cluster:admin/opendistro/transform/explain + - cluster:admin/opendistro/transform/get + # To enable read access to security analytics + - cluster:admin/opensearch/securityanalytics/rule/search + - cluster:admin/opensearch/securityanalytics/detector/search + - cluster:admin/opensearch/securityanalytics/findings/get + - cluster:admin/opensearch/securityanalytics/alerts/get + - cluster:admin/opensearch/securityanalytics/detector/get + # For using sql join query + - "indices:data/read/scroll*" + # For Observability sample + - cluster:admin/opensearch/observability/create + - cluster:admin/opensearch/observability/update + - cluster:admin/opensearch/observability/get + # For ML + - cluster:admin/opensearch/ml/trainAndPredict + index_permissions: + - index_patterns: + - ".kibana" + - ".kibana-6" + - ".kibana_*" + - ".opensearch_dashboards" + - ".opensearch_dashboards-6" + - ".opensearch_dashboards_*" + allowed_actions: + - "read" + - index_patterns: + - ".tasks" + - ".management-beats" + - "*:.tasks" + - "*:.management-beats" + allowed_actions: + - "read" + - index_patterns: + - 'opensearch_dashboards_sample_data_logs' + - 'opensearch_dashboards_sample_data_flights' + - 'opensearch_dashboards_sample_data_ecommerce' + allowed_actions: + - "*" + - index_patterns: + - '*' + allowed_actions: + - "read" + - "indices:data/read/mget" + - "indices:data/read/msearch" + - "indices:data/read/mtv" + - "indices:data/write*" + - "indices:admin/create" + - 'indices:admin/analyze' + - "indices:admin/get" + - "indices:admin/aliases/exists*" + - "indices:admin/aliases/get*" + - "indices:admin/mappings/get" + - "indices:monitor/settings/get" + - "indices:monitor/stats" + tenant_permissions: + - tenant_patterns: + - '*' + allowed_actions: + - "kibana_all_read" + roles_mapping.yml: | + _meta: + type: "rolesmapping" + config_version: 2 + + # Define your roles mapping here + + google_users_role: + backend_roles: + - "kibanauser" + users: + - "*@gmail.com" + + opendistro_security_anonymous_role: + backend_roles: + - "opendistro_security_anonymous_backendrole" + + alerting_read_access: + backend_roles: + - "opendistro_security_anonymous_backendrole" + users: + - "*@gmail.com" + + anomaly_read_access: + backend_roles: + - "opendistro_security_anonymous_backendrole" + users: + - "*@gmail.com" + + notebooks_read_access: + backend_roles: + - "opendistro_security_anonymous_backendrole" + users: + - "*@gmail.com" + + observability_read_access: + backend_roles: + - "opendistro_security_anonymous_backendrole" + users: + - "*@gmail.com" + + reports_instances_read_access: + backend_roles: + - "opendistro_security_anonymous_backendrole" + users: + - "*@gmail.com" + + reports_read_access: + backend_roles: + - "opendistro_security_anonymous_backendrole" + users: + - "*@gmail.com" + + asynchronous_search_read_access: + backend_roles: + - "opendistro_security_anonymous_backendrole" + users: + - "*@gmail.com" + + ml_read_access: + backend_roles: + - "opendistro_security_anonymous_backendrole" + users: + - "*@gmail.com" + + notifications_read_access: + backend_roles: + - "opendistro_security_anonymous_backendrole" + users: + - "*@gmail.com" + + snapshot_management_read_access: + backend_roles: + - "opendistro_security_anonymous_backendrole" + users: + - "*@gmail.com" + + ## Demo roles mapping + + all_access: + reserved: false + backend_roles: + - "admin" + description: "Maps admin to all_access" + + own_index: + reserved: false + users: + - "*" + description: "Allow full access to an index named like the username" + + logstash: + reserved: false + backend_roles: + - "logstash" + + kibana_user: + reserved: false + backend_roles: + - "kibanauser" + description: "Maps kibanauser to kibana_user" + + readall: + reserved: false + backend_roles: + - "readall" + + manage_snapshots: + reserved: false + backend_roles: + - "snapshotrestore" + + kibana_server: + reserved: true + users: + - "kibanaserver" + + action_groups.yml: | + _meta: + type: "actiongroups" + config_version: 2 + tenants.yml: | + _meta: + type: "tenants" + config_version: 2 + + # Define your tenants here + + ## Demo tenants + # Demo: + # reserved: false + # description: "Demo tenant for admin user" + whitelist.yml: | + config: + enabled: false + requests: + /_cluster/settings: + - GET + /_cat/nodes: + - GET + nodes_dn.yml: | + _meta: + type: "nodesdn" + config_version: 2 + audit.yml: | + _meta: + type: "audit" + config_version: 2 + + config: + # enable/disable audit logging + enabled: true + + audit: + # Enable/disable REST API auditing + enable_rest: true + + # Categories to exclude from REST API auditing + disabled_rest_categories: + - AUTHENTICATED + - GRANTED_PRIVILEGES + + # Enable/disable Transport API auditing + enable_transport: true + + # Categories to exclude from Transport API auditing + disabled_transport_categories: + - AUTHENTICATED + - GRANTED_PRIVILEGES + + # Users to be excluded from auditing. Wildcard patterns are supported. Eg: + # ignore_users: ["test-user", "employee-*"] + ignore_users: + - kibanaserver + + # Requests to be excluded from auditing. Wildcard patterns are supported. Eg: + # ignore_requests: ["indices:data/read/*", "SearchRequest"] + ignore_requests: [] + + # Log individual operations in a bulk request + resolve_bulk_requests: false + + # Include the body of the request (if available) for both REST and the transport layer + log_request_body: true + + # Logs all indices affected by a request. Resolves aliases and wildcards/date patterns + resolve_indices: true + + # Exclude sensitive headers from being included in the logs. Eg: Authorization + exclude_sensitive_headers: true + + compliance: + # enable/disable compliance + enabled: true + + # Log updates to internal security changes + internal_config: true + + # Log external config files for the node + external_config: false + + # Log only metadata of the document for read events + read_metadata_only: true + + # Map of indexes and fields to monitor for read events. Wildcard patterns are supported for both index names and fields. Eg: + # read_watched_fields: { + # "twitter": ["message"] + # "logs-*": ["id", "attr*"] + # } + read_watched_fields: {} + + # List of users to ignore for read events. Wildcard patterns are supported. Eg: + # read_ignore_users: ["test-user", "employee-*"] + read_ignore_users: + - kibanaserver + + # Log only metadata of the document for write events + write_metadata_only: true + + # Log only diffs for document updates + write_log_diffs: false + + # List of indices to watch for write events. Wildcard patterns are supported + # write_watched_indices: ["twitter", "logs-*"] + write_watched_indices: [] + + # List of users to ignore for write events. Wildcard patterns are supported. Eg: + # write_ignore_users: ["test-user", "employee-*"] + write_ignore_users: + - kibanaserver + +# How long to wait for opensearch to stop gracefully +terminationGracePeriod: 120 + +sysctlVmMaxMapCount: 262144 + +readinessProbe: + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 3 + timeoutSeconds: 2000 + +## Use an alternate scheduler. +## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ +## +schedulerName: "" + +imagePullSecrets: [] +nodeSelector: {} +tolerations: [] + +# Enabling this will publically expose your OpenSearch instance. +# Only enable this if you have security enabled on your cluster +ingress: + enabled: false + # For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName + # See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress + + annotations: {} + + path: / + hosts: + - chart-example.local + tls: [] + + +nameOverride: "" +fullnameOverride: "" + +masterTerminationFix: false + +lifecycle: {} + +keystore: [] + +networkPolicy: + ## Enable creation of NetworkPolicy resources. Only Ingress traffic is filtered for now. + ## In order for a Pod to access OpenSearch, it needs to have the following label: + ## {{ template "uname" . }}-client: "true" + http: + enabled: false + +# Deprecated +# please use the above podSecurityContext.fsGroup instead +fsGroup: "" + +## Set optimal sysctl's. This requires privilege. Can be disabled if +## the system has already been preconfigured. (Ex: https://www.elastic.co/guide/en/elasticsearch/reference/current/vm-max-map-count.html) +## Also see: https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ +sysctl: + enabled: false + +## Enable to add 3rd Party / Custom plugins not offered in the default OpenSearch image. +plugins: + enabled: false + installList: []