

Fix bootstrapping with default credentials
- Set a more complex default password--not sure if there are
  documentation updates that need to go with this.
- Consolidate env var generation that's the same between STS/Bootstrap
  into a convenient function.
- Update the example password in docs to fulfill complexity
  requirements.

Signed-off-by: Nick Venenga <[email protected]>
nijave committed May 17, 2024
1 parent 5a2d2ae commit ec6c66c
Showing 5 changed files with 134 additions and 121 deletions.
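--- a/docs/userguide/main.md
+++ b/docs/userguide/main.md
@@ -1221,14 +1221,14 @@ type: Opaque
 data:
 # admin
 username: YWRtaW4=
-# admin123
-password: YWRtaW4xMjM=
+# 0penS3@rch!
+password: MHBlblMzQHJjaCE=
 ```
 
 Then you have to create your own securityconfig and store it in a secret (`securityconfig-secret` in this example). You can take a look at [securityconfig-secret.yaml](../../opensearch-operator/examples/securityconfig-secret.yaml) for how such a secret should look like.
 Make sure that the password hash of the admin user corresponds to the password you stored in the `admin-credentials-secret`.
 
-Notice that inside `securityconfig-secret` You must edit the `hash` of the admin user before creating the secret. if you have python 3.x installed on your machine you can use the following command to hash your password: `python -c 'import bcrypt; print(bcrypt.hashpw("admin123".encode("utf-8"), bcrypt.gensalt(12, prefix=b"2a")).decode("utf-8"))'`
+Notice that inside `securityconfig-secret` You must edit the `hash` of the admin user before creating the secret. if you have python 3.x installed on your machine you can use the following command to hash your password: `python -c 'import bcrypt; print(bcrypt.hashpw("0penS3@rch!".encode("utf-8"), bcrypt.gensalt(12, prefix=b"2a")).decode("utf-8"))'`
 
 ```yaml
 internal_users.yml: |-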
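--- a/opensearch-operator/pkg/builders/cluster.go
+++ b/opensearch-operator/pkg/builders/cluster.go
@@ -30,13 +30,13 @@ const (
 )
 
 func NewSTSForNodePool(
-username string,
 cr *opsterv1.OpenSearchCluster,
 node opsterv1.NodePool,
 configChecksum string,
 volumes []corev1.Volume,
 volumeMounts []corev1.VolumeMount,
 extraConfig map[string]string,
+envVars []corev1.EnvVar,
 ) *appsv1.StatefulSet {
 // To make sure disksize is not passed as empty
 var disksize string
@@ -466,41 +466,13 @@ func NewSTSForNodePool(
 Spec: corev1.PodSpec{
 Containers: []corev1.Container{
 {
-Env: []corev1.EnvVar{
-{
-Name: "cluster.initial_master_nodes",
-Value: BootstrapPodName(cr),
-},
-{
-Name: "discovery.seed_hosts",
-Value: DiscoveryServiceName(cr),
-},
-{
-Name: "cluster.name",
-Value: cr.Name,
-},
-{
-Name: "network.bind_host",
-Value: "0.0.0.0",
-},
-{
-// Make elasticsearch announce its hostname instead of IP so that certificates using the hostname can be verified
-Name: "network.publish_host",
-ValueFrom: &corev1.EnvVarSource{FieldRef: &corev1.ObjectFieldSelector{APIVersion: "v1", FieldPath: "metadata.name"}},
-},
-{
-Name: "OPENSEARCH_JAVA_OPTS",
-Value: jvm,
-},
-{
-Name: "node.roles",
-Value: strings.Join(selectedRoles, ","),
-},
-{
-Name: "http.port",
-Value: fmt.Sprint(cr.Spec.General.HttpPort),
-},
-},
+Env: append(envVars, corev1.EnvVar{
+Name: "OPENSEARCH_JAVA_OPTS",
+Value: jvm,
+}, corev1.EnvVar{
+Name: "node.roles",
+Value: strings.Join(selectedRoles, ","),
+}),
 Name: "opensearch",
 Command: mainCommand,
 Image: image.GetImage(),
@@ -757,6 +729,7 @@ func NewBootstrapPod(
 cr *opsterv1.OpenSearchCluster,
 volumes []corev1.Volume,
 volumeMounts []corev1.VolumeMount,
+envVars []corev1.EnvVar,
 ) *corev1.Pod {
 labels := map[string]string{
 helpers.ClusterLabel: cr.Name,
@@ -798,41 +771,13 @@ func NewBootstrapPod(
 podSecurityContext := cr.Spec.General.PodSecurityContext
 securityContext := cr.Spec.General.SecurityContext
 
-env := []corev1.EnvVar{
-{
-Name: "cluster.initial_master_nodes",
-Value: BootstrapPodName(cr),
-},
-{
-Name: "discovery.seed_hosts",
-Value: DiscoveryServiceName(cr),
-},
-{
-Name: "cluster.name",
-Value: cr.Name,
-},
-{
-Name: "network.bind_host",
-Value: "0.0.0.0",
-},
-{
-// Make elasticsearch announce its hostname instead of IP so that certificates using the hostname can be verified
-Name: "network.publish_host",
-ValueFrom: &corev1.EnvVarSource{FieldRef: &corev1.ObjectFieldSelector{APIVersion: "v1", FieldPath: "metadata.name"}},
-},
-{
-Name: "OPENSEARCH_JAVA_OPTS",
-Value: jvm,
-},
-{
-Name: "node.roles",
-Value: masterRole,
-},
-{
-Name: "http.port",
-Value: fmt.Sprint(cr.Spec.General.HttpPort),
-},
-}
+env := append(envVars, corev1.EnvVar{
+Name: "OPENSEARCH_JAVA_OPTS",
+Value: jvm,
+}, corev1.EnvVar{
+Name: "node.roles",
+Value: masterRole,
+})
 
 // Append additional config to env vars, use General.AdditionalConfig by default, overwrite with Bootstrap.AdditionalConfig
 extraConfig := cr.Spec.General.AdditionalConfig
@@ -981,6 +926,47 @@ func STSInNodePools(sts appsv1.StatefulSet, nodepools []opsterv1.NodePool) bool
 return false
 }
 
+func CommonEnvVars(cr *opsterv1.OpenSearchCluster, passwordSecretName string) []corev1.EnvVar {
+return []corev1.EnvVar{
+{
+Name: "cluster.initial_master_nodes",
+Value: BootstrapPodName(cr),
+},
+{
+Name: "discovery.seed_hosts",
+Value: DiscoveryServiceName(cr),
+},
+{
+Name: "cluster.name",
+Value: cr.Name,
+},
+{
+Name: "network.bind_host",
+Value: "0.0.0.0",
+},
+{
+// Make OpenSearch announce its hostname instead of IP so that certificates using the hostname can be verified
+Name: "network.publish_host",
+ValueFrom: &corev1.EnvVarSource{FieldRef: &corev1.ObjectFieldSelector{
+APIVersion: "v1",
+FieldPath: "metadata.name",
+}},
+},
+{
+Name: "OPENSEARCH_INITIAL_ADMIN_PASSWORD",
+ValueFrom: &corev1.EnvVarSource{SecretKeyRef: &corev1.SecretKeySelector{
+LocalObjectReference: corev1.LocalObjectReference{Name: passwordSecretName},
+Key: "password",
+Optional: pointer.Bool(false),
+}},
+},
+{
+Name: "http.port",
+Value: fmt.Sprint(cr.Spec.General.HttpPort),
+},
+}
+}
+
 func NewSecurityconfigUpdateJob(
 instance *opsterv1.OpenSearchCluster,
 jobName string,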
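Review bot: `Env: append(envVars, corev1.EnvVar{…})` in the NewSTSForNodePool hunk and `env := append(envVars, …)` in the NewBootstrapPod hunk append into the caller's slice, so a caller that passes one slice with spare capacity (for instance CommonEnvVars' result grown with extra entries) to both constructors, or to several node pools, would have the later append silently overwrite the earlier pod's OPENSEARCH_JAVA_OPTS/node.roles entries in the shared backing array — whether callers do that is not visible here, and the literal CommonEnvVars returns has no spare capacity, so current callers are safe only by accident. Detaching before appending closes this without a new import: `env := append(envVars[:len(envVars):len(envVars)], corev1.EnvVar{…}, corev1.EnvVar{…})`, with the same three-index slice in the STS `Env:` field. CommonEnvVars is exported but undocumented; I would add `// CommonEnvVars returns the environment shared by the bootstrap pod and every node-pool StatefulSet; OPENSEARCH_INITIAL_ADMIN_PASSWORD is read from key "password" of passwordSecretName and is required (Optional=false), so a pod whose secret or key is missing will not start.` That entry also deserves a one-line comment, because the admin password then sits in the container environment, readable from /proc/<pid>/environ by any process in the pod and inherited by child processes — `// Consumed by the OpenSearch image for initial admin setup; never dump the environment to logs or diagnostics.` NewSTSForNodePool and NewBootstrapPod both continue outside their hunks.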
