WIP: Fix bootstrapping with default credentials #816

wants to merge 1 commit into
base: main
6 changes: 3 additions & 3 deletions docs/userguide/main.md
Expand Up @@ -1221,14 +1221,14 @@ type: Opaque
data:
# admin
username: YWRtaW4=
# admin123
password: YWRtaW4xMjM=
# 0penS3@rch!
password: MHBlblMzQHJjaCE=
```

Then you have to create your own securityconfig and store it in a secret (`securityconfig-secret` in this example). You can take a look at [securityconfig-secret.yaml](../../opensearch-operator/examples/securityconfig-secret.yaml) for how such a secret should look like.
Make sure that the password hash of the admin user corresponds to the password you stored in the `admin-credentials-secret`.

Notice that inside `securityconfig-secret` You must edit the `hash` of the admin user before creating the secret. if you have python 3.x installed on your machine you can use the following command to hash your password: `python -c 'import bcrypt; print(bcrypt.hashpw("admin123".encode("utf-8"), bcrypt.gensalt(12, prefix=b"2a")).decode("utf-8"))'`
Notice that inside `securityconfig-secret` You must edit the `hash` of the admin user before creating the secret. if you have python 3.x installed on your machine you can use the following command to hash your password: `python -c 'import bcrypt; print(bcrypt.hashpw("0penS3@rch!".encode("utf-8"), bcrypt.gensalt(12, prefix=b"2a")).decode("utf-8"))'`

```yaml
internal_users.yml: |-
128 changes: 57 additions & 71 deletions opensearch-operator/pkg/builders/cluster.go
Expand Up @@ -30,13 +30,13 @@ const (
)

func NewSTSForNodePool(
username string,
cr *opsterv1.OpenSearchCluster,
node opsterv1.NodePool,
configChecksum string,
volumes []corev1.Volume,
volumeMounts []corev1.VolumeMount,
extraConfig map[string]string,
envVars []corev1.EnvVar,
) *appsv1.StatefulSet {
// To make sure disksize is not passed as empty
var disksize string
Expand Down Expand Up @@ -466,41 +466,13 @@ func NewSTSForNodePool(
Spec: corev1.PodSpec{
Containers: []corev1.Container{
{
Env: []corev1.EnvVar{
{
Name: "cluster.initial_master_nodes",
Value: BootstrapPodName(cr),
},
{
Name: "discovery.seed_hosts",
Value: DiscoveryServiceName(cr),
},
{
Name: "cluster.name",
Value: cr.Name,
},
{
Name: "network.bind_host",
Value: "0.0.0.0",
},
{
// Make elasticsearch announce its hostname instead of IP so that certificates using the hostname can be verified
Name: "network.publish_host",
ValueFrom: &corev1.EnvVarSource{FieldRef: &corev1.ObjectFieldSelector{APIVersion: "v1", FieldPath: "metadata.name"}},
},
{
Name: "OPENSEARCH_JAVA_OPTS",
Value: jvm,
},
{
Name: "node.roles",
Value: strings.Join(selectedRoles, ","),
},
{
Name: "http.port",
Value: fmt.Sprint(cr.Spec.General.HttpPort),
},
},
Env: append(envVars, corev1.EnvVar{
Name: "OPENSEARCH_JAVA_OPTS",
Value: jvm,
}, corev1.EnvVar{
Name: "node.roles",
Value: strings.Join(selectedRoles, ","),
}),
Name: "opensearch",
Command: mainCommand,
Image: image.GetImage(),
Expand Down Expand Up @@ -757,6 +729,7 @@ func NewBootstrapPod(
cr *opsterv1.OpenSearchCluster,
volumes []corev1.Volume,
volumeMounts []corev1.VolumeMount,
envVars []corev1.EnvVar,
) *corev1.Pod {
labels := map[string]string{
helpers.ClusterLabel: cr.Name,
Expand Down Expand Up @@ -798,41 +771,13 @@ func NewBootstrapPod(
podSecurityContext := cr.Spec.General.PodSecurityContext
securityContext := cr.Spec.General.SecurityContext

env := []corev1.EnvVar{
{
Name: "cluster.initial_master_nodes",
Value: BootstrapPodName(cr),
},
{
Name: "discovery.seed_hosts",
Value: DiscoveryServiceName(cr),
},
{
Name: "cluster.name",
Value: cr.Name,
},
{
Name: "network.bind_host",
Value: "0.0.0.0",
},
{
// Make elasticsearch announce its hostname instead of IP so that certificates using the hostname can be verified
Name: "network.publish_host",
ValueFrom: &corev1.EnvVarSource{FieldRef: &corev1.ObjectFieldSelector{APIVersion: "v1", FieldPath: "metadata.name"}},
},
{
Name: "OPENSEARCH_JAVA_OPTS",
Value: jvm,
},
{
Name: "node.roles",
Value: masterRole,
},
{
Name: "http.port",
Value: fmt.Sprint(cr.Spec.General.HttpPort),
},
}
env := append(envVars, corev1.EnvVar{
Name: "OPENSEARCH_JAVA_OPTS",
Value: jvm,
}, corev1.EnvVar{
Name: "node.roles",
Value: masterRole,
})

// Append additional config to env vars, use General.AdditionalConfig by default, overwrite with Bootstrap.AdditionalConfig
extraConfig := cr.Spec.General.AdditionalConfig
Expand Down Expand Up @@ -981,6 +926,47 @@ func STSInNodePools(sts appsv1.StatefulSet, nodepools []opsterv1.NodePool) bool
return false
}

func CommonEnvVars(cr *opsterv1.OpenSearchCluster, passwordSecretName string) []corev1.EnvVar {
return []corev1.EnvVar{
{
Name: "cluster.initial_master_nodes",
Value: BootstrapPodName(cr),
},
{
Name: "discovery.seed_hosts",
Value: DiscoveryServiceName(cr),
},
{
Name: "cluster.name",
Value: cr.Name,
},
{
Name: "network.bind_host",
Value: "0.0.0.0",
},
{
// Make OpenSearch announce its hostname instead of IP so that certificates using the hostname can be verified
Name: "network.publish_host",
ValueFrom: &corev1.EnvVarSource{FieldRef: &corev1.ObjectFieldSelector{
APIVersion: "v1",
FieldPath: "metadata.name",
}},
},
{
Name: "OPENSEARCH_INITIAL_ADMIN_PASSWORD",
What does 'OPENSEARCH_INITIAL_ADMIN_PASSWORD' mean? I only see the definition here, but I can't find a place where this environment variable is used. Did I miss something? Thanks.

@yiippee it is an environment variable which needs to be set prior to running the pod. https://opensearch.org/blog/replacing-default-admin-credentials/

ValueFrom: &corev1.EnvVarSource{SecretKeyRef: &corev1.SecretKeySelector{
LocalObjectReference: corev1.LocalObjectReference{Name: passwordSecretName},
Key: "password",
Optional: pointer.Bool(false),
}},
},
{
Name: "http.port",
Value: fmt.Sprint(cr.Spec.General.HttpPort),
},
}
}

func NewSecurityconfigUpdateJob(
instance *opsterv1.OpenSearchCluster,
jobName string,
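Review bot: CommonEnvVars places OPENSEARCH_INITIAL_ADMIN_PASSWORD, resolved from key "password" of passwordSecretName, into the environment list that NewBootstrapPod and NewSTSForNodePool both consume, so the admin password is readable from inside every OpenSearch container (anyone with exec or process access on a data node can read it), not only where bootstrapping needs it; if the node-pool pods do not require it, keep that entry out of the common list and add it only in NewBootstrapPod. The exported function also has no doc comment; suggest `// CommonEnvVars returns the environment shared by the bootstrap pod and all node pools; the admin password is read from key "password" of passwordSecretName, and a pod will fail to start if that key is absent (Optional is false).` Separately, the `append(envVars, ...)` calls in NewSTSForNodePool and NewBootstrapPod write through the caller's slice, which aliases its backing array whenever it has spare capacity, so one pool's extra entries can overwrite another's; copying first, `env := append(slices.Clone(envVars), ...)` (Go 1.21+, or a manual copy), removes that coupling. NewSTSForNodePool and NewBootstrapPod both begin and end outside the hunks shown here.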