Hi team,
I am trying to enable OpenSearch snapshots to Azure blob storage. My OpenSearch cluster is on Kubernetes and I deployed it using Helm.
Based on some research that I did, I learned that the repository-azure plugin has to be installed and the credentials have to be configured when building the OpenSearch Docker image, i.e. similar to how it has been done for S3: Take and restore snapshots - OpenSearch Documentation
Passing account credentials at Docker image build time would not be possible because we deploy the same Docker image to multiple environments. Each environment needs to store snapshots in different blob storage accounts. Is there a way to pass Azure account credentials through Kubernetes secrets and enable the repository-azure plugin using the Helm chart?
I am looking for something like this - How to use Azure Storage plugin in ECK for Snapshot - Elastic Cloud on Kubernetes (ECK) - Discuss the Elastic Stack
But I have been unable to figure out where to pass that secret in OpenSearch
We have solved this by building a custom container with the storage plugin but using init containers to push the credentials. Best of both worlds.
@neographikal thanks for the reply. Can you explain how you pushed the credentials from the init-container?
From what I understood, the credentials are added by running the `opensearch-keystore add` command. This command is available in the OpenSearch container. So I am a bit confused how you did it from the init-container.
Sure, we use terraform:
```hcl
init_container {
  name  = "create-volume-keystore"
  image = var.opensearch_image

  # Data volume of the OpenSearch node
  volume_mount {
    name       = "data-volume"
    mount_path = "/usr/share/opensearch/data"
  }

  # Volume that receives the generated keystore
  volume_mount {
    name       = "volume-keystore"
    mount_path = "/tmp/keystore/"
  }

  # keystore.sh (below) mounted from the config volume
  volume_mount {
    name       = "opensearch-config-volume"
    mount_path = "/usr/share/opensearch/config/keystore.sh"
    sub_path   = "keystore.sh"
  }

  env {
    name  = "AZ_ACCOUNT"
    value = var.opensearch-azure-account
  }

  env {
    name  = "AZ_KEY"
    value = var.opensearch-azure-key
  }
  # ...
}
```
```bash
#!/bin/bash
# This script creates the java key store and pushes the azure account and key in it
# The Azure plugin needs to be installed in the image already (otherwise the startup of the containers is dependent on the availability of Github)

# Start from a fresh keystore
rm -f /usr/share/opensearch/config/opensearch.keystore
/usr/share/opensearch/bin/opensearch-keystore create

# Values are quoted so they reach the keystore unchanged, and are passed over stdin
echo "$AZ_ACCOUNT" | /usr/share/opensearch/bin/opensearch-keystore add --stdin azure.client.default.account
echo "$AZ_KEY" | /usr/share/opensearch/bin/opensearch-keystore add --stdin azure.client.default.key

# Copy the keystore to the mounted keystore volume
cp /usr/share/opensearch/config/opensearch.keystore /tmp/keystore/
ls /tmp/keystore/
```
Thank you @neographikal. I will try these steps
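The init-container approach from this thread, reworked as an added example (not code from the thread or from the OpenSearch project) that reads the account and key from a Kubernetes Secret mounted as files rather than from plain `env` values, and refuses to build a keystore when either value is missing or blank. The mount path `/mnt/azure-secret`, the file names `account` and `key`, and the `run` argument are assumptions.

```shell
#!/bin/bash
# Added example, not the poster's keystore.sh.
# Assumptions (not from the thread): the Secret is mounted as files "account"
# and "key" under SECRET_DIR, and the script is started as "keystore.sh run".
set -eu

KEYSTORE_BIN="${KEYSTORE_BIN:-/usr/share/opensearch/bin/opensearch-keystore}"
CONFIG_DIR="${CONFIG_DIR:-/usr/share/opensearch/config}"
SECRET_DIR="${SECRET_DIR:-/mnt/azure-secret}"  # assumed Secret volume mount
OUT_DIR="${OUT_DIR:-/tmp/keystore}"            # shared keystore volume from the post

# Print the content of one Secret file (trailing newlines stripped);
# fail if the file is missing or blank.
read_secret() {
  local value
  value="$(cat "$SECRET_DIR/$1" 2>/dev/null)" || value=""
  if [ -z "$value" ]; then
    echo "secret file '$1' is missing or empty" >&2
    return 1
  fi
  printf '%s' "$value"
}

# Validate both credentials first, then build the keystore and hand it over.
build_keystore() {
  local account key
  account="$(read_secret account)" || return 1
  key="$(read_secret key)" || return 1
  rm -f "$CONFIG_DIR/opensearch.keystore"
  "$KEYSTORE_BIN" create || return 1
  # printf is a shell builtin, so the values travel over stdin only and never
  # show up as process arguments.
  printf '%s\n' "$account" | "$KEYSTORE_BIN" add --stdin azure.client.default.account || return 1
  printf '%s\n' "$key" | "$KEYSTORE_BIN" add --stdin azure.client.default.key || return 1
  cp "$CONFIG_DIR/opensearch.keystore" "$OUT_DIR/opensearch.keystore" || return 1
  # Owner-only; assumes the init and OpenSearch containers run as the same UID.
  chmod 600 "$OUT_DIR/opensearch.keystore"
}

if [ "${1:-}" = "run" ]; then
  build_keystore
fi
```

Because a bad Secret makes the init container exit non-zero, the pod stays in its init phase with the reason in that container's log instead of starting OpenSearch with an unusable snapshot repository.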