Is it possible to expose an OpenSearch cluster externally via port 80?

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

  • kubernetes: v1.25.6
  • opensearch-operator: v2.5.1
  • opensearch & opensearch-dashboards: v2.7.0
    (from On-premise Harbor Repository)

Describe the issue:

With the opensearch.ssl.verificationMode: none option in opensearchCluster.general.dashboards.additionalConfig, the Service for test-opensearch-cluster-dashboards is successfully exposed externally via port 80.

But I also want to expose opensearch-cluster via port 80 for connecting with Filebeat, KafkaConnector, etc.

Is there any option for not allowing ssl.verification when it comes to the cluster of OpenSearch, instead of dashboard?

Configuration:

opensearchCluster:
  enabled: true
  general:
    httpPort: "9200"
    image: harbor-srep01.xxx.com/library/opensearchproject/opensearch:v2.7.0
    serviceName: "test-opensearch-cluster"
    drainDataNodes: true
    # https://github.com/opensearch-project/opensearch-k8s-operator/blob/main/docs/userguide/main.md#security-context-for-pods-and-containers
    setVMMaxMapCount: true # In some cases, set general.setVMMaxMapCount to false as this feature also launches an init container with root
    podSecurityContext:
      runAsUser: 1000
      runAsGroup: 1000
    securityContext:
      allowPrivilegeEscalation: true
      privileged: true
  # https://github.com/opensearch-project/opensearch-k8s-operator/blob/main/docs/userguide/main.md#deal-with-max-virtual-memory-areas-vmmax_map_count-errors
  # https://github.com/opensearch-project/opensearch-k8s-operator/blob/main/docs/userguide/main.md#custom-init-helper
  initHelper:
    image: "harbor-srep01.xxx.com/nexus/docker-mig/library/busybox:1.31.1"
    imagePullPolicy: IfNotPresent
  dashboards:
    enable: true
    replicas: 1
    image: harbor-srep01.xxx.com/library/opensearchproject/opensearch-dashboards:v2.7.0
    resources:
      requests:
        memory: "1Gi"
        cpu: "500m"
      limits:
        memory: "1Gi"
        cpu: "500m"
    tls:
      enable: false
    opensearchCredentialsSecret:
      name: admin-credentials-secret
    additionalConfig:
      # https://opensearch.org/docs/latest/install-and-configure/install-dashboards/tls/
      opensearch.ssl.verificationMode: none
  nodePools:
    - component: master
      replicas: 3
      pdb:
        enable: false
        # enable: true
        # minAvailable: 1
      diskSize: "10Gi"
      persistence:
        pvc:
          storageClass: "sc-nfs-app-retain"
          accessModes:
           - ReadWriteOnce
      roles:
        - "cluster_manager"
        - "master"
      # https://github.com/opensearch-project/opensearch-k8s-operator/issues/669#issuecomment-1829833573
      # Suggestion: 1000m CPU & 2048Mi memory
      resources:
        requests:
          memory: "4Gi"
          cpu: "1"
        limits:
          memory: "4Gi"
          cpu: "2"
      env:
        - name: OPENSEARCH_INITIAL_ADMIN_PASSWORD
          value: "hcpOss12~!"
    - component: data
      replicas: 2
      diskSize: "100Gi"
      persistence:
        pvc:
          storageClass: "sc-nfs-app-retain"
          accessModes:
           - ReadWriteOnce
      roles:
        - "data"
        - "ingest"
        - "ml"
      resources:
        requests:
          memory: "8Gi"
          cpu: "2"
        limits:
          memory: "8Gi"
          cpu: "4"
      env:
        - name: OPENSEARCH_INITIAL_ADMIN_PASSWORD
          value: "hcpOss12~!"
  security:
    tls:
      transport:
        generate: true
        perNode: true
      # https://opensearch-project.github.io/opensearch-k8s-operator/docs/userguide/main.html#node-httprest-api
      http:
        generate: true
    config:
      adminCredentialsSecret: # these are the admin credentials for the Operator to use
         name: admin-credentials-secret
      securityConfigSecret:  # this is the whole security configuration for OpenSearch
         name: securityconfig-secret

Relevant Logs or Screenshots:

The above option is used to verify the certificate of the OpenSearch node by the OpenSearch Dashboards service.

The above option controls OpenSearch Dashboards’ frontend access through HTTP (port 80) or HTTPS (443).

Why do you want to connect through port 80 to the OpenSearch cluster?
I think the best way would be to set up an ingress.

@pablo Thanks for answering me.

The reason I want to connect to the OpenSearch Cluster through port 80 is to index data using KafkaConnect or other clients such as Python code.

I don’t want to care about security (e.g. TLS); I just want to ingest data from outside without any restriction, just as the OpenSearch Dashboard service (verificationMode: none) can send commands to the Cluster through port 80.

@yeonghyeonKo As per the OpenSearch Operator documentation, the HTTP endpoint is always secured in OpenSearch Operator.

This is controlled by plugins.security.ssl.http.enabled: true in opensearch.yml and I couldn’t change it with an additional configuration option.

OpenSearch operates on port 9200 by default, but you can change that in general settings.


As you commented, I use OpenSearch Operator for hosting the cluster and dashboard. According to the documentation, it recommends generating a set of key+certificate externally and injecting it through a Secret (a k8s API resource).

Anyway I will use an Ingress to port forward from 9200 to 80 (with a Secret including certificates). Thank you!
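
The Ingress approach the thread settles on, as an added example that is not part of the original posts or the operator's documentation. It assumes the ingress-nginx controller; the namespace, host name, Secret names and the certificate name used for backend verification are placeholders, while the Service name and port 9200 come from the configuration above.

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: test-opensearch-cluster            # hypothetical object name
  namespace: opensearch                    # placeholder: namespace of the OpenSearch cluster
  annotations:
    # The operator always serves the REST API over HTTPS on 9200
    # (plugins.security.ssl.http.enabled: true), so the controller
    # has to speak TLS to the backend instead of plain HTTP.
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    # Verify the node certificate rather than turning verification off.
    # The Secret must hold the issuing CA as ca.crt (placeholder name).
    nginx.ingress.kubernetes.io/proxy-ssl-verify: "on"
    nginx.ingress.kubernetes.io/proxy-ssl-secret: "opensearch/opensearch-http-ca"
    # Must match a name present in the node certificate
    # (assumed here to be the Service name).
    nginx.ingress.kubernetes.io/proxy-ssl-name: "test-opensearch-cluster"
    # Bulk indexing requests from Kafka Connect or Filebeat can exceed
    # the controller's default request body limit.
    nginx.ingress.kubernetes.io/proxy-body-size: "100m"
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - opensearch.example.com           # placeholder host name
      secretName: opensearch-ingress-tls   # placeholder: externally issued key + certificate
  rules:
    - host: opensearch.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: test-opensearch-cluster   # serviceName from the cluster spec
                port:
                  number: 9200                  # httpPort from the cluster spec
```

With a `tls` section present, ingress-nginx redirects requests arriving on port 80 to 443 by default, so client credentials are not sent in cleartext. Clients still authenticate against the security plugin with their own users; the Ingress only changes where TLS terminates.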