Opensearch with istio

Versions
operator 2.3
opensearch 2.3

Describe the issue:
Unfortunately we can't get Istio to run together with OpenSearch.

So far we have done everything with Elastic and would like to switch to OpenSearch.
With Elastic we only need to set these settings and it works as expected:

  http:
    tls:
      selfSignedCertificate:
        disabled: true

  annotations:
    traffic.sidecar.istio.io/includeInboundPorts: "*"
    traffic.sidecar.istio.io/excludeOutboundPorts: "9300"
    traffic.sidecar.istio.io/excludeInboundPorts: "9300"

Unfortunately, it seems that TLS cannot be completely disabled in OpenSearch + Dashboards, and thus we encounter certificate errors as soon as we add only the annotations.

While browsing the forum I could already find some others who have had a similar use case. Unfortunately I could not find a suitable solution there.

Hopefully someone can give me a good hint.

best regards,
Danjin

Hey @Danjin

Have you tried putting Logstash in front of OpenSearch?

@Gsmitt not yet. I am not sure how logstash can help to disable tls between dashboards and opensearch

Hey @Danjin

I was going off this statement.

My idea was using Logstash. The input could be used without certificates and the connection from Logstash → OpenSearch could use certificates and/or credentials.

Example:

# Sample Logstash configuration for creating a simple
# Beats -> Logstash -> Opensearch pipeline.

input {
  beats {
    port => 5044
  }
}

output {
  elasticsearch {
    hosts => ["http://localhost:9200"]
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    user => "admin"
    password => "changeme"
  }
}

I probably did not express myself clearly. I meant with add annotations:

  annotations:
    traffic.sidecar.istio.io/includeInboundPorts: "*"
    traffic.sidecar.istio.io/excludeOutboundPorts: "9300"
    traffic.sidecar.istio.io/excludeInboundPorts: "9300"

At the moment I don't have any problems with adding data to OpenSearch because I don't have a stable OpenSearch cluster + frontend. OpenSearch can't communicate with itself or Dashboards.

we found a way to use istio + opensearch in the same namespace.
if someone is interested, here is the configuration:

namespace.yaml

apiVersion: v1
kind: Namespace
metadata:
  name: my-namespace
  labels:
    istio-injection: enabled

peer-authentication.yaml

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mtls-policy
  namespace: my-namespace
spec:
  mtls:
    mode: STRICT

opensearch.yaml

apiVersion: opensearch.opster.io/v1
kind: OpenSearchCluster
metadata:
  name: my-first-cluster
  namespace: my-namespace
spec:
  general:
    httpPort: 9200
    serviceName: my-first-cluster
    version: 2.7.0

  dashboards:
    annotations:
      traffic.sidecar.istio.io/includeInboundPorts: "*"
      traffic.sidecar.istio.io/excludeOutboundPorts: "9200,9300"
      traffic.sidecar.istio.io/excludeInboundPorts: "9200,9300"
    version: 2.7.0
    enable: true
    replicas: 1
    resources:
      requests:
         memory: "512Mi"
         cpu: "200m"
      limits:
         memory: "512Mi"
         cpu: "200m"

  nodePools:
    - component: nodes
      replicas: 3
      diskSize: "5Gi"
      nodeSelector:
      resources:
         requests:
            memory: "2Gi"
            cpu: "500m"
         limits:
            memory: "2Gi"
            cpu: "500m"
      roles:
        - "cluster_manager"
        - "data"
      annotations:
        traffic.sidecar.istio.io/includeInboundPorts: "*"
        traffic.sidecar.istio.io/excludeOutboundPorts: "9200,9300"
        traffic.sidecar.istio.io/excludeInboundPorts: "9200,9300"

best regards,
Danjin

2 Likes
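Added example, not part of the thread: the annotations in the configuration above take ports 9200 and 9300 out of sidecar redirection, so the `STRICT` PeerAuthentication policy is not what protects that traffic. This Python check evaluates the three annotations used here and lists the ports that bypass Envoy. Assumptions: port 5601 is the OpenSearch Dashboards default, inbound capture defaults to `*` when the annotation is absent, and the function and variable names are illustrative.

```python
PREFIX = "traffic.sidecar.istio.io/"

def _parse(value):
    """Parse a comma-separated port list; '*' means every port."""
    value = (value or "").strip()
    if value == "*":
        return "*"
    return {int(p) for p in value.split(",") if p.strip()}

def _matches(spec, port):
    return spec == "*" or port in spec

def sidecar_coverage(annotations, ports):
    """Map each port to whether inbound/outbound traffic is redirected to Envoy."""
    # Assumption: with injection enabled and no annotation, all inbound ports are captured.
    include_in = _parse(annotations.get(PREFIX + "includeInboundPorts", "*"))
    exclude_in = _parse(annotations.get(PREFIX + "excludeInboundPorts"))
    exclude_out = _parse(annotations.get(PREFIX + "excludeOutboundPorts"))
    coverage = {}
    for port in ports:
        inbound = _matches(include_in, port)
        # excludeInboundPorts only takes effect when includeInboundPorts is "*"
        if include_in == "*" and _matches(exclude_in, port):
            inbound = False
        coverage[port] = {"inbound": inbound,
                          "outbound": not _matches(exclude_out, port)}
    return coverage

def bypassing_ports(annotations, ports):
    """Ports whose traffic skips the sidecar in at least one direction."""
    cov = sidecar_coverage(annotations, ports)
    return sorted(p for p, c in cov.items() if not (c["inbound"] and c["outbound"]))

# Annotation sets copied from the first post (Elastic) and the final post (OpenSearch).
ELASTIC_POST = {PREFIX + "includeInboundPorts": "*",
                PREFIX + "excludeOutboundPorts": "9300",
                PREFIX + "excludeInboundPorts": "9300"}
OPENSEARCH_POST = {PREFIX + "includeInboundPorts": "*",
                   PREFIX + "excludeOutboundPorts": "9200,9300",
                   PREFIX + "excludeInboundPorts": "9200,9300"}
PORTS = (5601, 9200, 9300)  # Dashboards UI (assumed default), HTTP API, transport

if __name__ == "__main__":
    for name, ann in (("elastic", ELASTIC_POST), ("opensearch", OPENSEARCH_POST)):
        print(name, "ports bypassing the sidecar:", bypassing_ports(ann, PORTS))
```

Any port this reports is outside Istio mTLS and relies on the application's own TLS and authentication.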
