Security configuration in OpenSearch Helm Charts

**On behalf of a user of Slack**

Hi, I am having a hard time finding a complete example of a Helm chart setup with security enabled, using an external cryptographic key pair, defining an admin user and password, and disabling the demo config installation, without the analyzer agent and without the dashboard. What's the best starting point for that? PS: I got the external cryptographic key pair SSL security working, but I don't get the admin user setup.

I basically want to deploy the GitHub opensearch-project/helm-charts chart (☸ A community repository for Helm Charts of OpenSearch Project) with:

  • fully encrypted with cert-manager certs, which are generated centrally so I can import them into other services talking to OpenSearch
  • security enabled in general
  • not using the default demo configuration but my own, very basic one
  • an admin user and password provided to the service that needs to interact with OpenSearch

All of it, if possible, within the Helm values YAML.

The easiest way to have a fully custom security plugin configuration is by using securityConfig.config.securityConfigSecret in values.yml.
However, since this is not a demo configuration, you need to add a few more things.

  1. Disable the demo configuration and set the initial admin password
extraEnvs:
  - name: OPENSEARCH_INITIAL_ADMIN_PASSWORD
    value: Eliatra123
  - name: DISABLE_INSTALL_DEMO_CONFIG
    value: "true"

  2. Create a secret with the certificates
certs/
├── esnode-key.pem
├── esnode.pem
├── kirk-key.pem
├── kirk.pem
└── root-ca.pem
kubectl create secret generic securitysecrets --from-file=/sg_testing/kubernetes/helmchart/opensearch-charts-current/certs
  3. Mount the secret with the certificates
secretMounts:
  - name: securitycerts
    secretName: securitysecrets
    path: /usr/share/opensearch/config/certs
  4. Create a secret with the security configuration
security-config/
├── action_groups.yml
├── config.yml
├── internal_users.yml
├── roles_mapping.yml
├── roles.yml
└── tenants.yml
kubectl create secret generic securityconfig --from-file=/sg_testing/kubernetes/helmchart/opensearch-charts-current/security-config
  5. Set the secret with the security configuration
securityConfig:
  enabled: true
  path: "/usr/share/opensearch/config/opensearch-security"
  actionGroupsSecret:
  configSecret:
  internalUsersSecret:
  rolesSecret:
  rolesMappingSecret:
  tenantsSecret:
  config:
    securityConfigSecret: "securityconfig"
  6. Uncomment the security configuration in opensearch.yml and point all certificate options to the mount folder from step 3.
  opensearch.yml: |
    cluster.name: opensearch-cluster

    # Bind to all interfaces because we don't know what IP address Docker will assign to us.
    network.host: 0.0.0.0

    # Setting network.host to a non-loopback address enables the annoying bootstrap checks. "Single-node" mode disables them again.
    # Implicitly done if ".singleNode" is set to "true".
    # discovery.type: single-node

    # Start OpenSearch Security Demo Configuration
    # WARNING: revise all the lines below before you go into production
    plugins:
       security:
         ssl:
           transport:
             pemcert_filepath: certs/esnode.pem
             pemkey_filepath: certs/esnode-key.pem
             pemtrustedcas_filepath: certs/root-ca.pem
             enforce_hostname_verification: false
           http:
             enabled: true
             pemcert_filepath: certs/esnode.pem
             pemkey_filepath: certs/esnode-key.pem
             pemtrustedcas_filepath: certs/root-ca.pem
         allow_unsafe_democertificates: true
         allow_default_init_securityindex: true
         authcz:
           admin_dn:
             - CN=kirk,OU=client,O=client,L=test,C=de
         audit.type: internal_opensearch
         enable_snapshot_restore_privilege: true
         check_snapshot_restore_write_privileges: true
         restapi:
           roles_enabled: ["all_access", "security_rest_api_access"]
         system_indices:
           enabled: true
           indices:
             [
               ".opendistro-alerting-config",
               ".opendistro-alerting-alert*",
               ".opendistro-anomaly-results*",
               ".opendistro-anomaly-detector*",
               ".opendistro-anomaly-checkpoints",
               ".opendistro-anomaly-detection-state",
               ".opendistro-reports-*",
               ".opendistro-notifications-*",
               ".opendistro-notebooks",
               ".opendistro-asynchronous-search-response*",
             ]
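The step the question is really stuck on, the admin user, lives in the security-config/ directory of step 4, whose contents the post above does not show. The script below is an added example, not code from the forum answer or from the opensearch-project/helm-charts repository: it writes the six files that the "securityconfig" secret is built from, with one admin user authenticated by HTTP Basic against the internal user database, and checks them before they go to kubectl. With the demo installer disabled, the password the admin user actually has is the one whose bcrypt hash appears in internal_users.yml, so that is the file the example concentrates on. Assumptions: the username "admin" and the plugin's built-in static role "all_access"; the hash is produced on any OpenSearch node with plugins/opensearch-security/tools/hash.sh -p '<password>' (the placeholder hash in the script is a constructed string, not a real credential); the helper admin_dn_from_cert is my own name and needs openssl.

```shell
#!/bin/sh
# Added example; not code from the forum answer or from opensearch-project/helm-charts.
# Writes the six files behind the "securityconfig" secret (step 4) with a single
# admin user and checks them. Assumptions: username "admin", the static role
# all_access, and a bcrypt hash produced by hash.sh (never a plaintext password).
set -eu

# $1 = output directory, $2 = admin username, $3 = bcrypt hash from hash.sh
write_security_config() {
  dir="$1"; user="$2"; hash="$3"
  mkdir -p "$dir"

  # config.yml: HTTP Basic against the internal user database only, no anonymous access.
  cat > "$dir/config.yml" <<'EOF'
_meta:
  type: "config"
  config_version: 2
config:
  dynamic:
    http:
      anonymous_auth_enabled: false
    authc:
      basic_internal_auth_domain:
        description: "HTTP Basic against the internal users database"
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: intern
EOF

  # internal_users.yml: the credential is the bcrypt hash, never the password itself.
  # printf is used so the '$' characters inside the hash are not expanded by the shell.
  printf '%s\n' \
    '_meta:' \
    '  type: "internalusers"' \
    '  config_version: 2' \
    "$user:" \
    "  hash: \"$hash\"" \
    '  reserved: true' \
    '  backend_roles: ["admin"]' \
    '  description: "Cluster administrator"' \
    > "$dir/internal_users.yml"

  # roles_mapping.yml: grant the static all_access role to that user.
  printf '%s\n' \
    '_meta:' \
    '  type: "rolesmapping"' \
    '  config_version: 2' \
    'all_access:' \
    '  reserved: true' \
    '  backend_roles: ["admin"]' \
    "  users: [\"$user\"]" \
    > "$dir/roles_mapping.yml"

  # The remaining files only need their _meta header; all_access is a static role,
  # so roles.yml does not have to define it.
  for pair in roles.yml:roles action_groups.yml:actiongroups tenants.yml:tenants; do
    printf '_meta:\n  type: "%s"\n  config_version: 2\n' "${pair#*:}" > "$dir/${pair%%:*}"
  done
}

# Checks the plugin would otherwise only report in the node log at startup.
check_security_config() {
  dir="$1"; user="$2"
  for pair in config.yml:config internal_users.yml:internalusers roles.yml:roles \
              roles_mapping.yml:rolesmapping action_groups.yml:actiongroups tenants.yml:tenants; do
    f="$dir/${pair%%:*}"; t="${pair#*:}"
    [ -f "$f" ] || { echo "missing $f" >&2; return 1; }
    grep -q "^  type: \"$t\"" "$f" || { echo "$f: _meta.type is not \"$t\"" >&2; return 1; }
  done
  # A plaintext password in the hash field is the classic mistake: require a 60-char bcrypt string.
  grep -Eq '^  hash: "\$2[aby]\$[0-9]{2}\$[./A-Za-z0-9]{53}"$' "$dir/internal_users.yml" \
    || { echo "$user: hash is not a bcrypt hash, generate it with hash.sh" >&2; return 1; }
  grep -q "^$user:" "$dir/internal_users.yml" \
    || { echo "$user is not defined in internal_users.yml" >&2; return 1; }
  grep -q "\"$user\"" "$dir/roles_mapping.yml" \
    || { echo "$user is not mapped to any role" >&2; return 1; }
}

# Prints the DN of the admin client certificate (kirk.pem in the post) in the
# RFC 2253 form that plugins.security.authcz.admin_dn expects in step 6.
admin_dn_from_cert() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Stand-alone run: $1 = hash from hash.sh, $2 = username; without arguments a
# constructed placeholder hash is used so the generated files can be inspected.
placeholder='$2y$12$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234'  # constructed, not a credential
out="${OUT_DIR:-$(mktemp -d)}"
write_security_config "$out" "${2:-admin}" "${1:-$placeholder}"
check_security_config "$out" "${2:-admin}"
echo "security config written to $out; create the secret with:"
echo "  kubectl create secret generic securityconfig --from-file=$out"
```

The plaintext password that belongs to the hash is what the consuming service sends as HTTP Basic credentials; keep it in its own Kubernetes Secret for that service, not in the Helm values. Once your own certificates are in place, also set allow_unsafe_democertificates to false in the opensearch.yml block above and compare the admin_dn line with the output of admin_dn_from_cert certs/kirk.pem: the plugin matches the DN string exactly, and a mismatch shows up as the admin certificate being treated as an ordinary client.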

This is super useful, thank you @pablo!!