cht42 / opensearch-kubernetes

Opensearch cluster with kubernetes

Permission denied with opensearch 2.9.0 #1

Open Sbaljepa opened 1 year ago

Sbaljepa commented 1 year ago

Hi, I'm using OpenSearch 2.9.0. Currently, when I run it, I get a permission denied error for opensearch-docker-entrypoint.sh.

kubectl logs -f opensearch-0
/bin/bash: ./opensearch-docker-entrypoint.sh: Permission denied

Sbaljepa commented 1 year ago

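---
# ConfigMap carrying the two OpenSearch files quoted in this issue:
# opensearch.yml (node and TLS settings) and the security plugin's config.yml
# (authentication domains). All values are the reporter's; only the manifest
# layout was restored and review comments were added.
apiVersion: v1
kind: ConfigMap
metadata:
  name: opensearch-config
data:
  opensearch.yml: |
    # Contents of opensearch.yml
    cluster.name: os-cluster
    # Binds every interface in the pod; who can reach the node is then decided
    # by the Service and any NetworkPolicy in front of it.
    network.host: 0.0.0.0
    discovery.seed_hosts: opensearch
    # NOTE(review): the log in this issue shows a pod named opensearch-0 and no
    # node.name is set here - confirm this entry matches the real node name.
    cluster.initial_master_nodes: opensearch-master-0

    # Allows the node to start with the bundled demo certificates, whose keys
    # are public. The paths below point at a custom CA, so this looks
    # unnecessary - keep it false outside throwaway test clusters.
    plugins.security.allow_unsafe_democertificates: true
    plugins.security.ssl.http.enabled: true
    plugins.security.ssl.http.pemtrustedcas_filepath: certificates/ca/ca.pem
    plugins.security.ssl.transport.enabled: true
    plugins.security.ssl.transport.pemtrustedcas_filepath: certificates/ca/ca.pem
    # With hostname verification off, a peer certificate is not checked against
    # the host presenting it; node identity rests on the CA and nodes_dn below.
    plugins.security.ssl.transport.enforce_hostname_verification: false

    # The same key/certificate pair is used for the transport and HTTP layers.
    plugins.security.ssl.transport.pemkey_filepath: certificates/opensearch/opensearch.key # relative path
    plugins.security.ssl.transport.pemcert_filepath: certificates/opensearch/opensearch.pem
    plugins.security.ssl.http.pemkey_filepath: certificates/opensearch/opensearch.key
    plugins.security.ssl.http.pemcert_filepath: certificates/opensearch/opensearch.pem

    # A client certificate with this DN is treated as an admin certificate and
    # can rewrite the security configuration; protect the matching key.
    plugins.security.authcz.admin_dn:
      - 'CN=ADMIN,O=UN,L=UN,ST=UN,C=UN'
    # Certificates with this DN are accepted as cluster nodes.
    plugins.security.nodes_dn:
      - 'CN=opensearch,O=UN,L=UN,ST=UN,C=UN'

  config.yml: |
    # Contents of config.yml
    _meta:
      type: "config"
      config_version: 2
    config:
      dynamic:
        authc:
          # Order 0: HTTP basic auth checked against the internal user database.
          # challenge: false lets requests without basic credentials fall
          # through to the OpenID domain instead of being challenged here.
          basic_internal_auth_domain:
            http_enabled: true
            transport_enabled: true
            order: 0
            http_authenticator:
              type: basic
              challenge: false
            authentication_backend:
              type: intern

          # Order 1: OpenID Connect bearer tokens.
          openid_auth_domain:
            http_enabled: true
            transport_enabled: true
            order: 1
            http_authenticator:
              type: openid
              challenge: false
              config:
                # TLS options for the connection to the identity provider.
                # NOTE(review): the discovery URL below is http://, so these
                # presumably do not protect that request as written, and
                # verify_hostnames: false would still skip the hostname check
                # once the URL is moved to https.
                openid_connect_idp:
                  enable_ssl: true
                  verify_hostnames: false
                  pemtrustedcas_filepath: /usr/share/opensearch/config/certificates/ca/ca.pem
                subject_key: preferred_username
                roles_key: roles
                # Fetched over plain HTTP. The discovery document tells the
                # plugin where the token-signing keys live, so its integrity
                # matters: prefer an https URL with hostname verification on.
                openid_connect_url: http://*******:8080/auth/realms/Grouptest/.well-known/openid-configuration
            authentication_backend:
              type: noop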

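---
# ConfigMap holding setup.sh, the script that pushes the security plugin
# configuration into the cluster with securityadmin.sh. Commands are the
# reporter's; the manifest layout and the script's shebang were restored.
apiVersion: v1
kind: ConfigMap
metadata:
  name: opensearch-security-admin-config
data:
  setup.sh: |
    #!/bin/bash

    set -e

    export JAVA_HOME=/usr/share/opensearch/jdk
    export PATH=$PATH:$JAVA_HOME/bin

    chmod +x /usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh

    # Authenticates with the admin client certificate. admin.key gives full
    # control over the security configuration, so it should reach the pod from
    # a Secret with tight access (the volume definitions are not visible in
    # this issue - confirm).
    # -nhnv turns off hostname verification and -icl ignores the cluster name.
    # os_node is not set in this script - presumably injected by the Job. It is
    # expanded unquoted, and set -e alone does not stop on an unset variable
    # (that needs set -u).
    /usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh \
      -cacert /usr/share/opensearch/config/certificates/ca/ca.pem \
      -cert /usr/share/opensearch/config/certificates/admin/admin.pem \
      -key /usr/share/opensearch/config/certificates/admin/admin.key \
      -cd /usr/share/opensearch/plugins/opensearch-security/securityconfig \
      -h $os_node -nhnv -icl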

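---
# Single-replica StatefulSet for the OpenSearch node; its pod is opensearch-0,
# the name that appears in the log quoted in this issue.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: opensearch
spec:
  serviceName: "opensearch"
  replicas: 1
  selector:
    matchLabels:
      app: opensearch
  template:
    metadata:
      labels:
        app: opensearch
    spec:
      # The container list (image, command, securityContext, volume mounts) did
      # not survive the page rendering, so the part of the manifest that would
      # explain the "Permission denied" on the entrypoint is not visible here.
      containers: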


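---
# Service in front of the pods labelled app: opensearch.
apiVersion: v1
kind: Service
metadata:
  name: opensearch
  labels:
    app: opensearch
spec:
  selector:
    app: opensearch
  # NodePort publishes the service on a port of every cluster node. Together
  # with network.host: 0.0.0.0 in opensearch.yml, access control then depends
  # on TLS, the auth domains and network policy; use ClusterIP unless access
  # from outside the cluster is required.
  type: NodePort
  # The port entries did not survive the page rendering.
  ports: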


apiVersion: batch/v1 kind: Job metadata: name: opensearch-security-admin spec: template: spec: restartPolicy: OnFailure initContainers: