hitachienergy / epiphany

Cloud and on-premises automation for Kubernetes centered industrial grade solutions.
Apache License 2.0

[BUG] Make OpenSearch Dashboards user configurable #3238

Closed przemyslavic closed 2 years ago

przemyslavic commented 2 years ago

Describe the bug

In the OpenSearch Dashboards schema, we theoretically have the option to set a username and password.

---
kind: configuration/opensearch-dashboards
title: "OpenSearch-Dashboards"
name: default
specification:
  dashboards_user: kibanaserver
  dashboards_user_password: PASSWORD_TO_CHANGE

But it is not entirely true. These values are only used to render the template, so they really need to be set correctly for the cluster to work. This means that if you change the username and password to anything you like, the dashboards will most probably not work, because neither the user nor the password will match/exist at all. Users are created in the OpenSearch role and that's where we create the kibanaserver user and the filebeatservice user, which means that in the dashboard configuration we cannot freely change the user name. It must only be kibanaserver.

Same with the password. If we want to change the password from the default, we have to change it in the dashboard configuration and in the configuration for the logging/opensearch component, because that's where it is actually set.

---
kind: configuration/logging
title: Logging Config
name: default
provider: aws
specification:
  kibanaserver_password: XXXXX
---
kind: configuration/opensearch-dashboards
title: "OpenSearch-Dashboards"
name: default
provider: aws
specification:
  dashboards_user: kibanaserver
  dashboards_user_password: XXXXX

So if we want to have a configurable user in one place, the logging and opensearch roles should read the dashboard configuration and create such a user and password automatically. Otherwise, changing these parameters in only one place will result in broken dashboards as the user or password will not be correct.

All hardcoded values for username in templates related to the opensearch / logging component (including filebeat and dashboards) have to be verified and set automatically according to the schema.

How to reproduce

Steps to reproduce the behavior:

  1. Deploy any cluster with logging component enabled
  2. Change username and password for dashboards
    ---
    kind: configuration/opensearch-dashboards
    title: "OpenSearch-Dashboards"
    name: default
    provider: aws
    specification:
      dashboards_user: testuser
      dashboards_user_password: testpass
  3. Execute epicli apply ...

Expected behavior

OpenSearch Dashboards should be available and accessible to the user and password that has been set.

Environment

epicli version: [2.0.1dev]

Describe alternatives you've considered

Use kibanaserver user and password that is set in logging/opensearch configuration and remove it from dashboards schema.


DoD checklist
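
The mismatch described in the issue can be caught before `epicli apply` with a small pre-flight check. The following is an added example, not part of the issue or of Epiphany's code: `parse_docs` and `check_dashboards_credentials` are hypothetical helpers, the sample passwords are constructed, and it assumes both documents are present in the manifest and use the flat layout shown above.

```python
import re

# Constructed sample manifest (passwords are made up), laid out as in the issue.
SAMPLE = """\
---
kind: configuration/logging
name: default
specification:
  kibanaserver_password: s3cret-A
---
kind: configuration/opensearch-dashboards
name: default
specification:
  dashboards_user: testuser
  dashboards_user_password: PASSWORD_TO_CHANGE
"""

def parse_docs(text):
    """Minimal reader for the flat kind/specification documents in the issue
    (assumption: no lists or deeper nesting). Returns {kind: specification}."""
    docs = {}
    for chunk in re.split(r"^---[ \t]*$", text, flags=re.M):
        kind, spec = None, {}
        for line in chunk.splitlines():
            m = re.match(r"^(\s*)([\w-]+):\s*(.*)$", line)
            if not m:
                continue
            indent, key, value = m.group(1), m.group(2), m.group(3).strip().strip("\"'")
            if indent:
                spec[key] = value          # indented keys live under specification
            elif key == "kind":
                kind = value
        if kind:
            docs[kind] = spec
    return docs

def check_dashboards_credentials(text):
    """Hypothetical helper: list the mismatches the issue describes."""
    docs = parse_docs(text)
    logging_spec = docs.get("configuration/logging", {})
    dash = docs.get("configuration/opensearch-dashboards", {})
    problems = []
    if dash.get("dashboards_user") != "kibanaserver":
        problems.append("dashboards_user must be kibanaserver")
    if dash.get("dashboards_user_password") != logging_spec.get("kibanaserver_password"):
        problems.append("dashboards_user_password differs from kibanaserver_password")
    if dash.get("dashboards_user_password") == "PASSWORD_TO_CHANGE":
        problems.append("dashboards_user_password is still PASSWORD_TO_CHANGE")
    return problems
```

Calling `check_dashboards_credentials(SAMPLE)` returns all three findings; a manifest that uses `kibanaserver` with the same changed password in both documents returns an empty list.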

cicharka commented 2 years ago

According to my talk with @przemyslavic, we will keep the previous way of configuring the dashboards user, therefore the dashboards user configuration for opensearch-dashboards will be removed -> the reasons behind such a decision: