Closed zalseryani closed 1 year ago
Looks like a dup of https://github.com/opensearch-project/opensearch-devops/issues/120, I'll close this one.
I'm 99% sure this is caused by making non-TLS requests from the nginx proxy to a TLS-enabled OpenSearch. I believe `plugins.security.ssl.http.enabled=false` is what you're looking for.
I will test it and keep you updated, thank you very much for your time and support :)
@dblock it worked thank you very much :+1:
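An alternative to the setting discussed above, as an added example that is not from this thread or from the OpenSearch project: with `plugins.security.ssl.http.enabled=false`, requests between the ingress and the pods, credentials included, travel in plaintext. Keeping HTTP TLS enabled and having ingress-nginx speak HTTPS to the backend avoids that. The host, Service name and Secret names below are placeholders; the annotations are ingress-nginx's own.

```yaml
# Added example: Ingress for ingress-nginx in front of an OpenSearch HTTP
# endpoint that keeps TLS on (plugins.security.ssl.http.enabled: true).
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: opensearch                          # placeholder
  annotations:
    # Open a TLS connection to the pods instead of sending plain HTTP,
    # which is the mismatch described in this thread.
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    # Verify the backend certificate. The Secret is given as
    # "namespace/name"; its ca.crt is the CA that signed the node certs.
    nginx.ingress.kubernetes.io/proxy-ssl-secret: "default/opensearch-http-ca"   # placeholder
    nginx.ingress.kubernetes.io/proxy-ssl-verify: "on"
    # Name checked against the backend certificate; must match one of its SANs.
    nginx.ingress.kubernetes.io/proxy-ssl-name: "opensearch-cluster-master"      # placeholder
spec:
  ingressClassName: nginx
  tls:
    # Certificate presented to clients at the ingress domain.
    - hosts:
        - opensearch.example.com            # placeholder
      secretName: opensearch-ingress-tls    # placeholder
  rules:
    - host: opensearch.example.com          # placeholder
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: opensearch-cluster-master   # placeholder Service name
                port:
                  number: 9200
```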
@zalseryani Glad that worked! Care to grok through the documentation and see if we're doing a poor job documenting this? (And maybe contribute some updates if you have time?).
@dblock
I would like to provide support in documentation after having a very good experience in administrating opensearch.
Any repo for doing that or having a policy for such a contribution?
Thank you and sorry for the delay.
Is there anyone who deployed via opensearch-operator and resolved the same issue? The `plugins.security.ssl.http.enabled=false` option doesn't allow the security config to be enabled. (ex. the `securityconfig-update` Job cannot connect to a cluster, so the `.opendistro_security` index isn't created)
@zalseryani @dblock What was your environment when you configured the opensearch cluster? My host/environment is as below:
@YeonghyeonKO, I believe the issue might be due to the demo configurations. Setting the `OPENSEARCH_INITIAL_ADMIN_PASSWORD` automatically enables the demo configs, which override your `plugins.security.ssl.http.enabled=false` setting. You can check the `opensearch.yml` file for these demo configurations.
@Gihchathur I chose the way that opensearch k8s operator generates TLS certificates for both Transport(9300) and HTTP(9200?).
```
[opensearch@test-opensearch-cluster-ml-0 config]$ ls
jvm.options log4j2.properties opensearch-notifications-core opensearch-performance-analyzer opensearch-security opensearch.yml tls-transport
jvm.options.d opensearch-notifications opensearch-observability opensearch-reports-scheduler opensearch.keystore tls-http
[opensearch@test-opensearch-cluster-ml-0 config]$ cd tls-http
[opensearch@test-opensearch-cluster-ml-0 tls-http]$ ls
ca.crt tls.crt tls.key
```
`opensearchCluster.dashboards` has a config for `ssl.verificationMode`, so I can open the URL (http://test-opensearch-cluster-dashboards.xxx.com) without TLS security. But what I also want is an endpoint for the cluster itself (for indexing data from outside). Do you have any ideas for this situation?
This is my yaml:
```yaml
opensearchCluster:
  enabled: true
  general:
    httpPort: "9200"
    image: harbor-srep01.xxx.com/library/opensearchproject/opensearch:v2.15.0
    serviceName: "test-opensearch-cluster"
    drainDataNodes: true
    # https://github.com/opensearch-project/opensearch-k8s-operator/blob/main/docs/userguide/main.md#security-context-for-pods-and-containers
    setVMMaxMapCount: true # In some cases, set general.setVMMaxMapCount to false as this feature also launches an init container with root
    podSecurityContext:
      runAsUser: 1000
      runAsGroup: 1000
    securityContext:
      allowPrivilegeEscalation: true
      privileged: true
  # https://github.com/opensearch-project/opensearch-k8s-operator/blob/main/docs/userguide/main.md#deal-with-max-virtual-memory-areas-vmmax_map_count-errors
  # https://github.com/opensearch-project/opensearch-k8s-operator/blob/main/docs/userguide/main.md#custom-init-helper
  initHelper:
    image: "harbor-srep01.xxx.com/nexus/docker-mig/library/busybox:1.31.1"
    imagePullPolicy: IfNotPresent
  dashboards:
    enable: true
    replicas: 1
    image: harbor-srep01.xxx.com/library/opensearchproject/opensearch-dashboards:v2.15.0
    resources:
      requests:
        memory: "1Gi"
        cpu: "500m"
      limits:
        memory: "1Gi"
        cpu: "500m"
    tls:
      enable: false
    opensearchCredentialsSecret:
      name: admin-credentials-secret
    additionalConfig:
      # https://opensearch.org/docs/latest/install-and-configure/install-dashboards/tls/
      opensearch.ssl.verificationMode: none
  nodePools:
    - component: master
      replicas: 3
      pdb:
        enable: false
        # enable: true
        # minAvailable: 1
      diskSize: "10Gi"
      persistence:
        pvc:
          storageClass: "sc-nfs-app-retain"
          accessModes:
            - ReadWriteOnce
      roles:
        - "cluster_manager"
        - "master"
      # https://github.com/opensearch-project/opensearch-k8s-operator/issues/669#issuecomment-1829833573
      # Suggestion: 1000m CPU & 2048Mi memory
      resources:
        requests:
          memory: "4Gi"
          cpu: "1"
        limits:
          memory: "4Gi"
          cpu: "2"
      # env:
      #   - name: OPENSEARCH_INITIAL_ADMIN_PASSWORD
      #     value: "hcpOss12~!"
    - component: data
      replicas: 2
      diskSize: "100Gi"
      persistence:
        pvc:
          storageClass: "sc-nfs-app-retain"
          accessModes:
            - ReadWriteOnce
      roles:
        - "data"
        - "ingest"
      resources:
        requests:
          memory: "8Gi"
          cpu: "2"
        limits:
          memory: "8Gi"
          cpu: "4"
    - component: ml
      replicas: 1
      diskSize: "10Gi"
      persistence:
        pvc:
          storageClass: "sc-nfs-app-retain"
          accessModes:
            - ReadWriteOnce
      roles:
        - "ml"
      resources:
        requests:
          memory: "24Gi"
          cpu: "4"
        limits:
          memory: "24Gi"
          cpu: "8"
  security:
    tls:
      transport:
        generate: true
        perNode: true
      # https://opensearch-project.github.io/opensearch-k8s-operator/docs/userguide/main.html#node-httprest-api
      http:
        generate: true
    config:
      adminCredentialsSecret: # these are the admin credentials for the Operator to use
        name: admin-credentials-secret
      securityConfigSecret: # this is the whole security configuration for OpenSearch
        name: securityconfig-secret
```
Issue
Deploying OpenSearch 2.6.0 with Helm chart 2.11.3 with nginx-ingress configuration, and I am not able to access opensearch engine using the ingress domain,
Opensearch pods logs when hitting the request
Kindly advise, Thank you.