opensearch-project / helm-charts

A community repository for Helm Charts of OpenSearch Project.
https://opensearch.org/docs/latest/opensearch/install/helm/
Apache License 2.0

How to configure a secret in opensearch.yml config. #458

Closed vamsi-amazon closed 8 months ago

vamsi-amazon commented 1 year ago

Is your feature request related to a problem? Please describe.

I am looking out for a way to configure opensearch.yml with a secret.

For example:

    plugins.query.datasources.masterkey: "secret"

The above master key can't be committed to GitHub, so we need a way to integrate opensearch.yml with secrets in K8s.

vamsi-amazon commented 1 year ago

@prudhvigodithi Any idea on this?

prudhvigodithi commented 1 year ago

Hey @vamsi-amazon, you can pre-create the secret and mount the secret using extraVolumes: and extraVolumeMounts

Example:

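    # Container-level mount (the list given to extraVolumeMounts)
    volumeMounts:
      - name: opensearch-config
        # OpenSearch reads its config from the config/ directory of the image
        mountPath: "/usr/share/opensearch/config/opensearch.yml"
        # subPath mounts the single Secret key as a file instead of a directory
        subPath: opensearch.yml
        readOnly: true
    # Pod-level volume backed by the pre-created Secret (the list given to extraVolumes)
    volumes:
      - name: opensearch-config
        secret:
          secretName: opensearch-config-secret
          optional: true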

When you add it as a secret, make sure you comment out this line https://github.com/opensearch-project/helm-charts/blob/main/charts/opensearch/values.yaml#L48 that asks for the opensearch.yml: setting.

vamsi-amazon commented 1 year ago

@prudhvigodithi are you suggesting creating the entire opensearch.yml as a secret volume and mounting it?

prudhvigodithi commented 1 year ago

Yes @vamsi-amazon, that's how a secret and a k8s secret mount work: the secrets will be encoded and will replace the mount path (the full file path or directory), so it needs to be a complete file.
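The whole-file approach from the two replies above, written out as an added example (not part of the thread and not the chart's own code). The Secret and volume names come from the thread; the values file name, the sample file contents, the `config/` mount location and the `null` override are assumptions, and the master key is a placeholder.

```yaml
# Added example; names marked "assumed" are not from the thread.
#
# 1) Create the Secret from a local, complete opensearch.yml that is kept out
#    of git (the file includes the masterkey line):
#
#      kubectl create secret generic opensearch-config-secret \
#        --from-file=opensearch.yml=./opensearch.yml
#
#    Equivalent manifest, for reference only; do not commit it with a real key:
apiVersion: v1
kind: Secret
metadata:
  name: opensearch-config-secret
type: Opaque
stringData:
  opensearch.yml: |
    # Constructed sample; it must be the complete file, not only the secret line.
    cluster.name: opensearch-cluster
    network.host: 0.0.0.0
    plugins.query.datasources.encryption.masterkey: "<MASTER_KEY_PLACEHOLDER>"
---
# 2) Helm values override (assumed file name: values-secret-config.yaml)
config:
  # Drop the chart's inline opensearch.yml so it is not mounted as well.
  # Assumption: a null in an override removes the chart default, per Helm's
  # documented behaviour for deleting a default key.
  opensearch.yml: null
extraVolumes:
  - name: opensearch-config
    secret:
      secretName: opensearch-config-secret
extraVolumeMounts:
  - name: opensearch-config
    # Assumed config location inside the OpenSearch image.
    mountPath: /usr/share/opensearch/config/opensearch.yml
    # subPath mounts the single key as a file; without it the mount path
    # becomes a directory containing the Secret's keys.
    subPath: opensearch.yml
    readOnly: true
```

A `subPath` mount is not refreshed when the Secret changes, so the pods need a restart after the key is rotated.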

Flyingliuhub commented 1 year ago

Is there a way to use just K8s secrets inside of opensearch.yml, not the whole file?

    plugins.query.datasources.encryption.masterkey: {K8's secret}

prudhvigodithi commented 1 year ago

Is this setting plugins.query.datasources.masterkey: "secret" supported as an environment variable?

Flyingliuhub commented 1 year ago

@vamsi-amazon Is your setting supported as env variable?

vamsi-amazon commented 1 year ago

@prudhvigodithi @Flyingliuhub I didn't know what that means?

prudhvigodithi commented 1 year ago

@vamsi-amazon certain OpenSearch configs can be passed as environment values, e.g. cluster.initial_master_nodes, network.publish_host etc. In the same manner, can this plugins.query.datasources.masterkey: "secret" be passed as environment values? More examples: https://github.com/Opster/opensearch-k8s-operator/blob/main/opensearch-operator/pkg/builders/cluster.go#L379-L412

Adding @TheAlgo @bbarani @peterzhuamazon

prudhvigodithi commented 8 months ago

Closing this issue, please feel free to re-open if required. Thanks.

Adding @bbarani @peterzhuamazon