opensearch-project / opensearch-k8s-operator

OpenSearch Kubernetes Operator
Apache License 2.0

spec.general.monitoring.pluginUrl with authentication #629

Open sergeiwaigant opened 1 year ago

sergeiwaigant commented 1 year ago

Hi there.

We are running OpenSearch in an on-prem environment and have to fetch the monitoring plugin through an Artifactory which has authentication enabled. First of all I have to add OPENSEARCH_JAVA_OPTS to spec.nodePools[].env with -Djavax.net.ssl.trustStore=/usr/share/opensearch/config/company-ca/company.truststore.jks, otherwise I am getting the following error: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

The main issue that I see is that the authentication is not working when I give spec.general.monitoring.pluginUrl as https://{{ artifactory_user }}:{{ artifactory_token }}@{{ artifactory_url }}/aiven/prometheus-exporter-plugin-for-opensearch/releases/download/2.8.0.0/prometheus-exporter-2.8.0.0.zip

The error message is:

-> Installing https://artifactory_user:artifactory_token@artifactory.fqdn/artifactory/thirdparty.generic.release/aiven/prometheus-exporter-plugin-for-opensearch/releases/download/2.8.0.0/prometheus-exporter-2.8.0.0.zip
-> Downloading https://artifactory_user:artifactory_token@artifactory.fqdn/artifactory/thirdparty.generic.release/aiven/prometheus-exporter-plugin-for-opensearch/releases/download/2.8.0.0/prometheus-exporter-2.8.0.0.zip
-> Failed installing https://artifactory_user:artifactory_token@artifactory.fqdn/artifactory/thirdparty.generic.release/aiven/prometheus-exporter-plugin-for-opensearch/releases/download/2.8.0.0/prometheus-exporter-2.8.0.0.zip
-> Rolling back https://artifactory_user:artifactory_token@artifactory.fqdn/artifactory/thirdparty.generic.release/aiven/prometheus-exporter-plugin-for-opensearch/releases/download/2.8.0.0/prometheus-exporter-2.8.0.0.zip
-> Rolled back https://artifactory_user:artifactory_token@artifactory.fqdn/artifactory/thirdparty.generic.release/aiven/prometheus-exporter-plugin-for-opensearch/releases/download/2.8.0.0/prometheus-exporter-2.8.0.0.zip
Exception in thread "main" java.io.IOException: Server returned HTTP response code: 401 for URL: https://artifactory_user:artifactory_token@artifactory.fqdn/artifactory/thirdparty.generic.release/aiven/prometheus-exporter-plugin-for-opensearch/releases/download/2.8.0.0/prometheus-exporter-2.8.0.0.zip
    at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:2000)
    at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1589)
    at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:224)
    at org.opensearch.plugins.InstallPluginCommand.downloadZip(InstallPluginCommand.java:455)
    at org.opensearch.plugins.InstallPluginCommand.download(InstallPluginCommand.java:341)
    at org.opensearch.plugins.InstallPluginCommand.execute(InstallPluginCommand.java:273)
    at org.opensearch.plugins.InstallPluginCommand.execute(InstallPluginCommand.java:250)
    at org.opensearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:104)
    at org.opensearch.cli.Command.mainWithoutErrorHandling(Command.java:138)
    at org.opensearch.cli.MultiCommand.execute(MultiCommand.java:104)
    at org.opensearch.cli.Command.mainWithoutErrorHandling(Command.java:138)
    at org.opensearch.cli.Command.main(Command.java:101)
    at org.opensearch.plugins.PluginCli.main(PluginCli.java:60)

Can someone check and maybe confirm that this is not possible at the moment? Is it possible to configure an init container where we could download the plugin zip upfront?

Regards Sergei

IIIRADIII commented 1 year ago

Hi @sergeiwaigant. Just to check that the problem is not in the credentials themselves, can you confirm that you can download the same .zip file from Artifactory using curl or wget and the same form of basic auth?

sergeiwaigant commented 1 year ago

> Hi @sergeiwaigant
>
> Just to check that the problem is not in credentials itself, can you confirm that you can download the same .zip file from artifactory using curl or wget and the same form of basic auth?

Yeah sure. I verified that the auth credentials are valid and they were working with curl perfectly.

swoehrl-mw commented 1 year ago

Hi @sergeiwaigant. The operator delegates the actual installation of plugins to OpenSearch, and AFAIK that does not allow providing credentials for a plugin URL. Not really sure what the best course of action is, as I don't believe there is anything simple the operator can do.

Would you be able to create a custom/extended OpenSearch Docker image with the monitoring plugin already included? Or could you pre-download the plugin to a location and mount that into the pods?
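
The pre-download approach suggested above, sketched as a shell script for a custom image build step (an added example, not code from the operator or from any commenter in this thread). ARTIFACTORY_USER, ARTIFACTORY_TOKEN, PLUGIN_URL and PLUGIN_SHA256 are assumed variable names; the credentials reach curl through a config on stdin, so they are not part of the URL, which the install log above echoes in full, userinfo included.

```shell
#!/bin/sh
# Added example: pre-download a plugin zip from an authenticated repository,
# verify it against a pinned checksum, and install it from a file:// URL.
# ARTIFACTORY_USER, ARTIFACTORY_TOKEN, PLUGIN_URL and PLUGIN_SHA256 are
# assumed environment variables, e.g. injected as build secrets.

# Emit a curl config line carrying the credentials. Piping it to curl on
# stdin keeps the token out of the URL, the process arguments and the logs.
# Assumes user and token contain no double quotes or backslashes.
curl_auth_config() {
    printf 'user = "%s:%s"\n' "$1" "$2"
}

# Download URL $1 to file $2 with basic auth; --fail turns an HTTP error
# such as 401 into a non-zero exit instead of saving the error page.
fetch_plugin() {
    curl_auth_config "$ARTIFACTORY_USER" "$ARTIFACTORY_TOKEN" |
        curl --config - --fail --silent --show-error --location \
             --output "$2" "$1"
}

# Compare the SHA-256 of file $1 with the pinned value $2.
# Returns non-zero on mismatch.
verify_sha256() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# Fetch, verify, then hand the local file to the OpenSearch plugin CLI.
install_plugin() {
    zip=/tmp/plugin.zip
    fetch_plugin "$PLUGIN_URL" "$zip" || return 1
    if ! verify_sha256 "$zip" "$PLUGIN_SHA256"; then
        echo "checksum mismatch for $zip" >&2
        rm -f "$zip"
        return 1
    fi
    /usr/share/opensearch/bin/opensearch-plugin install --batch "file://$zip"
}

# Runs only when called as `sh install-plugin.sh run`.
if [ "${1:-}" = run ]; then
    install_plugin
fi
```

Pinning PLUGIN_SHA256 means a tampered or truncated download fails the build instead of being installed into the image.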