diff --git a/helm/configurations/values-dev.yaml b/helm/configurations/values-dev.yaml
index 5164f1ac..19df7192 100644
--- a/helm/configurations/values-dev.yaml
+++ b/helm/configurations/values-dev.yaml
@@ -31,3 +31,28 @@ components:
 pgbouncer:
 enabled: true
+
+# OpenSearch configuration for dev environment
+opensearch:
+  generateCerts: false
+  config:
+    opensearch.yml: |
+      cluster.name: opensearch-cluster
+      network.host: 0.0.0.0
+      plugins:
+        security:
+          disabled: true
+  extraEnvs:
+    - name: OPENSEARCH_INITIAL_ADMIN_PASSWORD
+      value: ReanaOS1=
+  resources:
+    requests:
+      cpu: "1000m"
+      memory: "2Gi"
+  securityConfig:
+    enable: false
+    internalUsersSecret:
+    rolesSecret:
+    rolesMappingSecret:
+    secretMounts: []
+  customSecurityConfig:
diff --git a/helm/reana/Chart.yaml b/helm/reana/Chart.yaml
index 668ac5ea..45c4acc5 100644
--- a/helm/reana/Chart.yaml
+++ b/helm/reana/Chart.yaml
@@ -35,3 +35,7 @@ dependencies:
 condition: traefik.enabled
 tags:
 - ingress
+ - name: opensearch
+ version: 2.22.1
+ repository: https://opensearch-project.github.io/helm-charts/
+ condition: opensearch.enabled
diff --git a/helm/reana/README.md b/helm/reana/README.md
index fdfee412..462a6df1 100644
--- a/helm/reana/README.md
+++ b/helm/reana/README.md
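Review bot: `securityConfig.enable: false` does not match the key the base values.yaml sets (`securityConfig.enabled: true`), so this dev override presumably leaves the security config enabled while nulling out `internalUsersSecret`, `rolesSecret` and `rolesMappingSecret`; the line should read `    enabled: false`. In the same stanza `secretMounts: []` is indented under `securityConfig`, whereas the base file defines `secretMounts` at the `opensearch` level, so the inherited mount of `reana-opensearch-tls-secret` is likely not cleared even though `generateCerts: false` means that secret is never rendered — dedent it to `  secretMounts: []`. `OPENSEARCH_INITIAL_ADMIN_PASSWORD` is committed as a plain value; even for a dev environment it is better supplied at install time, or at least marked with `# dev-only placeholder; override at install time` so it is not copied into other environment files.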
@@ -98,6 +98,12 @@ This Helm automatically prefixes all names using the release name to avoid colli
 | `reana_hostname` | REANA hostname (e.g. reana.example.org) | None |
 | `namespace_runtime` | Namespace in which the REANA runtime pods (workflow engines, jobs etc...) will run | `.Release.Namespace` |
 | `naming_scheme` | REANA component naming scheme | None |
+| `opensearch.*` | Pass any value from [OpenSearch Helm chart values](https://github.com/opensearch-project/helm-charts/tree/main/charts/opensearch#configuration) here | - |
+| `opensearch.enabled` | Enable OpenSearch | false |
+| `opensearch.generateCerts` | Enable the generation of a self-signed TLS certificates for OpenSearch nodes | true |
+| `opensearch.customSecurityConfig.internalUsers` | Provide YAML users configuration for `internal_users.yaml` file; see [documentation](https://opensearch.org/docs/latest/security/configuration/yaml/#internal_usersyml) | None |
+| `opensearch.customSecurityConfig.roles` | Provide YAML roles configuration for `roles.yaml` file; see [documentation](https://opensearch.org/docs/latest/security/configuration/yaml/#rolesyml) | None |
+| `opensearch.customSecurityConfig.rolesMapping` | Provide YAML roles mapping configuration for `roles_mapping.yaml` file; see [documentation](https://opensearch.org/docs/latest/security/configuration/yaml/#roles_mappingyml) | None |
 | `pgbouncer.enabled` | Instantiate PgBouncer inside the cluster to pool database connections | false |
 | `pgbouncer.image` | [PgBouncer image](https://hub.docker.com/r/bitnami/pgbouncer/) to use | `bitnami/pgbouncer:1.23.1` |
 | `pgbouncer.pool_mode` | Pool mode to use (session, transaction, statement) | transaction |
diff --git a/helm/reana/templates/secrets.yaml b/helm/reana/templates/secrets.yaml
index b211ab5c..e5bdc1fe 100644
--- a/helm/reana/templates/secrets.yaml
+++ b/helm/reana/templates/secrets.yaml
@@ -76,3 +76,62 @@ data:
 tls.crt: {{ $cert.Cert | b64enc | quote }}
 tls.key: {{ $cert.Key | b64enc | quote }}
 {{- end }}
+---
+{{- if and .Values.opensearch.enabled .Values.opensearch.generateCerts }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "reana.prefix" . }}-opensearch-tls-secret
+ namespace: {{ .Release.Namespace }}
+type: kubernetes.io/tls
+data:
+ {{- $ca := genCA "reana.io" 365 }}
+ {{- $cert := genSignedCert "opensearch.reana.io" nil nil 90 $ca }}
+ {{- $certAdmin := genSignedCert "opensearch-admin.reana.io" nil nil 90 $ca }}
+ tls.crt: {{ $cert.Cert | b64enc | quote }}
+ tls.key: {{ $cert.Key | b64enc | quote }}
+ admin.crt: {{ $certAdmin.Cert | b64enc | quote }}
+ admin.key: {{ $certAdmin.Key | b64enc | quote }}
+ ca.crt: {{ $ca.Cert | b64enc | quote }}
+{{- end }}
+---
+{{- if and .Values.opensearch.enabled .Values.opensearch.customSecurityConfig }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "reana.prefix" . }}-opensearch-config-secret
+ namespace: {{ .Release.Namespace }}
+type: kubernetes.io/opaque
+stringData:
+ {{- if .Values.opensearch.customSecurityConfig.internalUsers }}
+ internal_users.yml: |
+ ---
+ # This is the internal user database
+ # The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh
+ _meta:
+ type: "internalusers"
+ config_version: 2
+ {{ .Values.opensearch.customSecurityConfig.internalUsers | toYaml | nindent 4 }}
+ {{- end }}
+ {{- if .Values.opensearch.customSecurityConfig.rolesMapping }}
+ roles_mapping.yml: |
+ ---
+ # In this file users, backendroles and hosts can be mapped to Security roles.
+ # Permissions for OpenSearch roles are configured in roles.yml
+ _meta:
+ type: "rolesmapping"
+ config_version: 2
+ {{ .Values.opensearch.customSecurityConfig.rolesMapping | toYaml | nindent 4 }}
+ {{- end }}
+ {{- if .Values.opensearch.customSecurityConfig.roles }}
+ roles.yml: |
+ ---
+ _meta:
+ type: "roles"
+ config_version: 2
+ # The security REST API access role is used to assign specific users access to change the security settings through the REST API.
+ security_rest_api_access:
+ reserved: true
+ {{ .Values.opensearch.customSecurityConfig.roles | toYaml | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/helm/reana/values.yaml b/helm/reana/values.yaml
index 4189eea5..cf6f912e 100644
--- a/helm/reana/values.yaml
+++ b/helm/reana/values.yaml
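Review bot: `type: kubernetes.io/opaque` on the config secret is not a built-in Kubernetes Secret type — the generic type is spelled `Opaque`; the API server accepts arbitrary type strings so this will not fail at apply time, but it is misleading to readers and tooling, so change it to `type: Opaque`. The TLS secret signs the node and admin certificates for 90 days from a CA valid for 365, and `genCA`/`genSignedCert` only run at render time, so a release that is not upgraded within 90 days is presumably left with expired node certificates; either document this on the `generateCerts` value or align the lifetimes, e.g. `{{- $cert := genSignedCert "opensearch.reana.io" nil nil 365 $ca }}`. The three `{{ .Values.opensearch.customSecurityConfig.* | toYaml | nindent 4 }}` lines sit inside block scalars at the content indent, so each leaves a whitespace-only line in the rendered file; `{{- ... | nindent 4 }}` avoids that. Both conditionals are fully contained in this hunk.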
@@ -189,3 +189,154 @@ quota:
 # backward compatibility
 disk_update: "0 3 * * *" # everyday at 3am
 termination_update_policy: ""
+
+# OpenSearch chart values.yaml
+opensearch:
+  enabled: false
+  generateCerts: true
+  singleNode: true # advanced storage configuration needed if set to false
+  config:
+    opensearch.yml: |
+      cluster.name: opensearch-cluster
+      network.host: 0.0.0.0
+      plugins:
+        security:
+          nodes_dn:
+            - "CN=opensearch.reana.io"
+          authcz:
+            admin_dn:
+              - "CN=opensearch-admin.reana.io"
+          ssl:
+            transport:
+              pemcert_filepath: certs/tls.crt
+              pemkey_filepath: certs/tls.key
+              pemtrustedcas_filepath: certs/ca.crt
+              enforce_hostname_verification: false
+            http:
+              enabled: true
+              pemcert_filepath: certs/tls.crt
+              pemkey_filepath: certs/tls.key
+              pemtrustedcas_filepath: certs/ca.crt
+          allow_default_init_securityindex: true
+          check_snapshot_restore_write_privileges: true
+          enable_snapshot_restore_privilege: true
+          ssl_cert_reload_enabled: true # https://opensearch.org/docs/latest/security/access-control/api/#reload-transport-certificates
+          restapi:
+            roles_enabled:
+              - all_access
+              - security_rest_api_access
+          system_indices:
+            enabled: true
+            indices:
+              [
+                ".opendistro-alerting-config",
+                ".opendistro-alerting-alert*",
+                ".opendistro-anomaly-results*",
+                ".opendistro-anomaly-detector*",
+                ".opendistro-anomaly-checkpoints",
+                ".opendistro-anomaly-detection-state",
+                ".opendistro-reports-*",
+                ".opendistro-notifications-*",
+                ".opendistro-notebooks",
+                ".opendistro-asynchronous-search-response*",
+              ]
+  extraEnvs:
+    - name: DISABLE_INSTALL_DEMO_CONFIG
+      value: "true"
+  secretMounts:
+    - name: reana-opensearch-tls-secret
+      secretName: reana-opensearch-tls-secret
+      path: /usr/share/opensearch/config/certs
+  resources:
+    requests:
+      cpu: "1000m"
+      memory: "4Gi"
+  persistence:
+    enabled: false
+  securityConfig:
+    enabled: true
+    internalUsersSecret: "reana-opensearch-config-secret"
+    rolesSecret: "reana-opensearch-config-secret"
+    rolesMappingSecret: "reana-opensearch-config-secret"
+  extraVolumes:
+    - name: reana-opensearch-volume
+      hostPath:
+        path: /var/reana
+  # You can instead configure infrastructure volume:
+  # - name: reana-opensearch-volume
+  #   persistentVolumeClaim:
+  #     claimName: reana-infrastructure-persistent-volume
+  #     readOnly: false
+  # Or shared volume:
+  # - name: reana-opensearch-volume
+  #   persistentVolumeClaim:
+  #     claimName: reana-shared-persistent-volume
+  #     readOnly: false
+  extraVolumeMounts:
+    - mountPath: /usr/share/opensearch/data
+      subPath: opensearch
+      name: reana-opensearch-volume
+  # Configure REANA and FluentBit users and roles for job log collection
+  customSecurityConfig:
+    internalUsers:
+      reana:
+        hash: "" # Required. To generate hash, run plugins/opensearch-security/tools/hash.sh -p ; supply in Helm command flags
+        reserved: false
+        backend_roles:
+          - readall
+        description: REANA user
+      fluentbit:
+        hash: "" # Required. To generate hash, run plugins/opensearch-security/tools/hash.sh -p ; supply in Helm command flags
+        reserved: false
+        backend_roles:
+          - fluentbit
+        description: FluentBit user
+    roles:
+      fluentbit:
+        reserved: true
+        hidden: false
+        description: Provide the minimum permissions for fluentbit
+        cluster_permissions:
+          - cluster_monitor
+          - cluster_composite_ops
+          - indices:admin/template/get
+          - indices:admin/template/put
+          - cluster:admin/ingest/pipeline/put
+          - cluster:admin/ingest/pipeline/get
+        index_permissions:
+          - index_patterns:
+              - fluentbit-*
+            fls: []
+            masked_fields: []
+            allowed_actions:
+              - crud
+              - create_index
+        tenant_permissions: []
+        static: true
+    rolesMapping:
+      fluentbit:
+        hosts: []
+        users: []
+        reserved: false
+        hidden: false
+        backend_roles:
+          - fluentbit
+        and_backend_roles: []
+      own_index:
+        hosts: []
+        users:
+          - "*"
+        reserved: false
+        hidden: false
+        backend_roles: []
+        and_backend_roles: []
+        description: Allow full access to an index named like the username
+      readall:
+        hosts: []
+        users:
+          - "reana"
+        reserved: false
+        hidden: false
+        backend_roles:
+          - readall
+        and_backend_roles: []
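Review bot: `secretMounts[0].secretName: reana-opensearch-tls-secret` and the three `securityConfig.*Secret: "reana-opensearch-config-secret"` values hard-code the `reana-` prefix, while templates/secrets.yaml names both secrets with `{{ include "reana.prefix" . }}`; if that prefix follows the release name as the README states, a release not named `reana` will mount secrets that do not exist. Either document the coupling next to `secretMounts` (`# must match <prefix>-opensearch-tls-secret rendered by templates/secrets.yaml`) or derive the names in the template instead of in values. `hash: ""` for the `reana` and `fluentbit` users is commented as required but nothing enforces it, so a forgotten `--set` presumably renders an `internal_users.yml` with empty hashes and unusable users; wrapping those values in Helm's `required` in the template would make the failure visible at install time. `enforce_hostname_verification: false` on the transport layer deserves a why-comment, since the node certificate is issued for the fixed CN `opensearch.reana.io` (e.g. `# single-node transport; pod hostnames do not match the fixed CN`), so a later reader does not mistake it for an oversight.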