Bitnami/charts
2
0
Fork 0
mirror of https://github.com/bitnami/charts.git synced 2026-03-07 08:07:55 +08:00
Code Issues Packages Projects Releases Wiki Activity

[bitnami/opensearch] Make TLS secret keys configurable (#21287)

Browse Source 
Signed-off-by: Max Nitze <max.nitze@mgm-tp.com>
Co-authored-by: Max Nitze <max.nitze@mgm-tp.com>
This commit is contained in:
Max Nitze
2023-12-18 13:17:19 +01:00
committed by GitHub
parent fe8f17639a
commit 41624768b6
10 changed files with 139 additions and 47 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
bitnami/opensearch/Chart.yaml
View File

@@ -30,4 +30,4 @@ maintainers:
name: opensearch
sources:
- https://github.com/bitnami/charts/tree/main/bitnami/opensearch
version: 0.5.4
version: 0.6.0

14
bitnami/opensearch/README.md
View File

@@ -122,13 +122,27 @@ helm delete --purge my-release
| Name | Description | Value |
| ------------------------------------------ | ------------------------------------------------------------------------------------------------------- | --------------------------- |
| `security.tls.admin.existingSecret` | Existing secret containing the certificates for admin | `""` |
| `security.tls.admin.certKey` | Key containing the crt for admin certificate (defaults to admin.crt) | `""` |
| `security.tls.admin.keyKey` | Key containing the key for admin certificate (defaults to admin.key) | `""` |
| `security.tls.restEncryption` | Enable SSL/TLS encryption for OpenSearch REST API. | `false` |
| `security.tls.autoGenerated` | Create self-signed TLS certificates. | `true` |
| `security.tls.verificationMode` | Verification mode for SSL communications. | `full` |
| `security.tls.master.existingSecret` | Existing secret containing the certificates for the master nodes | `""` |
| `security.tls.master.certKey` | Key containing the crt for master nodes certificate (defaults to tls.crt) | `""` |
| `security.tls.master.keyKey` | Key containing the key for master nodes certificate (defaults to tls.key) | `""` |
| `security.tls.master.caKey` | Key containing the ca for master nodes certificate (defaults to ca.crt) | `""` |
| `security.tls.data.existingSecret` | Existing secret containing the certificates for the data nodes | `""` |
| `security.tls.data.certKey` | Key containing the crt for data nodes certificate (defaults to tls.crt) | `""` |
| `security.tls.data.keyKey` | Key containing the key for data nodes certificate (defaults to tls.key) | `""` |
| `security.tls.data.caKey` | Key containing the ca for data nodes certificate (defaults to ca.crt) | `""` |
| `security.tls.ingest.existingSecret` | Existing secret containing the certificates for the ingest nodes | `""` |
| `security.tls.ingest.certKey` | Key containing the crt for ingest nodes certificate (defaults to tls.crt) | `""` |
| `security.tls.ingest.keyKey` | Key containing the key for ingest nodes certificate (defaults to tls.key) | `""` |
| `security.tls.ingest.caKey` | Key containing the ca for ingest nodes certificate (defaults to ca.crt) | `""` |
| `security.tls.coordinating.existingSecret` | Existing secret containing the certificates for the coordinating nodes | `""` |
| `security.tls.coordinating.certKey` | Key containing the crt for coordinating nodes certificate (defaults to tls.crt) | `""` |
| `security.tls.coordinating.keyKey` | Key containing the key for coordinating nodes certificate (defaults to tls.key) | `""` |
| `security.tls.coordinating.caKey` | Key containing the ca for coordinating nodes certificate (defaults to ca.crt) | `""` |
| `security.tls.keystoreFilename` | Name of the keystore file | `opensearch.keystore.jks` |
| `security.tls.truststoreFilename` | Name of the truststore | `opensearch.truststore.jks` |
| `security.tls.usePemCerts` | Use this variable if your secrets contain PEM certificates instead of JKS/PKCS12 | `false` |

94
bitnami/opensearch/templates/_helpers.tpl
View File

@@ -311,63 +311,95 @@ Create the name of the ingest service account to use
{{- end -}}
{{/*
Return the opensearch TLS credentials secret for master nodes.
Return the opensearch TLS credentials secret for typed nodes.
*/}}
{{- define "opensearch.master.tlsSecretName" -}}
{{- $secretName := .Values.security.tls.master.existingSecret -}}
{{- define "opensearch.node.tlsSecretName" -}}
{{- $secretName := index .context.Values.security.tls .nodeRole "existingSecret" -}}
{{- if $secretName -}}
{{- printf "%s" (tpl $secretName $) -}}
{{- printf "%s" (tpl $secretName .context) -}}
{{- else -}}
{{- printf "%s-crt" (include "opensearch.master.fullname" .) -}}
{{- printf "%s-crt" (include (printf "opensearch.%s.fullname" .nodeRole) .context) -}}
{{- end -}}
{{- end -}}
{{/*
Return the opensearch TLS credentials secret items for typed nodes.
*/}}
{{- define "opensearch.node.tlsSecretItems" -}}
{{- $items := list }}
{{- $items = append $items (dict "key" (include "opensearch.node.tlsSecretCertKey" (dict "nodeRole" .nodeRole "context" .context)) "path" "tls.crt") }}
{{- $items = append $items (dict "key" (include "opensearch.node.tlsSecretKeyKey" (dict "nodeRole" .nodeRole "context" .context)) "path" "tls.key") }}
{{- $items = append $items (dict "key" (include "opensearch.node.tlsSecretCAKey" (dict "nodeRole" .nodeRole "context" .context)) "path" "ca.crt") }}
{{ $items | toYaml }}
{{- end -}}
{{/*
Return the opensearch TLS credentials secret key of the certificate for typed nodes.
*/}}
{{- define "opensearch.node.tlsSecretCertKey" -}}
{{- include "opensearch.tlsSecretKey" (dict "type" .nodeRole "secretKey" "certKey" "defaultKey" "tls.crt" "context" .context) -}}
{{- end -}}
{{/*
Return the opensearch TLS credentials secret key of the certificates key for typed nodes.
*/}}
{{- define "opensearch.node.tlsSecretKeyKey" -}}
{{- include "opensearch.tlsSecretKey" (dict "type" .nodeRole "secretKey" "keyKey" "defaultKey" "tls.key" "context" .context) -}}
{{- end -}}
{{/*
Return the opensearch TLS credentials secret key of the ca certificate for typed nodes.
*/}}
{{- define "opensearch.node.tlsSecretCAKey" -}}
{{- include "opensearch.tlsSecretKey" (dict "type" .nodeRole "secretKey" "caKey" "defaultKey" "ca.crt" "context" .context) -}}
{{- end -}}
{{/*
Return the opensearch admin TLS credentials secret for all nodes.
*/}}
{{- define "opensearch.admin.tlsSecretName" -}}
{{- $secretName := .Values.security.tls.admin.existingSecret -}}
{{- $secretName := .context.Values.security.tls.admin.existingSecret -}}
{{- if $secretName -}}
{{- printf "%s" (tpl $secretName $) -}}
{{- printf "%s" (tpl $secretName .context) -}}
{{- else -}}
{{- printf "%s-admin-crt" (include "common.names.fullname" .) -}}
{{- printf "%s-admin-crt" (include "common.names.fullname" .context) -}}
{{- end -}}
{{- end -}}
{{/*
Return the opensearch TLS credentials secret for coordinating nodes.
Return the opensearch TLS credentials secret items for all nodes.
*/}}
{{- define "opensearch.coordinating.tlsSecretName" -}}
{{- $secretName := .Values.security.tls.coordinating.existingSecret -}}
{{- if $secretName -}}
{{- printf "%s" (tpl $secretName $) -}}
{{- else -}}
{{- printf "%s-crt" (include "opensearch.coordinating.fullname" .) -}}
{{- end -}}
{{- define "opensearch.admin.tlsSecretItems" -}}
{{- $items := list }}
{{- $items = append $items (dict "key" (include "opensearch.admin.tlsSecretCertKey" (dict "context" .context)) "path" "admin.crt") }}
{{- $items = append $items (dict "key" (include "opensearch.admin.tlsSecretKeyKey" (dict "context" .context)) "path" "admin.key") }}
{{ $items | toYaml }}
{{- end -}}
{{/*
Return the opensearch TLS credentials secret for data nodes.
Return the opensearch TLS credentials secret key of the certificate for all nodes.
*/}}
{{- define "opensearch.data.tlsSecretName" -}}
{{- $secretName := .Values.security.tls.data.existingSecret -}}
{{- if $secretName -}}
{{- printf "%s" (tpl $secretName $) -}}
{{- else -}}
{{- printf "%s-crt" (include "opensearch.data.fullname" .) -}}
{{- end -}}
{{- define "opensearch.admin.tlsSecretCertKey" -}}
{{- include "opensearch.tlsSecretKey" (dict "type" "admin" "secretKey" "certKey" "defaultKey" "admin.crt" "context" .context) -}}
{{- end -}}
{{/*
Return the opensearch TLS credentials secret for ingest nodes.
Return the opensearch TLS credentials secret key of the certificates key for all nodes.
*/}}
{{- define "opensearch.ingest.tlsSecretName" -}}
{{- $secretName := .Values.security.tls.ingest.existingSecret -}}
{{- if $secretName -}}
{{- printf "%s" (tpl $secretName $) -}}
{{- else -}}
{{- printf "%s-crt" (include "opensearch.ingest.fullname" .) -}}
{{- define "opensearch.admin.tlsSecretKeyKey" -}}
{{- include "opensearch.tlsSecretKey" (dict "type" "admin" "secretKey" "keyKey" "defaultKey" "admin.key" "context" .context) -}}
{{- end -}}
{{/*
Return the opensearch TLS credentials secret key of the given type.
*/}}
{{- define "opensearch.tlsSecretKey" -}}
{{- $secretConfig := index .context.Values.security.tls .type -}}
{{- if $secretConfig.externalSecret }}
{{ index $secretConfig .secretKey | default .defaultKey }}
{{- else }}
{{- printf .defaultKey }}
{{- end }}
{{- end -}}
{{/*

6
bitnami/opensearch/templates/coordinating/statefulset.yaml
View File

@@ -267,9 +267,11 @@ spec:
defaultMode: 256
sources:
- secret:
name: {{ include "opensearch.coordinating.tlsSecretName" . }}
name: {{ include "opensearch.node.tlsSecretName" (dict "nodeRole" "coordinating" "context" $) }}
items: {{- include "opensearch.node.tlsSecretItems" (dict "nodeRole" "coordinating" "context" $) | nindent 20 }}
- secret:
name: {{ include "opensearch.admin.tlsSecretName" . }}
name: {{ include "opensearch.admin.tlsSecretName" (dict "context" $) }}
items: {{- include "opensearch.admin.tlsSecretItems" (dict "context" $) | nindent 20 }}
{{- end }}
{{- if .Values.initScripts }}
- name: custom-init-scripts

4
bitnami/opensearch/templates/dashboards/deployment.yaml
View File

@@ -170,9 +170,9 @@ spec:
{{- if .Values.security.enabled }}
- name: opensearch-certificates
secret:
secretName: {{ include "opensearch.master.tlsSecretName" . }}
secretName: {{ include "opensearch.node.tlsSecretName" (dict "nodeRole" "master" "context" $) }}
items:
- key: ca.crt
- key: {{ include "opensearch.node.tlsSecretCAKey" (dict "nodeRole" "master" "context" $) }}
path: ca.crt
{{- end }}
{{- if .Values.dashboards.tls.enabled }}

6
bitnami/opensearch/templates/data/statefulset.yaml
View File

@@ -290,9 +290,11 @@ spec:
defaultMode: 256
sources:
- secret:
name: {{ include "opensearch.data.tlsSecretName" . }}
name: {{ include "opensearch.node.tlsSecretName" (dict "nodeRole" "data" "context" $) }}
items: {{- include "opensearch.node.tlsSecretItems" (dict "nodeRole" "data" "context" $) | nindent 20 }}
- secret:
name: {{ include "opensearch.admin.tlsSecretName" . }}
name: {{ include "opensearch.admin.tlsSecretName" (dict "context" $) }}
items: {{- include "opensearch.admin.tlsSecretItems" (dict "context" $) | nindent 20 }}
{{- end }}
{{- if .Values.initScripts }}
- name: custom-init-scripts

6
bitnami/opensearch/templates/ingest/statefulset.yaml
View File

@@ -268,9 +268,11 @@ spec:
defaultMode: 256
sources:
- secret:
name: {{ include "opensearch.ingest.tlsSecretName" . }}
name: {{ include "opensearch.node.tlsSecretName" (dict "nodeRole" "ingest" "context" $) }}
items: {{- include "opensearch.node.tlsSecretItems" (dict "nodeRole" "ingest" "context" $) | nindent 20 }}
- secret:
name: {{ include "opensearch.admin.tlsSecretName" . }}
name: {{ include "opensearch.admin.tlsSecretName" (dict "context" $) }}
items: {{- include "opensearch.admin.tlsSecretItems" (dict "context" $) | nindent 20 }}
{{- end }}
{{- if .Values.initScripts }}
- name: custom-init-scripts

6
bitnami/opensearch/templates/master/statefulset.yaml
View File

@@ -302,9 +302,11 @@ spec:
defaultMode: 256
sources:
- secret:
name: {{ include "opensearch.master.tlsSecretName" . }}
name: {{ include "opensearch.node.tlsSecretName" (dict "nodeRole" "master" "context" $) }}
items: {{- include "opensearch.node.tlsSecretItems" (dict "nodeRole" "master" "context" $) | nindent 20 }}
- secret:
name: {{ include "opensearch.admin.tlsSecretName" . }}
name: {{ include "opensearch.admin.tlsSecretName" (dict "context" $) }}
items: {{- include "opensearch.admin.tlsSecretItems" (dict "context" $) | nindent 20 }}
{{- end }}
{{- if .Values.initScripts }}
- name: custom-init-scripts

1
bitnami/opensearch/templates/tls-secret.yaml
View File

@@ -123,4 +123,3 @@ data:
ca.crt: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "ca.crt" "defaultValue" $ca.Cert "context" $) }}
{{- end }}
{{- end }}

47
bitnami/opensearch/values.yaml
View File

@@ -225,9 +225,13 @@ security:
tls:
## @section OpenSearch admin parameters
## @param security.tls.admin.existingSecret Existing secret containing the certificates for admin
## @param security.tls.admin.certKey Key containing the crt for admin certificate (defaults to admin.crt)
## @param security.tls.admin.keyKey Key containing the key for admin certificate (defaults to admin.key)
##
admin:
existingSecret: ""
certKey: ""
keyKey: ""
## @param security.tls.restEncryption Enable SSL/TLS encryption for OpenSearch REST API.
##
restEncryption: false
@@ -241,19 +245,54 @@ security:
## Ref: https://www.open.co/guide/en/opensearch/reference/current/security-settings.html
##
verificationMode: "full"
## @param security.tls.master.existingSecret Existing secret containing the certificates for the master nodes
## @param security.tls.data.existingSecret Existing secret containing the certificates for the data nodes
## @param security.tls.ingest.existingSecret Existing secret containing the certificates for the ingest nodes
## @param security.tls.coordinating.existingSecret Existing secret containing the certificates for the coordinating nodes
## TLS configuration for master nodes
##
master:
## @param security.tls.master.existingSecret Existing secret containing the certificates for the master nodes
## @param security.tls.master.certKey Key containing the crt for master nodes certificate (defaults to tls.crt)
## @param security.tls.master.keyKey Key containing the key for master nodes certificate (defaults to tls.key)
## @param security.tls.master.caKey Key containing the ca for master nodes certificate (defaults to ca.crt)
##
existingSecret: ""
certKey: ""
keyKey: ""
caKey: ""
## TLS configuration for data nodes
##
data:
## @param security.tls.data.existingSecret Existing secret containing the certificates for the data nodes
## @param security.tls.data.certKey Key containing the crt for data nodes certificate (defaults to tls.crt)
## @param security.tls.data.keyKey Key containing the key for data nodes certificate (defaults to tls.key)
## @param security.tls.data.caKey Key containing the ca for data nodes certificate (defaults to ca.crt)
##
existingSecret: ""
certKey: ""
keyKey: ""
caKey: ""
## TLS configuration for ingest nodes
##
ingest:
## @param security.tls.ingest.existingSecret Existing secret containing the certificates for the ingest nodes
## @param security.tls.ingest.certKey Key containing the crt for ingest nodes certificate (defaults to tls.crt)
## @param security.tls.ingest.keyKey Key containing the key for ingest nodes certificate (defaults to tls.key)
## @param security.tls.ingest.caKey Key containing the ca for ingest nodes certificate (defaults to ca.crt)
##
existingSecret: ""
certKey: ""
keyKey: ""
caKey: ""
## TLS configuration for coordinating nodes
##
coordinating:
## @param security.tls.coordinating.existingSecret Existing secret containing the certificates for the coordinating nodes
## @param security.tls.coordinating.certKey Key containing the crt for coordinating nodes certificate (defaults to tls.crt)
## @param security.tls.coordinating.keyKey Key containing the key for coordinating nodes certificate (defaults to tls.key)
## @param security.tls.coordinating.caKey Key containing the ca for coordinating nodes certificate (defaults to ca.crt)
##
existingSecret: ""
certKey: ""
keyKey: ""
caKey: ""
## @param security.tls.keystoreFilename Name of the keystore file
##
keystoreFilename: opensearch.keystore.jks