From 645371f609fb4959b65e80e216484c1221a18c12 Mon Sep 17 00:00:00 2001
From: Craig Perkins
Date: Thu, 21 Nov 2024 13:34:23 -0500
Subject: [PATCH 1/5] Allow security plugin's install_demo_configuration write to opensearch.yml

Signed-off-by: Craig Perkins
---
 charts/opensearch/values.yaml | 76 +++++++++++++++++------------------
 1 file changed, 38 insertions(+), 38 deletions(-)

diff --git a/charts/opensearch/values.yaml b/charts/opensearch/values.yaml
index 02e356f4..8e5c6eaf 100644
--- a/charts/opensearch/values.yaml
+++ b/charts/opensearch/values.yaml
@@ -58,44 +58,44 @@ config:

 # Start OpenSearch Security Demo Configuration
 # WARNING: revise all the lines below before you go into production
- plugins:
- security:
- ssl:
- transport:
- pemcert_filepath: esnode.pem
- pemkey_filepath: esnode-key.pem
- pemtrustedcas_filepath: root-ca.pem
- enforce_hostname_verification: false
- http:
- enabled: true
- pemcert_filepath: esnode.pem
- pemkey_filepath: esnode-key.pem
- pemtrustedcas_filepath: root-ca.pem
- allow_unsafe_democertificates: true
- allow_default_init_securityindex: true
- authcz:
- admin_dn:
- - CN=kirk,OU=client,O=client,L=test,C=de
- audit.type: internal_opensearch
- enable_snapshot_restore_privilege: true
- check_snapshot_restore_write_privileges: true
- restapi:
- roles_enabled: ["all_access", "security_rest_api_access"]
- system_indices:
- enabled: true
- indices:
- [
- ".opendistro-alerting-config",
- ".opendistro-alerting-alert*",
- ".opendistro-anomaly-results*",
- ".opendistro-anomaly-detector*",
- ".opendistro-anomaly-checkpoints",
- ".opendistro-anomaly-detection-state",
- ".opendistro-reports-*",
- ".opendistro-notifications-*",
- ".opendistro-notebooks",
- ".opendistro-asynchronous-search-response*",
- ]
+ # plugins:
+ # security:
+ # ssl:
+ # transport:
+ # pemcert_filepath: esnode.pem
+ # pemkey_filepath: esnode-key.pem
+ # pemtrustedcas_filepath: root-ca.pem
+ # enforce_hostname_verification: false
+ # http:
+ # enabled: true
+ # pemcert_filepath: esnode.pem
+ # pemkey_filepath: esnode-key.pem
+ # pemtrustedcas_filepath: root-ca.pem
+ # allow_unsafe_democertificates: true
+ # allow_default_init_securityindex: true
+ # authcz:
+ # admin_dn:
+ # - CN=kirk,OU=client,O=client,L=test,C=de
+ # audit.type: internal_opensearch
+ # enable_snapshot_restore_privilege: true
+ # check_snapshot_restore_write_privileges: true
+ # restapi:
+ # roles_enabled: ["all_access", "security_rest_api_access"]
+ # system_indices:
+ # enabled: true
+ # indices:
+ # [
+ # ".opendistro-alerting-config",
+ # ".opendistro-alerting-alert*",
+ # ".opendistro-anomaly-results*",
+ # ".opendistro-anomaly-detector*",
+ # ".opendistro-anomaly-checkpoints",
+ # ".opendistro-anomaly-detection-state",
+ # ".opendistro-reports-*",
+ # ".opendistro-notifications-*",
+ # ".opendistro-notebooks",
+ # ".opendistro-asynchronous-search-response*",
+ # ]
 ######## End OpenSearch Security Demo Configuration ########
 # log4j2.properties:

From f28a8f9b1a9aedf424910db9bdd083183832cbf4 Mon Sep 17 00:00:00 2001
From: Craig Perkins
Date: Thu, 21 Nov 2024 16:47:34 -0500
Subject: [PATCH 2/5] Increment to 2.27.1

Signed-off-by: Craig Perkins
---
 charts/opensearch/CHANGELOG.md | 9 +++++++++
 charts/opensearch/Chart.yaml | 2 +-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/charts/opensearch/CHANGELOG.md b/charts/opensearch/CHANGELOG.md
index 2e91071a..4cd8fb13 100644
--- a/charts/opensearch/CHANGELOG.md
+++ b/charts/opensearch/CHANGELOG.md
@@ -14,6 +14,15 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Fixed
 ### Security
 ---
+## [2.27.1]
+### Added
+### Changed
+### Deprecated
+### Removed
+### Fixed
+- Remove default opensearch.yml config in Values.yaml to avoid security plugin conflicts
+### Security
+---
 ## [2.27.0]
 ### Added
 - Updated OpenSearch appVersion to 2.18.0
diff --git a/charts/opensearch/Chart.yaml b/charts/opensearch/Chart.yaml
index 835a0d50..a5bce599 100644
--- a/charts/opensearch/Chart.yaml
+++ b/charts/opensearch/Chart.yaml
@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 2.27.0
+version: 2.27.1
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
From 4cd2ba0ac855191aad87bd137dbd5457f0f86432 Mon Sep 17 00:00:00 2001
From: Craig Perkins
Date: Thu, 21 Nov 2024 18:03:58 -0500
Subject: [PATCH 3/5] Change target branch

Signed-off-by: Craig Perkins
---
 ct.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ct.yaml b/ct.yaml
index d523e917..7662285a 100644
--- a/ct.yaml
+++ b/ct.yaml
@@ -1,3 +1,3 @@
 # See https://github.com/helm/chart-testing#configuration
-target-branch: main
+target-branch: fix-demo-security
 helm-extra-args: --timeout 1000s

From 1f1da4e76f2bebe88df5c4a1eeae850323f6440a Mon Sep 17 00:00:00 2001
From: Craig Perkins
Date: Thu, 21 Nov 2024 18:20:35 -0500
Subject: [PATCH 4/5] Comment out in ci/ci-ingress-class-name-values.yaml

Signed-off-by: Craig Perkins
---
 charts/opensearch/CHANGELOG.md | 3 +-
 .../ci/ci-ingress-class-name-values.yaml | 76 +++++++++----------
 ct.yaml | 2 +-
 3 files changed, 41 insertions(+), 40 deletions(-)

diff --git a/charts/opensearch/CHANGELOG.md b/charts/opensearch/CHANGELOG.md
index 4cd8fb13..5234649b 100644
--- a/charts/opensearch/CHANGELOG.md
+++ b/charts/opensearch/CHANGELOG.md
@@ -530,7 +530,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Fixed
 ### Security

-[Unreleased]: https://github.com/opensearch-project/helm-charts/compare/opensearch-2.27.0...HEAD
+[Unreleased]: https://github.com/opensearch-project/helm-charts/compare/opensearch-2.27.1...HEAD
+[2.27.1]: https://github.com/opensearch-project/helm-charts/compare/opensearch-2.27.0...opensearch-2.27.1
 [2.27.0]: https://github.com/opensearch-project/helm-charts/compare/opensearch-2.26.1...opensearch-2.27.0
 [2.26.1]: https://github.com/opensearch-project/helm-charts/compare/opensearch-2.26.0...opensearch-2.26.1
 [2.26.0]: https://github.com/opensearch-project/helm-charts/compare/opensearch-2.25.0...opensearch-2.26.0
diff --git a/charts/opensearch/ci/ci-ingress-class-name-values.yaml b/charts/opensearch/ci/ci-ingress-class-name-values.yaml
index c02e2756..6110205c 100644
--- a/charts/opensearch/ci/ci-ingress-class-name-values.yaml
+++ b/charts/opensearch/ci/ci-ingress-class-name-values.yaml
@@ -53,44 +53,44 @@ config:

 # Start OpenSearch Security Demo Configuration
 # WARNING: revise all the lines below before you go into production
- plugins:
- security:
- ssl:
- transport:
- pemcert_filepath: esnode.pem
- pemkey_filepath: esnode-key.pem
- pemtrustedcas_filepath: root-ca.pem
- enforce_hostname_verification: false
- http:
- enabled: true
- pemcert_filepath: esnode.pem
- pemkey_filepath: esnode-key.pem
- pemtrustedcas_filepath: root-ca.pem
- allow_unsafe_democertificates: true
- allow_default_init_securityindex: true
- authcz:
- admin_dn:
- - CN=kirk,OU=client,O=client,L=test,C=de
- audit.type: internal_opensearch
- enable_snapshot_restore_privilege: true
- check_snapshot_restore_write_privileges: true
- restapi:
- roles_enabled: ["all_access", "security_rest_api_access"]
- system_indices:
- enabled: true
- indices:
- [
- ".opendistro-alerting-config",
- ".opendistro-alerting-alert*",
- ".opendistro-anomaly-results*",
- ".opendistro-anomaly-detector*",
- ".opendistro-anomaly-checkpoints",
- ".opendistro-anomaly-detection-state",
- ".opendistro-reports-*",
- ".opendistro-notifications-*",
- ".opendistro-notebooks",
- ".opendistro-asynchronous-search-response*",
- ]
+ # plugins:
+ # security:
+ # ssl:
+ # transport:
+ # pemcert_filepath: esnode.pem
+ # pemkey_filepath: esnode-key.pem
+ # pemtrustedcas_filepath: root-ca.pem
+ # enforce_hostname_verification: false
+ # http:
+ # enabled: true
+ # pemcert_filepath: esnode.pem
+ # pemkey_filepath: esnode-key.pem
+ # pemtrustedcas_filepath: root-ca.pem
+ # allow_unsafe_democertificates: true
+ # allow_default_init_securityindex: true
+ # authcz:
+ # admin_dn:
+ # - CN=kirk,OU=client,O=client,L=test,C=de
+ # audit.type: internal_opensearch
+ # enable_snapshot_restore_privilege: true
+ # check_snapshot_restore_write_privileges: true
+ # restapi:
+ # roles_enabled: ["all_access", "security_rest_api_access"]
+ # system_indices:
+ # enabled: true
+ # indices:
+ # [
+ # ".opendistro-alerting-config",
+ # ".opendistro-alerting-alert*",
+ # ".opendistro-anomaly-results*",
+ # ".opendistro-anomaly-detector*",
+ # ".opendistro-anomaly-checkpoints",
+ # ".opendistro-anomaly-detection-state",
+ # ".opendistro-reports-*",
+ # ".opendistro-notifications-*",
+ # ".opendistro-notebooks",
+ # ".opendistro-asynchronous-search-response*",
+ # ]
 ######## End OpenSearch Security Demo Configuration ########
 # log4j2.properties:

diff --git a/ct.yaml b/ct.yaml
index 7662285a..d523e917 100644
--- a/ct.yaml
+++ b/ct.yaml
@@ -1,3 +1,3 @@
 # See https://github.com/helm/chart-testing#configuration
-target-branch: fix-demo-security
+target-branch: main
 helm-extra-args: --timeout 1000s

From 695d5692038f4e38ae8da5fc3ac8e862b9fcd418 Mon Sep 17 00:00:00 2001
From: Craig Perkins
Date: Thu, 21 Nov 2024 18:22:13 -0500
Subject: [PATCH 5/5] Comment out demo security values

Signed-off-by: Craig Perkins
---
 .../ci/ci-ingress-class-name-values.yaml | 6 +-
 .../opensearch/ci/ci-rbac-enabled-values.yaml | 82 +++++++++----------
 charts/opensearch/ci/ci-values.yaml | 82 +++++++++----------
 3 files changed, 85 insertions(+), 85 deletions(-)

diff --git a/charts/opensearch/ci/ci-ingress-class-name-values.yaml b/charts/opensearch/ci/ci-ingress-class-name-values.yaml
index 6110205c..d78f930f 100644
--- a/charts/opensearch/ci/ci-ingress-class-name-values.yaml
+++ b/charts/opensearch/ci/ci-ingress-class-name-values.yaml
@@ -51,8 +51,8 @@ config:
 # Setting network.host to a non-loopback address enables the annoying bootstrap checks. "Single-node" mode disables them again.
 # discovery.type: single-node

- # Start OpenSearch Security Demo Configuration
- # WARNING: revise all the lines below before you go into production
+ # # Start OpenSearch Security Demo Configuration
+ # # WARNING: revise all the lines below before you go into production
 # plugins:
 # security:
 # ssl:
@@ -91,7 +91,7 @@ config:
 # ".opendistro-notebooks",
 # ".opendistro-asynchronous-search-response*",
 # ]
- ######## End OpenSearch Security Demo Configuration ########
+ # ######## End OpenSearch Security Demo Configuration ########
 # log4j2.properties:

 # Extra environment variables to append to this nodeGroup
diff --git a/charts/opensearch/ci/ci-rbac-enabled-values.yaml b/charts/opensearch/ci/ci-rbac-enabled-values.yaml
index b2463d55..91b4a595 100755
--- a/charts/opensearch/ci/ci-rbac-enabled-values.yaml
+++ b/charts/opensearch/ci/ci-rbac-enabled-values.yaml
@@ -51,47 +51,47 @@ config:
 # Setting network.host to a non-loopback address enables the annoying bootstrap checks. "Single-node" mode disables them again.
 # discovery.type: single-node

- # Start OpenSearch Security Demo Configuration
- # WARNING: revise all the lines below before you go into production
- plugins:
- security:
- ssl:
- transport:
- pemcert_filepath: esnode.pem
- pemkey_filepath: esnode-key.pem
- pemtrustedcas_filepath: root-ca.pem
- enforce_hostname_verification: false
- http:
- enabled: true
- pemcert_filepath: esnode.pem
- pemkey_filepath: esnode-key.pem
- pemtrustedcas_filepath: root-ca.pem
- allow_unsafe_democertificates: true
- allow_default_init_securityindex: true
- authcz:
- admin_dn:
- - CN=kirk,OU=client,O=client,L=test,C=de
- audit.type: internal_opensearch
- enable_snapshot_restore_privilege: true
- check_snapshot_restore_write_privileges: true
- restapi:
- roles_enabled: ["all_access", "security_rest_api_access"]
- system_indices:
- enabled: true
- indices:
- [
- ".opendistro-alerting-config",
- ".opendistro-alerting-alert*",
- ".opendistro-anomaly-results*",
- ".opendistro-anomaly-detector*",
- ".opendistro-anomaly-checkpoints",
- ".opendistro-anomaly-detection-state",
- ".opendistro-reports-*",
- ".opendistro-notifications-*",
- ".opendistro-notebooks",
- ".opendistro-asynchronous-search-response*",
- ]
- ######## End OpenSearch Security Demo Configuration ########
+ # # Start OpenSearch Security Demo Configuration
+ # # WARNING: revise all the lines below before you go into production
+ # plugins:
+ # security:
+ # ssl:
+ # transport:
+ # pemcert_filepath: esnode.pem
+ # pemkey_filepath: esnode-key.pem
+ # pemtrustedcas_filepath: root-ca.pem
+ # enforce_hostname_verification: false
+ # http:
+ # enabled: true
+ # pemcert_filepath: esnode.pem
+ # pemkey_filepath: esnode-key.pem
+ # pemtrustedcas_filepath: root-ca.pem
+ # allow_unsafe_democertificates: true
+ # allow_default_init_securityindex: true
+ # authcz:
+ # admin_dn:
+ # - CN=kirk,OU=client,O=client,L=test,C=de
+ # audit.type: internal_opensearch
+ # enable_snapshot_restore_privilege: true
+ # check_snapshot_restore_write_privileges: true
+ # restapi:
+ # roles_enabled: ["all_access", "security_rest_api_access"]
+ # system_indices:
+ # enabled: true
+ # indices:
+ # [
+ # ".opendistro-alerting-config",
+ # ".opendistro-alerting-alert*",
+ # ".opendistro-anomaly-results*",
+ # ".opendistro-anomaly-detector*",
+ # ".opendistro-anomaly-checkpoints",
+ # ".opendistro-anomaly-detection-state",
+ # ".opendistro-reports-*",
+ # ".opendistro-notifications-*",
+ # ".opendistro-notebooks",
+ # ".opendistro-asynchronous-search-response*",
+ # ]
+ # ######## End OpenSearch Security Demo Configuration ########
 # log4j2.properties:

 # Extra environment variables to append to this nodeGroup
diff --git a/charts/opensearch/ci/ci-values.yaml b/charts/opensearch/ci/ci-values.yaml
index fbd24cc8..b09ef89a 100755
--- a/charts/opensearch/ci/ci-values.yaml
+++ b/charts/opensearch/ci/ci-values.yaml
@@ -51,47 +51,47 @@ config:
 # Setting network.host to a non-loopback address enables the annoying bootstrap checks. "Single-node" mode disables them again.
 # discovery.type: single-node

- # Start OpenSearch Security Demo Configuration
- # WARNING: revise all the lines below before you go into production
- plugins:
- security:
- ssl:
- transport:
- pemcert_filepath: esnode.pem
- pemkey_filepath: esnode-key.pem
- pemtrustedcas_filepath: root-ca.pem
- enforce_hostname_verification: false
- http:
- enabled: true
- pemcert_filepath: esnode.pem
- pemkey_filepath: esnode-key.pem
- pemtrustedcas_filepath: root-ca.pem
- allow_unsafe_democertificates: true
- allow_default_init_securityindex: true
- authcz:
- admin_dn:
- - CN=kirk,OU=client,O=client,L=test,C=de
- audit.type: internal_opensearch
- enable_snapshot_restore_privilege: true
- check_snapshot_restore_write_privileges: true
- restapi:
- roles_enabled: ["all_access", "security_rest_api_access"]
- system_indices:
- enabled: true
- indices:
- [
- ".opendistro-alerting-config",
- ".opendistro-alerting-alert*",
- ".opendistro-anomaly-results*",
- ".opendistro-anomaly-detector*",
- ".opendistro-anomaly-checkpoints",
- ".opendistro-anomaly-detection-state",
- ".opendistro-reports-*",
- ".opendistro-notifications-*",
- ".opendistro-notebooks",
- ".opendistro-asynchronous-search-response*",
- ]
- ######## End OpenSearch Security Demo Configuration ########
+ # # Start OpenSearch Security Demo Configuration
+ # # WARNING: revise all the lines below before you go into production
+ # plugins:
+ # security:
+ # ssl:
+ # transport:
+ # pemcert_filepath: esnode.pem
+ # pemkey_filepath: esnode-key.pem
+ # pemtrustedcas_filepath: root-ca.pem
+ # enforce_hostname_verification: false
+ # http:
+ # enabled: true
+ # pemcert_filepath: esnode.pem
+ # pemkey_filepath: esnode-key.pem
+ # pemtrustedcas_filepath: root-ca.pem
+ # allow_unsafe_democertificates: true
+ # allow_default_init_securityindex: true
+ # authcz:
+ # admin_dn:
+ # - CN=kirk,OU=client,O=client,L=test,C=de
+ # audit.type: internal_opensearch
+ # enable_snapshot_restore_privilege: true
+ # check_snapshot_restore_write_privileges: true
+ # restapi:
+ # roles_enabled: ["all_access", "security_rest_api_access"]
+ # system_indices:
+ # enabled: true
+ # indices:
+ # [
+ # ".opendistro-alerting-config",
+ # ".opendistro-alerting-alert*",
+ # ".opendistro-anomaly-results*",
+ # ".opendistro-anomaly-detector*",
+ # ".opendistro-anomaly-checkpoints",
+ # ".opendistro-anomaly-detection-state",
+ # ".opendistro-reports-*",
+ # ".opendistro-notifications-*",
+ # ".opendistro-notebooks",
+ # ".opendistro-asynchronous-search-response*",
+ # ]
+ # ######## End OpenSearch Security Demo Configuration ########
 # log4j2.properties:

 # Extra environment variables to append to this nodeGroup