opensearch-k8s-operator
getting error in integrating keycloak with opensearch
Hi Team, I am trying to integrate Keycloak with OpenSearch using the k8s opster operator. I am getting some errors. Refer to the yaml files and error details below.
opensearch.yaml

```yaml
apiVersion: opensearch.opster.io/v1
kind: OpenSearchCluster
metadata:
  name: my-cluster1
  namespace: opensearch
spec:
  security:
    config:
      adminCredentialsSecret:
        name: a-admin-credentials-secret
      securityConfigSecret:
        name: a-securityconfig-secret
    tls:
      transport:
        generate: true
      http:
        generate: true
  general:
    serviceName: my-cluster1
    version: 2.8.0
    pluginsList: ["repository-s3"]
    drainDataNodes: true
    setVMMaxMapCount: true
  dashboards:
    additionalConfig:
      logging.verbose: "true"
      server.name: my-cluster1-dashboards
      server.host: 0.0.0.0
      server.ssl.enabled: "true"
      server.ssl.key: /usr/share/opensearch-dashboards/config/opensearch.example.org.key
      server.ssl.certificate: /usr/share/opensearch-dashboards/config/opensearch.example.org.cert
      opensearch_security.auth.type: "openid"
      opensearch_security.auth.multiple_auth_enabled: "True"
      opensearch_security.openid.connect_url: https://x.x.x.x/.well-known/openid-configuration
      opensearch_security.openid.base_redirect_url: <dashboard-url>
      opensearch_security.openid.client_id: xxxxxx
      opensearch_security.openid.client_secret: xxxxxxxxxx
      opensearch_security.openid.scope: openid profile email
      opensearch_security.openid.header: Authorization
      opensearch_security.openid.trust_dynamic_headers: "true"
      opensearch.optimizedHealthcheckId: "my-cluster1"
      opensearch.hosts: "https://<opensearch-svc-ip>:9200"
      opensearch.username: "kibanaserver"
      opensearch.password: "kibanaserver"
      opensearch_security.openid.verify_hostnames: "false"
      opensearch_security.cookie.secure: "false"
      opensearch.ssl.verificationMode: none
      opensearch.requestHeadersWhitelist: |
        ["securitytenant","Authorization","security_tenant"]
    opensearchCredentialsSecret:
      name: a-admin-credentials-secret
    enable: true
    version: 2.8.0
    replicas: 1
    resources:
      requests:
        memory: "512Mi"
        cpu: "200m"
      limits:
        memory: "512Mi"
        cpu: "200m"
  nodePools:
    - component: masters
      replicas: 3
      diskSize: "5Gi"
      jvm: "-Dopensearch.allow_insecure_settings=true"
      resources:
        requests:
          memory: "2Gi"
          cpu: "500m"
        limits:
          memory: "3Gi"
          cpu: "1000m"
      roles:
        - "data"
        - "master"
        - "ingest"
      # persistence:
      #   pvc:
      #     storageClass: mystorageclass
      #     accessModes: # You can change the accessMode
      #       - ReadWriteOnce
```
admin-credentials-secret.yaml

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: a-admin-credentials-secret
  namespace: opensearch
type: Opaque
data:
  # admin
  username: YWRtaW4=
  # admin123
  # (note: this value decodes to "admin123" followed by a trailing newline,
  # which is what `echo admin123 | base64` produces)
  password: YWRtaW4xMjMK
```
securityconfig-secret.yaml

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: a-securityconfig-secret
  namespace: opensearch
type: Opaque
stringData:
  internal_users.yml: |-
    _meta:
      type: "internalusers"
      config_version: 2
    admin:
      hash: "$2a$12$vZHSkfDt1zB/rSLZ/GtIsuEpQ2O9aP8QorCXVSQMmptAD/9XpPSnK"
      reserved: true
      backend_roles:
        - "admin"
      description: "Demo admin user"
    anomalyadmin:
      hash: "$2y$12$TRwAAJgnNo67w3rVUz4FIeLx9Dy/llB79zf9I15CKJ9vkM4ZzAd3."
      reserved: false
      opendistro_security_roles:
        - "anomaly_full_access"
      description: "Demo anomaly admin user, using internal role"
    kibanaserver:
      hash: "$2a$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H."
      reserved: true
      description: "Demo OpenSearch Dashboards user"
    kibanaro:
      hash: "$2a$12$JJSXNfTowz7Uu5ttXfeYpeYE0arACvcwlPBStB1F.MI7f0U9Z4DGC"
      reserved: false
      backend_roles:
        - "kibanauser"
        - "readall"
      attributes:
        attribute1: "value1"
        attribute2: "value2"
        attribute3: "value3"
      description: "Demo OpenSearch Dashboards read only user, using external role mapping"
    logstash:
      hash: "$2a$12$u1ShR4l4uBS3Uv59Pa2y5.1uQuZBrZtmNfqB3iM/.jL0XoV9sghS2"
      reserved: false
      backend_roles:
        - "logstash"
      description: "Demo logstash user, using external role mapping"
    readall:
      hash: "$2a$12$ae4ycwzwvLtZxwZ82RmiEunBbIPiAmGZduBAjKN0TXdwQFtCwARz2"
      reserved: false
      backend_roles:
        - "readall"
      description: "Demo readall user, using external role mapping"
    snapshotrestore:
      hash: "$2y$12$DpwmetHKwgYnorbgdvORCenv4NAK8cPUg8AI6pxLCuWf/ALc0.v7W"
      reserved: false
      backend_roles:
        - "snapshotrestore"
      description: "Demo snapshotrestore user, using external role mapping"
  config.yml: |-
    _meta:
      type: "config"
      config_version: 2
    config:
      dynamic:
        authz: {}
        authc:
          basic_internal_auth_domain:
            http_enabled: true
            transport_enabled: true
            order: 0
            http_authenticator:
              type: basic
              challenge: false
            authentication_backend:
              type: intern
          openid_auth_domain:
            http_enabled: true
            transport_enabled: true
            order: 1
            http_authenticator:
              type: openid
              challenge: false
              config:
                openid_connect_idp:
                  enable_ssl: true
                  verify_hostnames: false
                  # the security plugin reads this key as a path to a local PEM file, not a URL
                  pemtrustedcas_filepath: "https://x.x.x.x/protocol/openid-connect/certs"
                subject_key: preferred_username
                roles_key: roles
                openid_connect_url: "https://x.x.x.x/.well-known/openid-configuration"
            authentication_backend:
              type: noop
```
OpenSearch pods are running fine and health is 100%, but the dashboard pod is not running. The dashboard logs show:
```text
Unable to retrieve version information from OpenSearch nodes.
{
  "level": "unavailable",
  "summary": "[59] services are unavailable",
  "detail": "See the status page for more information",
  "meta": {
    "affectedServices": {
      "opensearch": {
        "level": "unavailable",
        "summary": "Waiting for OpenSearch",
        "meta": {
          "warningNodes": [],
          "incompatibleNodes": []
        }
      }
      .
      .
      .
    }
  }
}
```
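One check worth running against the admin-credentials secret above: the `data` fields are base64, and `YWRtaW4xMjMK` decodes to `admin123` followed by a newline (the usual result of `echo admin123 | base64`), so every component that reads this Secret gets a password ending in a line break. The script below is an added example, not part of this issue or of the operator; the helper names are mine, and the sample values are copied from admin-credentials-secret.yaml in the post.

```shell
#!/bin/sh
# Added check: flag base64 Secret fields whose decoded value ends in a newline
# (the `echo value | base64` mistake) and print a corrected encoding.
# Sample values are copied from admin-credentials-secret.yaml in the post.

NL=$(printf '\nx'); NL=${NL%x}   # a literal newline that survives $(...)

# decode_b64 B64 -> decoded bytes followed by a sentinel "x", so that a
# trailing newline is not stripped by command substitution
decode_b64() {
  printf '%s' "$1" | base64 -d && printf x
}

# has_trailing_newline B64 -> exit 0 if the decoded value ends in "\n"
has_trailing_newline() {
  decoded=$(decode_b64 "$1")
  decoded=${decoded%x}
  case "$decoded" in
    *"$NL") return 0 ;;
    *)      return 1 ;;
  esac
}

# reencode_trimmed B64 -> the same value re-encoded without the trailing newline
reencode_trimmed() {
  decoded=$(decode_b64 "$1")
  decoded=${decoded%x}
  decoded=${decoded%"$NL"}
  printf '%s' "$decoded" | base64
}

# check_field NAME B64 -> prints an ok/WARN line; exit 1 when the field needs fixing
check_field() {
  if has_trailing_newline "$2"; then
    printf 'WARN: %s decodes with a trailing newline; use %s\n' "$1" "$(reencode_trimmed "$2")"
    return 1
  fi
  printf 'ok: %s\n' "$1"
}

# Fields from the post's admin-credentials-secret.yaml
check_field username 'YWRtaW4='            # ok: username
check_field password 'YWRtaW4xMjMK' || :   # WARN: ... use YWRtaW4xMjM=
```

To run it against a live cluster, feed `kubectl get secret a-admin-credentials-secret -n opensearch -o jsonpath='{.data.password}'` to `check_field` instead of the inline value.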