Merge pull request #1 from iam404/disable-security-plugin

Allow Option to Disable Security Plugin, TLS & add ability to set podManagementPolicy to Parallel

charts/opensearch-operator/files/opensearch.opster.io_opensearchclusters.yaml

@@ -4849,6 +4849,14 @@ spec:
                               type: string
                           type: object
                       type: object
+                    podManagementPolicy:
+                      default: OrderedReady
+                      description: PodManagementPolicyType defines the policy for
+                        creating pods under a stateful set.
+                      enum:
+                      - OrderedReady
+                      - Parallel
+                      type: string
                     priorityClassName:
                       type: string
                     probes:
@@ -5302,6 +5310,8 @@ spec:
                             type: object
                         type: object
                     type: object
+                  disable:
+                    type: boolean
                   tls:
                     description: Configure tls usage for transport and http interface
                     properties:

opensearch-operator/api/v1/opensearch_types.go

@@ -17,6 +17,7 @@ limitations under the License.
 package v1
 
 import (
+	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/intstr"
@@ -106,8 +107,12 @@ type ReadinessProbeConfig struct {
 }
 
 type NodePool struct {
-	Component                 string                            `json:"component"`
-	Replicas                  int32                             `json:"replicas"`
+	Component string `json:"component"`
+	Replicas  int32  `json:"replicas"`
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:validation:Enum=OrderedReady;Parallel
+	// +kubebuilder:default:=OrderedReady
+	PodManagementPolicy       appsv1.PodManagementPolicyType    `json:"podManagementPolicy,omitempty"`
 	DiskSize                  string                            `json:"diskSize,omitempty"`
 	Resources                 corev1.ResourceRequirements       `json:"resources,omitempty"`
 	Jvm                       string                            `json:"jvm,omitempty"`
@@ -219,8 +224,9 @@ type DashboardsTlsConfig struct {
 
 // Security defines options for managing the opensearch-security plugin
 type Security struct {
-	Tls    *TlsConfig      `json:"tls,omitempty"`
-	Config *SecurityConfig `json:"config,omitempty"`
+	Disable bool            `json:"disable,omitempty"`
+	Tls     *TlsConfig      `json:"tls,omitempty"`
+	Config  *SecurityConfig `json:"config,omitempty"`
 }
 
 // Configure tls usage for transport and http interface

opensearch-operator/config/crd/bases/opensearch.opster.io_opensearchclusters.yaml

@@ -4849,6 +4849,14 @@ spec:
                               type: string
                           type: object
                       type: object
+                    podManagementPolicy:
+                      default: OrderedReady
+                      description: PodManagementPolicyType defines the policy for
+                        creating pods under a stateful set.
+                      enum:
+                      - OrderedReady
+                      - Parallel
+                      type: string
                     priorityClassName:
                       type: string
                     probes:
@@ -5302,6 +5310,8 @@ spec:
                             type: object
                         type: object
                     type: object
+                  disable:
+                    type: boolean
                   tls:
                     description: Configure tls usage for transport and http interface
                     properties:

opensearch-operator/pkg/builders/cluster.go

@@ -279,8 +279,9 @@ func NewSTSForNodePool(
 
 	// Because the http endpoint requires auth we need to do it as a curl script
 	httpPort := PortForCluster(cr)
+	portScheme := SchemeForCluster(cr)
 
-	curlCmd := "curl -k -u \"$(cat /mnt/admin-credentials/username):$(cat /mnt/admin-credentials/password)\" --silent --fail https://localhost:" + fmt.Sprint(httpPort)
+	curlCmd := "curl -k -u \"$(cat /mnt/admin-credentials/username):$(cat /mnt/admin-credentials/password)\" --silent --fail " + fmt.Sprint(portScheme) + "://localhost:" + fmt.Sprint(httpPort)
 	readinessProbe := corev1.Probe{
 		InitialDelaySeconds: readinessProbeInitialDelaySeconds,
 		PeriodSeconds:       readinessProbePeriodSeconds,
@@ -455,7 +456,7 @@ func NewSTSForNodePool(
 			Selector: &metav1.LabelSelector{
 				MatchLabels: matchLabels,
 			},
-			PodManagementPolicy: appsv1.OrderedReadyPodManagement,
+			PodManagementPolicy: node.PodManagementPolicy,
 			UpdateStrategy: appsv1.StatefulSetUpdateStrategy{
 				Type: appsv1.OnDeleteStatefulSetStrategyType,
 			},
@@ -931,6 +932,16 @@ func NewBootstrapPod(
 	return pod
 }
 
+func SchemeForCluster(cr *opsterv1.OpenSearchCluster) string {
+
+	if cr.Spec.Security.Disable {
+		return fmt.Sprintf("http")
+	}
+
+	return fmt.Sprintf("https")
+
+}
+
 func PortForCluster(cr *opsterv1.OpenSearchCluster) int32 {
 	httpPort := int32(9200)
 	if cr.Spec.General.HttpPort > 0 {
@@ -940,8 +951,9 @@ func PortForCluster(cr *opsterv1.OpenSearchCluster) int32 {
 }
 
 func URLForCluster(cr *opsterv1.OpenSearchCluster) string {
+	httpScheme := SchemeForCluster(cr)
 	httpPort := PortForCluster(cr)
-	return fmt.Sprintf("https://%s.svc.%s:%d", DnsOfService(cr), helpers.ClusterDnsBase(), httpPort)
+	return fmt.Sprintf("%s://%s.svc.%s:%d", httpScheme, DnsOfService(cr), helpers.ClusterDnsBase(), httpPort)
 }
 
 func PasswordSecret(cr *opsterv1.OpenSearchCluster, username, password string) *corev1.Secret {

opensearch-operator/pkg/builders/dashboards.go

@@ -120,7 +120,12 @@ func NewDashboardsDeploymentForCR(cr *opsterv1.OpenSearchCluster, volumes []core
 		},
 	}
 
-	mainCommand := helpers.BuildMainCommandOSD("./bin/opensearch-dashboards-plugin", cr.Spec.Dashboards.PluginsList, "./opensearch-dashboards-docker-entrypoint.sh")
+	removePluginList := []string{}
+	// Remove Security Plugin when Security is disabled
+	if cr.Spec.Security.Disable {
+		removePluginList = []string{"securityDashboards"}
+	}
+	mainCommand := helpers.BuildMainCommandOSD("./bin/opensearch-dashboards-plugin", cr.Spec.Dashboards.PluginsList, removePluginList, "./opensearch-dashboards-docker-entrypoint.sh")
 
 	return &appsv1.Deployment{
 		ObjectMeta: metav1.ObjectMeta{

opensearch-operator/pkg/helpers/reconcile-helpers.go

@@ -147,7 +147,7 @@ func BuildMainCommand(installerBinary string, pluginsList []string, batchMode bo
 	return mainCommand
 }
 
-func BuildMainCommandOSD(installerBinary string, pluginsList []string, entrypoint string) []string {
+func BuildMainCommandOSD(installerBinary string, pluginsList []string, removePluginsList []string, entrypoint string) []string {
 	var mainCommand []string
 	mainCommand = append(mainCommand, "/bin/bash", "-c")
 
@@ -156,6 +156,11 @@ func BuildMainCommandOSD(installerBinary string, pluginsList []string, entrypoin
 		com = com + installerBinary + " install" + " '" + strings.Replace(plugin, "'", "\\'", -1) + "'"
 		com = com + " && "
 	}
+
+	for _, plugin := range removePluginsList {
+		com = com + installerBinary + " remove" + " '" + strings.Replace(plugin, "'", "\\'", -1) + "'"
+		com = com + " && "
+	}
 	com = com + entrypoint
 
 	mainCommand = append(mainCommand, com)

opensearch-operator/pkg/reconcilers/cluster.go

@@ -182,8 +182,9 @@ func (r *ClusterReconciler) reconcileNodeStatefulSet(nodePool opsterv1.NodePool,
 	}
 
 	// Detect cluster failure and initiate parallel recovery
+	// Unless PodManagementPolicy is already set as "Parallel" while cluster creation
 	if helpers.ParallelRecoveryMode() &&
-		(nodePool.Persistence == nil || nodePool.Persistence.PersistenceSource.PVC != nil) {
+		(nodePool.PodManagementPolicy != appsv1.ParallelPodManagement && (nodePool.Persistence == nil || nodePool.Persistence.PersistenceSource.PVC != nil)) {
 		// This logic only works if the STS uses PVCs
 		// First check if the STS already has a readable status (CurrentRevision == "" indicates the STS is newly created and the controller has not yet updated the status properly)
 		if existing.Status.CurrentRevision == "" {

opensearch-operator/pkg/reconcilers/configuration.go

@@ -60,13 +60,15 @@ func (r *ConfigurationReconciler) Reconcile() (ctrl.Result, error) {
 
 	if len(r.reconcilerContext.OpenSearchConfig) > 0 {
 		// Add some default config for the security plugin
-		r.reconcilerContext.AddConfig("plugins.security.audit.type", "internal_opensearch")
-		r.reconcilerContext.AddConfig("plugins.security.enable_snapshot_restore_privilege", "true")
-		r.reconcilerContext.AddConfig("plugins.security.check_snapshot_restore_write_privileges", "true")
-		r.reconcilerContext.AddConfig("plugins.security.restapi.roles_enabled", `["all_access", "security_rest_api_access"]`)
-		r.reconcilerContext.AddConfig("plugins.security.system_indices.enabled", "true")
-		r.reconcilerContext.AddConfig("plugins.security.system_indices.indices", string(systemIndices))
-
+		// Only of Security Plugin is not disabled
+		if !r.instance.Spec.Security.Disable {
+			r.reconcilerContext.AddConfig("plugins.security.audit.type", "internal_opensearch")
+			r.reconcilerContext.AddConfig("plugins.security.enable_snapshot_restore_privilege", "true")
+			r.reconcilerContext.AddConfig("plugins.security.check_snapshot_restore_write_privileges", "true")
+			r.reconcilerContext.AddConfig("plugins.security.restapi.roles_enabled", `["all_access", "security_rest_api_access"]`)
+			r.reconcilerContext.AddConfig("plugins.security.system_indices.enabled", "true")
+			r.reconcilerContext.AddConfig("plugins.security.system_indices.indices", string(systemIndices))
+		}
 	}
 
 	var sb strings.Builder

opensearch-operator/pkg/reconcilers/securityconfig.go

@@ -88,6 +88,11 @@ func NewSecurityconfigReconciler(
 }
 
 func (r *SecurityconfigReconciler) Reconcile() (ctrl.Result, error) {
+	// Return if Security Plugin is disabled
+	if r.instance.Spec.Security.Disable {
+		return ctrl.Result{}, nil
+	}
+
 	if r.instance.Spec.Security == nil {
 		return ctrl.Result{}, nil
 	}

opensearch-operator/pkg/reconcilers/tls.go

@@ -56,6 +56,13 @@ const (
 )
 
 func (r *TLSReconciler) Reconcile() (ctrl.Result, error) {
+
+	if r.instance.Spec.Security.Disable {
+		r.logger.Info("Security Plugin is disabled. Adding plugins.security.disabled=true to config")
+		r.reconcilerContext.AddConfig("plugins.security.disabled", "true")
+		return ctrl.Result{}, nil
+	}
+
 	if r.instance.Spec.Security == nil || r.instance.Spec.Security.Tls == nil {
 		r.logger.Info("No security specified. Not doing anything")
 		return ctrl.Result{}, nil
@@ -535,12 +542,14 @@ func (r *TLSReconciler) handleHttp() error {
 			mount("http", "key", corev1.TLSPrivateKeyKey, tlsConfig.TlsCertificateConfig.Secret.Name, r.reconcilerContext)
 			mount("http", "cert", corev1.TLSCertKey, tlsConfig.TlsCertificateConfig.Secret.Name, r.reconcilerContext)
 		}
+
 	}
 	// Extend opensearch.yml
 	r.reconcilerContext.AddConfig("plugins.security.ssl.http.enabled", "true")
 	r.reconcilerContext.AddConfig("plugins.security.ssl.http.pemcert_filepath", fmt.Sprintf("tls-http/%s", corev1.TLSCertKey))
 	r.reconcilerContext.AddConfig("plugins.security.ssl.http.pemkey_filepath", fmt.Sprintf("tls-http/%s", corev1.TLSPrivateKeyKey))
 	r.reconcilerContext.AddConfig("plugins.security.ssl.http.pemtrustedcas_filepath", fmt.Sprintf("tls-http/%s", CaCertKey))
+
 	return nil
 }
 

opensearch-operator/pkg/reconcilers/util/util.go

@@ -213,7 +213,8 @@ func CreateAdditionalVolumes(
 
 func OpensearchClusterURL(cluster *opsterv1.OpenSearchCluster) string {
 	return fmt.Sprintf(
-		"https://%s.%s.svc.%s:%v",
+		"%s://%s.%s.svc.%s:%v",
+		builders.SchemeForCluster(cluster),
 		cluster.Spec.General.ServiceName,
 		cluster.Namespace,
 		helpers.ClusterDnsBase(),