[bitnami/opensearch] Enable automated setup of snapshot policies (#29796

)

* [bitnami/opensearch] Conditionally create PVC for snapshots

I've borrowowed most of the config from the dashboards PVC.

Signed-off-by: Andreas Lindhé <7773090+lindhe@users.noreply.github.com>

* [bitnami/opensearch] Create volumes for snapshots

Signed-off-by: Andreas Lindhé <7773090+lindhe@users.noreply.github.com>

* [bitnami/opensearch] Create snapshots post-install hook

This change creates a new job to be run as an optional post-install
hook for creating initial snapshot policies in OpenSearch, along with
relvant ConfigMaps and NetworkPolicies.

I have tried to follow most of Bitnami's conventions for the templates,
but it's hard to tell if everything is 100% aligned with best practices.

Signed-off-by: Andreas Lindhé <7773090+lindhe@users.noreply.github.com>

* [bitnami/opensearch] Bump chart version

Signed-off-by: Andreas Lindhé <7773090+lindhe@users.noreply.github.com>

* [bitnami/opensearch] Remove reundant comment in values

Co-authored-by: Juan José Martos <jotamartos@gmail.com>
Signed-off-by: Andreas Lindhé <7773090+lindhe@users.noreply.github.com>

* [bitnami/opensearch] Remove another reundant comment

Signed-off-by: Andreas Lindhé <7773090+lindhe@users.noreply.github.com>

* Add defaults for documented image values

Co-authored-by: Juan José Martos <jotamartos@gmail.com>
Signed-off-by: Andreas Lindhé <7773090+lindhe@users.noreply.github.com>

* Update CHANGELOG.md

Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>

* Update README.md with readme-generator-for-helm

Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>

* [bitnami/opensearch] Fix typo in nindent

Signed-off-by: Andreas Lindhé <7773090+lindhe@users.noreply.github.com>

* Update CHANGELOG.md

Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>

* [bitnami/opensearch] Add `--show-error` to curl

This drastically improves debugging things when `curl` returns errors.

Signed-off-by: Andreas Lindhé <7773090+lindhe@users.noreply.github.com>

* [bitnami/opensearch] Allow UDP/53 in NetworkPolicy

Signed-off-by: Andreas Lindhé <7773090+lindhe@users.noreply.github.com>

* Update CHANGELOG.md

Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>

* Add snapshots.image to warnings list

Signed-off-by: Andreas Lindhé <7773090+lindhe@users.noreply.github.com>

* Update CHANGELOG.md

Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>

* Move `snapshots.enabled` to the top

Signed-off-by: Andreas Lindhé <7773090+lindhe@users.noreply.github.com>

* Move `snapshots.persistence.enabled` to the top

Signed-off-by: Andreas Lindhé <7773090+lindhe@users.noreply.github.com>

* Update CHANGELOG.md

Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>

* Update README.md with readme-generator-for-helm

Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>

---------

Signed-off-by: Andreas Lindhé <7773090+lindhe@users.noreply.github.com>
Signed-off-by: Carlos Rodríguez Hernández <carlosrh@vmware.com>
Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>
Co-authored-by: Carlos Rodríguez Hernández <carlosrh@vmware.com>
Co-authored-by: Juan José Martos <jotamartos@gmail.com>
Co-authored-by: Bitnami Containers <bitnami-bot@vmware.com>

bitnami/opensearch/CHANGELOG.md

@@ -1,8 +1,12 @@
 # Changelog
 
-## 1.3.14 (2024-11-08)
+## 1.4.0 (2024-11-15)
 
-* [bitnami/opensearch] Unify seLinuxOptions default value ([#30336](https://github.com/bitnami/charts/pull/30336))
+* [bitnami/opensearch] Enable automated setup of snapshot policies ([#29796](https://github.com/bitnami/charts/pull/29796))
+
+## <small>1.3.14 (2024-11-08)</small>
+
+* [bitnami/opensearch] Unify seLinuxOptions default value (#30336) ([2b670fc](https://github.com/bitnami/charts/commit/2b670fc5c17e0dd5ddafef2c062c1a474d07eb21)), closes [#30336](https://github.com/bitnami/charts/issues/30336)
 
 ## <small>1.3.13 (2024-11-06)</small>
 

bitnami/opensearch/Chart.yaml

@@ -30,4 +30,4 @@ maintainers:
 name: opensearch
 sources:
 - https://github.com/bitnami/charts/tree/main/bitnami/opensearch
-version: 1.3.14
+version: 1.4.0

bitnami/opensearch/templates/NOTES.txt

@@ -120,4 +120,4 @@ In order to replicate the container startup scripts execute this command:
 {{- end }}
 {{ include "opensearch.validateValues" . }}
 {{- include "common.warnings.resources" (dict "sections" (list "coordinating" "dashboards" "data" "ingest" "master" "sysctlImage" "volumePermissions") "context" $) }}
-{{- include "common.warnings.modifiedImages" (dict "images" (list .Values.image .Values.volumePermissions.image .Values.sysctlImage .Values.dashboards.image) "context" $) }}
+{{- include "common.warnings.modifiedImages" (dict "images" (list .Values.image .Values.volumePermissions.image .Values.sysctlImage .Values.dashboards.image .Values.snapshots.image) "context" $) }}

bitnami/opensearch/templates/_helpers.tpl

@@ -822,3 +822,44 @@ Return true if a TLS credentials secret object should be created
     {{- true -}}
 {{- end -}}
 {{- end -}}
+
+{{/*
+Create a default fully qualified snapshots name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "opensearch.snapshots.fullname" -}}
+{{- $name := default "snapshots" .Values.snapshots.nameOverride -}}
+{{- if .Values.snapshots.fullnameOverride -}}
+{{- .Values.snapshots.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" (include "common.names.fullname" .) $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create a global mount path for snapshots volume based on repo path
+*/}}
+{{- define "opensearch.snapshots.mountPath" -}}
+{{- required "Value snapshotRepoPath must be set!" $.Values.snapshotRepoPath -}}
+{{- end -}}
+
+{{/*
+Create name for snapshot API repo data ConfigMap
+*/}}
+{{- define "opensearch.snapshots.repoDataConfigMap" -}}
+{{- printf "%s-repo-data" (include "opensearch.snapshots.fullname" $) -}}
+{{- end -}}
+
+{{/*
+Create name for snapshot API policy data ConfigMap
+*/}}
+{{- define "opensearch.snapshots.policyDataConfigMap" -}}
+{{- printf "%s-policy-data" (include "opensearch.snapshots.fullname" $) -}}
+{{- end -}}
+
+{{/*
+Return the proper Opensearch Snapshots image name
+*/}}
+{{- define "opensearch.snapshots.image" -}}
+{{ include "common.images.image" (dict "imageRoot" .Values.snapshots.image "global" .Values.global) }}
+{{- end -}}

bitnami/opensearch/templates/coordinating/statefulset.yaml

@@ -258,6 +258,10 @@ spec:
             - name: custom-init-scripts-secret
               mountPath: /docker-entrypoint-initdb.d/init-scripts-secret
             {{- end }}
+            {{- if .Values.snapshots.persistence.enabled }}
+            - name: snapshots
+              mountPath: {{ include "opensearch.snapshots.mountPath" . }}
+            {{- end }}
             {{- if .Values.coordinating.extraVolumeMounts }}
             {{- include "common.tplvalues.render" (dict "value" .Values.coordinating.extraVolumeMounts "context" $) | nindent 12 }}
             {{- end }}
@@ -308,6 +312,11 @@ spec:
             secretName: {{ template "opensearch.initScriptsSecret" . }}
             defaultMode: 0755
         {{- end }}
+        {{- if .Values.snapshots.persistence.enabled }}
+        - name: snapshots
+          persistentVolumeClaim:
+            claimName: {{ include "opensearch.snapshots.fullname" . }}
+        {{- end }}
         {{- if .Values.coordinating.extraVolumes }}
         {{- include "common.tplvalues.render" (dict "value" .Values.coordinating.extraVolumes "context" $) | nindent 8 }}
         {{- end }}

bitnami/opensearch/templates/data/statefulset.yaml

@@ -284,6 +284,10 @@ spec:
             - name: custom-init-scripts-secret
               mountPath: /docker-entrypoint-initdb.d/init-scripts-secret
             {{- end }}
+            {{- if .Values.snapshots.persistence.enabled }}
+            - name: snapshots
+              mountPath: {{ include "opensearch.snapshots.mountPath" . }}
+            {{- end }}
             {{- if .Values.data.extraVolumeMounts }}
             {{- include "common.tplvalues.render" (dict "value" .Values.data.extraVolumeMounts "context" $) | nindent 12 }}
             {{- end }}
@@ -332,6 +336,11 @@ spec:
             secretName: {{ template "opensearch.initScriptsSecret" . }}
             defaultMode: 0755
         {{- end }}
+        {{- if .Values.snapshots.persistence.enabled }}
+        - name: snapshots
+          persistentVolumeClaim:
+            claimName: {{ include "opensearch.snapshots.fullname" . }}
+        {{- end }}
         {{- if .Values.data.extraVolumes }}
         {{- include "common.tplvalues.render" (dict "value" .Values.data.extraVolumes "context" $) | nindent 8 }}
         {{- end }}

bitnami/opensearch/templates/ingest/statefulset.yaml

@@ -258,6 +258,10 @@ spec:
             - name: custom-init-scripts-secret
               mountPath: /docker-entrypoint-initdb.d/init-scripts-secret
             {{- end }}
+            {{- if .Values.snapshots.persistence.enabled }}
+            - name: snapshots
+              mountPath: {{ include "opensearch.snapshots.mountPath" . }}
+            {{- end }}
             {{- if .Values.ingest.extraVolumeMounts }}
             {{- include "common.tplvalues.render" (dict "value" .Values.ingest.extraVolumeMounts "context" $) | nindent 12 }}
             {{- end }}
@@ -308,6 +312,11 @@ spec:
             secretName: {{ template "opensearch.initScriptsSecret" . }}
             defaultMode: 0755
         {{- end }}
+        {{- if .Values.snapshots.persistence.enabled }}
+        - name: snapshots
+          persistentVolumeClaim:
+            claimName: {{ include "opensearch.snapshots.fullname" . }}
+        {{- end }}
         {{- if .Values.ingest.extraVolumes }}
         {{- include "common.tplvalues.render" (dict "value" .Values.ingest.extraVolumes "context" $) | nindent 8 }}
         {{- end }}

bitnami/opensearch/templates/master/statefulset.yaml

@@ -296,6 +296,10 @@ spec:
             - name: custom-init-scripts-secret
               mountPath: /docker-entrypoint-initdb.d/init-scripts-secret
             {{- end }}
+            {{- if .Values.snapshots.persistence.enabled }}
+            - name: snapshots
+              mountPath: {{ include "opensearch.snapshots.mountPath" . }}
+            {{- end }}
             {{- if .Values.master.extraVolumeMounts }}
             {{- include "common.tplvalues.render" (dict "value" .Values.master.extraVolumeMounts "context" $) | nindent 12 }}
             {{- end }}
@@ -344,6 +348,11 @@ spec:
             secretName: {{ template "opensearch.initScriptsSecret" . }}
             defaultMode: 0755
         {{- end }}
+        {{- if .Values.snapshots.persistence.enabled }}
+        - name: snapshots
+          persistentVolumeClaim:
+            claimName: {{ include "opensearch.snapshots.fullname" . }}
+        {{- end }}
         {{- if .Values.master.extraVolumes }}
         {{- include "common.tplvalues.render" (dict "value" .Values.master.extraVolumes "context" $) | nindent 8 }}
         {{- end }}

bitnami/opensearch/templates/snapshots/init-job.yaml

@@ -0,0 +1,90 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if $.Values.snapshots.enabled -}}
+{{- $host := (include "opensearch.service.name" $) -}}
+{{- $port := (include "opensearch.service.ports.restAPI" $) -}}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: post-install
+  {{- if .Values.commonAnnotations }}
+  {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+  labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+    app.kubernetes.io/component: snapshots
+  name: {{ include "opensearch.snapshots.fullname" . }}
+  namespace: {{ include "common.names.namespace" . | quote }}
+spec:
+  template:
+    spec:
+      automountServiceAccountToken: false
+      containers:
+        - args:
+            - --silent
+            - --show-error
+            - "file:///dev/null" # Starting with curl 8, a URL is required before the first `--next`
+          {{- range $name, $_ := $.Values.snapshots.repositories }}
+            # Register snapshot repository:
+            - --next
+            - -w
+            - '\n'
+            - -XPUT
+            - -H
+            - "Content-Type: application/json"
+            - -d
+            - "@/run/repo-data/{{ $name }}"
+            - http://{{ $host }}:{{ $port }}/_snapshot/{{ $name }}
+          {{- end }}
+          {{- range $name, $_ := $.Values.snapshots.policies }}
+            # Register snapshot policy:
+            - --next
+            - -w
+            - '\n'
+            - -H
+            - "Content-Type: application/json"
+            - -d
+            - "@/run/policy-data/{{ $name }}"
+            - http://{{ $host }}:{{ $port }}/_plugins/_sm/policies/{{ $name }}
+          {{- end }}
+          command: {{- include "common.tplvalues.render" (dict "value" .Values.snapshots.command "context" $) | nindent 12 }}
+          env:
+            - name: BITNAMI_DEBUG
+              value: {{ ternary "true" "false" (or .Values.snapshots.image.debug .Values.diagnosticMode.enabled) | quote }}
+          image: {{ template "opensearch.snapshots.image" . }}
+          imagePullPolicy: {{ .Values.snapshots.image.pullPolicy }}
+          name: {{ include "opensearch.snapshots.fullname" . }}
+          {{- if .Values.snapshots.containerSecurityContext.enabled }}
+          securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.snapshots.containerSecurityContext "context" $) | nindent 12 }}
+          {{- end }}
+          {{- if .Values.snapshots.resources }}
+          resources: {{- toYaml .Values.snapshots.resources | nindent 12 }}
+          {{- else if ne .Values.snapshots.resourcesPreset "none" }}
+          resources: {{- include "common.resources.preset" (dict "type" .Values.snapshots.resourcesPreset) | nindent 12 }}
+          {{- end }}
+          volumeMounts:
+            - name: repo-data
+              mountPath: /run/repo-data/
+            - name: policy-data
+              mountPath: /run/policy-data/
+      {{- with .Values.snapshots.image.pullSecrets }}
+      imagePullPolicy:
+      {{- range . }}
+        - name: {{ . }}
+      {{- end }}
+      {{- end }}
+      restartPolicy: Never
+      {{- if .Values.dashboards.podSecurityContext.enabled }}
+      securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.dashboards.podSecurityContext "context" $) | nindent 8 }}
+      {{- end }}
+      volumes:
+        - name: policy-data
+          configMap:
+            name: {{ include "opensearch.snapshots.policyDataConfigMap" . }}
+        - name: repo-data
+          configMap:
+            name: {{ include "opensearch.snapshots.repoDataConfigMap" . }}
+{{- end -}}

bitnami/opensearch/templates/snapshots/networkpolicy.yaml

@@ -0,0 +1,50 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if .Values.snapshots.enabled }}
+---
+apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
+kind: NetworkPolicy
+metadata:
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+  labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+    app.kubernetes.io/part-of: opensearch
+    app.kubernetes.io/component: snapshots
+  name: {{ template "opensearch.snapshots.fullname" . }}
+  namespace: {{ include "common.names.namespace" . | quote }}
+spec:
+  podSelector:
+    matchLabels:
+      batch.kubernetes.io/job-name: {{ template "opensearch.snapshots.fullname" . }}
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress: []
+  egress:
+    - to:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: kube-system
+          podSelector:
+            matchLabels:
+              k8s-app: kube-dns
+      ports:
+        - port: 53
+          protocol: TCP
+        - port: 53
+          protocol: UDP
+    - to:
+        - podSelector:
+            matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
+              {{- if (include "opensearch.coordinating.enabled" .) }}
+              app.kubernetes.io/component: coordinating-only
+              {{- else }}
+              app.kubernetes.io/component: master
+              {{- end }}
+      ports:
+        - port: {{ include "opensearch.service.ports.restAPI" $ }}
+{{- end }}

bitnami/opensearch/templates/snapshots/policies-cm.yaml

@@ -0,0 +1,27 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if $.Values.snapshots.enabled -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+  labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+    app.kubernetes.io/component: snapshots
+  name: {{ include "opensearch.snapshots.policyDataConfigMap" . }}
+  namespace: {{ include "common.names.namespace" . | quote }}
+data:
+  {{- range $name, $policy := $.Values.snapshots.policies }}
+    {{- $repo := $policy.snapshot_config.repository -}}
+    {{- if (hasKey $.Values.snapshots.repositories $repo) -}}
+      {{- $name | nindent 2 }}: |
+        {{- $policy | mustToPrettyJson | nindent 4 }}
+    {{- else -}}
+      {{- fail (printf "Repository `%s` is not defined in .snapshots.repositories" $repo) -}}
+    {{- end -}}
+  {{- end -}}
+{{- end -}}

bitnami/opensearch/templates/snapshots/pvc.yaml

@@ -0,0 +1,36 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if and .Values.snapshots.persistence.enabled (not .Values.snapshots.persistence.existingClaim) -}}
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: {{ include "opensearch.snapshots.fullname" . }}
+  namespace: {{ include "common.names.namespace" . | quote }}
+  {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels .Values.snapshots.persistence.labels ) "context" . ) }}
+  labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
+    app.kubernetes.io/component: snapshots
+  annotations:
+    helm.sh/resource-policy: keep
+  {{- if or .Values.snapshots.persistence.annotations .Values.commonAnnotations }}
+  {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.snapshots.persistence.annotations .Values.commonAnnotations ) "context" . ) }}
+  {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
+  {{- end }}
+spec:
+  accessModes:
+  {{- range .Values.snapshots.persistence.accessModes }}
+    - {{ . | quote }}
+  {{- end }}
+  resources:
+    requests:
+      storage: {{ .Values.snapshots.persistence.size | quote }}
+  {{- if .Values.snapshots.persistence.selector }}
+  selector: {{- include "common.tplvalues.render" (dict "value" .Values.snapshots.persistence.selector "context" $) | nindent 4 }}
+  {{- end }}
+  {{- if .Values.snapshots.persistence.dataSource }}
+  dataSource: {{- include "common.tplvalues.render" (dict "value" .Values.snapshots.persistence.dataSource "context" $) | nindent 4 }}
+  {{- end }}
+  {{- include "common.storage.class" (dict "persistence" .Values.snapshots.persistence "global" .Values.global) | nindent 2 }}
+{{- end -}}