Added basic support for plugins on nodes

charts/opensearch/CHANGELOG.md

@@ -12,6 +12,15 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Removed
 ### Fixed
 ### Security
+---
+## [1.0.5]
+
+### Added
+- Added the ability to define plugins on node startup via plugins.enabled option.
+
+### Changed
+- Incremented the version to `1.0.5`.
+
 
 ---
 ## [1.0.4]

charts/opensearch/Chart.yaml

@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.0.4
+version: 1.0.5
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

charts/opensearch/ci/ci-values.yaml

@@ -2,12 +2,8 @@
 clusterName: "opensearch-cluster"
 nodeGroup: "master"
 
-# The service that non master groups will try to connect to when joining the cluster
-# This should be set to clusterName + "-" + nodeGroup for your master group
 masterService: "opensearch-cluster-master"
 
-# OpenSearch roles that will be applied to this nodeGroup
-# These will be set as environment variables. E.g. node.master=true
 roles:
   master: "true"
   ingest: "true"
@@ -19,25 +15,11 @@ minimumMasterNodes: 1
 
 majorVersion: ""
 
-# Allows you to add any config files in {{ .Values.opensearchHome }}/config
 opensearchHome: /usr/share/opensearch
-# such as opensearch.yml and log4j2.properties
 config:
   opensearch.yml:
     cluster.name: opensearch-cluster
-
-    # Bind to all interfaces because we don't know what IP address Docker will assign to us.
     network.host: 0.0.0.0
-
-    # # minimum_master_nodes need to be explicitly set when bound on a public IP
-    # # set to 1 to allow single node clusters
-    # discovery.zen.minimum_master_nodes: 1
-
-    # Setting network.host to a non-loopback address enables the annoying bootstrap checks. "Single-node" mode disables them again.
-    # discovery.type: single-node
-
-    # Start OpenSearch Security Demo Configuration
-    # WARNING: revise all the lines below before you go into production
     plugins:
       security:
         ssl:
@@ -76,43 +58,19 @@ config:
               ".opendistro-notebooks",
               ".opendistro-asynchronous-search-response*",
             ]
-    ######## End OpenSearch Security Demo Configuration ########
-  # log4j2.properties:
 
-# Extra environment variables to append to this nodeGroup
-# This will be appended to the current 'env:' key. You can use any of the kubernetes env
-# syntax here
 extraEnvs: []
-#  - name: MY_ENVIRONMENT_VAR
-#    value: the_value_goes_here
-
-# Allows you to load environment variables from kubernextes secret or config map
 envFrom: []
-# - secretRef:
-#     name: env-secret
-# - configMapRef:
-#     name: config-map
-
-# A list of secrets and their paths to mount inside the pod
-# This is useful for mounting certificates for security and for mounting
-# the X-Pack license
 secretMounts: []
-
 hostAliases: []
-# - ip: "127.0.0.1"
-#   hostnames:
-#   - "foo.local"
-#   - "bar.local"
 
 image: "opensearchproject/opensearch"
-# override image tag, which is .Chart.AppVersion by default
 imageTag: ""
 imagePullPolicy: "IfNotPresent"
 
 podAnnotations: {}
-  # iam.amazonaws.com/role: es-cluster
 
-# additionals labels
+
 labels: {}
 
 opensearchJavaOpts: "-Xmx512M -Xms512M"
@@ -123,20 +81,7 @@ resources:
     memory: "100Mi"
 
 initResources: {}
-  # limits:
-  #   cpu: "25m"
-  #   # memory: "128Mi"
-  # requests:
-  #   cpu: "25m"
-  #   memory: "128Mi"
-
 sidecarResources: {}
-  # limits:
-  #   cpu: "25m"
-  #   # memory: "128Mi"
-  # requests:
-  #   cpu: "25m"
-  #   memory: "128Mi"
 
 networkHost: "0.0.0.0"
 
@@ -163,67 +108,29 @@ podSecurityPolicy:
       - configMap
       - persistentVolumeClaim
       - emptyDir
-
 persistence:
   enabled: true
   labels:
-    # Add default labels for the volumeClaimTemplate of the StatefulSet
     enabled: false
-  # OpenSearch Persistent Volume Storage Class
-  # If defined, storageClassName: <storageClass>
-  # If set to "-", storageClassName: "", which disables dynamic provisioning
-  # If undefined (the default) or set to null, no storageClassName spec is
-  #   set, choosing the default provisioner.  (gp2 on AWS, standard on
-  #   GKE, AWS & OpenStack)
-  #
-  # storageClass: "-"
   accessModes:
     - ReadWriteOnce
   size: 8Gi
   annotations: {}
-
 extraVolumes: []
-  # - name: extras
-  #   emptyDir: {}
-
 extraVolumeMounts: []
-  # - name: extras
-  #   mountPath: /usr/share/extras
-  #   readOnly: true
-
 extraContainers: []
-  # - name: do-something
-  #   image: busybox
-  #   command: ['do', 'something']
-
 extraInitContainers: []
-  # - name: do-somethings
-  #   image: busybox
-  #   command: ['do', 'something']
 
-# This is the PriorityClass settings as defined in
-# https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
 priorityClassName: ""
 
-# By default this will make sure two pods don't end up on the same node
-# Changing this to a region would allow you to spread pods across regions
 antiAffinityTopologyKey: "kubernetes.io/hostname"
 
-# Hard means that by default pods will only be scheduled if there are enough nodes for them
-# and that they will never end up on the same node. Setting this to soft will do this "best effort"
 antiAffinity: "soft"
 
-# This is the node affinity settings as defined in
-# https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#node-affinity-beta-feature
 nodeAffinity: {}
 
-# The default is to deploy all pods serially. By setting this to parallel all pods are started at
-# the same time when bootstrapping the cluster
 podManagementPolicy: "Parallel"
 
-# The environment variables injected by service links are not used, but can lead to slow OpenSearch boot times when
-# there are many services in the current namespace.
-# If you experience slow pod startups you probably want to set this to `false`.
 enableServiceLinks: true
 
 protocol: http
@@ -243,10 +150,6 @@ service:
   externalTrafficPolicy: ""
 
 updateStrategy: RollingUpdate
-
-# This is the max unavailable setting for the pod disruption budget
-# The default value of 1 will make sure that kubernetes won't allow more than 1
-# of your pods to be unavailable during maintenance
 maxUnavailable: 1
 
 podSecurityContext:
@@ -257,7 +160,6 @@ securityContext:
   capabilities:
     drop:
       - ALL
-  # readOnlyRootFilesystem: true
   runAsNonRoot: true
   runAsUser: 1000
 
@@ -270,18 +172,10 @@ securityConfig:
   rolesSecret:
   rolesMappingSecret:
   tenantsSecret:
-  # The following option simplifies securityConfig by using a single secret and specifying the respective secrets in the corresponding files instead of creating different secrets for config,internal users, roles, roles mapping and tenants
-  # Note that this is an alternative to the above secrets and shouldn't be used if the above secrets are used
   config:
     securityConfigSecret:
     data: {}
-      # config.yml: |-
-      # internal_users.yml: |-
-      # roles.yml: |-
-      # rolesMapping.yml: |-
-    # tenants.yml: |-
 
-# How long to wait for opensearch to stop gracefully
 terminationGracePeriod: 120
 
 sysctlVmMaxMapCount: 262144
@@ -292,76 +186,34 @@ readinessProbe:
   periodSeconds: 10
   successThreshold: 3
   timeoutSeconds: 2000
-
-## Use an alternate scheduler.
-## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
-##
 schedulerName: ""
-
 imagePullSecrets: []
 nodeSelector: {}
 tolerations: []
-
-# Enabling this will publically expose your OpenSearch instance.
-# Only enable this if you have security enabled on your cluster
 ingress:
   enabled: false
   annotations: {}
-    # kubernetes.io/ingress.class: nginx
-    # kubernetes.io/tls-acme: "true"
   path: /
   hosts:
     - chart-example.local
   tls: []
-  #  - secretName: chart-example-tls
-  #    hosts:
-  #      - chart-example.local
-
 nameOverride: ""
 fullnameOverride: ""
 
 masterTerminationFix: false
 
 lifecycle: {}
-  # preStop:
-  #   exec:
-  #     command: ["/bin/sh", "-c", "echo Hello from the postStart handler > /usr/share/message"]
-  # postStart:
-  #   exec:
-  #     command:
-  #       - bash
-  #       - -c
-  #       - |
-  #         #!/bin/bash
-  #         # Add a template to adjust number of shards/replicas1
-  #         TEMPLATE_NAME=my_template
-  #         INDEX_PATTERN="logstash-*"
-  #         SHARD_COUNT=8
-  #         REPLICA_COUNT=1
-  #         ES_URL=http://localhost:9200
-  #         while [[ "$(curl -s -o /dev/null -w '%{http_code}\n' $ES_URL)" != "200" ]]; do sleep 1; done
-  #         curl -XPUT "$ES_URL/_template/$TEMPLATE_NAME" -H 'Content-Type: application/json' -d'{"index_patterns":['\""$INDEX_PATTERN"\"'],"settings":{"number_of_shards":'$SHARD_COUNT',"number_of_replicas":'$REPLICA_COUNT'}}'
-
 keystore: []
 
 networkPolicy:
-  ## Enable creation of NetworkPolicy resources. Only Ingress traffic is filtered for now.
-  ## In order for a Pod to access OpenSearch, it needs to have the following label:
-  ## {{ template "uname" . }}-client: "true"
-  ## Example for default configuration to access HTTP port:
-  ## opensearch-master-http-client: "true"
-  ## Example for default configuration to access transport port:
-  ## opensearch-master-transport-client: "true"
-
   http:
     enabled: false
-
-# Deprecated
-# please use the above podSecurityContext.fsGroup instead
 fsGroup: ""
-
-## Set optimal sysctl's. This requires privilege. Can be disabled if
-## the system has already been preconfigured. (Ex: https://www.elastic.co/guide/en/elasticsearch/reference/current/vm-max-map-count.html)
-## Also see: https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/
 sysctl:
   enabled: false
+
+
+plugins:
+  enabled: true
+  installList:
+    - https://github.com/aparo/opensearch-prometheus-exporter/releases/download/1.0.0/prometheus-exporter-1.0.0.zip

charts/opensearch/templates/statefulset.yaml

@@ -224,7 +224,7 @@ spec:
         volumeMounts:
           - name: "{{ template "opensearch.uname" . }}"
             mountPath: {{ .Values.opensearchHome }}/data
-{{- end }}      
+{{- end }}
 {{ if .Values.keystore }}
       - name: keystore
         image: "{{ .Values.image }}:{{ .Values.imageTag | default .Chart.AppVersion }}"
@@ -277,6 +277,20 @@ spec:
       - name: "{{ template "opensearch.name" . }}"
         securityContext:
 {{ toYaml .Values.securityContext | indent 10 }}
+      {{- if .Values.plugins.enabled }}
+        command:
+        - sh
+        - -c
+        - |
+          #!/usr/bin/env bash
+          set -euo pipefail
+
+          {{- range $plugin := .Values.plugins.installList }}
+          ./bin/opensearch-plugin install -b {{ $plugin }}
+          {{- end }}
+
+          bash opensearch-docker-entrypoint.sh
+      {{- end }}
         image: "{{ .Values.image }}:{{ .Values.imageTag | default .Chart.AppVersion }}"
         imagePullPolicy: "{{ .Values.imagePullPolicy }}"
         ports:

charts/opensearch/values.yaml

@@ -367,3 +367,9 @@ fsGroup: ""
 ## Also see: https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/
 sysctl:
   enabled: false
+
+## Enable to add 3rd Party / Custom plugins not offered in the default OpenSearch image.
+plugins:
+  enabled: false
+  installList: []
+  # - example-fake-plugin