First steps

After completing the steps in Installation for the operator and its dependencies, you can now set up an OpenSearch instance and connect to it.

Security plugin configuration

The configuration for the OpenSearch security plugin must be provided in a separate resource, e.g. a Secret:

---
apiVersion: v1
kind: Secret
metadata:
  name: opensearch-security-config
stringData:
  action_groups.yml: |
    ---
    _meta:
      type: actiongroups
      config_version: 2
  allowlist.yml: |
    ---
    _meta:
      type: allowlist
      config_version: 2

    config:
      enabled: false
  audit.yml: |
    ---
    _meta:
      type: audit
      config_version: 2

    config:
      enabled: false
  config.yml: |
    ---
    _meta:
      type: config
      config_version: 2

    config:
      dynamic:
        authc:
          basic_internal_auth_domain:
            description: Authenticate via HTTP Basic against internal users database
            http_enabled: true
            transport_enabled: true
            order: 1
            http_authenticator:
              type: basic
              challenge: true
            authentication_backend:
              type: intern
        authz: {}
  internal_users.yml: |
    ---
    _meta:
      type: internalusers
      config_version: 2

    admin:
      hash: $2y$10$xRtHZFJ9QhG9GcYhRpAGpufCZYsk//nxsuel5URh0GWEBgmiI4Q/e
      reserved: true
      backend_roles:
        - admin
      description: OpenSearch admin user

    kibanaserver:
      hash: $2y$10$vPgQ/6ilKDM5utawBqxoR.7euhVQ0qeGl8mPTeKhmFT475WUDrfQS
      reserved: true
      description: OpenSearch Dashboards user
  nodes_dn.yml: |
    ---
    _meta:
      type: nodesdn
      config_version: 2
  roles.yml: |
    ---
    _meta:
      type: roles
      config_version: 2
  roles_mapping.yml: |
    ---
    _meta:
      type: rolesmapping
      config_version: 2

    all_access:
      reserved: false
      backend_roles:
        - admin

    kibana_server:
      reserved: true
      users:
        - kibanaserver
  tenants.yml: |
    ---
    _meta:
      type: tenants
      config_version: 2

Apply the Secret:

kubectl apply -f opensearch-security-config.yaml

The passwords in internal_users.yml are stored as bcrypt hashes. Such a hash can be generated with htpasswd, for example:

$ htpasswd -nbBC 10 admin AJVFsGJBbpT6mChnq
admin:$2y$10$xRtHZFJ9QhG9GcYhRpAGpufCZYsk//nxsuel5URh0GWEBgmiI4Q/e
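
The htpasswd call above passes the password on the command line, and the hashes printed on this page are public. As an added example (not part of the operator documentation), the following script checks an internal_users.yml for malformed, low-cost or copied sample hashes and generates a replacement hash with the password read from stdin. The names lint_internal_users, new_hash and MIN_COST and the sample file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: lint the bcrypt hashes in internal_users.yml before applying.

# Hashes printed on this page; treat them as known credentials.
PUB_ADMIN='$2y$10$xRtHZFJ9QhG9GcYhRpAGpufCZYsk//nxsuel5URh0GWEBgmiI4Q/e'
PUB_KIBANA='$2y$10$vPgQ/6ilKDM5utawBqxoR.7euhVQ0qeGl8mPTeKhmFT475WUDrfQS'
MIN_COST=10   # assumption: lowest bcrypt cost accepted (this page uses 10)

# Print one finding per bad hash; return 1 if anything was reported.
lint_internal_users() {
  sed -n 's/^[[:space:]]*hash:[[:space:]]*//p' "$1" | tr -d "\"'" | (
    rc=0
    while IFS= read -r hash; do
      # bcrypt layout: $2a/$2b/$2y, two-digit cost, 22-char salt + 31-char digest
      if ! printf '%s\n' "$hash" |
          grep -Eq '^\$2[aby]\$[0-9]{2}\$[./A-Za-z0-9]{53}$'; then
        echo "malformed: $hash"; rc=1; continue
      fi
      cost=${hash#\$2?\$}; cost=${cost%%\$*}
      if [ "$cost" -lt "$MIN_COST" ]; then
        echo "weak cost $cost: $hash"; rc=1
      fi
      case $hash in
        "$PUB_ADMIN"|"$PUB_KIBANA") echo "published sample: $hash"; rc=1 ;;
      esac
    done
    exit "$rc"
  )
}

# Generate a replacement hash without putting the password in argv or shell
# history: htpasswd -i reads it from stdin (-n print, -B bcrypt, -C cost).
new_hash() {
  printf 'Password for %s: ' "$1" >&2
  stty -echo; IFS= read -r pw; stty echo; echo >&2
  printf '%s\n' "$pw" | htpasswd -niBC "$MIN_COST" "$1" | sed -n 's/^[^:]*://p'
}

# Constructed sample: one entry reuses this page's admin hash, one has cost 04.
sample=$(mktemp)
cat >"$sample" <<'EOF'
admin:
  hash: $2y$10$xRtHZFJ9QhG9GcYhRpAGpufCZYsk//nxsuel5URh0GWEBgmiI4Q/e
svc:
  hash: $2y$04$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0
EOF
lint_internal_users "$sample" || echo "fix the findings before kubectl apply"
```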

Creation of OpenSearch nodes

OpenSearch nodes must be created as a custom resource. Create a file called opensearch.yaml:

---
apiVersion: opensearch.stackable.tech/v1alpha1
kind: OpenSearchCluster
metadata:
  name: simple-opensearch
spec:
  image:
    custom: opensearchproject/opensearch:3.1.0
    productVersion: 3.1.0
  nodes:
    roleGroups:
      default:
        replicas: 3
    envOverrides:
      DISABLE_INSTALL_DEMO_CONFIG: "true"
    configOverrides:
      opensearch.yml:
        plugins.security.allow_default_init_securityindex: "true"
        plugins.security.restapi.roles_enabled: all_access
        plugins.security.ssl.transport.enabled: "true"
        plugins.security.ssl.transport.pemcert_filepath: /usr/share/opensearch/config/tls/tls.crt
        plugins.security.ssl.transport.pemkey_filepath: /usr/share/opensearch/config/tls/tls.key
        plugins.security.ssl.transport.pemtrustedcas_filepath: /usr/share/opensearch/config/tls/ca.crt
        plugins.security.ssl.http.enabled: "true"
        plugins.security.ssl.http.pemcert_filepath: /usr/share/opensearch/config/tls/tls.crt
        plugins.security.ssl.http.pemkey_filepath: /usr/share/opensearch/config/tls/tls.key
        plugins.security.ssl.http.pemtrustedcas_filepath: /usr/share/opensearch/config/tls/ca.crt
    podOverrides:
      spec:
        containers:
          - name: opensearch
            volumeMounts:
              - name: security-config
                mountPath: /usr/share/opensearch/config/opensearch-security
                readOnly: true
              - name: tls
                mountPath: /usr/share/opensearch/config/tls
                readOnly: true
        securityContext:
          fsGroup: 1000
        volumes:
          - name: security-config
            secret:
              secretName: opensearch-security-config
          - name: tls
            ephemeral:
              volumeClaimTemplate:
                metadata:
                  annotations:
                    secrets.stackable.tech/class: tls
                    secrets.stackable.tech/scope: node,pod,service=simple-opensearch,service=simple-opensearch-nodes-default
                spec:
                  storageClassName: secrets.stackable.tech
                  accessModes:
                    - ReadWriteOnce
                  resources:
                    requests:
                      storage: "1"

And apply it:

kubectl apply -f opensearch.yaml

metadata.name contains the name of the OpenSearch cluster.

The previously created security plugin configuration must be referenced via podOverrides.

You need to wait for the OpenSearch nodes to finish deploying. You can do so with this command:

kubectl rollout status --watch statefulset/simple-opensearch-nodes-default --timeout 600s

Connecting to the HTTP endpoint

Once the OpenSearch nodes are created, you can use the REST API of OpenSearch.

To forward the HTTP port (9200) to localhost, run:

kubectl port-forward services/simple-opensearch 9200 > /dev/null 2>&1 &

Using the REST API

You can use the REST API as follows:

export CREDENTIALS=admin:AJVFsGJBbpT6mChnq

curl \
    --insecure \
    --user $CREDENTIALS \
    --request PUT \
    --json '{"name": "Stackable"}' \
    https://localhost:9200/sample_index/_doc/1

# Output:
# {"_index":"sample_index","_id":"1","_version":1,"result":"created","_shards":{"total":2,"successful":1,"failed":0},"_seq_no":0,"_primary_term":1}

curl \
    --insecure \
    --user $CREDENTIALS \
    --request GET \
    https://localhost:9200/sample_index/_doc/1

# Output:
# {"_index":"sample_index","_id":"1","_version":1,"_seq_no":0,"_primary_term":1,"found":true,"_source":{"name": "Stackable"}}

Great! Now you can create your own indexes, populate them with data and search for it.

What’s next

Check the Usage guide to find out more about configuring your OpenSearch instance or have a look at the OpenSearch documentation to ingest, search or visualize your data with OpenSearch Dashboards.