diff --git a/CHANGELOG.md b/CHANGELOG.md index 9704be59..0fce56be 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -15,11 +15,14 @@ All notable changes to this project will be documented in this file. - BREAKING: `configOverrides` now only accepts the known config file `opensearch.yml`. Previously, arbitrary file names were silently accepted and ignored ([#137]). - Bump `stackable-operator` to 0.110.1 ([#137]). +- Replace the generic subject DN in the configuration setting `plugins.security.nodes_dn` with the + FQDNs of the OpenSearch nodes ([#144]). [#129]: https://github.com/stackabletech/opensearch-operator/pull/129 [#130]: https://github.com/stackabletech/opensearch-operator/pull/130 [#137]: https://github.com/stackabletech/opensearch-operator/pull/137 [#141]: https://github.com/stackabletech/opensearch-operator/pull/141 +[#144]: https://github.com/stackabletech/opensearch-operator/pull/144 ## [26.3.0] - 2026-03-16 diff --git a/Cargo.lock b/Cargo.lock index ad93da41..20424737 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1532,7 +1532,7 @@ dependencies = [ [[package]] name = "k8s-version" version = "0.1.3" -source = "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.111.1#7a5f0c3fbcd091340214a23f0607fcd4b4fcc152" +source = "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fannotation-auto-tls-cert-subject-dn#8eb179f9faf75afae2db8171445e84a6a54a4401" dependencies = [ "darling", "regex", @@ -2916,7 +2916,7 @@ checksum = "6ce2be8dc25455e1f91df71bfa12ad37d7af1092ae736f3a6cd0e37bc7810596" [[package]] name = "stackable-certs" version = "0.4.0" -source = "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.111.1#7a5f0c3fbcd091340214a23f0607fcd4b4fcc152" +source = "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fannotation-auto-tls-cert-subject-dn#8eb179f9faf75afae2db8171445e84a6a54a4401" dependencies = [ "const-oid", "ecdsa", 
@@ -2962,7 +2962,7 @@ dependencies = [ [[package]] name = "stackable-operator" version = "0.111.1" -source = "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.111.1#7a5f0c3fbcd091340214a23f0607fcd4b4fcc152" +source = "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fannotation-auto-tls-cert-subject-dn#8eb179f9faf75afae2db8171445e84a6a54a4401" dependencies = [ "base64", "clap", @@ -2998,12 +2998,13 @@ dependencies = [ "tracing-appender", "tracing-subscriber", "url", + "winnow", ] [[package]] name = "stackable-operator-derive" version = "0.3.1" -source = "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.111.1#7a5f0c3fbcd091340214a23f0607fcd4b4fcc152" +source = "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fannotation-auto-tls-cert-subject-dn#8eb179f9faf75afae2db8171445e84a6a54a4401" dependencies = [ "darling", "proc-macro2", @@ -3014,7 +3015,7 @@ dependencies = [ [[package]] name = "stackable-shared" version = "0.1.0" -source = "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.111.1#7a5f0c3fbcd091340214a23f0607fcd4b4fcc152" +source = "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fannotation-auto-tls-cert-subject-dn#8eb179f9faf75afae2db8171445e84a6a54a4401" dependencies = [ "jiff", "k8s-openapi", @@ -3031,7 +3032,7 @@ dependencies = [ [[package]] name = "stackable-telemetry" version = "0.6.3" -source = "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.111.1#7a5f0c3fbcd091340214a23f0607fcd4b4fcc152" +source = "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fannotation-auto-tls-cert-subject-dn#8eb179f9faf75afae2db8171445e84a6a54a4401" dependencies = [ "axum", "clap", 
@@ -3055,7 +3056,7 @@ dependencies = [ [[package]] name = "stackable-versioned" version = "0.10.0" -source = "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.111.1#7a5f0c3fbcd091340214a23f0607fcd4b4fcc152" +source = "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fannotation-auto-tls-cert-subject-dn#8eb179f9faf75afae2db8171445e84a6a54a4401" dependencies = [ "kube", "schemars", @@ -3069,7 +3070,7 @@ dependencies = [ [[package]] name = "stackable-versioned-macros" version = "0.10.0" -source = "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.111.1#7a5f0c3fbcd091340214a23f0607fcd4b4fcc152" +source = "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fannotation-auto-tls-cert-subject-dn#8eb179f9faf75afae2db8171445e84a6a54a4401" dependencies = [ "convert_case", "convert_case_extras", @@ -3087,7 +3088,7 @@ dependencies = [ [[package]] name = "stackable-webhook" version = "0.9.1" -source = "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.111.1#7a5f0c3fbcd091340214a23f0607fcd4b4fcc152" +source = "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fannotation-auto-tls-cert-subject-dn#8eb179f9faf75afae2db8171445e84a6a54a4401" dependencies = [ "arc-swap", "async-trait", @@ -3938,9 +3939,9 @@ checksum = "589f6da84c646204747d1270a2a5661ea66ed1cced2631d546fdfb155959f9ec" [[package]] name = "winnow" -version = "1.0.2" +version = "1.0.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2ee1708bef14716a11bae175f579062d4554d95be2c6829f518df847b7b3fdd0" +checksum = "0592e1c9d151f854e6fd382574c3a0855250e1d9b2f99d9281c6e6391af352f1" dependencies = [ "memchr", ] diff --git a/Cargo.nix b/Cargo.nix index 232ee994..9115a015 100644 --- a/Cargo.nix +++ b/Cargo.nix 
@@ -4883,9 +4883,9 @@ rec { edition = "2024"; workspace_member = null; src = pkgs.fetchgit { - url = "https://github.com/stackabletech/operator-rs.git"; - rev = "7a5f0c3fbcd091340214a23f0607fcd4b4fcc152"; - sha256 = "0lj969rjbxairjglrnaq0xhabvdrq5nd6wl1i0y9pr50nhh7zvgk"; + url = "https://github.com/stackabletech//operator-rs.git"; + rev = "8eb179f9faf75afae2db8171445e84a6a54a4401"; + sha256 = "0liwh50756wajvzrbklcdcasrzczrh7xsf3q4gzq32h145x9151d"; }; libName = "k8s_version"; authors = [ @@ -9595,9 +9595,9 @@ rec { edition = "2024"; workspace_member = null; src = pkgs.fetchgit { - url = "https://github.com/stackabletech/operator-rs.git"; - rev = "7a5f0c3fbcd091340214a23f0607fcd4b4fcc152"; - sha256 = "0lj969rjbxairjglrnaq0xhabvdrq5nd6wl1i0y9pr50nhh7zvgk"; + url = "https://github.com/stackabletech//operator-rs.git"; + rev = "8eb179f9faf75afae2db8171445e84a6a54a4401"; + sha256 = "0liwh50756wajvzrbklcdcasrzczrh7xsf3q4gzq32h145x9151d"; }; libName = "stackable_certs"; authors = [ @@ -9793,9 +9793,9 @@ rec { edition = "2024"; workspace_member = null; src = pkgs.fetchgit { - url = "https://github.com/stackabletech/operator-rs.git"; - rev = "7a5f0c3fbcd091340214a23f0607fcd4b4fcc152"; - sha256 = "0lj969rjbxairjglrnaq0xhabvdrq5nd6wl1i0y9pr50nhh7zvgk"; + url = "https://github.com/stackabletech//operator-rs.git"; + rev = "8eb179f9faf75afae2db8171445e84a6a54a4401"; + sha256 = "0liwh50756wajvzrbklcdcasrzczrh7xsf3q4gzq32h145x9151d"; }; libName = "stackable_operator"; authors = [ @@ -9955,6 +9955,10 @@ rec { packageId = "url"; features = [ "serde" ]; } + { + name = "winnow"; + packageId = "winnow"; + } ]; features = { "certs" = [ "dep:stackable-certs" ]; 
@@ -9973,9 +9977,9 @@ rec { edition = "2024"; workspace_member = null; src = pkgs.fetchgit { - url = "https://github.com/stackabletech/operator-rs.git"; - rev = "7a5f0c3fbcd091340214a23f0607fcd4b4fcc152"; - sha256 = "0lj969rjbxairjglrnaq0xhabvdrq5nd6wl1i0y9pr50nhh7zvgk"; + url = "https://github.com/stackabletech//operator-rs.git"; + rev = "8eb179f9faf75afae2db8171445e84a6a54a4401"; + sha256 = "0liwh50756wajvzrbklcdcasrzczrh7xsf3q4gzq32h145x9151d"; }; procMacro = true; libName = "stackable_operator_derive"; @@ -10008,9 +10012,9 @@ rec { edition = "2024"; workspace_member = null; src = pkgs.fetchgit { - url = "https://github.com/stackabletech/operator-rs.git"; - rev = "7a5f0c3fbcd091340214a23f0607fcd4b4fcc152"; - sha256 = "0lj969rjbxairjglrnaq0xhabvdrq5nd6wl1i0y9pr50nhh7zvgk"; + url = "https://github.com/stackabletech//operator-rs.git"; + rev = "8eb179f9faf75afae2db8171445e84a6a54a4401"; + sha256 = "0liwh50756wajvzrbklcdcasrzczrh7xsf3q4gzq32h145x9151d"; }; libName = "stackable_shared"; authors = [ @@ -10089,9 +10093,9 @@ rec { edition = "2024"; workspace_member = null; src = pkgs.fetchgit { - url = "https://github.com/stackabletech/operator-rs.git"; - rev = "7a5f0c3fbcd091340214a23f0607fcd4b4fcc152"; - sha256 = "0lj969rjbxairjglrnaq0xhabvdrq5nd6wl1i0y9pr50nhh7zvgk"; + url = "https://github.com/stackabletech//operator-rs.git"; + rev = "8eb179f9faf75afae2db8171445e84a6a54a4401"; + sha256 = "0liwh50756wajvzrbklcdcasrzczrh7xsf3q4gzq32h145x9151d"; }; libName = "stackable_telemetry"; authors = [ 
@@ -10199,9 +10203,9 @@ rec { edition = "2024"; workspace_member = null; src = pkgs.fetchgit { - url = "https://github.com/stackabletech/operator-rs.git"; - rev = "7a5f0c3fbcd091340214a23f0607fcd4b4fcc152"; - sha256 = "0lj969rjbxairjglrnaq0xhabvdrq5nd6wl1i0y9pr50nhh7zvgk"; + url = "https://github.com/stackabletech//operator-rs.git"; + rev = "8eb179f9faf75afae2db8171445e84a6a54a4401"; + sha256 = "0liwh50756wajvzrbklcdcasrzczrh7xsf3q4gzq32h145x9151d"; }; libName = "stackable_versioned"; authors = [ @@ -10249,9 +10253,9 @@ rec { edition = "2024"; workspace_member = null; src = pkgs.fetchgit { - url = "https://github.com/stackabletech/operator-rs.git"; - rev = "7a5f0c3fbcd091340214a23f0607fcd4b4fcc152"; - sha256 = "0lj969rjbxairjglrnaq0xhabvdrq5nd6wl1i0y9pr50nhh7zvgk"; + url = "https://github.com/stackabletech//operator-rs.git"; + rev = "8eb179f9faf75afae2db8171445e84a6a54a4401"; + sha256 = "0liwh50756wajvzrbklcdcasrzczrh7xsf3q4gzq32h145x9151d"; }; procMacro = true; libName = "stackable_versioned_macros"; @@ -10317,9 +10321,9 @@ rec { edition = "2024"; workspace_member = null; src = pkgs.fetchgit { - url = "https://github.com/stackabletech/operator-rs.git"; - rev = "7a5f0c3fbcd091340214a23f0607fcd4b4fcc152"; - sha256 = "0lj969rjbxairjglrnaq0xhabvdrq5nd6wl1i0y9pr50nhh7zvgk"; + url = "https://github.com/stackabletech//operator-rs.git"; + rev = "8eb179f9faf75afae2db8171445e84a6a54a4401"; + sha256 = "0liwh50756wajvzrbklcdcasrzczrh7xsf3q4gzq32h145x9151d"; }; libName = "stackable_webhook"; authors = [ @@ -13945,9 +13949,9 @@ rec { }; "winnow" = rec { crateName = "winnow"; - version = "1.0.2"; + version = "1.0.3"; edition = "2021"; - sha256 = "1l7xnfvlgy4da6gq5ip2bgcm8i9d0rwzaxg1p88nlw8lxy5p1q9f"; + sha256 = "1wajycd3krn6h699vydjv7hm0ll5l31p899qzpk59y2is74y34h5"; dependencies = [ { name = "memchr"; diff --git a/Cargo.toml b/Cargo.toml index 91d645f1..edc11039 100644 --- a/Cargo.toml +++ b/Cargo.toml 
@@ -29,4 +29,5 @@ tracing = "0.1" uuid = "1.18" [patch."https://github.com/stackabletech/operator-rs"] -# stackable-operator = { git = "https://github.com/stackabletech//operator-rs.git", branch = "main" } +stackable-operator = { git = "https://github.com/stackabletech//operator-rs.git", branch = "feat/annotation-auto-tls-cert-subject-dn" } +# stackable-operator = { path = "../operator-rs/crates/stackable-operator" } diff --git a/crate-hashes.json b/crate-hashes.json index 86f2b840..4e0f1877 100644 --- a/crate-hashes.json +++ b/crate-hashes.json 
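Review bot: The `[patch]` entry now tracks a moving branch, `branch = "feat/annotation-auto-tls-cert-subject-dn"`, whereas the previous build resolved operator-rs to the tagged release `stackable-operator-0.111.1`; Cargo.lock and crate-hashes.json pin commit `8eb179f9faf75afae2db8171445e84a6a54a4401` today, but the next `cargo update` would silently re-resolve every stackable crate to whatever the branch head is at that moment. Before merge the patch should be dropped in favour of a released operator-rs tag, or at least pinned with `rev = "8eb179f9faf75afae2db8171445e84a6a54a4401"` while the branch is still needed. The same applies to the PR preview images `0.0.0-pr708` and `0.0.0-pr144` in tests/release.yaml, which need to go back to `0.0.0-dev` before this is released.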
@@ -1,12 +1,12 @@ { - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.111.1#k8s-version@0.1.3": "0lj969rjbxairjglrnaq0xhabvdrq5nd6wl1i0y9pr50nhh7zvgk", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.111.1#stackable-certs@0.4.0": "0lj969rjbxairjglrnaq0xhabvdrq5nd6wl1i0y9pr50nhh7zvgk", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.111.1#stackable-operator-derive@0.3.1": "0lj969rjbxairjglrnaq0xhabvdrq5nd6wl1i0y9pr50nhh7zvgk", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.111.1#stackable-operator@0.111.1": "0lj969rjbxairjglrnaq0xhabvdrq5nd6wl1i0y9pr50nhh7zvgk", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.111.1#stackable-shared@0.1.0": "0lj969rjbxairjglrnaq0xhabvdrq5nd6wl1i0y9pr50nhh7zvgk", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.111.1#stackable-telemetry@0.6.3": "0lj969rjbxairjglrnaq0xhabvdrq5nd6wl1i0y9pr50nhh7zvgk", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.111.1#stackable-versioned-macros@0.10.0": "0lj969rjbxairjglrnaq0xhabvdrq5nd6wl1i0y9pr50nhh7zvgk", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.111.1#stackable-versioned@0.10.0": "0lj969rjbxairjglrnaq0xhabvdrq5nd6wl1i0y9pr50nhh7zvgk", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.111.1#stackable-webhook@0.9.1": "0lj969rjbxairjglrnaq0xhabvdrq5nd6wl1i0y9pr50nhh7zvgk", + "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fannotation-auto-tls-cert-subject-dn#k8s-version@0.1.3": "0liwh50756wajvzrbklcdcasrzczrh7xsf3q4gzq32h145x9151d", + "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fannotation-auto-tls-cert-subject-dn#stackable-certs@0.4.0": "0liwh50756wajvzrbklcdcasrzczrh7xsf3q4gzq32h145x9151d", + 
"git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fannotation-auto-tls-cert-subject-dn#stackable-operator-derive@0.3.1": "0liwh50756wajvzrbklcdcasrzczrh7xsf3q4gzq32h145x9151d", + "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fannotation-auto-tls-cert-subject-dn#stackable-operator@0.111.1": "0liwh50756wajvzrbklcdcasrzczrh7xsf3q4gzq32h145x9151d", + "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fannotation-auto-tls-cert-subject-dn#stackable-shared@0.1.0": "0liwh50756wajvzrbklcdcasrzczrh7xsf3q4gzq32h145x9151d", + "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fannotation-auto-tls-cert-subject-dn#stackable-telemetry@0.6.3": "0liwh50756wajvzrbklcdcasrzczrh7xsf3q4gzq32h145x9151d", + "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fannotation-auto-tls-cert-subject-dn#stackable-versioned-macros@0.10.0": "0liwh50756wajvzrbklcdcasrzczrh7xsf3q4gzq32h145x9151d", + "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fannotation-auto-tls-cert-subject-dn#stackable-versioned@0.10.0": "0liwh50756wajvzrbklcdcasrzczrh7xsf3q4gzq32h145x9151d", + "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fannotation-auto-tls-cert-subject-dn#stackable-webhook@0.9.1": "0liwh50756wajvzrbklcdcasrzczrh7xsf3q4gzq32h145x9151d", "git+https://github.com/stackabletech/product-config.git?tag=0.8.0#product-config@0.8.0": "1dz70kapm2wdqcr7ndyjji0lhsl98bsq95gnb2lw487wf6yr7987" } \ No newline at end of file diff --git a/rust/operator-binary/src/controller/build/node_config.rs b/rust/operator-binary/src/controller/build/node_config.rs index 8a6805dc..b49e0836 100644 --- a/rust/operator-binary/src/controller/build/node_config.rs +++ b/rust/operator-binary/src/controller/build/node_config.rs 
@@ -1,5 +1,7 @@ //! Configuration of an OpenSearch node +use std::iter; + use serde_json::json; use stackable_operator::{ builder::pod::container::FieldPathEnvVar, commons::networking::DomainName, @@ -17,7 +19,7 @@ use crate::{ builder::pod::container::{EnvVarName, EnvVarSet}, config_overrides::JsonConfigOverrides, product_logging::framework::STACKABLE_LOG_DIR, - role_group_utils, + role_group_utils::{self, ResourceNames}, types::{kubernetes::ServiceName, operator::RoleGroupName}, }, }; @@ -203,10 +205,7 @@ impl NodeConfig { // Bind to all interfaces because the IP address is not known in advance. CONFIG_OPTION_NETWORK_HOST: "0.0.0.0", CONFIG_OPTION_DISCOVERY_TYPE: self.discovery_type(), - // Accept certificates generated by the secret-operator - CONFIG_OPTION_PLUGINS_SECURITY_NODES_DN: [ - "CN=generated certificate for pod" - ], + CONFIG_OPTION_PLUGINS_SECURITY_NODES_DN: json!(self.nodes_dn()), CONFIG_OPTION_NODE_ATTR_ROLE_GROUP: self.role_group_name, CONFIG_OPTION_PATH_LOGS: format!( "{STACKABLE_LOG_DIR}/{container}", 
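Review bot: The replacement line `CONFIG_OPTION_PLUGINS_SECURITY_NODES_DN: json!(self.nodes_dn()),` drops the comment that explained why this setting exists, and the value is a security boundary: it decides which certificate subjects OpenSearch accepts as cluster peers on the transport layer. Suggest restoring a comment such as `// Only accept transport-layer peers whose certificate subject matches one of this cluster's nodes (see nodes_dn)`. The inner `json!` also looks redundant, because a `Vec<String>` placed as a value inside the outer `json!` object goes through `to_value` anyway, so `CONFIG_OPTION_PLUGINS_SECURITY_NODES_DN: self.nodes_dn(),` should render the same YAML; worth confirming against the unit test. The enclosing method starts and ends outside the hunk.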
@@ -236,6 +235,50 @@ impl NodeConfig { config } + /// Returns the list of distinguished names (DNs) that denote the other nodes in the cluster. + /// + /// The list looks similar to: + /// - DC=local,DC=cluster,DC=svc,DC=my-namespace,DC=opensearch-nodes-cluster-manager-headless,DC=opensearch-nodes-cluster-manager-* + /// - DC=local,DC=cluster,DC=svc,DC=my-namespace,DC=opensearch-nodes-data-headless,DC=opensearch-nodes-data-* + /// - CN=generated certificate for pod + /// + /// The entry "CN=generated certificate for pod" is still added to make the transition from + /// SDP 26.3 to 26.7 possible. + fn nodes_dn(&self) -> Vec { + self.cluster + .role_group_configs + .keys() + .map(|role_group_name| { + let resource_names = ResourceNames { + cluster_name: self.cluster.name.clone(), + role_name: ValidatedCluster::role_name(), + role_group_name: role_group_name.clone(), + }; + + self.cluster_domain_name + .split('.') + .rev() + .chain([ + "svc", + self.cluster.namespace.as_ref(), + resource_names.headless_service_name().as_ref(), + &format!( + "{stateful_set_name}-*", + stateful_set_name = resource_names.stateful_set_name() + ), + ]) + .map(|component| format!("DC={component}")) + .collect::>() + .join(",") + }) + // TODO Remove "CN=generated certificate for pod" after the release of SDP 26.7 and + // adapt the comment of the function and the tests. + // + // tracked in https://github.com/stackabletech/opensearch-operator/issues/145 + .chain(iter::once("CN=generated certificate for pod".to_owned())) + .collect() + } + /// Distinguished name (DN) of the super admin certificate pub fn super_admin_dn(&self) -> String { // The common name field is limited to 64 characters, see RFC 5280. 
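Review bot: `nodes_dn` emits one DN per entry of `self.cluster.role_group_configs.keys()` in iteration order; if that map is a `HashMap`, the order of the list differs between reconciliations, which makes the rendered `opensearch.yml` unstable and can trigger spurious restarts wherever the config is hashed into pod annotations — with a `BTreeMap` this is a non-issue, but a `dns.sort()` on the collected `Vec<String>` before the legacy entry is chained would make the ordering explicit either way. The trailing `DC={stateful_set_name}-*` component relies on the security plugin's wildcard matching and presumably stands for the pod ordinal; a sentence in the doc comment saying so, and noting that the preceding headless-service component keeps the wildcard from matching other role groups that share a name prefix, would save the next reader from re-deriving it. Note also that as long as the transitional `CN=generated certificate for pod` entry stays, any certificate issued by the same CA with that subject is still accepted, so the tightening only becomes effective once #145 is done; the CHANGELOG entry could say so.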
@@ -658,6 +701,7 @@ mod tests { "path.logs: /stackable/log/opensearch\n", "plugins.security.authcz.admin_dn: CN=update-security-config.0b1e30e6-326e-4c1a-868d-ad6598b49e8b\n", "plugins.security.nodes_dn:\n", + "- DC=local,DC=cluster,DC=svc,DC=default,DC=my-opensearch-cluster-nodes-default-headless,DC=my-opensearch-cluster-nodes-default-*\n", "- CN=generated certificate for pod\n", "plugins.security.ssl.http.enabled: true\n", "plugins.security.ssl.http.pemcert_filepath: /stackable/opensearch/config/tls/server/tls.crt\n", diff --git a/rust/operator-binary/src/controller/build/role_group_builder.rs b/rust/operator-binary/src/controller/build/role_group_builder.rs index 9273ecc4..728eb289 100644 --- a/rust/operator-binary/src/controller/build/role_group_builder.rs +++ b/rust/operator-binary/src/controller/build/role_group_builder.rs @@ -1082,7 +1082,8 @@ impl<'a> RoleGroupBuilder<'a> { .with_pod_scope() .with_listener_volume_scope(ROLE_GROUP_LISTENER_VOLUME_NAME.to_string()) .with_format(SecretFormat::TlsPem) - .with_auto_tls_cert_lifetime(self.role_group_config.config.requested_secret_lifetime); + .with_auto_tls_cert_lifetime(self.role_group_config.config.requested_secret_lifetime) + .with_auto_tls_cert_domain_components_in_subject_dn(true); if self .role_group_config @@ -1121,7 +1122,8 @@ impl<'a> RoleGroupBuilder<'a> { .with_pod_scope() .with_listener_volume_scope(ROLE_GROUP_LISTENER_VOLUME_NAME.to_string()) .with_format(SecretFormat::TlsPem) - .with_auto_tls_cert_lifetime(self.role_group_config.config.requested_secret_lifetime); + .with_auto_tls_cert_lifetime(self.role_group_config.config.requested_secret_lifetime) + .with_auto_tls_cert_domain_components_in_subject_dn(true); if self.role_group_config.config.discovery_service_exposed { volume_source_builder 
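Review bot: The updated expectation covers a single role group (`default`), the `default` namespace and the `cluster.local` domain, so neither the reversed-domain construction for a custom multi-label cluster domain nor the multi-entry list that the `nodes_dn` doc comment advertises is exercised. Suggest a fixture with two role groups and a cluster domain such as `k8s.example.internal` (constructed value), asserting the resulting `- DC=internal,DC=example,DC=k8s,...` lines including their order. The test function starts outside the hunk.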
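Review bot: `.with_auto_tls_cert_domain_components_in_subject_dn(true)` (here and in the sibling hunk at old line 1121) makes the operator depend on a secret-operator that implements the `secrets.stackable.tech/backend.autotls.cert.domain-components-in-subject-dn` annotation, which tests/release.yaml satisfies only with the preview build `0.0.0-pr708`. A secret-operator that does not know the annotation presumably ignores it and keeps issuing the generic subject, in which case nodes still join only because of the transitional `CN=generated certificate for pod` entry — and would stop joining once that entry is removed. The minimum secret-operator version should therefore be stated in the CHANGELOG entry and the operator docs, and ideally at the call site, e.g. `// Requires a secret-operator that supports domain components in the subject DN; see CHANGELOG`. The enclosing builder method starts and ends outside the hunk.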
@@ -2548,6 +2550,7 @@ mod tests { "metadata": { "annotations": { "secrets.stackable.tech/backend.autotls.cert.lifetime": "1d", + "secrets.stackable.tech/backend.autotls.cert.domain-components-in-subject-dn": "true", "secrets.stackable.tech/class": "tls", "secrets.stackable.tech/format": "tls-pem", "secrets.stackable.tech/provision-parts": "public-private", @@ -2575,6 +2578,7 @@ mod tests { "metadata": { "annotations": { "secrets.stackable.tech/backend.autotls.cert.lifetime": "1d", + "secrets.stackable.tech/backend.autotls.cert.domain-components-in-subject-dn": "true", "secrets.stackable.tech/class": "tls", "secrets.stackable.tech/format": "tls-pem", "secrets.stackable.tech/provision-parts": "public-private", @@ -2760,6 +2764,7 @@ mod tests { "metadata": { "annotations": { "secrets.stackable.tech/backend.autotls.cert.lifetime": "1d", + "secrets.stackable.tech/backend.autotls.cert.domain-components-in-subject-dn": "true", "secrets.stackable.tech/class": "tls", "secrets.stackable.tech/format": "tls-pem", "secrets.stackable.tech/provision-parts": "public-private", @@ -2787,6 +2792,7 @@ mod tests { "metadata": { "annotations": { "secrets.stackable.tech/backend.autotls.cert.lifetime": "1d", + "secrets.stackable.tech/backend.autotls.cert.domain-components-in-subject-dn": "true", "secrets.stackable.tech/class": "tls", "secrets.stackable.tech/format": "tls-pem", "secrets.stackable.tech/provision-parts": "public-private", @@ -2984,6 +2990,7 @@ mod tests { "metadata": { "annotations": { "secrets.stackable.tech/backend.autotls.cert.lifetime": "1d", + "secrets.stackable.tech/backend.autotls.cert.domain-components-in-subject-dn": "true", "secrets.stackable.tech/class": "tls", "secrets.stackable.tech/format": "tls-pem", "secrets.stackable.tech/provision-parts": "public-private", 
@@ -3011,6 +3018,7 @@ mod tests { "metadata": { "annotations": { "secrets.stackable.tech/backend.autotls.cert.lifetime": "1d", + "secrets.stackable.tech/backend.autotls.cert.domain-components-in-subject-dn": "true", "secrets.stackable.tech/class": "tls", "secrets.stackable.tech/format": "tls-pem", "secrets.stackable.tech/provision-parts": "public-private", diff --git a/tests/release.yaml b/tests/release.yaml index c877cd40..ba3bc675 100644 --- a/tests/release.yaml +++ b/tests/release.yaml @@ -9,8 +9,8 @@ releases: commons: operatorVersion: 0.0.0-dev secret: - operatorVersion: 0.0.0-dev + operatorVersion: 0.0.0-pr708 listener: operatorVersion: 0.0.0-dev opensearch: - operatorVersion: 0.0.0-dev + operatorVersion: 0.0.0-pr144 diff --git a/tests/templates/kuttl/smoke/10-assert.yaml.j2 b/tests/templates/kuttl/smoke/10-assert.yaml.j2 index 74bbb0d3..fe2dc73e 100644 --- a/tests/templates/kuttl/smoke/10-assert.yaml.j2 +++ b/tests/templates/kuttl/smoke/10-assert.yaml.j2 
@@ -1048,29 +1048,36 @@ metadata: kind: OpenSearchCluster name: opensearch data: - opensearch.yml: | - cluster.name: opensearch - cluster.routing.allocation.disk.threshold_enabled: false - discovery.type: zen - network.host: 0.0.0.0 - node.attr.role-group: cluster-manager - node.store.allow_mmap: false - path.logs: /stackable/log/opensearch - plugins.security.allow_default_init_securityindex: true - plugins.security.nodes_dn: - - CN=generated certificate for pod -{% if test_scenario['values']['server-use-tls'] == 'true' %} - plugins.security.ssl.http.enabled: true - plugins.security.ssl.http.pemcert_filepath: {{ test_scenario['values']['opensearch_home'] }}/config/tls/server/tls.crt - plugins.security.ssl.http.pemkey_filepath: {{ test_scenario['values']['opensearch_home'] }}/config/tls/server/tls.key - plugins.security.ssl.http.pemtrustedcas_filepath: {{ test_scenario['values']['opensearch_home'] }}/config/tls/server/ca.crt -{% else %} - plugins.security.ssl.http.enabled: false -{% endif %} - plugins.security.ssl.transport.enabled: true - plugins.security.ssl.transport.pemcert_filepath: {{ test_scenario['values']['opensearch_home'] }}/config/tls/internal/tls.crt - plugins.security.ssl.transport.pemkey_filepath: {{ test_scenario['values']['opensearch_home'] }}/config/tls/internal/tls.key - plugins.security.ssl.transport.pemtrustedcas_filepath: {{ test_scenario['values']['opensearch_home'] }}/config/tls/internal/ca.crt + log4j2.properties: | +{% raw %} + rootLogger.level = INFO + rootLogger.appenderRef.CONSOLE.ref = CONSOLE + rootLogger.appenderRef.FILE.ref = FILE + appender.CONSOLE.type = Console + appender.CONSOLE.name = CONSOLE + appender.CONSOLE.target = SYSTEM_ERR + appender.CONSOLE.layout.type = PatternLayout + appender.CONSOLE.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] [%node_name]%marker %m%n + appender.CONSOLE.filter.threshold.type = ThresholdFilter + appender.CONSOLE.filter.threshold.level = INFO + appender.FILE.type = RollingFile + appender.FILE.name 
= FILE + appender.FILE.fileName = /stackable/log/opensearch/opensearch_server.json + appender.FILE.filePattern = /stackable/log/opensearch/opensearch_server.json.%i + appender.FILE.layout.type = OpenSearchJsonLayout + appender.FILE.layout.type_name = server + appender.FILE.policies.type = Policies + appender.FILE.policies.size.type = SizeBasedTriggeringPolicy + appender.FILE.policies.size.size = 5MB + appender.FILE.strategy.type = DefaultRolloverStrategy + appender.FILE.strategy.max = 1 + appender.FILE.filter.threshold.type = ThresholdFilter + appender.FILE.filter.threshold.level = INFO +{% endraw %} + # opensearch.yml: | + # The property "plugins.security.nodes_dn" in opensearch.yml contains the namespace and cluster + # domain. Since these cannot be substituted here, opensearch.yml is omitted in this assertion. + # This is okay, because the configuration file is already covered by the unit tests. --- apiVersion: v1 kind: ConfigMap 
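Review bot: Replacing the `opensearch.yml` assertion with the `log4j2.properties` one (here and in the second hunk of this file, ending at `kind: Service`) removes the smoke test's only end-to-end check that the deployed config enables transport TLS and points at the expected certificate paths, not just the `nodes_dn` list that became namespace-dependent. The inline comment argues the unit tests cover it, but those assert the operator's rendering, not what actually lands in the ConfigMap in a running cluster; a kuttl `TestStep` with a `script` that reads it via `kubectl get cm <configmap-name> -n $NAMESPACE -o jsonpath='{.data.opensearch\.yml}'` and greps for `plugins.security.ssl.transport.enabled: true` and a `- DC=` entry would keep that coverage without substituting the namespace into an assert file. The `# opensearch.yml: |` comment lines could then point to that step instead of the unit tests.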
@@ -1090,29 +1097,36 @@ metadata: kind: OpenSearchCluster name: opensearch data: - opensearch.yml: | - cluster.name: opensearch - cluster.routing.allocation.disk.threshold_enabled: false - discovery.type: zen - network.host: 0.0.0.0 - node.attr.role-group: data - node.store.allow_mmap: false - path.logs: /stackable/log/opensearch - plugins.security.allow_default_init_securityindex: true - plugins.security.nodes_dn: - - CN=generated certificate for pod -{% if test_scenario['values']['server-use-tls'] == 'true' %} - plugins.security.ssl.http.enabled: true - plugins.security.ssl.http.pemcert_filepath: {{ test_scenario['values']['opensearch_home'] }}/config/tls/server/tls.crt - plugins.security.ssl.http.pemkey_filepath: {{ test_scenario['values']['opensearch_home'] }}/config/tls/server/tls.key - plugins.security.ssl.http.pemtrustedcas_filepath: {{ test_scenario['values']['opensearch_home'] }}/config/tls/server/ca.crt -{% else %} - plugins.security.ssl.http.enabled: false -{% endif %} - plugins.security.ssl.transport.enabled: true - plugins.security.ssl.transport.pemcert_filepath: {{ test_scenario['values']['opensearch_home'] }}/config/tls/internal/tls.crt - plugins.security.ssl.transport.pemkey_filepath: {{ test_scenario['values']['opensearch_home'] }}/config/tls/internal/tls.key - plugins.security.ssl.transport.pemtrustedcas_filepath: {{ test_scenario['values']['opensearch_home'] }}/config/tls/internal/ca.crt + log4j2.properties: | +{% raw %} + rootLogger.level = INFO + rootLogger.appenderRef.CONSOLE.ref = CONSOLE + rootLogger.appenderRef.FILE.ref = FILE + appender.CONSOLE.type = Console + appender.CONSOLE.name = CONSOLE + appender.CONSOLE.target = SYSTEM_ERR + appender.CONSOLE.layout.type = PatternLayout + appender.CONSOLE.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] [%node_name]%marker %m%n + appender.CONSOLE.filter.threshold.type = ThresholdFilter + appender.CONSOLE.filter.threshold.level = INFO + appender.FILE.type = RollingFile + appender.FILE.name = FILE + 
appender.FILE.fileName = /stackable/log/opensearch/opensearch_server.json + appender.FILE.filePattern = /stackable/log/opensearch/opensearch_server.json.%i + appender.FILE.layout.type = OpenSearchJsonLayout + appender.FILE.layout.type_name = server + appender.FILE.policies.type = Policies + appender.FILE.policies.size.type = SizeBasedTriggeringPolicy + appender.FILE.policies.size.size = 5MB + appender.FILE.strategy.type = DefaultRolloverStrategy + appender.FILE.strategy.max = 1 + appender.FILE.filter.threshold.type = ThresholdFilter + appender.FILE.filter.threshold.level = INFO +{% endraw %} + # opensearch.yml: | + # The property "plugins.security.nodes_dn" in opensearch.yml contains the namespace and cluster + # domain. Since these cannot be substituted here, opensearch.yml is omitted in this assertion. + # This is okay, because the configuration file is already covered by the unit tests. --- apiVersion: v1 kind: Service