Home
The following manifest sets up a single-node cluster that uses the default (demo) TLS certificates — not suitable for production — and listens on all network interfaces (`0.0.0.0`), so anyone who can reach the host can talk to it with the demo credentials:
# Minimal single-node setup. network.host => 0.0.0.0 binds the REST (9200) and
# transport listeners on every interface, so the demo certificates and demo
# passwords become reachable from the network. Keep this on a trusted network
# (or bind to a specific address) until the defaults have been replaced.
class { 'opensearch':
  settings => {
    'network.host' => '0.0.0.0',
  },
}
# Dashboards front end for the single-node demo, talking to the local node over
# HTTPS. Every value below is a demo setting; see the per-key comments.
class { 'opensearch_dashboards':
  settings => {
    # Listens on every interface; restrict the address or front it with a
    # reverse proxy / firewall if the host is reachable from untrusted networks.
    'server.host' => '0.0.0.0',
    'opensearch.hosts' => [
      'https://localhost:9200',
    ],
    # 'none' skips validation of the node's TLS certificate, so the link is
    # encrypted but not authenticated. Acceptable only because the node is on
    # localhost with demo certificates; with real certificates ship the CA
    # and switch to 'full'.
    'opensearch.ssl.verificationMode' => 'none',
    # Password equals the username and matches the stock demo configuration;
    # change it on bootstrap (see the warning below) and keep the real value
    # out of a public manifest (e.g. Hiera eyaml / Sensitive).
    'opensearch.username' => 'kibanaserver',
    'opensearch.password' => 'kibanaserver',
  },
}
Warning
- You should change all passwords (every account you can set in `security_internal_users`, including `kibanaserver` used by Dashboards above), not just the admin one 😉
- This change only takes effect when OpenSearch bootstraps its security configuration: once OpenSearch has started for the first time, changing these hashes in the manifest is a no-op, and passwords must be rotated with OpenSearch's own security tooling or API instead.
# Override the bootstrap password hash of the built-in admin account.
# Applied only on first start (see the warning above).
class { 'opensearch':
  security_internal_users => {
    admin => {
      # To generate a password hash, run:
      # OPENSEARCH_JAVA_HOME=/usr/share/opensearch/jdk /usr/share/opensearch/plugins/opensearch-security/tools/hash.sh
      # The bcrypt hash below is a published example — never reuse it. Generate
      # your own, and consider sourcing it from Hiera so the value stays out of
      # the manifest and its history.
      hash => '$2y$12$R4uAHHD75XGzoLHQYZgnYO1wAJ8XPCVAzgfpiD18tMiMasMEJrwcO',
    },
  }
}
Set up the example cluster from the Creating a cluster page of the OpenSearch documentation. This setup requires you to provide a certificate and private key for each node, signed by a common CA. This example assumes they are provided by an osdata module as file resources; only the CA certificate needs to reach the nodes — keep the CA private key where you sign certificates, not on the cluster. You can refer to the Generating self-signed certificates page to generate these files.
Note
This can be cleaned a bit, I (@smortex) dump this here in order to have this at hand as a starter, but feel free to edit this page to improve this 😉 !
# Name-to-address entries for the example cluster so that the node names used
# in node.name, discovery.seed_hosts, nodes_dn and opensearch.hosts resolve
# without DNS. The names here must stay in sync with those settings.
$cluster_hosts = {
  'opensearch-cluster-manager' => '10.20.1.2',
  'opensearch-d1'              => '10.20.1.3',
  'opensearch-d2'              => '10.20.1.4',
  'opensearch-c1'              => '10.20.1.5',
  'opensearch-dashboards'      => '10.20.1.10',
}

$cluster_hosts.each |String $entry_name, String $entry_ip| {
  host { $entry_name:
    ip => $entry_ip,
  }
}
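# Settings and TLS material shared by every OpenSearch node in the example
# cluster. Expects an `osdata` module to serve the CA certificate plus one
# certificate / PKCS#8 private key per node, named after the node's hostname
# fact (see the Generating self-signed certificates page).
class os {
  # CA certificate: the trust anchor for transport and HTTP TLS
  # (pemtrustedcas_filepath below). Only the certificate is needed on a node.
  # The CA *private key* (osdata/ca-key.pem) is deliberately no longer copied
  # here: nothing in $config reads it, and a CA key on every node would let a
  # single compromised node mint certificates the whole cluster trusts.
  file { '/etc/opensearch/root-ca.pem':
    source  => 'puppet:///modules/osdata/ca.pem',
    require => Package['opensearch'],
    notify  => Service['opensearch'],
  }

  # This node's certificate (public; also presented to REST clients on 9200).
  file { "/etc/opensearch/${facts['networking']['hostname']}.pem":
    source  => "puppet:///modules/osdata/opensearch-${facts['networking']['hostname']}.pem",
    require => Package['opensearch'],
    notify  => Service['opensearch'],
  }

  # This node's private key. No owner/group/mode is given, so Puppet creates
  # the file with its default permissions. NOTE(review): restrict it to the
  # service account (owner + mode 0600/0640) once the user the package runs as
  # is confirmed.
  file { "/etc/opensearch/${facts['networking']['hostname']}-key.pem":
    source  => "puppet:///modules/osdata/opensearch-${facts['networking']['hostname']}-key.pkcs8.pem",
    require => Package['opensearch'],
    notify  => Service['opensearch'],
  }

  # Merged into each node's own settings by the node definitions
  # (settings => { ... } + $os::config). Paths are relative to /etc/opensearch.
  $config = {
    'cluster.name' => 'opensearch-cluster',

    # Transport (node-to-node) TLS using this node's certificate and key.
    'plugins.security.ssl.transport.pemcert_filepath' => "${facts['networking']['hostname']}.pem",
    'plugins.security.ssl.transport.pemkey_filepath' => "${facts['networking']['hostname']}-key.pem",
    'plugins.security.ssl.transport.pemtrustedcas_filepath' => 'root-ca.pem',
    # With hostname verification off, any certificate signed by root-ca.pem is
    # accepted on the transport layer whichever host presents it; the nodes_dn
    # allowlist below is then the only check that a peer is a cluster node.
    # Turn this on once the node certificates carry matching hostnames/SANs.
    'plugins.security.ssl.transport.enforce_hostname_verification' => false,

    # REST (9200) TLS with the same material.
    'plugins.security.ssl.http.enabled' => true,
    'plugins.security.ssl.http.pemcert_filepath' => "${facts['networking']['hostname']}.pem",
    'plugins.security.ssl.http.pemkey_filepath' => "${facts['networking']['hostname']}-key.pem",
    'plugins.security.ssl.http.pemtrustedcas_filepath' => 'root-ca.pem',

    # Initialise the security index from the on-disk security configuration
    # at first start. This is why password hashes set through the module are
    # bootstrap-only (see the warning earlier on this page).
    'plugins.security.allow_default_init_securityindex' => true,
    # Client-certificate DN(s) granted full admin rights (e.g. for
    # securityadmin). 'CN=romain' is an example value — replace it with the DN
    # of your own admin certificate, and treat that key as a root credential.
    'plugins.security.authcz.admin_dn' => [
      'CN=romain',
    ],
    # Certificate DNs recognised as cluster nodes on the transport layer; must
    # match the subject of each node certificate shipped above.
    'plugins.security.nodes_dn' => [
      'CN=opensearch-cluster-manager',
      'CN=opensearch-d1',
      'CN=opensearch-d2',
      'CN=opensearch-c1',
    ],
    # Security audit log stored in the cluster itself.
    'plugins.security.audit.type' => 'internal_opensearch',
    # Boolean, consistent with the other flags in this hash (was the string 'true').
    'plugins.security.enable_snapshot_restore_privilege' => true,
    # Roles allowed to use the security REST API. all_access is very broad;
    # prefer granting only security_rest_api_access to dedicated accounts.
    'plugins.security.restapi.roles_enabled' => [
      'all_access',
      'security_rest_api_access',
    ],
    # Lab convenience so small VMs are not blocked by disk watermarks; do not
    # carry this into production.
    'cluster.routing.allocation.disk.threshold_enabled' => false,
    # NOTE(review): these two keys use the legacy opendistro_security.* prefix
    # while every other key uses plugins.security.*. Confirm the installed
    # version still honours the legacy names; if not, these are ignored and the
    # audit categories silently stay at their defaults.
    'opendistro_security.audit.config.disabled_rest_categories' => 'NONE',
    'opendistro_security.audit.config.disabled_transport_categories' => 'NONE',
  }
}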
# Dedicated cluster-manager node: no data/ingest roles, and the only node named
# in cluster.initial_cluster_manager_nodes, so it bootstraps the cluster.
# Assumes this host's hostname fact is 'cluster-manager' so that the os class
# picks up opensearch-cluster-manager.pem — confirm when generating certificates.
node 'cluster-manager' {
  include os

  # Node-specific keys; shared TLS/security keys come from os::config.
  $node_settings = {
    'cluster.initial_cluster_manager_nodes' => 'opensearch-cluster-manager',
    # Listen on this node's cluster address rather than 0.0.0.0.
    'network.host'                          => '10.20.1.2',
    'node.name'                             => 'opensearch-cluster-manager',
    'node.roles'                            => ['cluster_manager'],
    # Peers to contact for discovery (every other node in the example).
    'discovery.seed_hosts'                  => ['opensearch-d1', 'opensearch-d2', 'opensearch-c1'],
  }

  class { 'opensearch':
    settings => $node_settings + $os::config,
  }
}
# First data/ingest node. Assumes this host's hostname fact is 'd1' so that the
# os class picks up opensearch-d1.pem — confirm when generating certificates.
node 'd1' {
  include os

  # Node-specific keys; shared TLS/security keys come from os::config.
  $node_settings = {
    # Listen on this node's cluster address rather than 0.0.0.0.
    'network.host'         => '10.20.1.3',
    'node.name'            => 'opensearch-d1',
    'node.roles'           => ['data', 'ingest'],
    # Peers to contact for discovery (every other node in the example).
    'discovery.seed_hosts' => ['opensearch-cluster-manager', 'opensearch-d2', 'opensearch-c1'],
  }

  class { 'opensearch':
    settings => $node_settings + $os::config,
  }
}
# Second data/ingest node. Assumes this host's hostname fact is 'd2' so that the
# os class picks up opensearch-d2.pem — confirm when generating certificates.
node 'd2' {
  include os

  # Node-specific keys; shared TLS/security keys come from os::config.
  $node_settings = {
    # Listen on this node's cluster address rather than 0.0.0.0.
    'network.host'         => '10.20.1.4',
    'node.name'            => 'opensearch-d2',
    'node.roles'           => ['data', 'ingest'],
    # Peers to contact for discovery (every other node in the example).
    'discovery.seed_hosts' => ['opensearch-cluster-manager', 'opensearch-d1', 'opensearch-c1'],
  }

  class { 'opensearch':
    settings => $node_settings + $os::config,
  }
}
# Coordinating-only node: an empty node.roles list means it holds no data and
# takes no cluster-manager duties, it only routes requests. Assumes this host's
# hostname fact is 'c1' so that the os class picks up opensearch-c1.pem.
node 'c1' {
  include os

  # Node-specific keys; shared TLS/security keys come from os::config.
  $node_settings = {
    # Listen on this node's cluster address rather than 0.0.0.0.
    'network.host'         => '10.20.1.5',
    'node.name'            => 'opensearch-c1',
    'node.roles'           => [],
    # Peers to contact for discovery (every other node in the example).
    'discovery.seed_hosts' => ['opensearch-cluster-manager', 'opensearch-d1', 'opensearch-d2'],
  }

  class { 'opensearch':
    settings => $node_settings + $os::config,
  }
}
# OpenSearch Dashboards front end for the example cluster. Note that this node
# does not include os, so it has no copy of root-ca.pem to validate the cluster
# certificate with — which is why verificationMode is 'none' below.
node 'dashboard' {
  class { 'opensearch_dashboards':
    settings => {
      # Listens on every interface; restrict the address or front it with a
      # reverse proxy / firewall if the host is reachable from untrusted networks.
      'server.host' => '0.0.0.0',
      # Single entry point into the cluster (resolved via the host entries above).
      'opensearch.hosts' => [
        'https://opensearch-cluster-manager:9200',
      ],
      # 'none' skips validation of the cluster's TLS certificate, so this link
      # is encrypted but not authenticated (open to an on-path attacker). The
      # nodes use CA-signed certificates from the os class, so ship root-ca.pem
      # here too, point opensearch.ssl.certificateAuthorities at it and switch
      # this to 'full'.
      'opensearch.ssl.verificationMode' => 'none',
      # Password equals the username and matches the stock demo configuration;
      # change it on bootstrap via security_internal_users (see the warning
      # above) and keep the real value out of a public manifest (Hiera eyaml /
      # Sensitive).
      'opensearch.username' => 'kibanaserver',
      'opensearch.password' => 'kibanaserver',
    },
  }
}