feat: unify ElasticSearch and OpenSearch configuration

Changes:
- set the same cluster and service name
- unify tutor plugin configuration variables

README.md

@@ -208,7 +208,7 @@ To enable set `elasticsearch.enabled=true` in your `values.yaml` and deploy the
 For each instance you would like to enable this on, set the configuration values in the respective `config.yml`:
 
 ```yaml
-K8S_HARMONY_ENABLE_SHARED_ELASTICSEARCH: true
+K8S_HARMONY_ENABLE_SHARED_HARMONY_SEARCH: true
 RUN_ELASTICSEARCH: false
 ```
 

harmony-chart/templates/elasticsearch/secrets.yaml

@@ -1,6 +1,6 @@
 ---
 {{- $ca := genCA "elasticca" 1825 }}
-{{- $cert := genSignedCert "elasticsearch-master.{{ Release.Namespace }}.local" nil (list "elasticsearch-master.{{ Release.Namespace }}.local") 1825 $ca }}
+{{- $cert := genSignedCert "harmony-search-cluster-master.{{ Release.Namespace }}.local" nil (list "harmony-search-cluster-master.{{ Release.Namespace }}.local") 1825 $ca }}
 apiVersion: v1
 kind: Secret
 metadata:

harmony-chart/templates/opensearch/secrets.yaml

@@ -1,6 +1,6 @@
 ---
 {{- $ca := genCA "opensearchca" 1825 }}
-{{- $cert := genSignedCert "opensearch-master.{{ Release.Namespace }}.local" nil (list "opensearch-master.{{ Release.Namespace }}.local") 1825 $ca }}
+{{- $cert := genSignedCert "opensearch-master.harmony.local" nil (list "opensearch-master.harmony.local") 1825 $ca }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -10,3 +10,14 @@ data:
   "ca.crt": {{ $ca.Cert | b64enc | toYaml | indent 4}}
   "tls.key": {{ $cert.Key | b64enc | toYaml | indent 4}}
   "tls.crt": {{ print $cert.Cert $ca.Cert | b64enc | toYaml | indent 4}}
+---
+{{- $password := randAlphaNum 32 }}
+{{- $password_bcrypt := $password | bcrypt }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: opensearch-credentials
+type: Opaque
+data:
+  harmony_password: {{ $password | b64enc | quote }}
+  internal_users.yml: {{ printf "---\n_meta:\n  type: \"internalusers\"\n  config_version: 2\n\nharmony:\n  hash: \"%s\"\n  reserved: true\n  backend_roles:\n    - \"admin\"\n  description: \"Harmony admin user\"\n" $password_bcrypt | b64enc | quote }}

harmony-chart/values.yaml

@@ -18,16 +18,18 @@ cert-manager:
 elasticsearch:
   enabled: false
 
+  clusterName: "harmony-search-cluster"
+
   # Operators will need to add/update the following setting in each
   # of their instances by running the commands:
   # ```
-  # tutor config save --set K8S_HARMONY_ENABLE_SHARED_ELASTICSEARCH=true --set RUN_ELASTICSEARCH=false
+  # tutor config save --set K8S_HARMONY_ENABLE_SHARED_HARMONY_SEARCH=true --set RUN_ELASTICSEARCH=false
   # tutor harmony create-elasticsearch-user
   # ```
   # RUN_ELASTICSEARCH: false
-  # ELASTICSEARCH_PREFIX_INDEX: "username-"
-  # K8S_HARMONY_USE_SHARED_ELASTICSEARCH: true
-  # ELASTICSEARCH_AUTH: "username:actual_password"
+  # HARMONY_SEARCH_INDEX_PREFIX: "username-"
+  # K8S_HARMONY_ENABLE_SHARED_HARMONY_SEARCH: true
+  # HARMONY_SEARCH_HTTP_AUTH: "username:actual_password"
 
   # We will create the relevant certs, because they need to shared
   # with pods in other namespaces.
@@ -52,6 +54,7 @@ elasticsearch:
 
   esConfig:
     "elasticsearch.yml": |
+      cluster.name: harmony-search-cluster
       xpack.security.enabled: true
       xpack.security.http.ssl.enabled: true
       xpack.security.http.ssl.key: /usr/share/elasticsearch/config/certs/tls.key
@@ -82,75 +85,100 @@ vpa:
 # Multi-tenant OpenSearch
 opensearch:
   enabled: false
+  clusterName: "harmony-search-cluster"
+  masterService: "harmony-search-cluster"
 
   # Operators will need to add/update the following setting in each
   # of their instances by running the commands:
   # ```
-  # tutor config save --set K8S_HARMONY_ENABLE_SHARED_OPENSEARCH=true --set RUN_ELASTICSEARCH=false
+  # tutor config save --set K8S_HARMONY_ENABLE_SHARED_HARMONY_SEARCH=true --set RUN_ELASTICSEARCH=false
   # tutor harmony create-opensearch-user
   # ```
   # RUN_ELASTICSEARCH: false
-  # ELASTICSEARCH_PREFIX_INDEX: "username-"
+  # HARMONY_SEARCH_INDEX_PREFIX: "username-"
   # K8S_HARMONY_USE_SHARED_OPENSEARCH: true
-  # ELASTICSEARCH_AUTH: "username:actual_password"
-
-# Allows you to add any config files in {{ .Values.opensearchHome }}/config
-opensearchHome: /usr/share/opensearch
-# such as opensearch.yml and log4j2.properties
-config:
-  opensearch.yml: |
-    cluster.name: opensearch-cluster
-    network.host: 0.0.0.0
-    plugins:
-      security:
-        ssl:
-          transport:
-            pemcert_filepath: certs/tls.crt
-            pemkey_filepath: certs/tls.key
-            pemtrustedcas_filepath: certs/ca.crt
-            enforce_hostname_verification: false
-          http:
-            enabled: true
-            pemcert_filepath: certs/tls.crt
-            pemkey_filepath: certs/tls.key
-            pemtrustedcas_filepath: certs/ca.crt
-        allow_unsafe_democertificates: false
-        allow_default_init_securityindex: true
-        audit.type: internal_opensearch
-        enable_snapshot_restore_privilege: true
-        check_snapshot_restore_write_privileges: true
-        restapi:
-          roles_enabled: ["all_access", "security_rest_api_access"]
-        system_indices:
-          enabled: true
-          indices:
-            [
-              ".opendistro-alerting-config",
-              ".opendistro-alerting-alert*",
-              ".opendistro-anomaly-results*",
-              ".opendistro-anomaly-detector*",
-              ".opendistro-anomaly-checkpoints",
-              ".opendistro-anomaly-detection-state",
-              ".opendistro-reports-*",
-              ".opendistro-notifications-*",
-              ".opendistro-notebooks",
-              ".opendistro-asynchronous-search-response*",
-            ]
+  # HARMONY_SEARCH_HTTP_AUTH: "username:actual_password"
+
 
   # # This secret will contain the ssl certificates.
   secretMounts:
-    - name: openseach-certificates
-      secretName: openseach-certificates
+    - name: opensearch-certificates
+      secretName: opensearch-certificates
       path: /usr/share/opensearch/config/certs
       defaultMode: 0777
 
   resources:
     requests:
-      cpu: "100m"
-      memory: "512Mi"
-    limits:
-      cpu: "500m"
-      memory: "700Mi"
+      cpu: "1000m"
+      memory: "100Mi"
 
   persistence:
     size: 30Gi
+
+  # Set vm.max_map_count
+  # Default value is 262144
+  sysctlInit:
+    enabled: true
+
+  extraEnvs:
+    - name: DISABLE_INSTALL_DEMO_CONFIG
+      value: "true"
+    - name: HARMONY_PASSWORD
+      valueFrom:
+        secretKeyRef:
+          name: opensearch-credentials
+          key: harmony_password
+
+  # Allows you to add any config files in {{ .Values.opensearchHome }}/config
+  opensearchHome: /usr/share/opensearch
+  # such as opensearch.yml and log4j2.properties
+
+  securityConfig:
+    enabled: true
+    internalUsersSecret: opensearch-credentials
+
+  config:
+    opensearch.yml: |
+      cluster.name: harmony-search-cluster
+      network.host: 0.0.0.0
+      plugins:
+        security:
+          ssl:
+            transport:
+              enabled: true
+              pemcert_filepath: certs/tls.crt
+              pemkey_filepath: certs/tls.key
+              pemtrustedcas_filepath: certs/ca.crt
+              enforce_hostname_verification: false
+            http:
+              enabled: true
+              pemcert_filepath: certs/tls.crt
+              pemkey_filepath: certs/tls.key
+              pemtrustedcas_filepath: certs/ca.crt
+          authcz:
+            admin_dn:
+              - CN=opensearch-master.harmony.local
+          nodes_dn:
+            - CN=opensearch-master.harmony.local
+          allow_unsafe_democertificates: false
+          allow_default_init_securityindex: true
+          audit.type: internal_opensearch
+          enable_snapshot_restore_privilege: true
+          check_snapshot_restore_write_privileges: true
+          restapi:
+            roles_enabled: ["all_access", "security_rest_api_access"]
+          system_indices:
+            enabled: true
+            indices:
+              [
+                ".opendistro-alerting-config",
+                ".opendistro-alerting-alert*",
+                ".opendistro-anomaly-results*",
+                ".opendistro-anomaly-detector*",
+                ".opendistro-anomaly-checkpoints",
+                ".opendistro-anomaly-detection-state",
+                ".opendistro-reports-*",
+                ".opendistro-notifications-*",
+                ".opendistro-notebooks",
+                ".opendistro-asynchronous-search-response*",
+              ]

tutor-contrib-harmony-plugin/tutor_k8s_harmony_plugin/commands.py

@@ -4,8 +4,8 @@
 from tutor import config as tutor_config
 from tutor import env as tutor_env
 from tutor.commands.k8s import K8sContext, kubectl_exec
-from .elasticsearch import ElasticSearchAPI
-from .opensearch import OpenSearchAPI
+from .harmony_search.elasticsearch import ElasticSearchAPI
+from .harmony_search.opensearch import OpenSearchAPI
 
 @click.group(help="Commands and subcommands of the openedx-k8s-harmony.")
 @click.pass_context
@@ -22,10 +22,10 @@ def create_elasticsearch_user(context: click.Context):
     config = tutor_config.load(context.root)
     namespace = config["K8S_HARMONY_NAMESPACE"]
     api = ElasticSearchAPI(namespace)
-    username, password = config["ELASTICSEARCH_HTTP_AUTH"].split(":", 1)
+    username, password = config["HARMONY_SEARCH_HTTP_AUTH"].split(":", 1)
     role_name = f"{username}_role"
 
-    prefix = config["ELASTICSEARCH_INDEX_PREFIX"]
+    prefix = config["HARMONY_SEARCH_INDEX_PREFIX"]
     api.post(
         f"_security/role/{role_name}",
         {"indices": [{"names": [f"{prefix}*"], "privileges": ["all"]}]},
@@ -50,10 +50,10 @@ def create_opensearch_user(context: click.Context):
     config = tutor_config.load(context.root)
     namespace = config["K8S_HARMONY_NAMESPACE"]
     api = OpenSearchAPI(namespace)
-    username, password = config["OPENSEARCH_HTTP_AUTH"].split(":", 1)
+    username, password = config["HARMONY_SEARCH_HTTP_AUTH"].split(":", 1)
     role_name = f"{username}_role"
 
-    prefix = config["OPENSEARCH_INDEX_PREFIX"]
+    prefix = config["HARMONY_SEARCH_INDEX_PREFIX"]
     api.put(
         f"_plugins/_security/api/roles/{role_name}",
         {"index_permissions": [{

tutor-contrib-harmony-plugin/tutor_k8s_harmony_plugin/elasticsearch.py → tutor-contrib-harmony-plugin/tutor_k8s_harmony_plugin/harmony_search/base.py

@@ -4,9 +4,9 @@
 from tutor import utils
 
 
-class ElasticSearchAPI:
+class BaseSearchAPI:
     """
-    Helper class to interact with the ElasticSearch
+    Helper class to interact with the HarmonySearch
     API on the deployed cluster.
     """
 
@@ -18,18 +18,19 @@ def __init__(self, namespace):
             "--tty",
             "--namespace",
             namespace,
-            "elasticsearch-master-0",
+            "harmony-search-cluster-master-0",
             "--",
             "bash",
             "-c",
         ]
-        self._curl_base = ["curl", "--insecure", "-u", "elastic:${ELASTIC_PASSWORD}"]
+        # Must be specified by subclasses
+        self._curl_base = None
 
     def run_command(self, curl_options) -> typing.Union[dict, bytes]:
         """
-        Invokes a curl command on the first Elasticsearch pod.
+        Invokes a curl command on the first HarmonySearch pod.
 
-        If possible returns the parsed json from the Elasticsearch response.
+        If possible returns the parsed json from the HarmonySearch response.
         Otherwise, the raw bytes from the curl command are returned.
         """
         response = utils.check_output(
@@ -42,20 +43,20 @@ def run_command(self, curl_options) -> typing.Union[dict, bytes]:
 
     def get(self, endpoint):
         """
-        Runs a GET request on the Elasticsearch cluster with the specified
+        Runs a GET request on the HarmonySearch cluster with the specified
         endpoint.
 
-        If possible returns the parsed json from the Elasticsearch response.
+        If possible returns the parsed json from the HarmonySearch response.
         Otherwise, the raw bytes from the curl command are returned.
         """
         return self.run_command(["-XGET", f"https://localhost:9200/{endpoint}"])
 
     def post(self, endpoint: str, data: dict) -> typing.Union[dict, bytes]:
         """
-        Runs a POST request on the Elasticsearch cluster with the specified
+        Runs a POST request on the HarmonySearch cluster with the specified
         endpoint.
 
-        If possible returns the parsed json from the Elasticsearch response.
+        If possible returns the parsed json from the HarmonySearch response.
         Otherwise, the raw bytes from the curl command are returned.
         """
         return self.run_command(
@@ -68,3 +69,22 @@ def post(self, endpoint: str, data: dict) -> typing.Union[dict, bytes]:
                 '"Content-Type: application/json"',
             ]
         )
+
+    def put(self, endpoint: str, data: dict) -> typing.Union[dict, bytes]:
+        """
+        Runs a PUT request on the HarmonySearch cluster with the specified
+        endpoint.
+
+        If possible returns the parsed json from the HarmonySearch response.
+        Otherwise, the raw bytes from the curl command are returned.
+        """
+        return self.run_command(
+            [
+                "-XPUT",
+                f"https://localhost:9200/{endpoint}",
+                "-d",
+                f"'{json.dumps(data)}'",
+                "-H",
+                '"Content-Type: application/json"',
+            ]
+        )

tutor-contrib-harmony-plugin/tutor_k8s_harmony_plugin/harmony_search/elasticsearch.py

@@ -0,0 +1,12 @@
+from .base import BaseSearchAPI
+
+
+class ElasticSearchAPI(BaseSearchAPI):
+    """
+    Helper class to interact with the ElasticSearch
+    API on the deployed cluster.
+    """
+
+    def __init__(self, namespace):
+        super().__init__(namespace)
+        self._curl_base = ["curl", "--insecure", "-u", "elastic:${ELASTIC_PASSWORD}"]

tutor-contrib-harmony-plugin/tutor_k8s_harmony_plugin/harmony_search/opensearch.py

@@ -0,0 +1,13 @@
+from .base import BaseSearchAPI
+
+
+class OpenSearchAPI(BaseSearchAPI):
+    """
+    Helper class to interact with the OpenSearch
+    API on the deployed cluster.
+    """
+
+    def __init__(self, namespace):
+        super().__init__(namespace)
+        # TODO: Make this configurable
+        self._curl_base = ["curl", "--insecure", "-u", "harmony:${HARMONY_PASSWORD}"]