feat: add OpenSearch

TODO: - add tutor create_elasticsearch_user command - add tls - mount secrets - tune resources
openedx · Apr 11, 2023 · 60af23d · 60af23d
1 parent 3552df6
commit 60af23d
Show file tree

Hide file tree

Showing 7 changed files with 104 additions and 5 deletions.
diff --git a/README.md b/README.md
@@ -77,14 +77,15 @@ HTTPS and is more complicated due to the need to use tunnelling.*
 
 1. First, [install `minikube`](https://minikube.sigs.k8s.io/docs/start/) if you don't have it already.
 2. Run `minikube start` (you can also use `minikube dashboard` to access the Kubernetes dashboard).
-3. Run\
+3. Run `helm dependency update ./harmony-chart` to build helm dependencies locally.
+4. Run\
    `helm install --namespace harmony --create-namespace -f values-minikube.yaml harmony ./harmony-chart`
-4. Run `minikube tunnel` (you may need to enter a password), and then you should be able to access the cluster (see
+5. Run `minikube tunnel` (you may need to enter a password), and then you should be able to access the cluster (see
    "External IP" below). If this approach is not working, an alternative is to run\
    `minikube service harmony-ingress-nginx-controller -n harmony`\
    and then go to the URL it says, e.g. `http://127.0.0.1:52806` plus `/cluster-echo-test`
    (e.g. `http://127.0.0.1:52806/cluster-echo-test`)
-5. In this case, skip step 2 ("Get the external IP") and use `127.0.0.1` as the external IP. You will need to remember
+6. In this case, skip step 2 ("Get the external IP") and use `127.0.0.1` as the external IP. You will need to remember
    to include the port numbers shown above when accessing the instances.
 
 

diff --git a/harmony-chart/Chart.lock b/harmony-chart/Chart.lock
@@ -8,5 +8,8 @@ dependencies:
 - name: elasticsearch
   repository: https://helm.elastic.co
   version: 7.17.3
-digest: sha256:833041ca860a77cc220bdc97f7b6af8ff8b6da0c0a021615dc2858138a29bbbd
-generated: "2023-02-26T12:17:23.507774503+02:00"
+- name: opensearch
+  repository: https://opensearch-project.github.io/helm-charts
+  version: 2.11.3
+digest: sha256:b52bd44ca3f18961850f1436a98afc48832726b5edd663e89b2bb4a5f7953ca9
+generated: "2023-04-11T15:13:06.870684+03:00"
diff --git a/harmony-chart/Chart.yaml b/harmony-chart/Chart.yaml
@@ -30,3 +30,8 @@ dependencies:
   version: "7.17.3"
   condition: elasticsearch.enabled
   repository: https://helm.elastic.co
+
+- name: opensearch
+  version: "2.11.3"
+  condition: opensearch.enabled
+  repository: https://opensearch-project.github.io/helm-charts
diff --git a/harmony-chart/templates/opensearch/secrets.yaml b/harmony-chart/templates/opensearch/secrets.yaml
@@ -0,0 +1,20 @@
+---
+{{- $ca := genCA "opensearchca" 1825 }}
+{{- $cert := genSignedCert "opensearch-master.{{ Release.Namespace }}.local" nil (list "opensearch-master.{{ Release.Namespace }}.local") 1825 $ca }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: opensearch-certificates
+type: Opaque
+data:
+  "ca.crt": {{ $ca.Cert | b64enc | toYaml | indent 4}}
+  "tls.key": {{ $cert.Key | b64enc | toYaml | indent 4}}
+  "tls.crt": {{ print $cert.Cert $ca.Cert | b64enc | toYaml | indent 4}}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: opensearch-credentials
+type: Opaque
+data:
+  "password": {{ randAlphaNum 32 | b64enc | quote }}
diff --git a/harmony-chart/values.yaml b/harmony-chart/values.yaml
@@ -50,6 +50,14 @@ elasticsearch:
           name: elasticsearch-credentials
           key: password
 
+  resources:
+    requests:
+      cpu: "100m"
+      memory: "512Mi"
+    limits:
+      cpu: "500m"
+      memory: "700Mi"
+
   esConfig:
     "elasticsearch.yml": |
       xpack.security.enabled: true
@@ -61,3 +69,40 @@ elasticsearch:
       xpack.security.transport.ssl.certificate: /usr/share/elasticsearch/config/certs/tls.crt
       xpack.security.transport.ssl.certificate_authorities: /usr/share/elasticsearch/config/certs/ca.crt
       xpack.security.transport.ssl.verification_mode: certificate
+
+
+# Multi-tenant OpenSearch
+opensearch:
+  enabled: false
+
+  protocol: https
+
+  # Authentication is only available in https
+  # protocol: https
+
+  # This secret will contain the http certificates.
+  # secretMounts:
+  #   - name: openseach-certificates
+  #     secretName: openseach-certificates
+  #     path: /usr/share/openseach/config/certs
+  #     defaultMode: 0777
+
+  # # The password for the opensearch user is stored in this secret
+  # extraEnvs:
+  #   - name: OPENSEARCH_PASSWORD
+  #     valueFrom:
+  #       secretKeyRef:
+  #         name: openseach-credentials
+  #         key: password
+
+  # TODO: adjust it later
+  resources:
+    requests:
+      cpu: "100m"
+      memory: "512Mi"
+    limits:
+      cpu: "500m"
+      memory: "700Mi"
+
+  persistence:
+    size: 30Gi
diff --git a/values-example.yaml b/values-example.yaml
@@ -8,3 +8,6 @@ cert-manager:
 
 elasticsearch:
   enabled: false
+
+opensearch:
+  enabled: false
diff --git a/values-minikube.yaml b/values-minikube.yaml
@@ -1,3 +1,25 @@
 # Disable HTTPS cert provisioning for testing with minikube
 cert-manager:
    enabled: false
+
+elasticsearch:
+   enabled: false
+
+   # TODO: move this to a separate PR
+   # Permit co-located instances for solitary minikube virtual machines.
+   antiAffinity: "soft"
+
+   volumeClaimTemplate:
+     resources:
+       requests:
+         storage: 10Gi
+
+opensearch:
+   enabled: true
+
+   # Permit co-located instances for solitary minikube virtual machines.
+   antiAffinity: "soft"
+
+   persistence:
+      enabled: true
+      size: 10Gi