Configure OpenSearch in docker-compose deployment

wireapp · Oct 1, 2024 · 474f942 · 474f942
1 parent da83c3f
commit 474f942
Show file tree

Hide file tree

Showing 10 changed files with 146 additions and 11 deletions.
diff --git a/deploy/dockerephemeral/docker-compose.yaml b/deploy/dockerephemeral/docker-compose.yaml
@@ -206,13 +206,15 @@ services:
 
   elasticsearch:
     container_name: demo_wire_elasticsearch
+    image: bitnami/opensearch:latest
     build:
       context: .
-      dockerfile_inline: |
-        FROM quay.io/wire/elasticsearch:0.0.9-amd64
-        RUN /usr/share/elasticsearch/bin/elasticsearch-plugin install x-pack -b
-        # this seems to be necessary to run X-Pack on Alpine (https://discuss.elastic.co/t/elasticsearch-failing-to-start-due-to-x-pack/85125/7)
-        RUN rm -rf /usr/share/elasticsearch/plugins/x-pack/platform/linux-x86_64
+#      dockerfile_inline: |
+#        FROM opensearchproject/opensearch:latest
+
+#    RUN /usr/share/elasticsearch/bin/elasticsearch-plugin install x-pack -b
+#    # this seems to be necessary to run X-Pack on Alpine (https://discuss.elastic.co/t/elasticsearch-failing-to-start-due-to-x-pack/85125/7)
+#    RUN rm -rf /usr/share/elasticsearch/plugins/x-pack/platform/linux-x86_64
     ulimits:
       nofile:
         soft: 65536
@@ -222,16 +224,27 @@ services:
       - "127.0.0.1:9300:9300"
     environment:
       - "xpack.ml.enabled=false"
-      - "xpack.security.enabled=true"
-      - "xpack.security.http.ssl.enabled=true"
-      - "xpack.ssl.certificate=certs/elasticsearch-cert.pem"
-      - "xpack.ssl.key=certs/elasticsearch-key.pem"
       - "bootstrap.system_call_filter=false"
       - "JVM_OPTIONS_ES=-Xmx512m -Xms512m"
       - "discovery.type=single-node"
+
+      - "DISABLE_INSTALL_DEMO_CONFIG=true"
+      - "OPENSEARCH_INITIAL_ADMIN_PASSWORD=Ch4ng3m3Secr3t!"
+      - "OPENSEARCH_USERNAME=elastic"
+      - "OPENSEARCH_PASSWORD=changeme"
     volumes:
-      - ./docker/elasticsearch-cert.pem:/usr/share/elasticsearch/config/certs/elasticsearch-cert.pem
-      - ./docker/elasticsearch-key.pem:/usr/share/elasticsearch/config/certs/elasticsearch-key.pem
+      - ./docker/elasticsearch-cert.pem:/opt/bitnami/opensearch/config/certs/tls.crt
+      - ./docker/elasticsearch-key.pem:/opt/bitnami/opensearch/config/certs/tls.key
+      - ./docker/elasticsearch-ca.pem:/opt/bitnami/opensearch/config/certs/ca.crt
+      - ./docker/opensearch.yml:/opt/bitnami/opensearch/config/opensearch.yml
+      - ./docker/opensearch-security-config.yml:/opt/bitnami/opensearch/config/opensearch-security/config.yml
+      - ./docker/opensearch-security-internal_users.yml:/opt/bitnami/opensearch/config/opensearch-security/internal_users.yml
+      - ./docker/opensearch-security-roles_mapping.yml:/opt/bitnami/opensearch/config/opensearch-security/roles_mapping.yml
+      - ./docker/opensearch-security-allowlist.yml:/opt/bitnami/opensearch/config/opensearch-security/allowlist.yml
+      - ./docker/opensearch-security-roles.yml:/opt/bitnami/opensearch/config/opensearch-security/roles.yml
+      - ./docker/opensearch-security-nodes_dn.yml:/opt/bitnami/opensearch/config/opensearch-security/nodes_dn.yml
+      - ./docker/opensearch-security-action_groups.yml:/opt/bitnami/opensearch/config/opensearch-security/action_groups.yml
+      - ./docker/opensearch-security-tenants.yml:/opt/bitnami/opensearch/config/opensearch-security/tenants.yml
     networks:
       - demo_wire
 

diff --git a/deploy/dockerephemeral/docker/opensearch-security-action_groups.yml b/deploy/dockerephemeral/docker/opensearch-security-action_groups.yml
@@ -0,0 +1,3 @@
+_meta:
+  type: "actiongroups"
+  config_version: 2
diff --git a/deploy/dockerephemeral/docker/opensearch-security-allowlist.yml b/deploy/dockerephemeral/docker/opensearch-security-allowlist.yml
@@ -0,0 +1,6 @@
+_meta:
+  type: "allowlist"
+  config_version: 2
+
+config:
+  enabled: false
diff --git a/deploy/dockerephemeral/docker/opensearch-security-config.yml b/deploy/dockerephemeral/docker/opensearch-security-config.yml
@@ -0,0 +1,17 @@
+_meta:
+  type: "config"
+  config_version: 2
+
+config:
+  dynamic:
+    authc:
+      basic_internal_auth_domain:
+        description: "Authenticate using HTTP basic against the internal users database"
+        http_enabled: true
+        transport_enabled: true
+        order: 1
+        http_authenticator:
+          type: basic
+          challenge: true
+        authentication_backend:
+          type: internal
diff --git a/deploy/dockerephemeral/docker/opensearch-security-internal_users.yml b/deploy/dockerephemeral/docker/opensearch-security-internal_users.yml
@@ -0,0 +1,10 @@
+_meta:
+  type: "internalusers"
+  config_version: 2
+
+elastic:
+  hash: "$2y$12$GRc68jkEX1m4uQpTVbwURu79xHxZ7vsbyEctOAADQwPjlhYS4LJVa"
+  reserved: true
+  description: "Wire User"
+  backend_roles:
+    - index_manager
diff --git a/deploy/dockerephemeral/docker/opensearch-security-nodes_dn.yml b/deploy/dockerephemeral/docker/opensearch-security-nodes_dn.yml
@@ -0,0 +1,3 @@
+_meta:
+  type: "nodesdn"
+  config_version: 2
diff --git a/deploy/dockerephemeral/docker/opensearch-security-roles.yml b/deploy/dockerephemeral/docker/opensearch-security-roles.yml
@@ -0,0 +1,16 @@
+_meta:
+  type: "roles"
+  config_version: 2
+
+wire-backend-role:
+  reserved: true
+  hidden: false
+  cluster_permissions:
+    - "indices:admin/template/get"
+  index_permissions:
+    - index_patterns:
+        - '*'
+      allowed_actions:
+        - "indices:admin/create"
+        - "indices:admin/get"
+        - "indices:admin/template/get"
diff --git a/deploy/dockerephemeral/docker/opensearch-security-roles_mapping.yml b/deploy/dockerephemeral/docker/opensearch-security-roles_mapping.yml
@@ -0,0 +1,9 @@
+_meta:
+  type: "rolesmapping"
+  config_version: 2
+
+all_access:
+  reserved: false
+  backend_roles:
+    - index_manager
+  description: "Map index_manager to full_access"
diff --git a/deploy/dockerephemeral/docker/opensearch-security-tenants.yml b/deploy/dockerephemeral/docker/opensearch-security-tenants.yml
@@ -0,0 +1,3 @@
+_meta:
+  type: "tenants"
+  config_version: 2
diff --git a/deploy/dockerephemeral/docker/opensearch.yml b/deploy/dockerephemeral/docker/opensearch.yml
@@ -0,0 +1,55 @@
+cluster.name: opensearch-cluster
+
+# Bind to all interfaces because we don't know what IP address Docker will assign to us.
+network.host: 0.0.0.0
+
+# Setting network.host to a non-loopback address enables the annoying bootstrap checks. "Single-node" mode disables them again.
+# Implicitly done if ".singleNode" is set to "true".
+discovery.type: single-node
+
+action.auto_create_index: true
+
+path.data: /bitnami/opensearch
+
+# Start OpenSearch Security Demo Configuration
+# WARNING: revise all the lines below before you go into production
+plugins:
+  security:
+#    nodes_dn:
+#      - '/CN=opensearch-cluster-master.*/'
+    ssl:
+      transport:
+        pemcert_filepath: certs/tls.crt
+        pemkey_filepath: certs/tls.key
+        pemtrustedcas_filepath: certs/ca.crt
+        enforce_hostname_verification: false
+      http:
+        enabled: true
+        pemcert_filepath: certs/tls.crt
+        pemkey_filepath: certs/tls.key
+        pemtrustedcas_filepath: certs/ca.crt
+    allow_unsafe_democertificates: true
+    allow_default_init_securityindex: true
+    # authcz:
+    #   admin_dn:
+    #     - CN=kirk,OU=client,O=client,L=test,C=de
+    audit.type: internal_opensearch
+    enable_snapshot_restore_privilege: true
+    check_snapshot_restore_write_privileges: true
+    restapi:
+      roles_enabled: ["all_access", "security_rest_api_access"]
+    system_indices:
+      enabled: true
+      indices:
+        [
+          ".opendistro-alerting-config",
+          ".opendistro-alerting-alert*",
+          ".opendistro-anomaly-results*",
+          ".opendistro-anomaly-detector*",
+          ".opendistro-anomaly-checkpoints",
+          ".opendistro-anomaly-detection-state",
+          ".opendistro-reports-*",
+          ".opendistro-notifications-*",
+          ".opendistro-notebooks",
+          ".opendistro-asynchronous-search-response*",
+        ]