Kubernetes

[쿠버네티스 DevOps 구축] - OpenSearch 설치하기

목차

참고

✅ OpenSearch 설치

# Helm Repo 추가
helm repo add opensearch https://opensearch-project.github.io/helm-charts/
# OpenSearch 설치
helm upgrade --install opensearch \
  -f ./values-opensearch.yaml opensearch/opensearch \
  -n logging --create-namespace
Release "opensearch" has been upgraded. Happy Helming!
NAME: opensearch
LAST DEPLOYED: Thu Jan 18 15:55:28 2024
NAMESPACE: logging
STATUS: deployed
REVISION: 2
TEST SUITE: None
NOTES:
Watch all cluster members come up.
  $ kubectl get pods --namespace=logging -l app.kubernetes.io/component=opensearch-cluster-master -w

✅ OpenSearch Dashboard 설치

helm upgrade --install opensearch-dashboard \
  -f ./values-opensearch-dashboards.yaml opensearch/opensearch-dashboards \
  -n logging --create-namespace
Release "opensearch" has been upgraded. Happy Helming!
NAME: opensearch
LAST DEPLOYED: Thu Feb  6 23:13:09 2025
NAMESPACE: logging
STATUS: deployed
REVISION: 2
TEST SUITE: None
NOTES:
1. Get the application URL by running these commands:
  export POD_NAME=$(kubectl get pods --namespace logging -l "app.kubernetes.io/name=opensearch-dashboards,app.kubernetes.io/instance=opensearch" -o jsonpath="{.items[0].metadata.name}")
  export CONTAINER_PORT=$(kubectl get pod --namespace logging $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
  echo "Visit http://127.0.0.1:8080 to use your application"
  kubectl --namespace logging port-forward $POD_NAME 8080:$CONTAINER_PORT

OpenSearch Demo User

Admin 비밀번호 변경

필요한 명령어 및 파일 위치

/usr/share/elasticsearch/plugins/opendistro_security/tools/hash.sh
/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml
/usr/share/elasticsearch/plugins/opendistro_security/tools/securityadmin.sh
securityConfig:
  enabled: true
  config:
    securityConfigSecret: ""
    dataComplete: true
    data:
      internal_users.yml: |-
        _meta:
          type: "internalusers"
          config_version: 2
        admin:
          hash: "YWtxanF0azFxMnczZTRyIUA="
          reserved: true
        backend_roles:
        - "admin"
        description: "Demo admin user"

문제 - Not yet initialized (you may need to run securityadmin)

[2023-12-30T15:22:45,111][ERROR][o.o.s.a.BackendRegistry  ] [opensearch-cluster-master-0] Not yet initialized (you may need to run securityadmin)
[2023-12-30T15:22:45,115][ERROR][o.o.s.a.BackendRegistry  ] [opensearch-cluster-master-0] Not yet initialized (you may need to run securityadmin)
[2023-12-30T15:22:45,118][ERROR][o.o.s.a.BackendRegistry  ] [opensearch-cluster-master-0] Not yet initialized (you may need to run securityadmin)
[2023-12-30T15:22:45,120][ERROR][o.o.s.a.BackendRegistry  ] [opensearch-cluster-master-0] Not yet initialized (you may need to run securityadmin)
[2023-12-30T15:22:47,614][ERROR][o.o.s.a.BackendRegistry  ] [opensearch-cluster-master-0] Not yet initialized (you may need to run securityadmin)
[2023-12-30T15:22:47,617][ERROR][o.o.s.a.BackendRegistry  ] [opensearch-cluster-master-0] Not yet initialized (you may need to run securityadmin)
[2023-12-30T15:22:47,620][ERROR][o.o.s.a.BackendRegistry  ] [opensearch-cluster-master-0] Not yet initialized (you may need to run securityadmin)
[2023-12-30T15:22:47,623][ERROR][o.o.s.a.BackendRegistry  ] [opensearch-cluster-master-0] Not yet initialized (you may need to run securityadmin)
kubectl -n logging exec -it opensearch-cluster-master-0 -- /usr/share/opensearch/plugins/opensearch-security/tools/hash.sh
  • pod 내에서
/usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh \
  -cd /usr/share/opensearch/config/opensearch-security/ \
  -icl \
  -nhnv \
  -cacert /usr/share/opensearch/config/root-ca.pem \
  -cert /usr/share/opensearch/config/kirk.pem \
  -key /usr/share/opensearch/config/kirk-key.pem
  • 쿠버네티스 명령어로 실행
kubectl exec \
    -n logging \
    -it opensearch-cluster-master-0 \
    -- /usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh \
    -cd /usr/share/opensearch/config/opensearch-security/ \
    -icl \
    -nhnv \
    -cacert /usr/share/opensearch/config/root-ca.pem \
    -cert /usr/share/opensearch/config/kirk.pem \
    -key /usr/share/opensearch/config/kirk-key.pem

securityConfig.internalUsersSecret 을 이용한 Admin 비밀번호 변경

비밀번호 Hash 값 생성

kubectl -n logging exec -it opensearch-cluster-master-0 -- /usr/share/opensearch/plugins/opensearch-security/tools/hash.sh

Secret 파일 생성

apiVersion: v1
kind: Secret
metadata:
  name: opensearch-internal-users
  namespace: logging
type: Opaque
stringData:
  internal_users.yml: |
    ---
    # This is the internal user database
    # The hash value is a bcrypt hash and can be generated using:
    # $ plugins/opensearch-security/tools/hash.sh -p <new-password>
    
    _meta:
      type: "internalusers"
      config_version: 2
    
    # Define your internal users here
    
    ## internal users
    admin:
      hash: "$2y$12$yGwPWlea1ghTu9NFl00h6.SqRJY1G.MuFyX8PTQnwUnYaGgUsFKBu"
      reserved: true
      backend_roles:
      - "admin"
      description: "admin user"

securityConfig.internalUsersSecret 에 Secret 이름 설정

securityConfig:
  enabled: true
  path: "/usr/share/opensearch/config/opensearch-security"
  actionGroupsSecret:
  configSecret:
  internalUsersSecret: opensearch-internal-users

✅ OpenSearch Dashboards basePath 및 Ingress 설정

config:
  opensearch_dashboards.yml: |
    server:
      host: '0.0.0.0'
      basePath: "/logging"
      rewriteBasePath: true
    opensearch:
      hosts: [https://localhost:9200]
      ssl.verificationMode: none
      username: kibanaserver
      password: kibanaserver
      requestHeadersWhitelist: [authorization, securitytenant]

    opensearch_security.multitenancy:
      enabled: true
    opensearch_security.multitenancy.tenants:
      preferred: [Private, Global]
    opensearch_security:
      readonly_mode.roles: [kibana_read_only]
      cookie.secure: false

Ingress 설정

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: logging
  namespace: logging
  annotations:
      kubernetes.io/ingress.class: nginx
spec:
  rules:
    - http:
        paths:
        - path: /logging
          pathType: Prefix
          backend:
            service:
              name: opensearch-dashboards
              port:
                number: 5601

✅ KeyCloak OpenSearch 연동

1. OpenSearch Client 생성

2. KeyCloak OpenSearch User Client Role 생성

3. OpenSearch 연동 및 설정파일 생성

3.1 KeyClock Connect URL 확인

connect_url

3.2 OpenSearch Client Credential 확인

client 의 credential 확인

3.3 config.yml 생성

apiVersion: v1
kind: Secret
metadata:
  name: opensearch-openid-keycloak
  namespace: logging
type: Opaque
stringData:
  config.yml: |-
    _meta:
      type: "config"
      config_version: 2
    config:
      dynamic:
        authz: {}
        authc:
          openid_auth_domain:
            http_enabled: true
            transport_enabled: true
            order: 0
            http_authenticator:
              type: openid
              challenge: false
              config:
                subject_key: preferred_username
                roles_key: roles
                openid_connect_url: http://auth.crunchychoco.com/realms/ddanzit/.well-known/openid-configuration
                skip_users:
                  - kibanaserver
                  - admin
            authentication_backend:
              type: noop
          basic_internal_auth_domain:
            http_enabled: true
            transport_enabled: true
            order: 1
            http_authenticator:
              type: basic
              challenge: false
            authentication_backend:
              type: internal

config.yml 을 통해 인증 방식과 순서를 설정하면 dashboard 에서 설정된 인증 방식을 확인할 수 있습니다.

3.4 Opensearch values.yaml 수정

securityConfig:
  enabled: true
  configSecret: opensearch-openid-keycloak

3.5 opensearch_dashboards.yml 수정

server:
    host: '0.0.0.0'
opensearch:
    hosts: [https://opensearch-cluster-master:9200]
    ssl.verificationMode: none
    username: kibanaserver
    password: kibanaserver
    requestHeadersWhitelist: [authorization, securitytenant]

opensearch_security.multitenancy:
    enabled: true
opensearch_security.multitenancy.tenants:
    preferred: [Private, Global]
opensearch_security:
    readonly_mode.roles: [kibana_read_only]
    cookie.secure: false

opensearch_security.auth.type: ["openid"]
opensearch_security.openid.connect_url: "http://auth.crunchychoco.com/realms/ddanzit/.well-known/openid-configuration"
opensearch_security.openid.client_id: "opensearch"
opensearch_security.openid.client_secret: "9EH2nHCcpKk05F8l8TUsqnEslA26h2KU"
opensearch_security.openid.base_redirect_url: "http://logging.crunchychoco.com"

3.6 OpenSearch SSO 및 Basic Auth 사용 설정

opensearch_security.auth.type: ["basicauth","openid"]
opensearch_security.auth.multiple_auth_enabled: true

3.7 skeycloak 인증 테스트

export CLIENT_ID=opensearch
export CLIENT_SECRET='9EH2nHCcpKk05F8l8TUsqnEslA26h2KU'
export PW='1q2w3e4r!@#'

RESULT=$(curl -k --noproxy '*' -d 'username=ddanzit' -d "password=$PW" -d 'grant_type=password' -d "client_id=$CLIENT_ID" -d "client_secret=$CLIENT_SECRET" -d 'scope=openid' 'http://auth.crunchychoco.com/realms/ddanzit/protocol/openid-connect/token')

TOKEN=$(echo $RESULT | sed 's/.*access_token":"\([^"]*\).*/\1/')

curl -H "Authorization: Bearer $TOKEN" http://auth.crunchychoco.com/realms/ddanzit/protocol/openid-connect/userinfo
{
    "sub": "ce6f75ba-26fb-4cf4-9e7d-06f20d7d749f",
    "email_verified": true,
    "name": "동우 양",
    "preferred_username": "kwangill",
    "given_name": "동우",
    "family_name": "양",
    "email": "askain@hanmail.net"
}

3.8 keycloak Json Web Token(JWT) 내용 확인

{
  "exp": 1705381539,
  "iat": 1705381239,
  "jti": "e6cf69c7-f674-4a10-bfbc-444d3c19ad25",
  "iss": "http://auth.crunchychoco.com/realms/ddanzit",
  "aud": "account",
  "sub": "4eac345b-bfb9-4c4f-aba3-d52af277bbf0",
  "typ": "Bearer",
  "azp": "opensearch",
  "session_state": "c7c47cf3-34bf-40d5-891a-6d5ae52cc855",
  "acr": "1",
  "allowed-origins": [
    ""
  ],
  "realm_access": {
    "roles": [
      "default-roles-ddanzit",
      "offline_access",
      "admin",
      "uma_authorization",
      "Admin"
    ]
  },
  "resource_access": {
    "account": {
      "roles": [
        "manage-account",
        "manage-account-links",
        "view-profile"
      ]
    }
  },
  "scope": "openid email profile",
  "sid": "c7c47cf3-34bf-40d5-891a-6d5ae52cc855",
  "email_verified": false,
  "name": "동우 양",
  "preferred_username": "ddanzit",
  "given_name": "동우",
  "family_name": "양",
  "email": "ckck803@naver.com"
}

No ‘Basic Authorization’ header, send 401 and ‘WWW-Authenticate Basic’

위와 같은 에러가 발생한다면 securityadmin.sh 를 이용하여 설정파일을 적용한다.

kubectl exec \
    -n logging \
    -it opensearch-cluster-master-0 \
    -- /usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh \
    -cd /usr/share/opensearch/config/opensearch-security/ \
    -icl \
    -nhnv \
    -cacert /usr/share/opensearch/config/root-ca.pem \
    -cert /usr/share/opensearch/config/kirk.pem \
    -key /usr/share/opensearch/config/kirk-key.pem

FATAL Error: Multiple Authentication Mode is disabled. To enable this feature, please set up opensearch_security.auth.multiple_auth_enabled: true

opensearch_security.auth.multiple_auth_enabled: true
Share