diff --git a/.github/workflows/lint-test.yaml b/.github/workflows/lint-test.yaml
new file mode 100644
index 00000000..7979d912
--- /dev/null
+++ b/.github/workflows/lint-test.yaml
@@ -0,0 +1,43 @@
+name: Lint and Test Charts
+
+on: pull_request
+
+jobs:
+ lint-test:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+
+ - name: Install Helm
+ uses: azure/setup-helm@v1.1
+ with:
+ version: v3.7.0
+
+ - uses: actions/setup-python@v2
+ with:
+ python-version: '3.8'
+
+ - name: Install chart-testing
+ uses: helm/chart-testing-action@v2.1.0
+
+ - name: Run chart-testing (list-changed)
+ id: list-changed
+ run: |
+ changed=$(ct list-changed --config ct.yaml)
+ if [[ -n "$changed" ]]; then
+ echo "::set-output name=changed::true"
+ fi
+
+ - name: Run chart-testing (lint)
+ run: ct lint --config ct.yaml
+
+ - name: Create kind cluster
+ uses: helm/kind-action@v1.2.0
+ if: steps.list-changed.outputs.changed == 'true'
+
+ # See https://github.com/helm/chart-testing/blob/main/doc/ct_install.md
+ - name: Run chart-testing (install)
+ run: ct install --config ct.yaml --debug
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
new file mode 100644
index 00000000..5d0b8fc9
--- /dev/null
+++ b/.github/workflows/release.yaml
@@ -0,0 +1,32 @@
+name: Release Charts
+
+on:
+ push:
+ branches:
+ - main
+
+jobs:
+ release:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+
+ - name: Configure Git
+ run: |
+ git config user.name "$GITHUB_ACTOR"
+ git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
+
+ - name: Install Helm
+ uses: azure/setup-helm@v1
+ with:
+ version: v3.7.0
+
+ # See https://github.com/helm/chart-releaser
+ # See https://github.com/helm/chart-releaser-action
+ - name: Run chart-releaser
+ uses: helm/chart-releaser-action@v1.2.1
+ env:
+ CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 00000000..48336707
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,5 @@
+# macOS
+.DS_Store
+
+# Windows
+Thumbs.db
diff --git a/README.md b/README.md
index 052ddb2b..19e71633 100644
--- a/README.md
+++ b/README.md
@@ -12,6 +12,19 @@
A community repository for Helm Charts of OpenSearch Project.
+## Installation
+
+```shell
+helm repo add opensearch https://opensearch-project.github.io/helm-charts/
+helm repo update
+helm search repo opensearch
+```
+
+## Status
+
+
+
+
## Contributing
See [developer guide](DEVELOPER_GUIDE.md) and [how to contribute to this project](CONTRIBUTING.md).
diff --git a/charts/opensearch-dashboards/Chart.yaml b/charts/opensearch-dashboards/Chart.yaml
index 36040d86..5bcd459f 100644
--- a/charts/opensearch-dashboards/Chart.yaml
+++ b/charts/opensearch-dashboards/Chart.yaml
@@ -15,10 +15,17 @@ type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.0.0
+version: 1.0.1
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
# It is recommended to use it with quotes.
appVersion: "1.0.0"
+
+maintainers:
+ - name: DandyDeveloper
+ - name: gaiksaya
+ - name: peternied
+ - name: peterzhuamazon
+ - name: TheAlgo
diff --git a/charts/opensearch-dashboards/values.yaml b/charts/opensearch-dashboards/values.yaml
index f421adab..1cabc792 100644
--- a/charts/opensearch-dashboards/values.yaml
+++ b/charts/opensearch-dashboards/values.yaml
@@ -59,13 +59,13 @@ securityContext:
runAsUser: 1000
config: {}
- ## Default OpenSearch Dashboards configuration from docker image of Dashboards
+ # Default OpenSearch Dashboards configuration from docker image of Dashboards
# opensearch_dashboards.yml:
# server:
# name: dashboards
# host: 0.0.0.0
- ## Dashboards TLS Config (Ensure the cert files are present before enabling SSL
+ # Dashboards TLS Config (Ensure the cert files are present before enabling SSL
# ssl:
# enabled: true
# key: /usr/share/opensearch-dashboards/certs/dashboards-key.pem
@@ -75,7 +75,7 @@ config: {}
# opensearch:
# ssl:
# certificateAuthorities: /usr/share/opensearch-dashboards/certs/dashboards-root-ca.pem
- # if utilizing custom CA certs for connection to opensearch, provide the CA here
+ # if utilizing custom CA certs for connection to opensearch, provide the CA here
priorityClassName: ""
@@ -87,10 +87,10 @@ opensearchAccount:
labels: {}
hostAliases: []
-#- ip: "127.0.0.1"
-# hostnames:
-# - "foo.local"
-# - "bar.local"
+# - ip: "127.0.0.1"
+# hostnames:
+# - "foo.local"
+# - "bar.local"
serverHost: "0.0.0.0"
diff --git a/charts/opensearch/Chart.yaml b/charts/opensearch/Chart.yaml
index 7c608ffd..74e5ee18 100644
--- a/charts/opensearch/Chart.yaml
+++ b/charts/opensearch/Chart.yaml
@@ -15,10 +15,17 @@ type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.0.0
+version: 1.0.1
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
# It is recommended to use it with quotes.
appVersion: "1.0.0"
+
+maintainers:
+ - name: DandyDeveloper
+ - name: gaiksaya
+ - name: peternied
+ - name: peterzhuamazon
+ - name: TheAlgo
diff --git a/charts/opensearch/ci/ci-values.yaml b/charts/opensearch/ci/ci-values.yaml
new file mode 100755
index 00000000..040628bc
--- /dev/null
+++ b/charts/opensearch/ci/ci-values.yaml
@@ -0,0 +1,367 @@
+---
+clusterName: "opensearch-cluster"
+nodeGroup: "master"
+
+# The service that non master groups will try to connect to when joining the cluster
+# This should be set to clusterName + "-" + nodeGroup for your master group
+masterService: "opensearch-cluster-master"
+
+# OpenSearch roles that will be applied to this nodeGroup
+# These will be set as environment variables. E.g. node.master=true
+roles:
+ master: "true"
+ ingest: "true"
+ data: "true"
+ remote_cluster_client: "true"
+
+replicas: 1
+minimumMasterNodes: 1
+
+majorVersion: ""
+
+# Allows you to add any config files in {{ .Values.opensearchHome }}/config
+opensearchHome: /usr/share/opensearch
+# such as opensearch.yml and log4j2.properties
+config:
+ opensearch.yml:
+ cluster.name: opensearch-cluster
+
+ # Bind to all interfaces because we don't know what IP address Docker will assign to us.
+ network.host: 0.0.0.0
+
+ # # minimum_master_nodes need to be explicitly set when bound on a public IP
+ # # set to 1 to allow single node clusters
+ # discovery.zen.minimum_master_nodes: 1
+
+ # Setting network.host to a non-loopback address enables the annoying bootstrap checks. "Single-node" mode disables them again.
+ # discovery.type: single-node
+
+ # Start OpenSearch Security Demo Configuration
+ # WARNING: revise all the lines below before you go into production
+ plugins:
+ security:
+ ssl:
+ transport:
+ pemcert_filepath: esnode.pem
+ pemkey_filepath: esnode-key.pem
+ pemtrustedcas_filepath: root-ca.pem
+ enforce_hostname_verification: false
+ http:
+ enabled: true
+ pemcert_filepath: esnode.pem
+ pemkey_filepath: esnode-key.pem
+ pemtrustedcas_filepath: root-ca.pem
+ allow_unsafe_democertificates: true
+ allow_default_init_securityindex: true
+ authcz:
+ admin_dn:
+ - CN=kirk,OU=client,O=client,L=test, C=de
+ audit.type: internal_opensearch
+ enable_snapshot_restore_privilege: true
+ check_snapshot_restore_write_privileges: true
+ restapi:
+ roles_enabled: ["all_access", "security_rest_api_access"]
+ system_indices:
+ enabled: true
+ indices:
+ [
+ ".opendistro-alerting-config",
+ ".opendistro-alerting-alert*",
+ ".opendistro-anomaly-results*",
+ ".opendistro-anomaly-detector*",
+ ".opendistro-anomaly-checkpoints",
+ ".opendistro-anomaly-detection-state",
+ ".opendistro-reports-*",
+ ".opendistro-notifications-*",
+ ".opendistro-notebooks",
+ ".opendistro-asynchronous-search-response*",
+ ]
+ ######## End OpenSearch Security Demo Configuration ########
+ # log4j2.properties:
+
+# Extra environment variables to append to this nodeGroup
+# This will be appended to the current 'env:' key. You can use any of the kubernetes env
+# syntax here
+extraEnvs: []
+# - name: MY_ENVIRONMENT_VAR
+# value: the_value_goes_here
+
+# Allows you to load environment variables from kubernextes secret or config map
+envFrom: []
+# - secretRef:
+# name: env-secret
+# - configMapRef:
+# name: config-map
+
+# A list of secrets and their paths to mount inside the pod
+# This is useful for mounting certificates for security and for mounting
+# the X-Pack license
+secretMounts: []
+
+hostAliases: []
+# - ip: "127.0.0.1"
+# hostnames:
+# - "foo.local"
+# - "bar.local"
+
+image: "opensearchproject/opensearch"
+# override image tag, which is .Chart.AppVersion by default
+imageTag: ""
+imagePullPolicy: "IfNotPresent"
+
+podAnnotations: {}
+ # iam.amazonaws.com/role: es-cluster
+
+# additionals labels
+labels: {}
+
+opensearchJavaOpts: "-Xmx512M -Xms512M"
+
+resources:
+ requests:
+ cpu: "1000m"
+ memory: "100Mi"
+
+initResources: {}
+ # limits:
+ # cpu: "25m"
+ # # memory: "128Mi"
+ # requests:
+ # cpu: "25m"
+ # memory: "128Mi"
+
+sidecarResources: {}
+ # limits:
+ # cpu: "25m"
+ # # memory: "128Mi"
+ # requests:
+ # cpu: "25m"
+ # memory: "128Mi"
+
+networkHost: "0.0.0.0"
+
+rbac:
+ create: false
+ serviceAccountAnnotations: {}
+ serviceAccountName: ""
+
+podSecurityPolicy:
+ create: false
+ name: ""
+ spec:
+ privileged: true
+ fsGroup:
+ rule: RunAsAny
+ runAsUser:
+ rule: RunAsAny
+ seLinux:
+ rule: RunAsAny
+ supplementalGroups:
+ rule: RunAsAny
+ volumes:
+ - secret
+ - configMap
+ - persistentVolumeClaim
+ - emptyDir
+
+persistence:
+ enabled: true
+ labels:
+ # Add default labels for the volumeClaimTemplate of the StatefulSet
+ enabled: false
+ # OpenSearch Persistent Volume Storage Class
+ # If defined, storageClassName: <storageClass>
+ # If set to "-", storageClassName: "", which disables dynamic provisioning
+ # If undefined (the default) or set to null, no storageClassName spec is
+ # set, choosing the default provisioner. (gp2 on AWS, standard on
+ # GKE, AWS & OpenStack)
+ #
+ # storageClass: "-"
+ accessModes:
+ - ReadWriteOnce
+ size: 8Gi
+ annotations: {}
+
+extraVolumes: []
+ # - name: extras
+ # emptyDir: {}
+
+extraVolumeMounts: []
+ # - name: extras
+ # mountPath: /usr/share/extras
+ # readOnly: true
+
+extraContainers: []
+ # - name: do-something
+ # image: busybox
+ # command: ['do', 'something']
+
+extraInitContainers: []
+ # - name: do-somethings
+ # image: busybox
+ # command: ['do', 'something']
+
+# This is the PriorityClass settings as defined in
+# https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
+priorityClassName: ""
+
+# By default this will make sure two pods don't end up on the same node
+# Changing this to a region would allow you to spread pods across regions
+antiAffinityTopologyKey: "kubernetes.io/hostname"
+
+# Hard means that by default pods will only be scheduled if there are enough nodes for them
+# and that they will never end up on the same node. Setting this to soft will do this "best effort"
+antiAffinity: "soft"
+
+# This is the node affinity settings as defined in
+# https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#node-affinity-beta-feature
+nodeAffinity: {}
+
+# The default is to deploy all pods serially. By setting this to parallel all pods are started at
+# the same time when bootstrapping the cluster
+podManagementPolicy: "Parallel"
+
+# The environment variables injected by service links are not used, but can lead to slow OpenSearch boot times when
+# there are many services in the current namespace.
+# If you experience slow pod startups you probably want to set this to `false`.
+enableServiceLinks: true
+
+protocol: http
+httpPort: 9200
+transportPort: 9300
+
+service:
+ labels: {}
+ labelsHeadless: {}
+ type: ClusterIP
+ nodePort: ""
+ annotations: {}
+ httpPortName: http
+ transportPortName: transport
+ loadBalancerIP: ""
+ loadBalancerSourceRanges: []
+ externalTrafficPolicy: ""
+
+updateStrategy: RollingUpdate
+
+# This is the max unavailable setting for the pod disruption budget
+# The default value of 1 will make sure that kubernetes won't allow more than 1
+# of your pods to be unavailable during maintenance
+maxUnavailable: 1
+
+podSecurityContext:
+ fsGroup: 1000
+ runAsUser: 1000
+
+securityContext:
+ capabilities:
+ drop:
+ - ALL
+ # readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 1000
+
+securityConfig:
+ enabled: true
+ path: "/usr/share/opensearch/plugins/opensearch-security/securityconfig"
+ actionGroupsSecret:
+ configSecret:
+ internalUsersSecret:
+ rolesSecret:
+ rolesMappingSecret:
+ tenantsSecret:
+ # The following option simplifies securityConfig by using a single secret and specifying the respective secrets in the corresponding files instead of creating different secrets for config,internal users, roles, roles mapping and tenants
+ # Note that this is an alternative to the above secrets and shouldn't be used if the above secrets are used
+ config:
+ securityConfigSecret:
+ data: {}
+ # config.yml: |-
+ # internal_users.yml: |-
+ # roles.yml: |-
+ # rolesMapping.yml: |-
+ # tenants.yml: |-
+
+# How long to wait for opensearch to stop gracefully
+terminationGracePeriod: 120
+
+sysctlVmMaxMapCount: 262144
+
+readinessProbe:
+ failureThreshold: 3
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ successThreshold: 3
+ timeoutSeconds: 2000
+
+## Use an alternate scheduler.
+## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
+##
+schedulerName: ""
+
+imagePullSecrets: []
+nodeSelector: {}
+tolerations: []
+
+# Enabling this will publically expose your OpenSearch instance.
+# Only enable this if you have security enabled on your cluster
+ingress:
+ enabled: false
+ annotations: {}
+ # kubernetes.io/ingress.class: nginx
+ # kubernetes.io/tls-acme: "true"
+ path: /
+ hosts:
+ - chart-example.local
+ tls: []
+ # - secretName: chart-example-tls
+ # hosts:
+ # - chart-example.local
+
+nameOverride: ""
+fullnameOverride: ""
+
+masterTerminationFix: false
+
+lifecycle: {}
+ # preStop:
+ # exec:
+ # command: ["/bin/sh", "-c", "echo Hello from the postStart handler > /usr/share/message"]
+ # postStart:
+ # exec:
+ # command:
+ # - bash
+ # - -c
+ # - |
+ # #!/bin/bash
+ # # Add a template to adjust number of shards/replicas1
+ # TEMPLATE_NAME=my_template
+ # INDEX_PATTERN="logstash-*"
+ # SHARD_COUNT=8
+ # REPLICA_COUNT=1
+ # ES_URL=http://localhost:9200
+ # while [[ "$(curl -s -o /dev/null -w '%{http_code}\n' $ES_URL)" != "200" ]]; do sleep 1; done
+ # curl -XPUT "$ES_URL/_template/$TEMPLATE_NAME" -H 'Content-Type: application/json' -d'{"index_patterns":['\""$INDEX_PATTERN"\"'],"settings":{"number_of_shards":'$SHARD_COUNT',"number_of_replicas":'$REPLICA_COUNT'}}'
+
+keystore: []
+
+networkPolicy:
+ ## Enable creation of NetworkPolicy resources. Only Ingress traffic is filtered for now.
+ ## In order for a Pod to access OpenSearch, it needs to have the following label:
+ ## {{ template "uname" . }}-client: "true"
+ ## Example for default configuration to access HTTP port:
+ ## opensearch-master-http-client: "true"
+ ## Example for default configuration to access transport port:
+ ## opensearch-master-transport-client: "true"
+
+ http:
+ enabled: false
+
+# Deprecated
+# please use the above podSecurityContext.fsGroup instead
+fsGroup: ""
+
+## Set optimal sysctl's. This requires privilege. Can be disabled if
+## the system has already been preconfigured. (Ex: https://www.elastic.co/guide/en/elasticsearch/reference/current/vm-max-map-count.html)
+## Also see: https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/
+sysctl:
+ enabled: false
diff --git a/charts/opensearch/values.yaml b/charts/opensearch/values.yaml
index 1db8ea43..b62bb8ea 100755
--- a/charts/opensearch/values.yaml
+++ b/charts/opensearch/values.yaml
@@ -35,9 +35,9 @@ config:
# discovery.zen.minimum_master_nodes: 1
# Setting network.host to a non-loopback address enables the annoying bootstrap checks. "Single-node" mode disables them again.
- #discovery.type: single-node
+ # discovery.type: single-node
- ######## Start OpenSearch Security Demo Configuration ########
+ # Start OpenSearch Security Demo Configuration
# WARNING: revise all the lines below before you go into production
plugins:
security:
@@ -100,10 +100,10 @@ envFrom: []
secretMounts: []
hostAliases: []
-#- ip: "127.0.0.1"
-# hostnames:
-# - "foo.local"
-# - "bar.local"
+# - ip: "127.0.0.1"
+# hostnames:
+# - "foo.local"
+# - "bar.local"
image: "opensearchproject/opensearch"
# override image tag, which is .Chart.AppVersion by default
@@ -170,13 +170,13 @@ persistence:
labels:
# Add default labels for the volumeClaimTemplate of the StatefulSet
enabled: false
- ## OpenSearch Persistent Volume Storage Class
- ## If defined, storageClassName: <storageClass>
- ## If set to "-", storageClassName: "", which disables dynamic provisioning
- ## If undefined (the default) or set to null, no storageClassName spec is
- ## set, choosing the default provisioner. (gp2 on AWS, standard on
- ## GKE, AWS & OpenStack)
- ##
+ # OpenSearch Persistent Volume Storage Class
+ # If defined, storageClassName: <storageClass>
+ # If set to "-", storageClassName: "", which disables dynamic provisioning
+ # If undefined (the default) or set to null, no storageClassName spec is
+ # set, choosing the default provisioner. (gp2 on AWS, standard on
+ # GKE, AWS & OpenStack)
+ #
# storageClass: "-"
accessModes:
- ReadWriteOnce
@@ -271,8 +271,8 @@ securityConfig:
rolesSecret:
rolesMappingSecret:
tenantsSecret:
- #The following option simplifies securityConfig by using a single secret and specifying the respective secrets in the corresponding files instead of creating different secrets for config,internal users, roles, roles mapping and tenants
- #Note that this is an alternative to the above secrets and shouldn't be used if the above secrets are used
+ # The following option simplifies securityConfig by using a single secret and specifying the respective secrets in the corresponding files instead of creating different secrets for config,internal users, roles, roles mapping and tenants
+ # Note that this is an alternative to the above secrets and shouldn't be used if the above secrets are used
config:
securityConfigSecret:
data: {}
diff --git a/ct.yaml b/ct.yaml
new file mode 100644
index 00000000..8554b40a
--- /dev/null
+++ b/ct.yaml
@@ -0,0 +1,4 @@
+# See https://github.com/helm/chart-testing-action
+# See https://github.com/helm/chart-testing#configuration
+target-branch: main
+helm-extra-args: --timeout 800s