/opensearch-ansible-playbook

🤖 A community repository for Ansible Playbook of OpenSearch Project.

Apache License 2.0Apache-2.0

OpenSearch Project Ansible-Playbook

A community repository for Ansible Playbook of OpenSearch Project.

Version and Branching

As of now, this ansible-playbook repository maintains 2 branches:

  • main (Version is 2.x.x for both os_version and os_dashboards_version in inventories/opensearch/group_vars/all/all.yml)
  • 1.x (Version is 1.x.x for both os_version and os_dashboards_version in inventories/opensearch/group_vars/all/all.yml)

Contributors should choose the corresponding branch(es) when commiting their change(s):

  • If you have a change for a specific version, only open PR to specific branch
  • If you have a change for all available versions, first open a PR on main, then open a backport PR with [backport 1.x] in the title, with label backport 1.x, etc.

OpenSearch Installation with Dashboards

This ansible playbook supports the following,

  • Can be deployed on baremetal and VMs(AWS EC2)
  • Supports most popular Linux distributions(Centos7, RHEL7, Amazon Linux2, Ubuntu 20.04)
  • Install and configure the Apache2.0 opensource OpenSearch
  • Configure TLS/SSL for OpenSearch transport layer(Nodes to Nodes communication) and REST API layer
  • Generate self-signed certificates to configure TLS/SSL for opensearch
  • Configure the Internal Users Database with limited users and user-defined passwords
  • Configuration of authentication and authorization via OpenID
  • Overriding default settings with your own
  • Install and configure the Apache2.0 opensource OpenSearch Dashboards

Prerequisite

  • Ansible 2.9+
  • Java 8

Configure

Refer the file inventories/opensearch/group_vars/all/all.yml to change the default values.

For example if we need to increase the java memory heap size for opensearch,

xms_value: 8
xmx_value: 8

In inventories/opensearch/hosts file, you can configure the node details. ansible_host is used for ansible to connect the nodes to run this playbook. ip is used in OpenSearch and Dashboards configuration.

In AWS EC2,

os1 ansible_host=<Elastic/Public IP> address ansible_user=root ip=<Private IP address>

Multi-node Installation

By default, this playbook will install five nodes opensearch cluster with respective roles (3 master, 5 data and 2 ingest nodes).

os1 ansible_host=10.0.1.1 ip=10.0.1.1 roles=data,master
os2 ansible_host=10.0.1.2 ip=10.0.1.2 roles=data,master
os3 ansible_host=10.0.1.3 ip=10.0.1.3 roles=data,master
os4 ansible_host=10.0.1.4 ip=10.0.1.4 roles=data,ingest
os5 ansible_host=10.0.1.5 ip=10.0.1.5 roles=data,ingest

Note: You need to add additional nodes details in inventories/opensearch/hosts file for creating opensearch cluster with different node sizes.

For example, if you want to create seven nodes cluster with two additional data nodes (os6 and os7) then you need to include the below entries.

os6 ansible_host=10.0.1.6 ip=10.0.1.6 roles=data
os7 ansible_host=10.0.1.7 ip=10.0.1.5 roles=data

You have to mention the opensearch node roles details in roles variable.

Single Node Installation

For single node installation, you need to change the cluster_type variable in inventory file inventories/opensearch/group_vars/all/all.yml

cluster_type: single-node

Install

# Deploy with ansible playbook - run the playbook as root
ansible-playbook -i inventories/opensearch/hosts opensearch.yml --extra-vars "admin_password=Test@123 kibanaserver_password=Test@6789 logstash_password=Test@456"

You should set the reserved users(admin, kibanaserver, and logstash) password using admin_password, kibanaserver_password, and logstash_password variables.

If you define your own internal users (in addition to the reserved admin, kibanaserver, and logstash) in custom configuration files, then passwords to them should be set via variables on the principle of <username>_password

It will install and configure the opensearch. Once the deployment completed, you can access the opensearch Dashboards with user admin and password which you provided for variable admin_password.

# Deploy with ansible playbook - run the playbook as non-root user which have sudo privileges,
ansible-playbook -i inventories/opensearch/hosts opensearch.yml --extra-vars "admin_password=Test@123 kibanaserver_password=Test@6789 logstash_password=Test@456" --become

Note: Change the user details in ansible_user parameter in inventories/opensearch/hosts inventory file.

OpenID authentification

To enable authentication via OpenID, you need to change the auth_type variable in the inventory file inventories/opensearch/group_vars/all/all.yml by setting the value oidc and prescribe the necessary settings in the oidc: block.

Custom configuration files

To override the default settings files, you need to put your settings in the files directory. The files should be named exactly the same as the original ones (internal_users.yml, roles.yml, tenants.yml, etc.)

Especially note the file files/internal_users.yml. If it exists and the copy_custom_security_configs: true setting is enabled, then only in this case the task of setting passwords for internal users from variables is started. If the file internal_users.yml is not located in the files directory, but, for example, in one of its subdirectories, then playbook will not work correctly

IaC (Infrastructure-as-Code)

If you want to use the role not only for the initial deployment of the cluster, but also for further management of it, then set the iac_enable parameter to true.

By default, if the /tmp/opensearch-nodecerts directory with certificates exists on the server from which the playbook is launched, it is assumed that the configuration has not changed and some settings are not copied to the target servers.

Conversely, if the /tmp/opensearch-nodecerts directory does not exist on the server from which the playbook is launched, then new certificates and settings are generated and they are copied to the target servers.

If you use this repository not only for the initial deployment of the cluster, but also for its automatic configuration via CI/CD, then new certificates will be generated every time the pipeline is launched, overwriting existing ones, which is not always necessary if the cluster is already in production.

When iac_enable enabling, and all the cluster servers have all the necessary certificates, they will not be copied again. If at least on one server (for example, when adding a new server to the cluster) if there is not at least one certificate from the list, then all certificates on all cluster servers will be updated

Also, if the option is enabled, the settings files will be updated with each execution (previously, the settings were updated only if the /tmp/opensearch-nodecerts directory was missing on the server from which the playbook was launched and new certificates were generated)

Contributing

See developer guide and how to contribute to this project.

Getting Help

If you find a bug, or have a feature request, please don't hesitate to open an issue in this repository.

For more information, see project website and documentation. If you need help and are unsure where to open an issue, try forums.

Code of Conduct

This project has adopted the Amazon Open Source Code of Conduct. For more information see the Code of Conduct FAQ, or contact opensource-codeofconduct@amazon.com with any additional questions or comments.

Security

If you discover a potential security issue in this project we ask that you notify AWS/Amazon Security via our vulnerability reporting page. Please do not create a public GitHub issue.

License

This project is licensed under the Apache v2.0 License.

Copyright

Copyright OpenSearch Contributors. See NOTICE for details.