Installing OpenSearch on a Red Hat OpenShift Container Platform

Using Helm you can easily install and manage OpenSearch in a Red Hat® OpenShift® Container Platform. Helm is the best way to find, share, and use software built for OpenShift.

Before you begin

You need the following:
  • Helm
  • vCPU - 3
  • Memory - 900 Mi RAM

Procedure

  1. Log in to your Red Hat OpenShift cluster as an administrator by using the following command.
    oc login OpenShift_URL:port
  2. Change to the project (namespace) where IBM Product Master is installed.
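  3. Assign the required privileges for this service by using the following command. The command grants the privileged security context constraint (SCC) to the default service account of the current project.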
    oc adm policy add-scc-to-user privileged -z default
  4. Create the PersistentVolumeClaim resources, one for each OpenSearch pod, by using the following commands.
    Note: Update the values of <Namespace> and <Storage class> as applicable.
    cat <<EOF| oc apply -f -
    apiVersion: v1
    kind: PersistentVolumeClaim
    metadata:
      name: opensearch-cluster-master-opensearch-cluster-master-0
      namespace: <Namespace>
    spec:
      accessModes:
      - ReadWriteOnce
      resources:
        requests:
          storage: 2Gi
      storageClassName: <Storage class>
      volumeMode: Filesystem
    EOF
    cat <<EOF| oc apply -f -
    apiVersion: v1
    kind: PersistentVolumeClaim
    metadata:
      name: opensearch-cluster-master-opensearch-cluster-master-1
      namespace: <Namespace>
    spec:
      accessModes:
      - ReadWriteOnce
      resources:
        requests:
          storage: 2Gi
      storageClassName: <Storage class>
      volumeMode: Filesystem
    EOF
    
    cat <<EOF| oc apply -f -
    apiVersion: v1
    kind: PersistentVolumeClaim
    metadata:
      name: opensearch-cluster-master-opensearch-cluster-master-2
      namespace: <Namespace>
    spec:
      accessModes:
      - ReadWriteOnce
      resources:
        requests:
          storage: 2Gi
      storageClassName: <Storage class>
      volumeMode: Filesystem
    EOF
    
  5. Add the OpenSearch Helm charts repository to Helm by using the following command.
    helm repo add opensearch https://opensearch-project.github.io/helm-charts/
  6. Update the local chart information from the chart repositories by using the following command.
    helm repo update
  7. List the chart repositories that are configured in Helm by using the following command.
    helm repo list

    Output

    NAME URL
    opensearch https://opensearch-project.github.io/helm-charts/ 
  8. Install OpenSearch Version 2.6.0 by using the following command. The value of the --version option is the Helm chart version.
    helm install my-deployment opensearch/opensearch --version 2.11.4

    Example output

    NAME: my-deployment
    LAST DEPLOYED: Wed Jan  4 14:36:04 2023
    NAMESPACE: <namespace>
    STATUS: deployed
    REVISION: 1
    TEST SUITE: None
    NOTES:
    Watch all cluster members come up.
      $ kubectl get pods --namespace=<namespace> -l app.kubernetes.io/component=opensearch-cluster-master -w
    
  9. View pods by using the following command.
    oc get pods

    Example output

    NAME                          READY   STATUS            RESTARTS   AGE
    opensearch-cluster-master-0   1/1     Running           0          68s
    opensearch-cluster-master-1   0/1     PodInitializing   0          68s
    opensearch-cluster-master-2   1/1     Running           0          68s
    
    The OpenSearch pods use the following image.
    docker.io/opensearchproject/opensearch:2.6.0
  10. View service details by using the following command.
    oc get svc | grep open

    Example output

    opensearch-cluster-master    ClusterIP      <IP address>   <none>    9200/TCP,9300/TCP   67m
  11. Generate your SSL certificate by using OpenSSL.
    1. Generate an RSA private key by using the following command.
      openssl genrsa -out root-ca-key.pem 2048
    2. Generate a certificate authority (CA) certificate by using the following command.
      openssl req -new -x509 -sha256 -key root-ca-key.pem -out root-ca.pem -days 730
      Output
      You are about to be asked to enter information that will be incorporated
      into your certificate request.
      What you are about to enter is what is called a Distinguished Name or a DN.
      There are quite a few fields but you can leave some blank
      For some fields there will be a default value,
      If you enter '.', the field will be left blank.
      -----
      Country Name (2 letter code) [XX]: XXXXX
      State or Province Name (full name) []:XXXXX
      Locality Name (eg, city) [Default City]:
      Organization Name (eg, company) [Default Company Ltd]: XXXXX
      Organizational Unit Name (eg, section) []:XXXXX
      Common Name (eg, your name or your server's hostname) []:https://opensearch-cluster-master            
      Email Address []:
    3. Generate an admin key by using the following command.
      openssl genrsa -out admin-key-temp.pem 2048
    4. Convert the admin key to PKCS#8 (P8) format by using the following command. The -nocrypt option writes the converted key unencrypted.
      openssl pkcs8 -inform PEM -outform PEM -in admin-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out admin-key.pem
    5. Generate a certificate signing request (CSR) by using the following command.
      openssl req -new -key admin-key.pem -out admin.csr
    6. When prompted, specify https://opensearch-cluster-master as the common name.
      You are about to be asked to enter information that will be incorporated
      into your certificate request.
      What you are about to enter is what is called a Distinguished Name or a DN.
      There are quite a few fields but you can leave some blank
      For some fields there will be a default value,
      If you enter '.', the field will be left blank.
      -----
      Country Name (2 letter code) [XX]: XXXXX
      State or Province Name (full name) []:XXXXX
      Locality Name (eg, city) [Default City]: XXXXX
      Organization Name (eg, company) [Default Company Ltd]: XXXXX
      Organizational Unit Name (eg, section) []:XXXXX
      Common Name (eg, your name or your server's hostname) []:https://opensearch-cluster-master
      Email Address []:
      
      Please enter the following 'extra' attributes
      to be sent with your certificate request
      A challenge password []:
      An optional company name []:
    7. Create a v3.ext file by using the following command.
      vi v3.ext
    8. Copy the following content to the v3.ext file.
      subjectKeyIdentifier   = hash
      authorityKeyIdentifier = keyid:always,issuer:always
      basicConstraints       = CA:TRUE
      keyUsage               = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign
      subjectAltName         = DNS:opensearch-cluster-master.opensearch.svc.cluster.local, DNS:opensearch-cluster-master, DNS:opensearch-cluster-master.opensearch, DNS:opensearch-cluster-master.opensearch.svc
      issuerAltName          = issuer:copy
    9. Sign the admin CSR with the CA certificate and the v3.ext file to generate the admin certificate by using the following command.
      openssl x509 -req -in admin.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out admin.pem -days 730 -extfile v3.ext
      Signature ok
      subject=C=xx ST=xx L=xx O=xx OU=xx CN= opensearch-cluster-master
      Getting CA Private Key
  12. Upload the SSL certificate to the pods.
    1. Open a remote shell on each pod by using the following commands.
      oc rsh opensearch-cluster-master-0
      oc rsh opensearch-cluster-master-1
      oc rsh opensearch-cluster-master-2
    2. Create a folder on each pod by using the following command.
      sh-4.2$ mkdir /usr/share/opensearch/data/ssl
      sh-4.2$ exit
    3. Copy the admin key, admin certificate, and CA certificate to the /usr/share/opensearch/data/ssl folder on each pod by using the following commands.
      oc cp  admin.pem opensearch-cluster-master-0:/usr/share/opensearch/data/ssl
      oc cp  admin-key.pem opensearch-cluster-master-0:/usr/share/opensearch/data/ssl
      oc cp  root-ca.pem opensearch-cluster-master-0:/usr/share/opensearch/data/ssl
      
      oc cp  admin.pem opensearch-cluster-master-1:/usr/share/opensearch/data/ssl
      oc cp  admin-key.pem opensearch-cluster-master-1:/usr/share/opensearch/data/ssl
      oc cp  root-ca.pem opensearch-cluster-master-1:/usr/share/opensearch/data/ssl
      
      oc cp  admin.pem opensearch-cluster-master-2:/usr/share/opensearch/data/ssl
      oc cp  admin-key.pem opensearch-cluster-master-2:/usr/share/opensearch/data/ssl
      oc cp  root-ca.pem opensearch-cluster-master-2:/usr/share/opensearch/data/ssl
      
    4. Edit the opensearch-cluster-master-config ConfigMap to load this SSL configuration by using the following command.
      oc edit configmap opensearch-cluster-master-config
    5. Update the indices.query.bool.max_clause_count property value to 1000 in the data section of the opensearch-cluster-master-config ConfigMap.
      apiVersion: v1
      data:
        opensearch.yml: |
          cluster.name: opensearch-cluster
          indices.query.bool.max_clause_count: 10000
      
    6. Add the following details to the http section of the opensearch-cluster-master-config ConfigMap.
                http:
                  enabled: true
                  pemcert_filepath: /usr/share/opensearch/data/ssl/admin.pem
                  pemkey_filepath: /usr/share/opensearch/data/ssl/admin-key.pem
                  pemtrustedcas_filepath: /usr/share/opensearch/data/ssl/root-ca.pem
              allow_unsafe_democertificates: true
              allow_default_init_securityindex: true
              authcz:
                admin_dn:
                  - CN= opensearch-cluster-master,OU=xx,O=xx,L=xx,C=xx
      
    7. Edit the StatefulSet and set the replica count to 0 by using the following command.
      oc edit sts opensearch-cluster-master
    8. View pods by using the following command.
      oc get pods
      Output
      NAME                          READY   STATUS        RESTARTS   AGE
      opensearch-cluster-master-0   1/1     Terminating   0          22m
      opensearch-cluster-master-1   1/1     Terminating   0          22m
      opensearch-cluster-master-2   1/1     Terminating   0          22m
      
    9. Re-create the pods with SSL enabled by using the following command.
      oc scale sts opensearch-cluster-master --replicas=3
      Output
      NAME                          READY   STATUS    RESTARTS   AGE
      opensearch-cluster-master-0   1/1     Running   0          10m
      opensearch-cluster-master-1   1/1     Running   0          10m
      opensearch-cluster-master-2   1/1     Running   0          10m
      
  13. Optional: If you configured LDAP over SSL, ensure that in the Admin UI, the Keystore column of the LDAP Properties Lookup table specifies the path of the cacerts truststore.
    Example
    If the cacerts path is as follows,
    /opt/ibm/java/jre/lib/security/cacerts 
    then the value of the Keystore column of the LDAP Properties Lookup table is as follows.
     /opt/ibm/java/jre/lib/security/cacerts
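
The following script is an added example, not part of the IBM procedure: it checks the files from step 11 before they are copied to the pods in step 12, and prints the certificate subject in the RFC 2253 form to list under admin_dn. The function names are hypothetical, and the script assumes that the openssl command-line tool is available and that the files have the names that the procedure creates.

```shell
#!/bin/sh
# Added example (not IBM or OpenSearch project code). Needs the openssl CLI.
# Function names are hypothetical; file names are the ones step 11 creates.

# Subject DN in RFC 2253 order, the string to list under admin_dn in step 12.
cert_admin_dn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# True only if certificate $2 verifies against CA certificate $1.
chains_to_ca() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# True only if private key $2 holds the public key that certificate $1 carries.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# True if the certificate is marked as a CA (basicConstraints CA:TRUE in v3.ext).
is_ca_cert() { openssl x509 -in "$1" -noout -text | grep 'CA:TRUE' >/dev/null; }

# True only if DNS name $2 is an exact entry in the certificate's subjectAltName.
has_san() {
  openssl x509 -in "$1" -noout -text |
    awk '/X509v3 Subject Alternative Name/ { getline; print }' | tr ',' '\n' |
    sed 's/^ *//; s/ *$//' | grep -Fx "DNS:$2" >/dev/null
}

# Run every check, print one line per finding, return the number of failures.
# Arguments: CA certificate, admin certificate, admin key, service DNS name.
check_step11() {
  failures=0
  chains_to_ca "$1" "$2" || { echo "FAIL: $2 does not verify against $1"; failures=$((failures + 1)); }
  key_matches_cert "$2" "$3" || { echo "FAIL: $3 is not the key for $2"; failures=$((failures + 1)); }
  has_san "$2" "$4" || { echo "FAIL: $4 is not in subjectAltName of $2"; failures=$((failures + 1)); }
  if is_ca_cert "$2"; then
    echo "NOTE: $2 is marked CA:TRUE, so its key can issue further certificates"
  fi
  echo "admin_dn: $(cert_admin_dn "$2")"
  return "$failures"
}

# Usage with the files from step 11:
#   check_step11 root-ca.pem admin.pem admin-key.pem opensearch-cluster-master
```

The admin_dn value in the ConfigMap must match the printed subject exactly, including any ST component and spacing.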

What to do next

Specify the following in the app_secrets.yaml file during the IBM® Product Master installation.
Property              Value
opensearch_host       https://opensearch-cluster-master
opensearch_port       9200
opensearch_user       admin
opensearch_pass       admin
opensearch_ssl_crt    <your admin.pem certificate>