Allow SSL

whatnick · whatnick · commit 98268d9873b0 · 2025-10-09T14:04:11.000+10:30
diff --git a/helm-chart/stac-fastapi/templates/opensearch-admin-secret.yaml b/helm-chart/stac-fastapi/templates/opensearch-admin-secret.yaml
@@ -0,0 +1,30 @@
+{{- if and (eq .Values.backend "opensearch") (.Values.opensearchSecurity.generateAdminPassword | default false) }}
+{{- include "stac-fastapi.configureOpensearchSecurity" . -}}
+{{- $secretName := include "stac-fastapi.opensearchAdminSecretName" . -}}
+{{- $existing := lookup "v1" "Secret" .Release.Namespace $secretName -}}
+{{- $usernameKey := default "username" .Values.opensearchSecurity.usernameKey -}}
+{{- $passwordKey := default "password" .Values.opensearchSecurity.passwordKey -}}
+{{- $username := default "admin" .Values.opensearchSecurity.username -}}
+{{- $passwordLength := int (default 32 .Values.opensearchSecurity.passwordLength) -}}
+{{- $passwordB64 := "" -}}
+{{- if and $existing (hasKey $existing.data $passwordKey) }}
+  {{- $passwordB64 = index $existing.data $passwordKey -}}
+{{- else }}
+  {{- $passwordB64 = randAlphaNum $passwordLength | b64enc -}}
+{{- end }}
+{{- $usernameB64 := b64enc $username -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+  labels:
+    {{- include "stac-fastapi.labels" . | nindent 4 }}
+  {{- with .Values.opensearchSecurity.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+type: Opaque
+data:
+  {{ $usernameKey }}: {{ $usernameB64 }}
+  {{ $passwordKey }}: {{ $passwordB64 }}
+{{- end }}
diff --git a/helm-chart/stac-fastapi/templates/opensearch-security-config.yaml b/helm-chart/stac-fastapi/templates/opensearch-security-config.yaml
@@ -0,0 +1,11 @@
+{{- /*
+     This template doesn't create resources; it mutates values so the
+     OpenSearch subchart receives the generated admin credentials.
+*/ -}}
+{{- include "stac-fastapi.configureOpensearchSecurity" . -}}
+{{- if (and (eq .Values.backend "opensearch") (.Values.opensearch.enabled) (.Values.opensearchSecurity.generateAdminPassword | default false)) }}
+# debug-extraEnvs-count: {{ len (default (list) .Values.opensearch.extraEnvs) }}
+{{- range $env := (default (list) .Values.opensearch.extraEnvs) }}
+# debug-extraEnv: {{ toYaml $env | replace "\n" " " | trim }}
+{{- end }}
+{{- end }}
diff --git a/helm-chart/stac-fastapi/values-opensearch.yaml b/helm-chart/stac-fastapi/values-opensearch.yaml
@@ -69,6 +69,8 @@ app:
     ENABLE_DATETIME_INDEX_FILTERING: "true"  # Enable for large datasets
     DATETIME_INDEX_MAX_SIZE_GB: "50"
     STAC_FASTAPI_RATE_LIMIT: "1000/minute"
+    ES_USE_SSL: "true"
+    ES_VERIFY_CERTS: "false"
 
   # Optional: pull connection credentials from a secret managed by the
   # OpenSearch chart (or provide plain values via username/password).
