diff --git a/tests/templates/kuttl/snapshot-s3/00-patch-ns.yaml b/tests/templates/kuttl/backup-restore/00-patch-ns.yaml similarity index 100% rename from tests/templates/kuttl/snapshot-s3/00-patch-ns.yaml rename to tests/templates/kuttl/backup-restore/00-patch-ns.yaml diff --git a/tests/templates/kuttl/snapshot-s3/01-rbac.yaml b/tests/templates/kuttl/backup-restore/01-rbac.yaml similarity index 75% rename from tests/templates/kuttl/snapshot-s3/01-rbac.yaml rename to tests/templates/kuttl/backup-restore/01-rbac.yaml index 64eced8..655d227 100644 --- a/tests/templates/kuttl/snapshot-s3/01-rbac.yaml +++ b/tests/templates/kuttl/backup-restore/01-rbac.yaml @@ -17,6 +17,13 @@ rules: - privileged verbs: - use + - apiGroups: + - "" + resources: + - secrets + verbs: + # The jobs creating the admin certificates need the permission to insert them into Secrets. + - create --- kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 diff --git a/tests/templates/kuttl/snapshot-s3/02-assert.yaml.j2 b/tests/templates/kuttl/backup-restore/02-assert.yaml.j2 similarity index 100% rename from tests/templates/kuttl/snapshot-s3/02-assert.yaml.j2 rename to tests/templates/kuttl/backup-restore/02-assert.yaml.j2 diff --git a/tests/templates/kuttl/snapshot-s3/02-install-vector-aggregator-discovery-config-map.yaml.j2 b/tests/templates/kuttl/backup-restore/02-install-vector-aggregator-discovery-config-map.yaml.j2 similarity index 100% rename from tests/templates/kuttl/snapshot-s3/02-install-vector-aggregator-discovery-config-map.yaml.j2 rename to tests/templates/kuttl/backup-restore/02-install-vector-aggregator-discovery-config-map.yaml.j2 diff --git a/tests/templates/kuttl/backup-restore/03-create-truststore.yaml b/tests/templates/kuttl/backup-restore/03-create-truststore.yaml new file mode 100644 index 0000000..2d55c6d --- /dev/null +++ b/tests/templates/kuttl/backup-restore/03-create-truststore.yaml 
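Review bot: The rule added to `01-rbac.yaml` lets the role's subject `create` any Secret in the namespace, because `create` cannot be narrowed with `resourceNames`. Every Job in this commit runs as `test-service-account`, including the ones that only `pip install` and run Python, and the `minio/mc` containers that run as root. If that account is the subject of the RoleBinding below (the hunk does not show it), a dedicated ServiceAccount and Role for the two `create-opensearch-*-admin-certificate` Jobs would keep the permission where it is needed. Jobs that never call the Kubernetes API could also set `automountServiceAccountToken: false` in their pod spec. The `rules:` list starts outside the hunk, so the role's other rules are not visible here.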
@@ -0,0 +1,9 @@
+---
+apiVersion: secrets.stackable.tech/v1alpha1
+kind: TrustStore
+metadata:
+ name: truststore-pem
+spec:
+ secretClassName: tls
+ format: tls-pem
+ targetKind: ConfigMap
diff --git a/tests/templates/kuttl/snapshot-s3/10-assert.yaml b/tests/templates/kuttl/backup-restore/10-assert.yaml
similarity index 100%
rename from tests/templates/kuttl/snapshot-s3/10-assert.yaml
rename to tests/templates/kuttl/backup-restore/10-assert.yaml
diff --git a/tests/templates/kuttl/backup-restore/10-install-s3-credentials-secret.yaml b/tests/templates/kuttl/backup-restore/10-install-s3-credentials-secret.yaml
new file mode 100644
index 0000000..ee58ffb
--- /dev/null
+++ b/tests/templates/kuttl/backup-restore/10-install-s3-credentials-secret.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: s3-credentials
+stringData:
+ s3.client.default.access_key: openSearchAccessKey
+ s3.client.default.secret_key: openSearchSecretKey
diff --git a/tests/templates/kuttl/snapshot-s3/11-assert.yaml b/tests/templates/kuttl/backup-restore/11-assert.yaml
similarity index 100%
rename from tests/templates/kuttl/snapshot-s3/11-assert.yaml
rename to tests/templates/kuttl/backup-restore/11-assert.yaml
diff --git a/tests/templates/kuttl/snapshot-s3/11-install-minio.yaml.j2 b/tests/templates/kuttl/backup-restore/11-install-minio.yaml
similarity index 100%
rename from tests/templates/kuttl/snapshot-s3/11-install-minio.yaml.j2
rename to tests/templates/kuttl/backup-restore/11-install-minio.yaml
diff --git a/tests/templates/kuttl/snapshot-s3/11_minio-values.yaml.j2 b/tests/templates/kuttl/backup-restore/11_minio-values.yaml
similarity index 97%
rename from tests/templates/kuttl/snapshot-s3/11_minio-values.yaml.j2
rename to tests/templates/kuttl/backup-restore/11_minio-values.yaml
index 1d71b00..da257f2 100644
--- a/tests/templates/kuttl/snapshot-s3/11_minio-values.yaml.j2
+++ b/tests/templates/kuttl/backup-restore/11_minio-values.yaml
@@ -25,7 +25,7 @@ persistence: provisioning: enabled: true buckets: - - name: opensearch + - name: opensearch-data users: - username: integrationtest password: integrationtest diff --git a/tests/templates/kuttl/backup-restore/20-assert.yaml b/tests/templates/kuttl/backup-restore/20-assert.yaml new file mode 100644 index 0000000..516680f --- /dev/null +++ b/tests/templates/kuttl/backup-restore/20-assert.yaml @@ -0,0 +1,16 @@ +--- +apiVersion: kuttl.dev/v1beta1 +kind: TestAssert +timeout: 600 +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: create-opensearch-1-admin-certificate +status: + succeeded: 1 +--- +apiVersion: v1 +kind: Secret +metadata: + name: opensearch-1-admin-certificate diff --git a/tests/templates/kuttl/backup-restore/20-create-opensearch-1-admin-certificate.yaml b/tests/templates/kuttl/backup-restore/20-create-opensearch-1-admin-certificate.yaml new file mode 100644 index 0000000..179401a --- /dev/null +++ b/tests/templates/kuttl/backup-restore/20-create-opensearch-1-admin-certificate.yaml 
@@ -0,0 +1,57 @@ +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: create-opensearch-1-admin-certificate +spec: + template: + spec: + containers: + - name: create-opensearch-1-admin-certificate + image: oci.stackable.tech/sdp/testing-tools:0.2.0-stackable0.0.0-dev + command: + - /stackable/scripts/create-opensearch-1-admin-certificate.sh + volumeMounts: + - name: script + mountPath: /stackable/scripts + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + resources: + requests: + memory: 128Mi + cpu: 100m + limits: + memory: 128Mi + cpu: 400m + volumes: + - name: script + configMap: + name: create-opensearch-1-admin-certificate-script + defaultMode: 0o770 + serviceAccountName: test-service-account + securityContext: + fsGroup: 1000 + restartPolicy: OnFailure +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: create-opensearch-1-admin-certificate-script +data: + create-opensearch-1-admin-certificate.sh: | + #!/usr/bin/env sh + + openssl req \ + -x509 \ + -nodes \ + -subj=/CN=opensearch-1-admin-certificate \ + -out=tls.crt \ + -keyout=tls.key + + kubectl create secret generic opensearch-1-admin-certificate \ + --from-file=tls.crt \ + --from-file=tls.key diff --git a/tests/templates/kuttl/snapshot-s3/20-assert.yaml.j2 b/tests/templates/kuttl/backup-restore/21-assert.yaml similarity index 81% rename from tests/templates/kuttl/snapshot-s3/20-assert.yaml.j2 rename to tests/templates/kuttl/backup-restore/21-assert.yaml index 06c64a1..d443938 100644 --- a/tests/templates/kuttl/snapshot-s3/20-assert.yaml.j2 +++ b/tests/templates/kuttl/backup-restore/21-assert.yaml @@ -6,7 +6,7 @@ timeout: 600 apiVersion: apps/v1 kind: StatefulSet metadata: - name: opensearch-nodes-default + name: opensearch-1-nodes-default status: readyReplicas: 1 replicas: 1 
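Review bot: `create-opensearch-1-admin-certificate.sh` runs without `set -eu`, so a failed `openssl req` only surfaces indirectly when `kubectl` cannot read the files; add `set -eu` after the shebang. Key size and validity are left to the image's OpenSSL defaults and the key is written unencrypted (`-nodes`) into the working directory, which is acceptable for a throwaway test but deserves a comment such as `# Short-lived self-signed certificate for tests only`. `kubectl create secret tls opensearch-1-admin-certificate --cert=tls.crt --key=tls.key` would store the same `tls.crt`/`tls.key` keys and have kubectl check that certificate and key belong together. The same script appears in `50-create-opensearch-2-admin-certificate.yaml`.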
diff --git a/tests/templates/kuttl/snapshot-s3/20-install-opensearch.yaml.j2 b/tests/templates/kuttl/backup-restore/21-install-opensearch-1.yaml.j2 similarity index 80% rename from tests/templates/kuttl/snapshot-s3/20-install-opensearch.yaml.j2 rename to tests/templates/kuttl/backup-restore/21-install-opensearch-1.yaml.j2 index 2839ecb..fa2e305 100644 --- a/tests/templates/kuttl/snapshot-s3/20-install-opensearch.yaml.j2 +++ b/tests/templates/kuttl/backup-restore/21-install-opensearch-1.yaml.j2 @@ -2,7 +2,7 @@ apiVersion: opensearch.stackable.tech/v1alpha1 kind: OpenSearchCluster metadata: - name: opensearch + name: opensearch-1 spec: image: {% if test_scenario['values']['opensearch'].find(",") > 0 %} @@ -33,6 +33,8 @@ spec: # not be created even if enough disk space would be available. cluster.routing.allocation.disk.threshold_enabled: "false" plugins.security.allow_default_init_securityindex: "true" + plugins.security.authcz.admin_dn: CN=opensearch-1-admin-certificate + plugins.security.restapi.roles_enabled: all_access plugins.security.ssl.transport.enabled: "true" plugins.security.ssl.transport.pemcert_filepath: /stackable/opensearch/config/tls/tls.crt plugins.security.ssl.transport.pemkey_filepath: /stackable/opensearch/config/tls/tls.key 
@@ -96,6 +98,34 @@ spec: mountPath: /etc/pki/ca-trust/source/anchors/s3-ca.crt subPath: tls.crt readOnly: true + - name: init-tls +{% if test_scenario['values']['opensearch'].find(",") > 0 %} + image: "{{ test_scenario['values']['opensearch'].split(',')[1] }}" +{% else %} + image: oci.stackable.tech/sdp/opensearch:{{ test_scenario['values']['opensearch'].split(',')[0] }}-stackable{{ test_scenario['values']['release'] }} +{% endif %} + command: + - /bin/bash + - -euxo + - pipefail + - -c + args: + - | + cp /stackable/opensearch/config/tls/tls.* /stackable/opensearch/config/tls-concatenated + cat \ + /stackable/opensearch/config/tls/ca.crt \ + /stackable/opensearch/config/tls-admin/tls.crt > \ + /stackable/opensearch/config/tls-concatenated/ca.crt + volumeMounts: + - name: tls + mountPath: /stackable/opensearch/config/tls + readOnly: true + - name: admin-certificate + mountPath: /stackable/opensearch/config/tls-admin + readOnly: true + - name: tls-concatenated + mountPath: /stackable/opensearch/config/tls-concatenated + readOnly: false containers: - name: opensearch volumeMounts: @@ -106,7 +136,7 @@ spec: mountPath: /etc/pki/java/cacerts subPath: java/cacerts readOnly: true - - name: tls + - name: tls-concatenated mountPath: /stackable/opensearch/config/tls readOnly: true - name: keystore @@ -125,9 +155,13 @@ spec: secret: secretName: minio-ca-crt defaultMode: 0o660 + - name: admin-certificate + secret: + secretName: opensearch-1-admin-certificate + defaultMode: 0o660 - name: security-config secret: - secretName: opensearch-security-config + secretName: opensearch-1-security-config defaultMode: 0o660 - name: system-trust-store emptyDir: 
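Review bot: The `init-tls` container appends the self-signed admin certificate to `ca.crt`, and the `tls-concatenated` volume is then mounted at `/stackable/opensearch/config/tls`, where the `pemtrustedcas_filepath` settings for both transport and HTTP point. The admin certificate therefore becomes a trust anchor for node-to-node and client TLS, not only an identity matched by `plugins.security.authcz.admin_dn`. Because it is created with a plain `openssl req -x509`, it may also carry `CA:TRUE` depending on the image's openssl.cnf, in which case anyone able to read the `opensearch-1-admin-certificate` Secret could issue further certificates the cluster trusts. A comment above the `cat`, for example `# Test-only: securityadmin.sh authenticates with a self-signed client certificate, so it must be among the trusted CAs`, would keep this pattern from being copied into production manifests. The same block appears in `51-install-opensearch-2.yaml.j2`.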
@@ -137,7 +171,7 @@ spec: volumeClaimTemplate: metadata: annotations: - secrets.stackable.tech/scope: node,pod,service=opensearch,service=opensearch-nodes-default-headless + secrets.stackable.tech/scope: node,pod,service=opensearch-1,service=opensearch-1-nodes-default,service=opensearch-1-nodes-default-headless,listener-volume=listener secrets.stackable.tech/class: tls spec: storageClassName: secrets.stackable.tech @@ -146,11 +180,14 @@ spec: resources: requests: storage: "1" + - name: tls-concatenated + emptyDir: + sizeLimit: 1Mi --- apiVersion: v1 kind: Secret metadata: - name: opensearch-security-config + name: opensearch-1-security-config stringData: action_groups.yml: | --- diff --git a/tests/templates/kuttl/backup-restore/22-assert.yaml b/tests/templates/kuttl/backup-restore/22-assert.yaml new file mode 100644 index 0000000..2c068ef --- /dev/null +++ b/tests/templates/kuttl/backup-restore/22-assert.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: kuttl.dev/v1beta1 +kind: TestAssert +timeout: 600 +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: create-testuser +status: + succeeded: 1 diff --git a/tests/templates/kuttl/backup-restore/22-create-testuser.yaml b/tests/templates/kuttl/backup-restore/22-create-testuser.yaml new file mode 100644 index 0000000..9689f15 --- /dev/null +++ b/tests/templates/kuttl/backup-restore/22-create-testuser.yaml 
@@ -0,0 +1,93 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: create-testuser
+spec:
+ template:
+ spec:
+ containers:
+ - name: create-testuser
+ image: oci.stackable.tech/sdp/testing-tools:0.2.0-stackable0.0.0-dev
+ command:
+ - /bin/bash
+ - -euxo
+ - pipefail
+ - -c
+ args:
+ - |
+ pip install opensearch-py==3.0.0
+ python scripts/create-testuser.py
+ env:
+ # required for pip install
+ - name: HOME
+ value: /stackable
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ volumeMounts:
+ - name: script
+ mountPath: /stackable/scripts
+ - name: tls
+ mountPath: /stackable/tls
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ runAsNonRoot: true
+ resources:
+ requests:
+ memory: 128Mi
+ cpu: 100m
+ limits:
+ memory: 128Mi
+ cpu: 400m
+ volumes:
+ - name: script
+ configMap:
+ name: create-testuser-script
+ - name: tls
+ configMap:
+ name: truststore-pem
+ serviceAccountName: test-service-account
+ securityContext:
+ fsGroup: 1000
+ restartPolicy: OnFailure
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: create-testuser-script
+data:
+ create-testuser.py: |
+ import os
+ from opensearchpy import OpenSearch
+ from opensearchpy.exceptions import RequestError
+
+ namespace = os.environ['NAMESPACE']
+
+ # Login as admin
+ client = OpenSearch(
+ http_auth=('admin', 'AJVFsGJBbpT6mChn'),
+ hosts=[{
+ 'host': f'opensearch-1-nodes-default.{namespace}.svc.cluster.local',
+ 'port': 9200
+ }],
+ http_compress=True,
+ use_ssl=True,
+ verify_certs=True,
+ ca_certs='/stackable/tls/ca.crt'
+ )
+
+ # Create a test user and grant all access
+ response = client.security.create_user(
+ username='testuser',
+ body={
+ 'password': 'L9hUHtLVVEsrcLzZ',
+ 'opendistro_security_roles': ['all_access']
+ }
+ )
+
+ print(f'Creating test user; {response=}')
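Review bot: `create-testuser.py` embeds the admin password and the new user's password as literals in a ConfigMap, and this commit drops the caveat the old `test.py` carried (`# For testing only. Don't store credentials in code.`). The admin literal is repeated in `create-snapshot.py` and the test-user literal in `create-data.py`. Keeping both in one Secret and injecting them with `secretKeyRef`, as the backup Job already does for `S3_ACCESS_KEY`, would leave a single place to change and keep the values out of ConfigMaps; at minimum, restore the caveat next to `http_auth=`. `RequestError` is imported but unused in this script. `pip install opensearch-py==3.0.0` pins only the top-level package, so transitive dependencies are resolved at run time.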
diff --git a/tests/templates/kuttl/backup-restore/23-assert.yaml b/tests/templates/kuttl/backup-restore/23-assert.yaml
new file mode 100644
index 0000000..88c838d
--- /dev/null
+++ b/tests/templates/kuttl/backup-restore/23-assert.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+timeout: 600
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: create-data
+status:
+ succeeded: 1
diff --git a/tests/templates/kuttl/backup-restore/23-create-data.yaml b/tests/templates/kuttl/backup-restore/23-create-data.yaml
new file mode 100644
index 0000000..1c27372
--- /dev/null
+++ b/tests/templates/kuttl/backup-restore/23-create-data.yaml
@@ -0,0 +1,105 @@ +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: create-data +spec: + template: + spec: + containers: + - name: create-data + image: oci.stackable.tech/sdp/testing-tools:0.2.0-stackable0.0.0-dev + command: + - /bin/bash + - -euxo + - pipefail + - -c + args: + - | + pip install opensearch-py==3.0.0 + python scripts/create-data.py + env: + # required for pip install + - name: HOME + value: /stackable + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + volumeMounts: + - name: script + mountPath: /stackable/scripts + - name: tls + mountPath: /stackable/tls + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + resources: + requests: + memory: 128Mi + cpu: 100m + limits: + memory: 128Mi + cpu: 400m + volumes: + - name: script + configMap: + name: create-data-script + - name: tls + configMap: + name: truststore-pem + serviceAccountName: test-service-account + securityContext: + fsGroup: 1000 + restartPolicy: OnFailure +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: create-data-script +data: + create-data.py: | + import os + from opensearchpy import OpenSearch + from opensearchpy.exceptions import RequestError + + namespace = os.environ['NAMESPACE'] + + # Login as test user + client = OpenSearch( + http_auth=('testuser', 'L9hUHtLVVEsrcLzZ'), + hosts=[{ + 'host': f'opensearch-1-nodes-default.{namespace}.svc.cluster.local', + 'port': 9200 + }], + http_compress=True, + use_ssl=True, + verify_certs=True, + ca_certs='/stackable/tls/ca.crt' + ) + + # Create an index + index_name = 'test-index' + + try: + response = client.indices.create(index=index_name) + print(f'Creating index; {response=}') + except RequestError as err: + if err.error == 'resource_already_exists_exception': + print(f'The index was already created in a prior test run; {index_name=}') + else: + raise + + # Add a document to the index + response = client.index( + index=index_name, + body={ + 
'name': 'Stackable' + }, + id=1, + ) + + print(f'Adding document; {response=}') diff --git a/tests/templates/kuttl/snapshot-s3/30-assert.yaml b/tests/templates/kuttl/backup-restore/30-assert.yaml similarity index 84% rename from tests/templates/kuttl/snapshot-s3/30-assert.yaml rename to tests/templates/kuttl/backup-restore/30-assert.yaml index 9e330a0..e3cf38c 100644 --- a/tests/templates/kuttl/snapshot-s3/30-assert.yaml +++ b/tests/templates/kuttl/backup-restore/30-assert.yaml @@ -6,6 +6,6 @@ timeout: 600 apiVersion: batch/v1 kind: Job metadata: - name: test-snapshot + name: create-snapshot status: succeeded: 1 diff --git a/tests/templates/kuttl/snapshot-s3/30-test-snapshot.yaml b/tests/templates/kuttl/backup-restore/30-create-snapshot.yaml similarity index 55% rename from tests/templates/kuttl/snapshot-s3/30-test-snapshot.yaml rename to tests/templates/kuttl/backup-restore/30-create-snapshot.yaml index ad95ecd..c1dd4a7 100644 --- a/tests/templates/kuttl/snapshot-s3/30-test-snapshot.yaml +++ b/tests/templates/kuttl/backup-restore/30-create-snapshot.yaml @@ -2,12 +2,12 @@ apiVersion: batch/v1 kind: Job metadata: - name: test-snapshot + name: create-snapshot spec: template: spec: containers: - - name: test-snapshot + - name: create-snapshot image: oci.stackable.tech/sdp/testing-tools:0.2.0-stackable0.0.0-dev command: - /bin/bash @@ -17,7 +17,7 @@ spec: args: - | pip install opensearch-py==3.0.0 - python scripts/test.py + python scripts/create-snapshot.py env: # required for pip install - name: HOME @@ -47,20 +47,10 @@ spec: volumes: - name: script configMap: - name: test-opensearch + name: create-snapshot-script - name: tls - ephemeral: - volumeClaimTemplate: - metadata: - annotations: - secrets.stackable.tech/class: tls - spec: - storageClassName: secrets.stackable.tech - accessModes: - - ReadWriteOnce - resources: - requests: - storage: "1" + configMap: + name: truststore-pem serviceAccountName: test-service-account securityContext: fsGroup: 1000 
@@ -69,52 +59,27 @@ spec: apiVersion: v1 kind: ConfigMap metadata: - name: test-opensearch + name: create-snapshot-script data: - test.py: | + create-snapshot.py: | import os from opensearchpy import OpenSearch from opensearchpy.exceptions import RequestError namespace = os.environ['NAMESPACE'] - host = f'opensearch.{namespace}.svc.cluster.local' - port = 9200 - auth = ('admin', 'AJVFsGJBbpT6mChn') # For testing only. Don't store credentials in code. - ca_certs_path = '/stackable/tls/ca.crt' - client = OpenSearch( - hosts = [{'host': host, 'port': port}], - http_compress = True, - http_auth = auth, - use_ssl = True, - verify_certs = True, - ca_certs = ca_certs_path - ) - - # Create an index - index_name = 'test-index' - - try: - response = client.indices.create(index=index_name) - print(f'Creating index; {response=}') - except RequestError as err: - if err.error == 'resource_already_exists_exception': - print(f'The index was already created in a prior test run; {index_name=}') - else: - raise - - # Add a document to the index - response = client.index( - index = index_name, - body = { - 'name': 'Stackable' - }, - id = 1, + hosts=[{ + 'host': f'opensearch-1-nodes-default.{namespace}.svc.cluster.local', + 'port': 9200 + }], + http_auth=('admin', 'AJVFsGJBbpT6mChn'), + http_compress=True, + use_ssl=True, + verify_certs=True, + ca_certs='/stackable/tls/ca.crt' ) - print(f'Adding document; {response=}') - # Create snapshot repository snapshot_repository = "snapshot_repository" @@ -123,7 +88,7 @@ data: body={ "type": "s3", "settings": { - "bucket": "opensearch" + "bucket": "opensearch-data" } } ) @@ -136,10 +101,7 @@ data: try: response = client.snapshot.create( repository=snapshot_repository, - snapshot=snapshot, - body={ - "indices": index_name - } + snapshot=snapshot ) print(f'Creating snapshot; {response=}') except RequestError as err: 
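Review bot: `client.snapshot.create(...)` in the last hunk of `create-snapshot.py` is called without `wait_for_completion`, so the `create-snapshot` Job may report success while the snapshot is still running, and step 40 of this test later deletes the whole `opensearch-1` cluster rather than a single index. Passing `wait_for_completion=True` to the call would make the Job's success mean the snapshot is complete. With the `indices` body removed, the snapshot is no longer limited to `test-index`, which is presumably intended for a full backup. A comment saying so, and stating whether the security index is expected to be part of it, would help the reader of the restore step. The `try:` block around this call continues past the hunk.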
@@ -147,8 +109,3 @@ data: print(f'The snapshot was already created in a prior test run; {snapshot=}') else: raise - - # Delete the index. - response = client.indices.delete(index=index_name) - - print(f'Deleting index; {response=}') diff --git a/tests/templates/kuttl/backup-restore/31-assert.yaml b/tests/templates/kuttl/backup-restore/31-assert.yaml new file mode 100644 index 0000000..9da657e --- /dev/null +++ b/tests/templates/kuttl/backup-restore/31-assert.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: kuttl.dev/v1beta1 +kind: TestAssert +timeout: 600 +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: backup-security-indices +status: + succeeded: 1 diff --git a/tests/templates/kuttl/backup-restore/31-backup-security-indices.yaml.j2 b/tests/templates/kuttl/backup-restore/31-backup-security-indices.yaml.j2 new file mode 100644 index 0000000..109431a --- /dev/null +++ b/tests/templates/kuttl/backup-restore/31-backup-security-indices.yaml.j2 
@@ -0,0 +1,126 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: backup-security-indices
+spec:
+ template:
+ spec:
+ initContainers:
+ - name: backup-security-indices
+ image: oci.stackable.tech/sdp/opensearch:{{ test_scenario['values']['opensearch'].split(',')[0] }}-stackable{{ test_scenario['values']['release'] }}
+ command:
+ - /stackable/scripts/backup-security-indices.sh
+ env:
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ volumeMounts:
+ - name: scripts
+ mountPath: /stackable/scripts
+ - name: tls
+ # The Java policy allows reading from /stackable/opensearch/config.
+ mountPath: /stackable/opensearch/config/tls
+ readOnly: true
+ - name: tls-client
+ # The Java policy allows reading from /stackable/opensearch/config.
+ mountPath: /stackable/opensearch/config/tls-client
+ readOnly: true
+ - name: backup
+ mountPath: /tmp/backup
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ runAsNonRoot: true
+ resources:
+ requests:
+ # securityadmin.sh requires a lot of memory.
+ memory: 1Gi
+ cpu: 100m
+ limits:
+ memory: 1Gi
+ cpu: 400m
+ containers:
+ - name: upload-security-indices-backup
+ image: minio/mc:RELEASE.2025-08-13T08-35-41Z
+ command:
+ - /root/scripts/upload-security-indices-backup.sh
+ env:
+ - name: S3_ACCESS_KEY
+ valueFrom:
+ secretKeyRef:
+ name: s3-credentials
+ key: s3.client.default.access_key
+ - name: S3_SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ name: s3-credentials
+ key: s3.client.default.secret_key
+ volumeMounts:
+ - name: scripts
+ mountPath: /root/scripts
+ - name: s3-ca-crt
+ mountPath: /root/.mc/certs/CAs
+ - name: backup
+ mountPath: /tmp/backup
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ # The image minio/mc runs as root.
+ runAsNonRoot: false
+ resources:
+ requests:
+ memory: 128Mi
+ cpu: 100m
+ limits:
+ memory: 128Mi
+ cpu: 400m
+ volumes:
+ - name: scripts
+ configMap:
+ name: backup-security-indices-scripts
+ defaultMode: 0o770
+ - name: tls
+ configMap:
+ name: truststore-pem
+ - name: tls-client
+ secret:
+ secretName: opensearch-1-admin-certificate
+ defaultMode: 0o660
+ - name: s3-ca-crt
+ secret:
+ secretName: minio-ca-crt
+ defaultMode: 0o660
+ - name: backup
+ emptyDir:
+ sizeLimit: 1Mi
+ serviceAccountName: test-service-account
+ securityContext:
+ fsGroup: 1000
+ restartPolicy: OnFailure
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: backup-security-indices-scripts
+data:
+ backup-security-indices.sh: |
+ #!/usr/bin/env sh
+
+ plugins/opensearch-security/tools/securityadmin.sh \
+ -cacert config/tls/ca.crt \
+ -cert config/tls-client/tls.crt \
+ -key config/tls-client/tls.key \
+ --hostname opensearch-1-nodes-default.$NAMESPACE.svc.cluster.local \
+ -backup /tmp/backup
+ upload-security-indices-backup.sh: |
+ #!/usr/bin/env sh
+
+ mc alias set minio https://minio:9000/ $S3_ACCESS_KEY $S3_SECRET_KEY
+ mc mb minio/opensearch-security
+ mc cp /tmp/backup/* minio/opensearch-security/
diff --git a/tests/templates/kuttl/backup-restore/40-delete-opensearch-1.yaml b/tests/templates/kuttl/backup-restore/40-delete-opensearch-1.yaml
new file mode 100644
index 0000000..42c24c8
--- /dev/null
+++ b/tests/templates/kuttl/backup-restore/40-delete-opensearch-1.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+delete:
+ - apiVersion: opensearch.stackable.tech/v1alpha1
+ kind: OpenSearchCluster
+ name: opensearch-1
+ - apiVersion: v1
+ kind: Secret
+ name: opensearch-1-security-config
+ - apiVersion: v1
+ kind: Secret
+ name: opensearch-1-admin-certificate
diff --git a/tests/templates/kuttl/backup-restore/50-assert.yaml b/tests/templates/kuttl/backup-restore/50-assert.yaml
new file mode 100644
index 0000000..1c73025
--- /dev/null
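Review bot: `upload-security-indices-backup.sh` has no `set -eu` and passes `$S3_ACCESS_KEY` and `$S3_SECRET_KEY` unquoted, so a failed `mc alias set` or `mc mb` is ignored and only the exit status of `mc cp` decides whether the Job succeeds. Suggested lines: `set -eu`, `mc alias set minio https://minio:9000/ "$S3_ACCESS_KEY" "$S3_SECRET_KEY"` and `mc mb --ignore-existing minio/opensearch-security`, the last so that a retry under `restartPolicy: OnFailure` still passes. The backup presumably contains the internal users with their password hashes, so the `opensearch-security` bucket should be no more widely readable than the security-config Secret. The `backup-security-indices` container always uses the stock `oci.stackable.tech/sdp/opensearch` image, whereas the cluster manifests switch to the custom image when the scenario value contains a comma. `download-security-indices-backup.sh` in `60-restore-security-indices.yaml.j2` shares the quoting and `set -eu` points.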
+++ b/tests/templates/kuttl/backup-restore/50-assert.yaml
@@ -0,0 +1,16 @@
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+timeout: 600
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: create-opensearch-2-admin-certificate
+status:
+ succeeded: 1
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: opensearch-2-admin-certificate
diff --git a/tests/templates/kuttl/backup-restore/50-create-opensearch-2-admin-certificate.yaml b/tests/templates/kuttl/backup-restore/50-create-opensearch-2-admin-certificate.yaml
new file mode 100644
index 0000000..4e3ebef
--- /dev/null
+++ b/tests/templates/kuttl/backup-restore/50-create-opensearch-2-admin-certificate.yaml
@@ -0,0 +1,57 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: create-opensearch-2-admin-certificate
+spec:
+ template:
+ spec:
+ containers:
+ - name: create-opensearch-2-admin-certificate
+ image: oci.stackable.tech/sdp/testing-tools:0.2.0-stackable0.0.0-dev
+ command:
+ - /stackable/scripts/create-opensearch-2-admin-certificate.sh
+ volumeMounts:
+ - name: script
+ mountPath: /stackable/scripts
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ runAsNonRoot: true
+ resources:
+ requests:
+ memory: 128Mi
+ cpu: 100m
+ limits:
+ memory: 128Mi
+ cpu: 400m
+ volumes:
+ - name: script
+ configMap:
+ name: create-opensearch-2-admin-certificate-script
+ defaultMode: 0o770
+ serviceAccountName: test-service-account
+ securityContext:
+ fsGroup: 1000
+ restartPolicy: OnFailure
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: create-opensearch-2-admin-certificate-script
+data:
+ create-opensearch-2-admin-certificate.sh: |
+ #!/usr/bin/env sh
+
+ openssl req \
+ -x509 \
+ -nodes \
+ -subj=/CN=opensearch-2-admin-certificate \
+ -out=tls.crt \
+ -keyout=tls.key
+
+ kubectl create secret generic opensearch-2-admin-certificate \
+ --from-file=tls.crt \
+ --from-file=tls.key
diff --git a/tests/templates/kuttl/backup-restore/51-assert.yaml b/tests/templates/kuttl/backup-restore/51-assert.yaml
new file mode 100644
index 0000000..c8a94f3
--- /dev/null
+++ b/tests/templates/kuttl/backup-restore/51-assert.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+timeout: 600
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: opensearch-2-nodes-default
+status:
+ readyReplicas: 1
+ replicas: 1
diff --git a/tests/templates/kuttl/backup-restore/51-install-opensearch-2.yaml.j2 b/tests/templates/kuttl/backup-restore/51-install-opensearch-2.yaml.j2
new file mode 100644
index 0000000..996df72
--- /dev/null
+++ b/tests/templates/kuttl/backup-restore/51-install-opensearch-2.yaml.j2
@@ -0,0 +1,281 @@ +--- +apiVersion: opensearch.stackable.tech/v1alpha1 +kind: OpenSearchCluster +metadata: + name: opensearch-2 +spec: + image: +{% if test_scenario['values']['opensearch'].find(",") > 0 %} + custom: "{{ test_scenario['values']['opensearch'].split(',')[1] }}" +{% endif %} + productVersion: "{{ test_scenario['values']['opensearch'].split(',')[0] }}" + pullPolicy: IfNotPresent +{% if lookup('env', 'VECTOR_AGGREGATOR') %} + clusterConfig: + vectorAggregatorConfigMapName: vector-aggregator-discovery +{% endif %} + nodes: + config: + logging: + enableVectorAgent: {{ lookup('env', 'VECTOR_AGGREGATOR') | length > 0 }} + listenerClass: external-unstable + roleGroups: + default: + replicas: 1 + configOverrides: + opensearch.yml: + # Disable memory mapping in this test; If memory mapping were activated, the kernel setting + # vm.max_map_count would have to be increased to 262144 on the node. + node.store.allow_mmap: "false" + # Disable the disk allocation decider in this test; Otherwise the test depends on the disk + # usage of the node and if the relative watermark set in + # `cluster.routing.allocation.disk.watermark.high` is reached then the security index could + # not be created even if enough disk space would be available. 
+ cluster.routing.allocation.disk.threshold_enabled: "false" + plugins.security.allow_default_init_securityindex: "true" + plugins.security.authcz.admin_dn: CN=opensearch-2-admin-certificate + plugins.security.restapi.roles_enabled: all_access + plugins.security.ssl.transport.enabled: "true" + plugins.security.ssl.transport.pemcert_filepath: /stackable/opensearch/config/tls/tls.crt + plugins.security.ssl.transport.pemkey_filepath: /stackable/opensearch/config/tls/tls.key + plugins.security.ssl.transport.pemtrustedcas_filepath: /stackable/opensearch/config/tls/ca.crt + plugins.security.ssl.http.enabled: "true" + plugins.security.ssl.http.pemcert_filepath: /stackable/opensearch/config/tls/tls.crt + plugins.security.ssl.http.pemkey_filepath: /stackable/opensearch/config/tls/tls.key + plugins.security.ssl.http.pemtrustedcas_filepath: /stackable/opensearch/config/tls/ca.crt + s3.client.default.endpoint: https://minio:9000/ + s3.client.default.protocol: https + s3.client.default.region: unused # but required + s3.client.default.path_style_access: "true" + podOverrides: + spec: + initContainers: + - name: init-keystore +{% if test_scenario['values']['opensearch'].find(",") > 0 %} + image: "{{ test_scenario['values']['opensearch'].split(',')[1] }}" +{% else %} + image: oci.stackable.tech/sdp/opensearch:{{ test_scenario['values']['opensearch'].split(',')[0] }}-stackable{{ test_scenario['values']['release'] }} +{% endif %} + command: + - /bin/bash + - -euxo + - pipefail + - -c + args: + - | + bin/opensearch-keystore create + + for i in keystore-secrets/*; do + key=$(basename $i) + bin/opensearch-keystore add-file "$key" "$i" + done + + cp --archive config/opensearch.keystore initialized-keystore + volumeMounts: + - name: keystore + mountPath: /stackable/opensearch/initialized-keystore + readOnly: false + - name: keystore-secrets + mountPath: /stackable/opensearch/keystore-secrets + readOnly: true + - name: init-system-keystore +{% if 
test_scenario['values']['opensearch'].find(",") > 0 %} + image: "{{ test_scenario['values']['opensearch'].split(',')[1] }}" +{% else %} + image: oci.stackable.tech/sdp/opensearch:{{ test_scenario['values']['opensearch'].split(',')[0] }}-stackable{{ test_scenario['values']['release'] }} +{% endif %} + command: + - update-ca-trust + args: + - extract + - --output + - /stackable/ca-trust + volumeMounts: + - name: system-trust-store + mountPath: /stackable/ca-trust + readOnly: false + - name: s3-ca-crt + mountPath: /etc/pki/ca-trust/source/anchors/s3-ca.crt + subPath: tls.crt + readOnly: true + - name: init-tls +{% if test_scenario['values']['opensearch'].find(",") > 0 %} + image: "{{ test_scenario['values']['opensearch'].split(',')[1] }}" +{% else %} + image: oci.stackable.tech/sdp/opensearch:{{ test_scenario['values']['opensearch'].split(',')[0] }}-stackable{{ test_scenario['values']['release'] }} +{% endif %} + command: + - /bin/bash + - -euxo + - pipefail + - -c + args: + - | + cp /stackable/opensearch/config/tls/tls.* /stackable/opensearch/config/tls-concatenated + cat \ + /stackable/opensearch/config/tls/ca.crt \ + /stackable/opensearch/config/tls-admin/tls.crt > \ + /stackable/opensearch/config/tls-concatenated/ca.crt + volumeMounts: + - name: tls + mountPath: /stackable/opensearch/config/tls + readOnly: true + - name: admin-certificate + mountPath: /stackable/opensearch/config/tls-admin + readOnly: true + - name: tls-concatenated + mountPath: /stackable/opensearch/config/tls-concatenated + readOnly: false + containers: + - name: opensearch + volumeMounts: + - name: security-config + mountPath: /stackable/opensearch/config/opensearch-security + readOnly: true + - name: system-trust-store + mountPath: /etc/pki/java/cacerts + subPath: java/cacerts + readOnly: true + - name: tls-concatenated + mountPath: /stackable/opensearch/config/tls + readOnly: true + - name: keystore + mountPath: /stackable/opensearch/config/opensearch.keystore + subPath: opensearch.keystore + 
readOnly: true + volumes: + - name: keystore + emptyDir: + sizeLimit: 1Mi + - name: keystore-secrets + secret: + secretName: s3-credentials + defaultMode: 0o660 + - name: s3-ca-crt + secret: + secretName: minio-ca-crt + defaultMode: 0o660 + - name: admin-certificate + secret: + secretName: opensearch-2-admin-certificate + defaultMode: 0o660 + - name: security-config + secret: + secretName: opensearch-2-security-config + defaultMode: 0o660 + - name: system-trust-store + emptyDir: + sizeLimit: 10Mi + - name: tls + ephemeral: + volumeClaimTemplate: + metadata: + annotations: + secrets.stackable.tech/scope: node,pod,service=opensearch-2,service=opensearch-2-nodes-default,service=opensearch-2-nodes-default-headless,listener-volume=listener + secrets.stackable.tech/class: tls + spec: + storageClassName: secrets.stackable.tech + accessModes: + - ReadWriteOnce + resources: + requests: + storage: "1" + - name: tls-concatenated + emptyDir: + sizeLimit: 1Mi +--- +apiVersion: v1 +kind: Secret +metadata: + name: opensearch-2-security-config +stringData: + action_groups.yml: | + --- + _meta: + type: actiongroups + config_version: 2 + allowlist.yml: | + --- + _meta: + type: allowlist + config_version: 2 + + config: + enabled: false + audit.yml: | + --- + _meta: + type: audit + config_version: 2 + + config: + enabled: false + config.yml: | + --- + _meta: + type: config + config_version: 2 + + config: + dynamic: + authc: + basic_internal_auth_domain: + description: Authenticate via HTTP Basic against internal users database + http_enabled: true + transport_enabled: true + order: 1 + http_authenticator: + type: basic + challenge: true + authentication_backend: + type: intern + authz: {} + internal_users.yml: | + --- + # The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh + + _meta: + type: internalusers + config_version: 2 + + admin: + hash: $2y$10$xRtHZFJ9QhG9GcYhRpAGpufCZYsk//nxsuel5URh0GWEBgmiI4Q/e + reserved: true + backend_roles: + - admin + 
description: OpenSearch admin user + + kibanaserver: + hash: $2y$10$vPgQ/6ilKDM5utawBqxoR.7euhVQ0qeGl8mPTeKhmFT475WUDrfQS + reserved: true + description: OpenSearch Dashboards user + nodes_dn.yml: | + --- + _meta: + type: nodesdn + config_version: 2 + roles.yml: | + --- + _meta: + type: roles + config_version: 2 + roles_mapping.yml: | + --- + _meta: + type: rolesmapping + config_version: 2 + + all_access: + reserved: false + backend_roles: + - admin + + kibana_server: + reserved: true + users: + - kibanaserver + tenants.yml: | + --- + _meta: + type: tenants + config_version: 2 diff --git a/tests/templates/kuttl/backup-restore/60-assert.yaml b/tests/templates/kuttl/backup-restore/60-assert.yaml new file mode 100644 index 0000000..636bc8c --- /dev/null +++ b/tests/templates/kuttl/backup-restore/60-assert.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: kuttl.dev/v1beta1 +kind: TestAssert +timeout: 600 +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: restore-security-indices +status: + succeeded: 1 diff --git a/tests/templates/kuttl/backup-restore/60-restore-security-indices.yaml.j2 b/tests/templates/kuttl/backup-restore/60-restore-security-indices.yaml.j2 new file mode 100644 index 0000000..403763b --- /dev/null +++ b/tests/templates/kuttl/backup-restore/60-restore-security-indices.yaml.j2 
@@ -0,0 +1,125 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: restore-security-indices
+spec:
+ template:
+ spec:
+ initContainers:
+ - name: download-security-indices-backup
+ image: minio/mc:RELEASE.2025-08-13T08-35-41Z
+ command:
+ - /root/scripts/download-security-indices-backup.sh
+ env:
+ - name: S3_ACCESS_KEY
+ valueFrom:
+ secretKeyRef:
+ name: s3-credentials
+ key: s3.client.default.access_key
+ - name: S3_SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ name: s3-credentials
+ key: s3.client.default.secret_key
+ volumeMounts:
+ - name: scripts
+ mountPath: /root/scripts
+ - name: s3-ca-crt
+ mountPath: /root/.mc/certs/CAs
+ - name: backup
+ mountPath: /tmp/backup
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ # The image minio/mc runs as root.
+ runAsNonRoot: false
+ resources:
+ requests:
+ memory: 128Mi
+ cpu: 100m
+ limits:
+ memory: 128Mi
+ cpu: 400m
+ containers:
+ - name: restore-security-indices
+ image: oci.stackable.tech/sdp/opensearch:{{ test_scenario['values']['opensearch'].split(',')[0] }}-stackable{{ test_scenario['values']['release'] }}
+ command:
+ - /stackable/scripts/restore-security-indices.sh
+ env:
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ volumeMounts:
+ - name: scripts
+ mountPath: /stackable/scripts
+ - name: tls
+ # The Java policy allows reading from /stackable/opensearch/config.
+ mountPath: /stackable/opensearch/config/tls
+ readOnly: true
+ - name: tls-client
+ # The Java policy allows reading from /stackable/opensearch/config.
+ mountPath: /stackable/opensearch/config/tls-client
+ readOnly: true
+ - name: backup
+ mountPath: /tmp/backup
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ runAsNonRoot: true
+ resources:
+ requests:
+ # securityadmin.sh requires a lot of memory.
+ memory: 1Gi
+ cpu: 100m
+ limits:
+ memory: 1Gi
+ cpu: 400m
+ volumes:
+ - name: scripts
+ configMap:
+ name: restore-security-indices-scripts
+ defaultMode: 0o770
+ - name: tls
+ configMap:
+ name: truststore-pem
+ - name: tls-client
+ secret:
+ secretName: opensearch-2-admin-certificate
+ defaultMode: 0o660
+ - name: s3-ca-crt
+ secret:
+ secretName: minio-ca-crt
+ defaultMode: 0o660
+ - name: backup
+ emptyDir:
+ sizeLimit: 1Mi
+ serviceAccountName: test-service-account
+ securityContext:
+ fsGroup: 1000
+ restartPolicy: OnFailure
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: restore-security-indices-scripts
+data:
+ download-security-indices-backup.sh: |
+ #!/usr/bin/env sh
+
+ mc alias set minio https://minio:9000/ $S3_ACCESS_KEY $S3_SECRET_KEY
+ mc cp --recursive minio/opensearch-security/ /tmp/backup
+ restore-security-indices.sh: |
+ #!/usr/bin/env sh
+
+ plugins/opensearch-security/tools/securityadmin.sh \
+ -cacert config/tls/ca.crt \
+ -cert config/tls-client/tls.crt \
+ -key config/tls-client/tls.key \
+ --hostname opensearch-2-nodes-default.$NAMESPACE.svc.cluster.local \
+ --configdir /tmp/backup
diff --git a/tests/templates/kuttl/backup-restore/61-assert.yaml b/tests/templates/kuttl/backup-restore/61-assert.yaml new file mode 100644
index 0000000..c50b5e3
--- /dev/null
+++ b/tests/templates/kuttl/backup-restore/61-assert.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+timeout: 600
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: restore-snapshot
+status:
+ succeeded: 1
diff --git a/tests/templates/kuttl/backup-restore/61-restore-snapshot.yaml b/tests/templates/kuttl/backup-restore/61-restore-snapshot.yaml new file mode 100644
index 0000000..e9f5d56
--- /dev/null
+++ b/tests/templates/kuttl/backup-restore/61-restore-snapshot.yaml
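Review bot: In `download-security-indices-backup.sh` the S3 credentials are expanded unquoted and the script has no `set -eu`, unlike the `restore-snapshot` and `test-opensearch-2` Jobs in this commit, which run under `bash -euxo pipefail`. An empty or whitespace-containing key would change the argument list of `mc alias set` instead of failing clearly, and a failure of the first command does not stop the script. I would add `set -eu` after the shebang and write `mc alias set minio https://minio:9000/ "$S3_ACCESS_KEY" "$S3_SECRET_KEY"`; `restore-security-indices.sh` would benefit from the same `set -eu` for `$NAMESPACE`. The `tls-client` and `s3-ca-crt` secret volumes use `defaultMode: 0o660` although the containers only read them, so `0o440` would state that intent.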
@@ -0,0 +1,118 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: restore-snapshot
+spec:
+ template:
+ spec:
+ containers:
+ - name: restore-snapshot
+ image: oci.stackable.tech/sdp/testing-tools:0.2.0-stackable0.0.0-dev
+ command:
+ - /bin/bash
+ - -euxo
+ - pipefail
+ - -c
+ args:
+ - |
+ pip install opensearch-py==3.0.0
+ python scripts/restore-snapshot.py
+ env:
+ # required for pip install
+ - name: HOME
+ value: /stackable
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ volumeMounts:
+ - name: script
+ mountPath: /stackable/scripts
+ - name: tls
+ mountPath: /stackable/tls
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ runAsNonRoot: true
+ resources:
+ requests:
+ memory: 128Mi
+ cpu: 100m
+ limits:
+ memory: 128Mi
+ cpu: 400m
+ volumes:
+ - name: script
+ configMap:
+ name: restore-snapshot-script
+ - name: tls
+ configMap:
+ name: truststore-pem
+ serviceAccountName: test-service-account
+ securityContext:
+ fsGroup: 1000
+ restartPolicy: OnFailure
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: restore-snapshot-script
+data:
+ restore-snapshot.py: |
+ import os
+ from opensearchpy import OpenSearch
+ from opensearchpy.exceptions import RequestError
+
+ namespace = os.environ['NAMESPACE']
+
+ client = OpenSearch(
+ hosts=[{
+ 'host': f'opensearch-2-nodes-default.{namespace}.svc.cluster.local',
+ 'port': 9200
+ }],
+ http_auth=('admin', 'AJVFsGJBbpT6mChn'),
+ http_compress=True,
+ use_ssl=True,
+ verify_certs=True,
+ ca_certs='/stackable/tls/ca.crt'
+ )
+
+ # Create snapshot repository
+ snapshot_repository = "snapshot_repository"
+
+ response = client.snapshot.create_repository(
+ repository=snapshot_repository,
+ body={
+ "type": "s3",
+ "settings": {
+ "bucket": "opensearch-data"
+ }
+ }
+ )
+
+ print(f'Creating snapshot repository; {response=}')
+
+ # Restore snapshot
+ snapshot = "test_snapshot"
+
+ response = client.snapshot.restore(
+ repository='snapshot_repository',
+ snapshot=snapshot,
+ # Do not restore the following indices:
+ # - .opensearch_security will be restored with securityadmin.sh
+ # - .plugins-ml-config already was created by the plugin
+ # - .opensearch-sap-log-types-config already was created by the plugin
+ #
+ # see also https://github.com/opensearch-project/security-analytics/issues/1352
+ body={
+ 'indices': ','.join([
+ '-.opendistro_security',
+ '-.plugins-ml-config',
+ '-.opensearch-sap-log-types-config'
+ ])
+ }
+ )
+ print(f'Restoring snapshot; {response=}')
diff --git a/tests/templates/kuttl/backup-restore/70-assert.yaml b/tests/templates/kuttl/backup-restore/70-assert.yaml new file mode 100644
index 0000000..ffe2c60
--- /dev/null
+++ b/tests/templates/kuttl/backup-restore/70-assert.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+timeout: 600
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: test-opensearch-2
+status:
+ succeeded: 1
diff --git a/tests/templates/kuttl/backup-restore/70-test-opensearch-2.yaml b/tests/templates/kuttl/backup-restore/70-test-opensearch-2.yaml new file mode 100644
index 0000000..f0e90eb
--- /dev/null
+++ b/tests/templates/kuttl/backup-restore/70-test-opensearch-2.yaml
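Review bot: `restore-snapshot.py` embeds the admin password as a literal in `http_auth=(...)`, and because the script is stored in a ConfigMap the credential is readable by anything that may read ConfigMaps in the namespace and stays in the repository history; `test-opensearch-2.py` in 70-test-opensearch-2.yaml does the same for `testuser`. The Job in 60-restore-security-indices.yaml.j2 already passes the S3 keys through `secretKeyRef`, and the same pattern fits here: keep the password in a Secret, expose it as an environment variable and read it with `http_auth=('admin', os.environ['OPENSEARCH_ADMIN_PASSWORD'])` (the variable name is a suggestion). Separately, the comment above `body=` names `.opensearch_security` while the exclusion list uses `-.opendistro_security`, so one of the two should be corrected.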
@@ -0,0 +1,92 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: test-opensearch-2
+spec:
+ template:
+ spec:
+ containers:
+ - name: test-opensearch-2
+ image: oci.stackable.tech/sdp/testing-tools:0.2.0-stackable0.0.0-dev
+ command:
+ - /bin/bash
+ - -euxo
+ - pipefail
+ - -c
+ args:
+ - |
+ pip install opensearch-py==3.0.0
+ python scripts/test-opensearch-2.py
+ env:
+ # required for pip install
+ - name: HOME
+ value: /stackable
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ volumeMounts:
+ - name: script
+ mountPath: /stackable/scripts
+ - name: tls
+ mountPath: /stackable/tls
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ runAsNonRoot: true
+ resources:
+ requests:
+ memory: 128Mi
+ cpu: 100m
+ limits:
+ memory: 128Mi
+ cpu: 400m
+ volumes:
+ - name: script
+ configMap:
+ name: test-opensearch-2
+ - name: tls
+ configMap:
+ name: truststore-pem
+ serviceAccountName: test-service-account
+ securityContext:
+ fsGroup: 1000
+ restartPolicy: OnFailure
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: test-opensearch-2
+data:
+ test-opensearch-2.py: |
+ import os
+ from opensearchpy import OpenSearch
+ from opensearchpy.exceptions import RequestError
+
+ namespace = os.environ['NAMESPACE']
+
+ # Login as test user
+ client = OpenSearch(
+ http_auth=('testuser', 'L9hUHtLVVEsrcLzZ'),
+ hosts=[{
+ 'host': f'opensearch-2-nodes-default.{namespace}.svc.cluster.local',
+ 'port': 9200
+ }],
+ http_compress=True,
+ use_ssl=True,
+ verify_certs=True,
+ ca_certs='/stackable/tls/ca.crt'
+ )
+
+ # Fetch a document from the index
+ response = client.get(
+ index='test-index',
+ id=1,
+ )
+
+ print(f'Fetching document; {response=}')
+
+ assert response['_source'] == {'name': 'Stackable'}
diff --git a/tests/templates/kuttl/snapshot-s3/10-install-s3-credentials-secret.yaml b/tests/templates/kuttl/snapshot-s3/10-install-s3-credentials-secret.yaml deleted file mode 100644
index e5b552f..0000000
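Review bot: The container command runs `pip install opensearch-py==3.0.0` on every test run, which pins the version but not the artifact and makes the test depend on reaching the package index at run time; the `restore-snapshot` Job in 61-restore-snapshot.yaml has the same line. Preinstalling the client in the `testing-tools` image, or installing from a requirements file with `--require-hashes`, would make the dependency reproducible and verifiable. In the script, `RequestError` is imported but never used and can be dropped.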
--- a/tests/templates/kuttl/snapshot-s3/10-install-s3-credentials-secret.yaml +++ /dev/null @@ -1,8 +0,0 @@ ---- -apiVersion: v1 -kind: Secret -metadata: - name: s3-credentials -stringData: - s3.client.default.access_key: opensearchAccessKey - s3.client.default.secret_key: opensearchSecretKey diff --git a/tests/test-definition.yaml b/tests/test-definition.yaml index f224072..74d268e 100644 --- a/tests/test-definition.yaml +++ b/tests/test-definition.yaml @@ -40,7 +40,7 @@ tests: - opensearch_home - release # requires the repository-s3 plugin - - name: snapshot-s3 + - name: backup-restore dimensions: - opensearch - release