apps: Removal of previous work-around to increase vm.max_map_count for OpenSearch (#2723)

Co-authored-by: Simon Lundkvist <[email protected]>

Author: kcrwi

helmfile.d/lists/images.yaml

@@ -75,7 +75,6 @@ images:
     image: registry.k8s.io/dns/k8s-dns-node-cache:1.25.0
   opensearch:
     image: docker.io/opensearchproject/opensearch:2.19.3
-    initSysctl: ghcr.io/elastisys/curl-jq:1.0.0
     dashboards: docker.io/opensearchproject/opensearch-dashboards:2.19.3
     configurerJob: ghcr.io/elastisys/curl-jq:1.0.0
     curatorCronjob: ghcr.io/elastisys/bitnami/elasticsearch-curator:5.8.4-debian-10-r235

helmfile.d/stacks/opensearch.yaml.gotmpl

@@ -6,16 +6,6 @@ templates:
     labels:
       app: opensearch
 
-  opensearch-podsecuritypolicy:
-    inherit:
-      - template: opensearch
-      - template: podsecuritypolicies
-    installed: {{ and (.Values | get "ck8sManagementCluster.enabled" false) (.Values | get "opensearch.enabled" false) }}
-    labels:
-      psp: opensearch
-    values:
-      - values/podsecuritypolicies/service/opensearch.yaml.gotmpl
-
   opensearch-secrets:
     disableValidationOnInstall: true # creates cert-manager/certificates
     inherit: [ template: opensearch ]
@@ -41,7 +31,6 @@ templates:
       {{- end }}
       - kube-system/service-cluster-np
       - opensearch-system/opensearch-secrets
-      - opensearch-system/podsecuritypolicy
     values:
       - values/opensearch/common.yaml.gotmpl
       - values/opensearch/master.yaml.gotmpl
@@ -56,7 +45,6 @@ templates:
     needs:
       - kube-system/service-cluster-np
       - opensearch-system/opensearch-master
-      - opensearch-system/podsecuritypolicy
     values:
       - values/opensearch/common.yaml.gotmpl
       - values/opensearch/client.yaml.gotmpl
@@ -71,7 +59,6 @@ templates:
     needs:
       - kube-system/service-cluster-np
       - opensearch-system/opensearch-master
-      - opensearch-system/podsecuritypolicy
     values:
       - values/opensearch/common.yaml.gotmpl
       - values/opensearch/data.yaml.gotmpl
@@ -89,7 +76,6 @@ templates:
       {{- end }}
       - kube-system/service-cluster-np
       - opensearch-system/opensearch-master
-      - opensearch-system/podsecuritypolicy
     values:
       - values/opensearch/dashboards.yaml.gotmpl
     wait: true

helmfile.d/state.yaml.gotmpl

@@ -163,7 +163,6 @@ releases:
   - inherit: [ template: harbor-backup ]
   - inherit: [ template: harbor-mpu-cleaner ]
 
-  - inherit: [ template: opensearch-podsecuritypolicy ]
   - inherit: [ template: opensearch-secrets ]
   - inherit: [ template: opensearch-master ]
   - inherit: [ template: opensearch-client ]

helmfile.d/values/admin-namespaces-sc.yaml.gotmpl

@@ -67,9 +67,9 @@ namespaces:
       pod-security.kubernetes.io/warn: privileged
   - name: opensearch-system
     labels:
-      pod-security.kubernetes.io/audit: privileged
-      pod-security.kubernetes.io/enforce: privileged
-      pod-security.kubernetes.io/warn: privileged
+      pod-security.kubernetes.io/audit: restricted
+      pod-security.kubernetes.io/enforce: restricted
+      pod-security.kubernetes.io/warn: restricted
   {{ if or (.Values.objectStorage.sync.enabled) (.Values.objectStorage.restore.enabled) }}
   - name: rclone
     labels:

helmfile.d/values/opensearch/common.yaml.gotmpl

@@ -125,28 +125,6 @@ extraEnvs:
   - name: DISABLE_INSTALL_DEMO_CONFIG
     value: "true"
 
-# This is a workaround to set vm.max_map_count before OpenSearch starts.
-# The chart provides this using non privileged container, and instead allows the unsafe sysctl through PSP.
-# However this relies on the unsafe sysctl to be allowed in kubelet, which it is not by default.
-extraInitContainers:
-  - name: init-sysctl
-    {{- with .Values.images | dig "opensearch" "initSysctl" "" }}
-    {{- with merge (include "container_uri.parse" . | fromJson) $global }}
-    image: "{{- include "gen.container_uri" . }}"
-    {{- end }}
-    {{- else }}
-    image: ghcr.io/elastisys/curl-jq:1.0.0
-    {{- end }}
-    command:
-      - sysctl
-      - -w
-      - vm.max_map_count=262144
-    securityContext:
-      allowPrivilegeEscalation: true
-      privileged: true
-      runAsNonRoot: false
-      runAsUser: 0
-
 secretMounts:
   - secretName: opensearch-transport-cert
     name: opensearch-transport-cert

helmfile.d/values/podsecuritypolicies/service/opensearch.yaml.gotmpl

@@ -4,12 +4,6 @@ constraints:
       podSelectorLabels:
         app.kubernetes.io/name: opensearch
       allow:
-        allowPrivilegeEscalation: true
-        # allowedUnsafeSysctls:
-        #   - vm.max_map_count
-        privileged: true
-        runAsUser:
-          rule: RunAsAny
         volumes:
           - configMap
           - emptyDir

migration/v0.49/README.md

@@ -109,6 +109,12 @@ As with all scripts in this repository `CK8S_CONFIG_PATH` is expected to be set.
     export CK8S_CLUSTER=<wc|sc|both>
     ```
 
+1. Apply OpenSearch and remove PSPs, as its PSA has been lowered to `restricted`.
+
+    ```bash
+    ./migration/v0.49/apply/30-opensearch-initContainer.sh
+    ```
+
 1. Update apps configuration:
 
     This will take a backup into `backups/` before modifying any files.

migration/v0.49/apply/30-opensearch-initContainer.sh

@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+
+ROOT="$(readlink -f "$(dirname "${0}")/../../../")"
+
+# shellcheck source=scripts/migration/lib.sh
+source "${ROOT}/scripts/migration/lib.sh"
+
+run() {
+  case "${1:-}" in
+  execute)
+    if [[ "${CK8S_CLUSTER}" =~ ^(sc|both)$ ]]; then
+      log_info "operation on service cluster"
+      helmfile_upgrade sc app=opensearch
+      helm_uninstall sc opensearch-system podsecuritypolicy
+    fi
+    ;;
+  rollback)
+    log_warn "rollback not implemented"
+    ;;
+  *)
+    log_fatal "usage: \"${0}\" <execute|rollback>"
+    ;;
+  esac
+}
+
+run "${@}"

tests/unit/general/resources/images-parametric-tests.json

@@ -270,12 +270,6 @@
       "container_name": "opensearch",
       "template_file": "sc/opensearch/templates/statefulset.yaml"
     },
-    {
-      "image_property": "opensearch.initSysctl",
-      "helmfile_selector": "app=opensearch",
-      "container_name": "init-sysctl",
-      "template_file": "sc/opensearch/templates/statefulset.yaml"
-    },
     {
       "image_property": "opensearch.dashboards",
       "helmfile_selector": "app=opensearch",