3 nodes architecture
- Opensearch and Opensearch-Dashboards : 2.4.1
- Keycloak : 20
- Postgres (used for Keycloak) : 15

Important settings
As specified in the important settings section of the Opensearch documentation, we will increase the vm.max_map_count value, which is the maximum number of memory map areas a process may have. To increase the value, add the following line to /etc/sysctl.conf:
vm.max_map_count=262144
Then run
sudo sysctl -p
to reload.

Generate certificates
This bash script generates a root CA, an admin certificate (used later to run the securityadmin script), a certificate for Keycloak, a certificate for the Opensearch nodes and one for Opensearch Dashboards.
bash generate_certs.sh

Start and configure Keycloak
Open the .env file and edit the admin credentials. The default is admin:admin.
KEYCLOAK_ADMIN_USER=admin
KEYCLOAK_ADMIN_PASSWORD=admin
Start Keycloak
docker-compose up -d keycloak
# or docker compose depending on your setup
docker compose up -d keycloak
Create opensearch-dashboards Keycloak client
When the Keycloak container is healthy, go to https://172.17.0.1:8443, click on Administration console and log in with the admin credentials you specified in the .env file.
Click on Clients and Create client.
Edit Client ID to match opensearch_security.openid.client_id configured in opensearch-dashboards.yml.
Once created and saved, copy the opensearch-dashboards client secret and paste it in the opensearch_security.openid.client_secret field in opensearch-dashboards.yml.

Start and configure Opensearch
Start Opensearch
docker-compose up -d opensearch-node1 opensearch-node2 opensearch-node3
Wait a little until the nodes are ready, then run securityadmin
docker-compose exec opensearch-node1 bash -c "chmod +x plugins/opensearch-security/tools/securityadmin.sh && bash plugins/opensearch-security/tools/securityadmin.sh -cd config/opensearch-security -icl -nhnv -cacert config/certificates/ca/root-ca.pem -cert config/certificates/ca/admin.pem -key config/certificates/ca/admin.key -h localhost"

Start Opensearch Dashboards
docker-compose up -d opensearch-dashboards
Opensearch Dashboards will be available at https://172.17.0.1:5601 and you can log in with the credentials specified in the .env file.
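
The settings changed in the steps above (vm.max_map_count, the Keycloak admin password in .env, and the client secret in opensearch-dashboards.yml) can be checked before the containers are started. The script below is an added example, not part of the original repository; the script name and the convention of passing the two file paths as arguments are assumptions.

```shell
#!/bin/sh
# Added example (not from the repository): pre-flight checks for this page's settings.
# Usage: sh preflight.sh <.env path> <opensearch-dashboards.yml path>  (script name is hypothetical)

REQUIRED_MAP_COUNT=262144   # value from "Important settings"

# Succeeds when the given vm.max_map_count value is a number >= the required value.
map_count_ok() {
  [ "$1" -ge "$REQUIRED_MAP_COUNT" ] 2>/dev/null
}

# Print the value of key $2 from KEY=value file $1 (last assignment wins, quotes removed).
env_value() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
    | sed 's/[[:space:]]*$//' | tr -d "\"'" | tail -n 1
}

# Succeeds when the Keycloak admin password is set and is not the default "admin".
keycloak_creds_ok() {
  pass=$(env_value "$1" KEYCLOAK_ADMIN_PASSWORD)
  [ -n "$pass" ] && [ "$pass" != "admin" ]
}

# Succeeds when opensearch_security.openid.client_secret has a non-empty value in file $1.
client_secret_ok() {
  secret=$(sed -n 's/^[[:space:]]*opensearch_security\.openid\.client_secret:[[:space:]]*//p' "$1" \
    | sed 's/[[:space:]]*$//' | tr -d "\"'" | tail -n 1)
  [ -n "$secret" ]
}

# Run every check and report; returns non-zero if any check fails.
preflight() {
  rc=0
  map_count_ok "$(cat /proc/sys/vm/max_map_count 2>/dev/null)" \
    || { echo "FAIL: vm.max_map_count is below $REQUIRED_MAP_COUNT"; rc=1; }
  keycloak_creds_ok "$1" \
    || { echo "FAIL: KEYCLOAK_ADMIN_PASSWORD in $1 is empty or still the default"; rc=1; }
  client_secret_ok "$2" \
    || { echo "FAIL: opensearch_security.openid.client_secret is empty in $2"; rc=1; }
  [ "$rc" -ne 0 ] || echo "OK: settings are in place"
  return "$rc"
}

if [ "$#" -eq 2 ]; then preflight "$@"; fi
```

A non-zero exit status means at least one of the three settings still needs attention.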