fix certificate generation to correctly use SAN

concierge_backend_lib/authentication.py

@@ -41,7 +41,7 @@ def get_keycloak_client():
         realm_name="concierge",
         client_id=keycloak_client_id,
         client_secret_key=keycloak_client_secret,
-        verify=False,
+        verify=os.getenv("ROOT_CA"),
     )
     return client
 
@@ -56,7 +56,7 @@ def get_service_account_connection():
         client_id=keycloak_client_id,
         client_secret_key=keycloak_client_secret,
         grant_type="client_credentials",
-        verify=False,
+        verify=os.getenv("ROOT_CA"),
     )
     return keycloak_connection
 

concierge_packages/launcher/src/launch_concierge/concierge_installer/create_certificates.py

@@ -66,7 +66,7 @@ def create_certificates(cert_dir):
         f.write(
             root_key.private_bytes(
                 encoding=serialization.Encoding.PEM,
-                format=serialization.PrivateFormat.TraditionalOpenSSL,
+                format=serialization.PrivateFormat.PKCS8,
                 encryption_algorithm=serialization.NoEncryption(),
             )
         )
@@ -138,7 +138,7 @@ def create_signed_cert(alt_names, cert_name):
             )
         )
         if alt_names:
-            builder.add_extension(
+            builder = builder.add_extension(
                 x509.SubjectAlternativeName(alt_names),
                 critical=False,
             )
@@ -149,7 +149,7 @@ def create_signed_cert(alt_names, cert_name):
             f.write(
                 ee_key.private_bytes(
                     encoding=serialization.Encoding.PEM,
-                    format=serialization.PrivateFormat.TraditionalOpenSSL,
+                    format=serialization.PrivateFormat.PKCS8,
                     encryption_algorithm=serialization.NoEncryption(),
                 )
             )

concierge_packages/launcher/src/launch_concierge/docker_compose/docker_compose_dependencies/docker-compose-opensearch.yml

@@ -41,7 +41,7 @@ services:
       - ./opensearch_config/opensearch.yml:/usr/share/opensearch/config/opensearch.yml
       - ./opensearch_config/opensearch-security/config.yml:/usr/share/opensearch/config/opensearch-security/config.yml
       - ./opensearch_config/opensearch-security/roles_mapping.yml:/usr/share/opensearch/config/opensearch-security/roles_mapping.yml
-            - ./opensearch_config/opensearch-security/internal_users.yml:/usr/share/opensearch/config/opensearch-security/internal_users.yml
+      - ./opensearch_config/opensearch-security/internal_users.yml:/usr/share/opensearch/config/opensearch-security/internal_users.yml
 
   opensearch-dashboards-base:
     image: opensearchproject/opensearch-dashboards:latest # Make sure the version of opensearch-dashboards matches the version of opensearch installed on other nodes

concierge_packages/launcher/src/launch_concierge/docker_compose/docker_compose_dependencies/opensearch_config/opensearch-security/internal_users.yml

@@ -0,0 +1,18 @@
+---
+# This is the internal user database
+# The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh
+
+_meta:
+  type: "internalusers"
+  config_version: 2
+
+# Define your internal users here
+
+## Demo users
+
+admin:
+  hash: "$2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv..TOG"
+  reserved: true
+  backend_roles:
+  - "admin"
+  description: "Demo admin user"

concierge_packages/launcher/src/launch_concierge/docker_compose/docker_compose_dependencies/opensearch_config/opensearch.yml

@@ -1,6 +1,44 @@
+# # Bind to all interfaces because we don't know what IP address Docker will assign to us.
+# network.host: 0.0.0.0
+
+# plugins.security.ssl.transport.pemcert_filepath: node1.pem
+# plugins.security.ssl.transport.pemkey_filepath: node1-key.pem
+# plugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
+# plugins.security.ssl.transport.enforce_hostname_verification: false
+# plugins.security.ssl.http.enabled: true
+# plugins.security.ssl.http.pemcert_filepath: node1.pem
+# plugins.security.ssl.http.pemkey_filepath: node1-key.pem
+# plugins.security.ssl.http.pemtrustedcas_filepath: root-ca.pem
+# plugins.security.ssl.http.clientauth_mode: OPTIONAL
+# plugins.security.allow_default_init_securityindex: true
+# plugins.security.authcz.admin_dn:
+#   - 'CN=opensearch-admin,O=Self Sign,L=Dublin,ST=Ohio,C=US'
+# plugins.security.nodes_dn:
+#   - 'CN=opensearch-node1,O=Self Sign,L=Dublin,ST=Ohio,C=US'
+# plugins.security.enable_snapshot_restore_privilege: true
+# plugins.security.check_snapshot_restore_write_privileges: true
+# plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
+# cluster.routing.allocation.disk.threshold_enabled: false
+# opendistro_security.audit.config.disabled_rest_categories: NONE
+# opendistro_security.audit.config.disabled_transport_categories: NONE
+# plugins.security.allow_unsafe_democertificates: true
+
+---
+cluster.name: docker-cluster
+
 # Bind to all interfaces because we don't know what IP address Docker will assign to us.
 network.host: 0.0.0.0
 
+# # minimum_master_nodes need to be explicitly set when bound on a public IP
+# # set to 1 to allow single node clusters
+# discovery.zen.minimum_master_nodes: 1
+
+# Setting network.host to a non-loopback address enables the annoying bootstrap checks. "Single-node" mode disables them again.
+# discovery.type: single-node
+
+
+######## Start OpenSearch Security Demo Configuration ########
+# WARNING: revise all the lines below before you go into production
 plugins.security.ssl.transport.pemcert_filepath: node1.pem
 plugins.security.ssl.transport.pemkey_filepath: node1-key.pem
 plugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
@@ -9,15 +47,23 @@ plugins.security.ssl.http.enabled: true
 plugins.security.ssl.http.pemcert_filepath: node1.pem
 plugins.security.ssl.http.pemkey_filepath: node1-key.pem
 plugins.security.ssl.http.pemtrustedcas_filepath: root-ca.pem
-plugins.security.ssl.http.clientauth_mode: OPTIONAL
+plugins.security.allow_unsafe_democertificates: true
 plugins.security.allow_default_init_securityindex: true
-plugins.security.authcz.admin_dn:
-  - 'CN=opensearch-admin,O=Self Sign,L=Dublin,ST=Ohio,C=US'
-plugins.security.nodes_dn:
-  - 'CN=opensearch-node1,O=Self Sign,L=Dublin,ST=Ohio,C=US'
+plugins.security.authcz.admin_dn: ['CN=opensearch-admin,O=Self Sign,L=Dublin,ST=Ohio,C=US']
+plugins.security.audit.type: internal_opensearch
 plugins.security.enable_snapshot_restore_privilege: true
 plugins.security.check_snapshot_restore_write_privileges: true
-plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
-cluster.routing.allocation.disk.threshold_enabled: false
-opendistro_security.audit.config.disabled_rest_categories: NONE
-opendistro_security.audit.config.disabled_transport_categories: NONE
+plugins.security.restapi.roles_enabled: [all_access, security_rest_api_access]
+plugins.security.system_indices.enabled: true
+plugins.security.system_indices.indices: [.plugins-ml-agent, .plugins-ml-config, .plugins-ml-connector,
+  .plugins-ml-controller, .plugins-ml-model-group, .plugins-ml-model, .plugins-ml-task,
+  .plugins-ml-conversation-meta, .plugins-ml-conversation-interactions, .plugins-ml-memory-meta,
+  .plugins-ml-memory-message, .plugins-ml-stop-words, .opendistro-alerting-config,
+  .opendistro-alerting-alert*, .opendistro-anomaly-results*, .opendistro-anomaly-detector*,
+  .opendistro-anomaly-checkpoints, .opendistro-anomaly-detection-state, .opendistro-reports-*,
+  .opensearch-notifications-*, .opensearch-notebooks, .opensearch-observability, .ql-datasources,
+  .opendistro-asynchronous-search-response*, .replication-metadata-store, .opensearch-knn-models,
+  .geospatial-ip2geo-data*, .plugins-flow-framework-config, .plugins-flow-framework-templates,
+  .plugins-flow-framework-state]
+node.max_local_storage_nodes: 3
+######## End OpenSearch Security Demo Configuration ########