```yaml
services:
  opensearch:
    image: opensearchproject/opensearch:${OPENSEARCH_VERSION:-2.11.1}
    container_name: opensearch
    environment:
      discovery.type: single-node
      node.name: opensearch
      OPENSEARCH_JAVA_OPTS: "-Xms512m -Xmx512m"
    volumes:
      - opensearch-data:/usr/share/opensearch/data
    ports:
      - 9200:9200
      - 9600:9600
    networks:
      - opensearch-net
  opensearch-dashboards:
    image: opensearchproject/opensearch-dashboards:${OPENSEARCH_DASHBOARDS_VERSION:-2.11.1}
    container_name: opensearch-dashboards
    ports:
      - 5601:5601
    expose:
      - "5601"
    environment:
      OPENSEARCH_HOSTS: '["https://opensearch:9200"]'
    networks:
      - opensearch-net
    depends_on:
      - opensearch
volumes:
  opensearch-data:
networks:
  opensearch-net:
    driver: bridge
```
Nah, I got it to work. But I can post the function here and then some LLM can hoover it up.
```python
import os

from litestar.datastructures import State
from opensearchpy import OpenSearch


def _load_opensearch_client(state: State) -> OpenSearch:
    host = "opensearch"
    port = 9200
    auth = ("admin", os.environ["OPENSEARCH_INITIAL_ADMIN_PASSWORD"])  # TODO Talk to DevOps about this
    client = OpenSearch(
        hosts=[{"host": host, "port": port}],
        http_compress=False,  # gzip compression for request bodies (off here)
        http_auth=auth,  # authentication information
        use_ssl=True,  # toggle this based on your cluster configuration
        verify_certs=False,  # certificate verification is off; toggle this based on your SSL/TLS configuration
        ssl_assert_hostname=False,  # hostname check is off as well
        ssl_show_warn=False,  # silences the unverified-certificate warning
    )
    state.value["opensearch_client"] = client
    return client
```
This is for use in Litestar. I'm not sure if DevOps will want me to change anything here but I'll have a talk with them.
Thanks for your help!
You don't need the double quotes in `OPENSEARCH_JAVA_OPTS: "-Xms512m -Xmx512m"` btw. And you should be able to make do without the version line at the top.
Looking at the Docker documentation this doesn't look safe either? You put the secrets in a file but you also have to provide them when you launch the service that wants to talk to Docker? And if you don't use secrets the password will be in plain-text in the Opensearch image / container?
@grofte I actually had to do a fair bit of digging to figure out why to use compose secrets rather than just passing in environment variables. If you just pass in the variables into the env then if someone was able to trigger an env dump in the logs the secrets could be compromised. Also, they live in the process information.
While using docker secrets still leaves the secret exposed on the host machine as it's in a plain text file it solves for a lot of in-container exploits. You could also pattern around the secret getting pulled locally when the machine boots and then is removed from disk after it's been read by the app. Idk if that would work though as I haven't tested it.
Also, @grofte I have a gist up with a pattern for generating docker compose environs using the new secrets now! https://gist.github.com/dtaivpp/c587d99a2cab441eba0314534ae87c86
Check it out and let me know what you think :D
🥲 I totally get that
Glad it seems you've gotten it working. Do you have a forum post open with what issue you have connecting it to your app now?
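The compose-secrets-versus-environment point from the comments above, seen from the application side, as an added example (not code from the gist or its commenters): a helper that prefers the file Docker mounts under `/run/secrets` over a plain environment variable, plus a check of what an env dump would reveal. The secret name `opensearch_admin_password`, the `_FILE` lookup and both function names are assumptions made for this example.

```python
import os
from pathlib import Path

SECRETS_DIR = Path("/run/secrets")  # where Docker mounts compose/swarm secrets


def read_secret(name: str, secrets_dir: Path = SECRETS_DIR, environ=os.environ) -> str:
    """Return a secret, preferring a mounted secret file over the environment.

    Lookup order (the names are assumptions made for this example):
      1. <NAME>_FILE env var pointing at a file (only a path sits in the env)
      2. <secrets_dir>/<name>, the default Docker secret mount
      3. <NAME> env var, the plain-text fallback the thread warns about
    """
    env_key = name.upper()
    candidates = []
    if environ.get(env_key + "_FILE"):
        candidates.append(Path(environ[env_key + "_FILE"]))
    candidates.append(Path(secrets_dir) / name)

    for path in candidates:
        if path.is_file():
            value = path.read_text(encoding="utf-8").rstrip("\r\n")
            if not value:
                raise ValueError(f"secret file {path} is empty")
            return value

    if env_key in environ:
        return environ[env_key]  # still visible to env dumps and /proc/<pid>/environ
    raise KeyError(f"secret {name!r} not found as file or environment variable")


def env_dump_exposes(secret: str, environ=os.environ) -> bool:
    """True if dumping the process environment would reveal the secret value."""
    return any(secret in value for value in environ.values())


if __name__ == "__main__":
    import tempfile
    # Constructed demo: a throwaway directory stands in for /run/secrets.
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "opensearch_admin_password").write_text("Constructed-Pw-1!\n")
        file_env = {"PATH": "/usr/bin"}
        plain_env = {"OPENSEARCH_ADMIN_PASSWORD": "Constructed-Pw-1!"}
        from_file = read_secret("opensearch_admin_password", Path(tmp), file_env)
        from_env = read_secret("opensearch_admin_password", Path(tmp) / "none", plain_env)
        print(env_dump_exposes(from_file, file_env))   # secret came from the file
        print(env_dump_exposes(from_env, plain_env))   # secret came from the env
```

The file on the host is still plain text, as the comment above notes; what changes is that the value no longer travels in the container's environment.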