diff --git a/bitnami/opensearch/CHANGELOG.md b/bitnami/opensearch/CHANGELOG.md
index 0538cce4e948bf..f9400e23a8b6dc 100644
--- a/bitnami/opensearch/CHANGELOG.md
+++ b/bitnami/opensearch/CHANGELOG.md
@@ -1,8 +1,12 @@
# Changelog
-## 1.3.14 (2024-11-08)
+## 1.4.0 (2024-11-15)
-* [bitnami/opensearch] Unify seLinuxOptions default value ([#30336](https://github.com/bitnami/charts/pull/30336))
+* [bitnami/opensearch] Enable automated setup of snapshot policies ([#29796](https://github.com/bitnami/charts/pull/29796))
+
+## 1.3.14 (2024-11-08)
+
+* [bitnami/opensearch] Unify seLinuxOptions default value (#30336) ([2b670fc](https://github.com/bitnami/charts/commit/2b670fc5c17e0dd5ddafef2c062c1a474d07eb21)), closes [#30336](https://github.com/bitnami/charts/issues/30336)
## 1.3.13 (2024-11-06)
diff --git a/bitnami/opensearch/Chart.yaml b/bitnami/opensearch/Chart.yaml
index 08e79a585ab0f1..e3d2d518aee222 100644
--- a/bitnami/opensearch/Chart.yaml
+++ b/bitnami/opensearch/Chart.yaml
@@ -30,4 +30,4 @@ maintainers:
name: opensearch
sources:
- https://github.com/bitnami/charts/tree/main/bitnami/opensearch
-version: 1.3.14
+version: 1.4.0
diff --git a/bitnami/opensearch/README.md b/bitnami/opensearch/README.md
index ba94a73330738f..f884cdb5d2b685 100644
--- a/bitnami/opensearch/README.md
+++ b/bitnami/opensearch/README.md
@@ -94,20 +94,19 @@ initScriptsSecret=special-scripts-sensitive
As it's described in the [official documentation](https://opensearch.org/docs/latest/tuning-your-cluster/availability-and-recovery/snapshots/snapshot-restore/#register-repository), it's necessary to register a snapshot repository before you can perform snapshot and restore operations.
-This chart allows you to configure OpenSearch to use a shared file system to store snapshots. To do so, you need to mount a RWX volume on every OpenSearch node, and set the parameter `snapshotRepoPath` with the path where the volume is mounted. In the example below, you can find the values to set when using a NFS Persistent Volume:
+This chart allows you to configure snapshot repositories and snapshot policies in OpenSearch.
+A minimal configuration example looks like this:
```yaml
-extraVolumes:
- - name: snapshot-repository
- nfs:
- server: nfs.example.com # Please change this to your NFS server
- path: /share1
-extraVolumeMounts:
- - name: snapshot-repository
- mountPath: /snapshots
+snapshots:
+ enabled: true
+ persistence:
+ enabled: true
snapshotRepoPath: "/snapshots"
```
+For details, please refer to the `snapshots.*` documentation below.
+
### Sidecars and Init Containers
If you have a need for additional containers to run within the same pod as OpenSearch components (e.g. an additional metrics or logging exporter), you can do so via the `XXX.sidecars` parameter(s), where XXX is placeholder you need to replace with the actual component(s). Simply define your container according to the Kubernetes container spec.
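Review bot: The rewritten paragraph and minimal example no longer say that the snapshot volume must be shared by every OpenSearch node, which the removed text stated explicitly ("mount a RWX volume on every OpenSearch node"). Suggest keeping one sentence explaining that `snapshots.persistence.enabled` creates a `ReadWriteMany` claim mounted at `snapshotRepoPath` on all node types, so the storage class has to support RWX. It would also help to say whether the previous `extraVolumes`/`extraVolumeMounts` setup is still supported for existing installs.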
@@ -982,6 +981,50 @@ You can enable this initContainer by setting `volumePermissions.enabled` to `tru
| `dashboards.persistence.selector` | Selector to match an existing Persistent Volume for OpenSearch data PVC | `{}` |
| `dashboards.persistence.dataSource` | Custom PVC data source | `{}` |
+### OpenSearch Snapshots Parameters
+
+| Name | Description | Value |
+| ------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------- |
+| `snapshots.enabled` | Enable automatic setup of repositories and snapshot policies | `false` |
+| `snapshots.command` | Override default container command (useful when using custom images) | `["/usr/bin/curl"]` |
+| `snapshots.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
+| `snapshots.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
+| `snapshots.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
+| `snapshots.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` |
+| `snapshots.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
+| `snapshots.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
+| `snapshots.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` |
+| `snapshots.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` |
+| `snapshots.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
+| `snapshots.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
+| `snapshots.fullnameOverride` | String to fully override opensearch.snapshots.fullname | `""` |
+| `snapshots.image.registry` | OpenSearch Snapshots image registry | `REGISTRY_NAME` |
+| `snapshots.image.repository` | OpenSearch Snapshots image repository | `REPOSITORY_NAME/os-shell` |
+| `snapshots.image.digest` | OpenSearch Snapshots image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
+| `snapshots.image.pullPolicy` | OpenSearch Snapshots image pull policy | `IfNotPresent` |
+| `snapshots.image.pullSecrets` | OpenSearch Snapshots image pull secrets | `[]` |
+| `snapshots.image.debug` | Enable OpenSearch Snapshots image debug mode | `false` |
+| `snapshots.nameOverride` | String to partially override common.names.fullname | `""` |
+| `snapshots.persistence.enabled` | Enable persistence using Persistent Volume Claims | `false` |
+| `snapshots.persistence.accessModes` | Persistent Volume Access Modes | `["ReadWriteMany"]` |
+| `snapshots.persistence.annotations` | Persistent Volume Claim annotations | `{}` |
+| `snapshots.persistence.dataSource` | Custom PVC data source | `{}` |
+| `snapshots.persistence.existingClaim` | The name of an existing PVC to use for persistence | `""` |
+| `snapshots.persistence.labels` | Extra labels for the Persistent Volume Claim | `{}` |
+| `snapshots.persistence.selector` | Selector to match an existing Persistent Volume for OpenSearch data PVC | `{}` |
+| `snapshots.persistence.size` | Size of data volume | `8Gi` |
+| `snapshots.persistence.storageClass` | Storage class of backing PVC | `""` |
+| `snapshots.persistence.subPath` | The subdirectory of the volume to mount to, useful in dev environments and one PV for multiple services | `""` |
+| `snapshots.podSecurityContext.enabled` | Enabled data pods' Security Context | `true` |
+| `snapshots.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
+| `snapshots.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
+| `snapshots.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
+| `snapshots.podSecurityContext.fsGroup` | Set snapshots pod's Security Context fsGroup | `1001` |
+| `snapshots.policies` | Each object represents a snapshot policy in YAML form, which will be converted to JSON and then passed as the HTTP body data to the OpenSearch REST API. | `SNAPSHOT_POLICY_API_BODY` |
+| `snapshots.repositories` | Each object represents a snapshot repository in YAML form, which will be converted to JSON and then passed as the HTTP body data to the OpenSearch REST API. | `SNAPSHOT_REPO_API_BODY` |
+| `snapshots.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if snapshots.resources is set (snapshots.resources is recommended for production). | `nano` |
+| `snapshots.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
+
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
```console
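Review bot: Two descriptions in the new table are copied from other sections and are misleading for this component: `snapshots.podSecurityContext.enabled` reads "Enabled data pods' Security Context" and `snapshots.persistence.selector` reads "for OpenSearch data PVC". Since the table is generated from the `@param` comments, fix the wording in values.yaml (for example "snapshots job pod" and "snapshots PVC") and regenerate the README.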
diff --git a/bitnami/opensearch/templates/NOTES.txt b/bitnami/opensearch/templates/NOTES.txt
index bbf7ae78be837b..b53cf8f856cad7 100644
--- a/bitnami/opensearch/templates/NOTES.txt
+++ b/bitnami/opensearch/templates/NOTES.txt
@@ -120,4 +120,4 @@ In order to replicate the container startup scripts execute this command:
{{- end }}
{{ include "opensearch.validateValues" . }}
{{- include "common.warnings.resources" (dict "sections" (list "coordinating" "dashboards" "data" "ingest" "master" "sysctlImage" "volumePermissions") "context" $) }}
-{{- include "common.warnings.modifiedImages" (dict "images" (list .Values.image .Values.volumePermissions.image .Values.sysctlImage .Values.dashboards.image) "context" $) }}
\ No newline at end of file
+{{- include "common.warnings.modifiedImages" (dict "images" (list .Values.image .Values.volumePermissions.image .Values.sysctlImage .Values.dashboards.image .Values.snapshots.image) "context" $) }}
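Review bot: `.Values.snapshots.image` is added to the `common.warnings.modifiedImages` list, but the `common.warnings.resources` call on the line above still lists only "coordinating" "dashboards" "data" "ingest" "master" "sysctlImage" "volumePermissions". The snapshots job also has `resources` and `resourcesPreset` values, so "snapshots" should be added to that `sections` list for the production resource warning to cover it.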
diff --git a/bitnami/opensearch/templates/_helpers.tpl b/bitnami/opensearch/templates/_helpers.tpl
index 601250d1c764c5..f227a48d16edc0 100644
--- a/bitnami/opensearch/templates/_helpers.tpl
+++ b/bitnami/opensearch/templates/_helpers.tpl
@@ -822,3 +822,44 @@ Return true if a TLS credentials secret object should be created
{{- true -}}
{{- end -}}
{{- end -}}
+
+{{/*
+Create a default fully qualified snapshots name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "opensearch.snapshots.fullname" -}}
+{{- $name := default "snapshots" .Values.snapshots.nameOverride -}}
+{{- if .Values.snapshots.fullnameOverride -}}
+{{- .Values.snapshots.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" (include "common.names.fullname" .) $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create a global mount path for snapshots volume based on repo path
+*/}}
+{{- define "opensearch.snapshots.mountPath" -}}
+{{- required "Value snapshotRepoPath must be set!" $.Values.snapshotRepoPath -}}
+{{- end -}}
+
+{{/*
+Create name for snapshot API repo data ConfigMap
+*/}}
+{{- define "opensearch.snapshots.repoDataConfigMap" -}}
+{{- printf "%s-repo-data" (include "opensearch.snapshots.fullname" $) -}}
+{{- end -}}
+
+{{/*
+Create name for snapshot API policy data ConfigMap
+*/}}
+{{- define "opensearch.snapshots.policyDataConfigMap" -}}
+{{- printf "%s-policy-data" (include "opensearch.snapshots.fullname" $) -}}
+{{- end -}}
+
+{{/*
+Return the proper Opensearch Snapshots image name
+*/}}
+{{- define "opensearch.snapshots.image" -}}
+{{ include "common.images.image" (dict "imageRoot" .Values.snapshots.image "global" .Values.global) }}
+{{- end -}}
diff --git a/bitnami/opensearch/templates/coordinating/statefulset.yaml b/bitnami/opensearch/templates/coordinating/statefulset.yaml
index f571e85e37c6cc..59b66f7cb976ad 100644
--- a/bitnami/opensearch/templates/coordinating/statefulset.yaml
+++ b/bitnami/opensearch/templates/coordinating/statefulset.yaml
@@ -258,6 +258,10 @@ spec:
- name: custom-init-scripts-secret
mountPath: /docker-entrypoint-initdb.d/init-scripts-secret
{{- end }}
+ {{- if .Values.snapshots.persistence.enabled }}
+ - name: snapshots
+ mountPath: {{ include "opensearch.snapshots.mountPath" . }}
+ {{- end }}
{{- if .Values.coordinating.extraVolumeMounts }}
{{- include "common.tplvalues.render" (dict "value" .Values.coordinating.extraVolumeMounts "context" $) | nindent 12 }}
{{- end }}
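Review bot: The new `snapshots` volumeMount sets only `mountPath`, so the `snapshots.persistence.subPath` value documented in the README and values.yaml has no effect. Either render `subPath` here when it is set, or drop the parameter. The identical mount blocks in the data, ingest and master StatefulSets need the same change.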
@@ -308,6 +312,11 @@ spec:
secretName: {{ template "opensearch.initScriptsSecret" . }}
defaultMode: 0755
{{- end }}
+ {{- if .Values.snapshots.persistence.enabled }}
+ - name: snapshots
+ persistentVolumeClaim:
+ claimName: {{ include "opensearch.snapshots.fullname" . }}
+ {{- end }}
{{- if .Values.coordinating.extraVolumes }}
{{- include "common.tplvalues.render" (dict "value" .Values.coordinating.extraVolumes "context" $) | nindent 8 }}
{{- end }}
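Review bot: `claimName` is always `opensearch.snapshots.fullname`, which ignores `snapshots.persistence.existingClaim`. pvc.yaml skips creating the claim when `existingClaim` is set, so in that case the pods reference a PVC that does not exist and stay Pending. Suggest a helper that returns `existingClaim` when set and the fullname otherwise, and using it in this volume and in the matching blocks of the data, ingest and master StatefulSets.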
diff --git a/bitnami/opensearch/templates/data/statefulset.yaml b/bitnami/opensearch/templates/data/statefulset.yaml
index 897a55daf71cbf..a4063764c3c515 100644
--- a/bitnami/opensearch/templates/data/statefulset.yaml
+++ b/bitnami/opensearch/templates/data/statefulset.yaml
@@ -284,6 +284,10 @@ spec:
- name: custom-init-scripts-secret
mountPath: /docker-entrypoint-initdb.d/init-scripts-secret
{{- end }}
+ {{- if .Values.snapshots.persistence.enabled }}
+ - name: snapshots
+ mountPath: {{ include "opensearch.snapshots.mountPath" . }}
+ {{- end }}
{{- if .Values.data.extraVolumeMounts }}
{{- include "common.tplvalues.render" (dict "value" .Values.data.extraVolumeMounts "context" $) | nindent 12 }}
{{- end }}
@@ -332,6 +336,11 @@ spec:
secretName: {{ template "opensearch.initScriptsSecret" . }}
defaultMode: 0755
{{- end }}
+ {{- if .Values.snapshots.persistence.enabled }}
+ - name: snapshots
+ persistentVolumeClaim:
+ claimName: {{ include "opensearch.snapshots.fullname" . }}
+ {{- end }}
{{- if .Values.data.extraVolumes }}
{{- include "common.tplvalues.render" (dict "value" .Values.data.extraVolumes "context" $) | nindent 8 }}
{{- end }}
diff --git a/bitnami/opensearch/templates/ingest/statefulset.yaml b/bitnami/opensearch/templates/ingest/statefulset.yaml
index 6c2b6861d4d630..a52e7e25603665 100644
--- a/bitnami/opensearch/templates/ingest/statefulset.yaml
+++ b/bitnami/opensearch/templates/ingest/statefulset.yaml
@@ -258,6 +258,10 @@ spec:
- name: custom-init-scripts-secret
mountPath: /docker-entrypoint-initdb.d/init-scripts-secret
{{- end }}
+ {{- if .Values.snapshots.persistence.enabled }}
+ - name: snapshots
+ mountPath: {{ include "opensearch.snapshots.mountPath" . }}
+ {{- end }}
{{- if .Values.ingest.extraVolumeMounts }}
{{- include "common.tplvalues.render" (dict "value" .Values.ingest.extraVolumeMounts "context" $) | nindent 12 }}
{{- end }}
@@ -308,6 +312,11 @@ spec:
secretName: {{ template "opensearch.initScriptsSecret" . }}
defaultMode: 0755
{{- end }}
+ {{- if .Values.snapshots.persistence.enabled }}
+ - name: snapshots
+ persistentVolumeClaim:
+ claimName: {{ include "opensearch.snapshots.fullname" . }}
+ {{- end }}
{{- if .Values.ingest.extraVolumes }}
{{- include "common.tplvalues.render" (dict "value" .Values.ingest.extraVolumes "context" $) | nindent 8 }}
{{- end }}
diff --git a/bitnami/opensearch/templates/master/statefulset.yaml b/bitnami/opensearch/templates/master/statefulset.yaml
index 006da824016559..ec8fdf4c5605bc 100644
--- a/bitnami/opensearch/templates/master/statefulset.yaml
+++ b/bitnami/opensearch/templates/master/statefulset.yaml
@@ -296,6 +296,10 @@ spec:
- name: custom-init-scripts-secret
mountPath: /docker-entrypoint-initdb.d/init-scripts-secret
{{- end }}
+ {{- if .Values.snapshots.persistence.enabled }}
+ - name: snapshots
+ mountPath: {{ include "opensearch.snapshots.mountPath" . }}
+ {{- end }}
{{- if .Values.master.extraVolumeMounts }}
{{- include "common.tplvalues.render" (dict "value" .Values.master.extraVolumeMounts "context" $) | nindent 12 }}
{{- end }}
@@ -344,6 +348,11 @@ spec:
secretName: {{ template "opensearch.initScriptsSecret" . }}
defaultMode: 0755
{{- end }}
+ {{- if .Values.snapshots.persistence.enabled }}
+ - name: snapshots
+ persistentVolumeClaim:
+ claimName: {{ include "opensearch.snapshots.fullname" . }}
+ {{- end }}
{{- if .Values.master.extraVolumes }}
{{- include "common.tplvalues.render" (dict "value" .Values.master.extraVolumes "context" $) | nindent 8 }}
{{- end }}
diff --git a/bitnami/opensearch/templates/snapshots/init-job.yaml b/bitnami/opensearch/templates/snapshots/init-job.yaml
new file mode 100644
index 00000000000000..d2bc584d213634
--- /dev/null
+++ b/bitnami/opensearch/templates/snapshots/init-job.yaml
@@ -0,0 +1,90 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if $.Values.snapshots.enabled -}}
+{{- $host := (include "opensearch.service.name" $) -}}
+{{- $port := (include "opensearch.service.ports.restAPI" $) -}}
+apiVersion: batch/v1
+kind: Job
+metadata:
+ annotations:
+ helm.sh/hook: post-install
+ {{- if .Values.commonAnnotations }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+ app.kubernetes.io/component: snapshots
+ name: {{ include "opensearch.snapshots.fullname" . }}
+ namespace: {{ include "common.names.namespace" . | quote }}
+spec:
+ template:
+ spec:
+ automountServiceAccountToken: false
+ containers:
+ - args:
+ - --silent
+ - --show-error
+ - "file:///dev/null" # Starting with curl 8, a URL is required before the first `--next`
+ {{- range $name, $_ := $.Values.snapshots.repositories }}
+ # Register snapshot repository:
+ - --next
+ - -w
+ - '\n'
+ - -XPUT
+ - -H
+ - "Content-Type: application/json"
+ - -d
+ - "@/run/repo-data/{{ $name }}"
+ - http://{{ $host }}:{{ $port }}/_snapshot/{{ $name }}
+ {{- end }}
+ {{- range $name, $_ := $.Values.snapshots.policies }}
+ # Register snapshot policy:
+ - --next
+ - -w
+ - '\n'
+ - -H
+ - "Content-Type: application/json"
+ - -d
+ - "@/run/policy-data/{{ $name }}"
+ - http://{{ $host }}:{{ $port }}/_plugins/_sm/policies/{{ $name }}
+ {{- end }}
+ command: {{- include "common.tplvalues.render" (dict "value" .Values.snapshots.command "context" $) | nindent 12 }}
+ env:
+ - name: BITNAMI_DEBUG
+ value: {{ ternary "true" "false" (or .Values.snapshots.image.debug .Values.diagnosticMode.enabled) | quote }}
+ image: {{ template "opensearch.snapshots.image" . }}
+ imagePullPolicy: {{ .Values.snapshots.image.pullPolicy }}
+ name: {{ include "opensearch.snapshots.fullname" . }}
+ {{- if .Values.snapshots.containerSecurityContext.enabled }}
+ securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.snapshots.containerSecurityContext "context" $) | nindent 12 }}
+ {{- end }}
+ {{- if .Values.snapshots.resources }}
+ resources: {{- toYaml .Values.snapshots.resources | nindent 12 }}
+ {{- else if ne .Values.snapshots.resourcesPreset "none" }}
+ resources: {{- include "common.resources.preset" (dict "type" .Values.snapshots.resourcesPreset) | nindent 12 }}
+ {{- end }}
+ volumeMounts:
+ - name: repo-data
+ mountPath: /run/repo-data/
+ - name: policy-data
+ mountPath: /run/policy-data/
+ {{- with .Values.snapshots.image.pullSecrets }}
+ imagePullPolicy:
+ {{- range . }}
+ - name: {{ . }}
+ {{- end }}
+ {{- end }}
+ restartPolicy: Never
+ {{- if .Values.dashboards.podSecurityContext.enabled }}
+ securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.dashboards.podSecurityContext "context" $) | nindent 8 }}
+ {{- end }}
+ volumes:
+ - name: policy-data
+ configMap:
+ name: {{ include "opensearch.snapshots.policyDataConfigMap" . }}
+ - name: repo-data
+ configMap:
+ name: {{ include "opensearch.snapshots.repoDataConfigMap" . }}
+{{- end -}}
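Review bot: The pull secrets block near the end of the pod spec is emitted under the key `imagePullPolicy:` instead of `imagePullSecrets:`, so setting `snapshots.image.pullSecrets` renders an invalid pod-level field and the secrets are never used. Right below it, the pod `securityContext` is taken from `.Values.dashboards.podSecurityContext`; it should read `.Values.snapshots.podSecurityContext`, otherwise the new `snapshots.podSecurityContext.*` values are dead. Two further points on the curl arguments: without `--fail` (or `--fail-with-body`) the Job completes successfully even when OpenSearch rejects a repository or policy, and the URLs are fixed to `http://` with no credentials, so the Job cannot work against a cluster where the REST API requires TLS or authentication. Finally, `helm.sh/hook: post-install` alone means changes to `snapshots.repositories` or `snapshots.policies` are not applied on `helm upgrade`, and with no `helm.sh/hook-delete-policy` the finished Job is left behind.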
diff --git a/bitnami/opensearch/templates/snapshots/networkpolicy.yaml b/bitnami/opensearch/templates/snapshots/networkpolicy.yaml
new file mode 100644
index 00000000000000..e30d7da9a4efc9
--- /dev/null
+++ b/bitnami/opensearch/templates/snapshots/networkpolicy.yaml
@@ -0,0 +1,50 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if .Values.snapshots.enabled }}
+---
+apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
+kind: NetworkPolicy
+metadata:
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+ app.kubernetes.io/part-of: opensearch
+ app.kubernetes.io/component: snapshots
+ name: {{ template "opensearch.snapshots.fullname" . }}
+ namespace: {{ include "common.names.namespace" . | quote }}
+spec:
+ podSelector:
+ matchLabels:
+ batch.kubernetes.io/job-name: {{ template "opensearch.snapshots.fullname" . }}
+ policyTypes:
+ - Ingress
+ - Egress
+ ingress: []
+ egress:
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: kube-system
+ podSelector:
+ matchLabels:
+ k8s-app: kube-dns
+ ports:
+ - port: 53
+ protocol: TCP
+ - port: 53
+ protocol: UDP
+ - to:
+ - podSelector:
+ matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
+ {{- if (include "opensearch.coordinating.enabled" .) }}
+ app.kubernetes.io/component: coordinating-only
+ {{- else }}
+ app.kubernetes.io/component: master
+ {{- end }}
+ ports:
+ - port: {{ include "opensearch.service.ports.restAPI" $ }}
+{{- end }}
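Review bot: The DNS egress rule hard-codes the namespace label `kubernetes.io/metadata.name: kube-system` and the pod label `k8s-app: kube-dns`, which will not match clusters that run DNS under different labels or in another namespace, and the Job then fails to resolve the service name. Consider allowing port 53 without a pod selector, as a default-deny policy for a short-lived Job rarely needs to be that narrow, or make the selector configurable. The policy is also rendered whenever `snapshots.enabled` is true with no separate network policy toggle, and the `podSelector` relies on the `batch.kubernetes.io/job-name` label, which older Kubernetes releases do not set on Job pods (they set `job-name` only).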
diff --git a/bitnami/opensearch/templates/snapshots/policies-cm.yaml b/bitnami/opensearch/templates/snapshots/policies-cm.yaml
new file mode 100644
index 00000000000000..382dbfcf3511b2
--- /dev/null
+++ b/bitnami/opensearch/templates/snapshots/policies-cm.yaml
@@ -0,0 +1,27 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if $.Values.snapshots.enabled -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+ app.kubernetes.io/component: snapshots
+ name: {{ include "opensearch.snapshots.policyDataConfigMap" . }}
+ namespace: {{ include "common.names.namespace" . | quote }}
+data:
+ {{- range $name, $policy := $.Values.snapshots.policies }}
+ {{- $repo := $policy.snapshot_config.repository -}}
+ {{- if (hasKey $.Values.snapshots.repositories $repo) -}}
+ {{- $name | nindent 2 }}: |
+ {{- $policy | mustToPrettyJson | nindent 4 }}
+ {{- else -}}
+ {{- fail (printf "Repository `%s` is not defined in .snapshots.repositories" $repo) -}}
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
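Review bot: `$policy.snapshot_config.repository` is dereferenced without checking that `snapshot_config` exists, so a policy that omits it fails rendering with a nil pointer error rather than a readable message. Suggest reading it with `dig "snapshot_config" "repository" "" $policy` or guarding with `required`, so the user sees which policy is incomplete. The `fail` message could also name the policy (`$name`) as the repos ConfigMap does for repositories.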
diff --git a/bitnami/opensearch/templates/snapshots/pvc.yaml b/bitnami/opensearch/templates/snapshots/pvc.yaml
new file mode 100644
index 00000000000000..6a22f47e3bde96
--- /dev/null
+++ b/bitnami/opensearch/templates/snapshots/pvc.yaml
@@ -0,0 +1,36 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if and .Values.snapshots.persistence.enabled (not .Values.snapshots.persistence.existingClaim) -}}
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+ name: {{ include "opensearch.snapshots.fullname" . }}
+ namespace: {{ include "common.names.namespace" . | quote }}
+ {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels .Values.snapshots.persistence.labels ) "context" . ) }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
+ app.kubernetes.io/component: snapshots
+ annotations:
+ helm.sh/resource-policy: keep
+ {{- if or .Values.snapshots.persistence.annotations .Values.commonAnnotations }}
+ {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.snapshots.persistence.annotations .Values.commonAnnotations ) "context" . ) }}
+ {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
+ {{- end }}
+spec:
+ accessModes:
+ {{- range .Values.snapshots.persistence.accessModes }}
+ - {{ . | quote }}
+ {{- end }}
+ resources:
+ requests:
+ storage: {{ .Values.snapshots.persistence.size | quote }}
+ {{- if .Values.snapshots.persistence.selector }}
+ selector: {{- include "common.tplvalues.render" (dict "value" .Values.snapshots.persistence.selector "context" $) | nindent 4 }}
+ {{- end }}
+ {{- if .Values.snapshots.persistence.dataSource }}
+ dataSource: {{- include "common.tplvalues.render" (dict "value" .Values.snapshots.persistence.dataSource "context" $) | nindent 4 }}
+ {{- end }}
+ {{- include "common.storage.class" (dict "persistence" .Values.snapshots.persistence "global" .Values.global) | nindent 2 }}
+{{- end -}}
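Review bot: The `helm.sh/resource-policy: keep` annotation is unconditional, so the snapshots PVC always survives `helm uninstall`, and a later install with the same release name will collide with the leftover claim. Keeping snapshot data is a reasonable default, but it should be documented in the README and preferably controlled by a value (for example a `snapshots.persistence.resourcePolicy` setting) so users can opt out.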
diff --git a/bitnami/opensearch/templates/snapshots/repos-cm.yaml b/bitnami/opensearch/templates/snapshots/repos-cm.yaml
new file mode 100644
index 00000000000000..8e0b8f58bb4a2e
--- /dev/null
+++ b/bitnami/opensearch/templates/snapshots/repos-cm.yaml
@@ -0,0 +1,28 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if $.Values.snapshots.enabled -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+ labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+ app.kubernetes.io/component: snapshots
+ name: {{ include "opensearch.snapshots.repoDataConfigMap" . }}
+ namespace: {{ include "common.names.namespace" . | quote }}
+data:
+ {{- range $name, $repo := $.Values.snapshots.repositories }}
+ {{- if (eq $repo.type "fs") -}}
+ {{- $location := $repo.settings.location -}}
+ {{- if not (eq $location $.Values.snapshotRepoPath) -}}
+ {{- fail (printf "Location `%s` for repo `%s` must be allowed via .snapshotRepoPath" $location $name) -}}
+ {{- end -}}
+ {{- end -}}
+ {{ $name | nindent 2 }}: |
+ {{- $repo | mustToPrettyJson | nindent 4 }}
+ {{- end -}}
+{{- end -}}
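Review bot: The check `not (eq $location $.Values.snapshotRepoPath)` requires every `fs` repository to use exactly `snapshotRepoPath` as its location, so two `fs` repositories cannot be defined without pointing at the same directory. OpenSearch accepts locations underneath a registered `path.repo` entry, so a prefix check (`hasPrefix`) on a normalized path would allow subdirectories per repository. `$repo.type` and `$repo.settings.location` are also read without a guard, so a repository entry missing `settings` fails with a nil pointer error instead of the intended message.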
diff --git a/bitnami/opensearch/values.yaml b/bitnami/opensearch/values.yaml
index 4e5bb09c534345..aa713a253f2372 100644
--- a/bitnami/opensearch/values.yaml
+++ b/bitnami/opensearch/values.yaml
@@ -3405,3 +3405,181 @@ dashboards:
## @param dashboards.persistence.dataSource Custom PVC data source
##
dataSource: {}
+
+## @section OpenSearch Snapshots Parameters
+snapshots:
+ ## @param snapshots.enabled Enable automatic setup of repositories and snapshot policies
+ ##
+ enabled: false
+ ## @param snapshots.command Override default container command (useful when using custom images)
+ ##
+ command:
+ - /usr/bin/curl
+ ## Configure Container Security Context
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
+ ## @param snapshots.containerSecurityContext.enabled Enabled containers' Security Context
+ ## @param snapshots.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
+ ## @param snapshots.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
+ ## @param snapshots.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
+ ## @param snapshots.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
+ ## @param snapshots.containerSecurityContext.privileged Set container's Security Context privileged
+ ## @param snapshots.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
+ ## @param snapshots.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation
+ ## @param snapshots.containerSecurityContext.capabilities.drop List of capabilities to be dropped
+ ## @param snapshots.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
+ ##
+ containerSecurityContext:
+ enabled: true
+ seLinuxOptions: null
+ runAsUser: 1001
+ runAsGroup: 1001
+ runAsNonRoot: true
+ privileged: false
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ seccompProfile:
+ type: "RuntimeDefault"
+ ## @param snapshots.fullnameOverride String to fully override opensearch.snapshots.fullname
+ ##
+ fullnameOverride: ""
+ ## Bitnami OpenSearch Snapshots image
+ ## @param snapshots.image.registry [default: REGISTRY_NAME] OpenSearch Snapshots image registry
+ ## @param snapshots.image.repository [default: REPOSITORY_NAME/os-shell] OpenSearch Snapshots image repository
+ ## @skip snapshots.image.tag OpenSearch Snapshots image tag (immutable tags are recommended)
+ ## @param snapshots.image.digest OpenSearch Snapshots image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
+ ## @param snapshots.image.pullPolicy OpenSearch Snapshots image pull policy
+ ## @param snapshots.image.pullSecrets OpenSearch Snapshots image pull secrets
+ ## @param snapshots.image.debug Enable OpenSearch Snapshots image debug mode
+ ##
+ image:
+ registry: docker.io
+ repository: bitnami/os-shell
+ tag: 12-debian-12-r30
+ digest: ""
+ ## Specify a imagePullPolicy
+ ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
+ ## ref: http://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
+ ##
+ pullPolicy: IfNotPresent
+ ## Optionally specify an array of imagePullSecrets.
+ ## Secrets must be manually created in the namespace.
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+ ## e.g:
+ ## pullSecrets:
+ ## - myRegistryKeySecretName
+ ##
+ pullSecrets: []
+ ## Enable debug mode
+ ##
+ debug: false
+ ## @param snapshots.nameOverride String to partially override common.names.fullname
+ ##
+ nameOverride: ""
+ ## Enable persistence using Persistent Volume Claims
+ ## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/
+ ##
+ persistence:
+ ## @param snapshots.persistence.enabled Enable persistence using Persistent Volume Claims
+ ##
+ enabled: false
+ ## @param snapshots.persistence.accessModes Persistent Volume Access Modes
+ ##
+ accessModes:
+ - ReadWriteMany
+ ## @param snapshots.persistence.annotations Persistent Volume Claim annotations
+ ##
+ annotations: {}
+ ## @param snapshots.persistence.dataSource Custom PVC data source
+ ##
+ dataSource: {}
+ ## @param snapshots.persistence.existingClaim The name of an existing PVC to use for persistence
+ ##
+ existingClaim: ""
+ ## @param snapshots.persistence.labels Extra labels for the Persistent Volume Claim
+ ##
+ labels: {}
+ ## @param snapshots.persistence.selector Selector to match an existing Persistent Volume for OpenSearch data PVC
+ ## If set, the PVC can't have a PV dynamically provisioned for it
+ ## E.g.
+ ## selector:
+ ## matchLabels:
+ ## app: my-app
+ ##
+ selector: {}
+ ## @param snapshots.persistence.size Size of data volume
+ ##
+ size: 8Gi
+ ## @param snapshots.persistence.storageClass Storage class of backing PVC
+ ## If defined, storageClassName:
+ ## If set to "-", storageClassName: "", which disables dynamic provisioning
+ ## If undefined (the default) or set to null, no storageClassName spec is
+ ## set, choosing the default provisioner. (gp2 on AWS, standard on
+ ## GKE, AWS & OpenStack)
+ ##
+ storageClass: ""
+ ## @param snapshots.persistence.subPath The subdirectory of the volume to mount to, useful in dev environments and one PV for multiple services
+ ##
+ subPath: ""
+ ## Configure Pods Security Context
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
+ ## @param snapshots.podSecurityContext.enabled Enabled data pods' Security Context
+ ## @param snapshots.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
+ ## @param snapshots.podSecurityContext.sysctls Set kernel settings using the sysctl interface
+ ## @param snapshots.podSecurityContext.supplementalGroups Set filesystem extra groups
+ ## @param snapshots.podSecurityContext.fsGroup Set snapshots pod's Security Context fsGroup
+ ##
+ podSecurityContext:
+ enabled: true
+ fsGroupChangePolicy: Always
+ sysctls: []
+ supplementalGroups: []
+ fsGroup: 1001
+ ## @param snapshots.policies [default: SNAPSHOT_POLICY_API_BODY] Each object represents a snapshot policy in YAML form, which will be converted to JSON and then passed as the HTTP body data to the OpenSearch REST API.
+ ## NOTE: The field `snapshot_config.repository` in each policy must match a repo name in `snapshots.repositories`.
+ ##
+ policies:
+ default:
+ creation:
+ schedule:
+ cron:
+ expression: "0 20 * * *"
+ timezone: UTC
+ deletion:
+ condition:
+ max_age: 7d
+ min_count: 1
+ schedule:
+ cron:
+ expression: 0 20 * * *
+ timezone: UTC
+ description: Default snapshot policy
+ enabled: true
+ snapshot_config:
+ repository: default
+ ## @param snapshots.repositories [default: SNAPSHOT_REPO_API_BODY] Each object represents a snapshot repository in YAML form, which will be converted to JSON and then passed as the HTTP body data to the OpenSearch REST API.
+ ## NOTE: The field `settings.location` in each repo must match the snapshot repo path configured in `snapshotRepoPath`, if its `type` is `fs`.
+ ##
+ repositories:
+ default:
+ settings:
+ location: /snapshots
+ type: fs
+ ## OpenSearch resource requests and limits
+ ## ref: http://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
+ ## @param snapshots.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if snapshots.resources is set (snapshots.resources is recommended for production).
+ ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
+ ##
+ resourcesPreset: "nano"
+ ## @param snapshots.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
+ ## Example:
+ ## resources:
+ ## requests:
+ ## cpu: 100m
+ ## memory: 10Mi
+ ## limits:
+ ## cpu: 200m
+ ## memory: 20Mi
+ ##
+ resources: {}
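Review bot: `snapshots.enabled` and `snapshots.persistence.enabled` are independent switches, and the default `repositories.default` is an `fs` repository at `/snapshots`. With `snapshots.enabled: true` and persistence left at its default `false`, the Job registers a filesystem repository with no shared volume mounted on the nodes. Suggest a check in `opensearch.validateValues` (or at least a comment here) that an `fs` repository needs either `snapshots.persistence.enabled` or a user-supplied shared mount. Minor style point in the default policy: the creation cron expression is quoted (`"0 20 * * *"`) while the deletion one is not; quote both for consistency.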