Skip to content

Add Helm job for OpenSearch index creation #36

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
bramwelt wants to merge 6 commits into
base: main
Choose a base branch
from
+176 −1
Open

Add Helm job for OpenSearch index creation #36

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
3512a65
Add Helm job for OpenSearch index creation
bramwelt Jan 6, 2026
234dc9c
Improve OpenSearch index creation job
bramwelt Jan 7, 2026
4f5d8bb
Use release name prefix for job and configmap names
bramwelt Jan 7, 2026
f4b068d
Merge branch 'main' into bramwelt/indexer-job
bramwelt Jan 7, 2026
34edd78
Add OpenSearch authentication support to index setup job
bramwelt Jan 7, 2026
f9577f5
Merge branch 'main' into bramwelt/indexer-job
bramwelt Jan 8, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion charts/lfx-v2-indexer-service/Chart.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,5 +6,5 @@ apiVersion: v2
name: lfx-v2-indexer-service
description: LFX Platform V2 Indexer Service chart
type: application
version: 0.4.13
version: 0.5.0
appVersion: "latest"
48 changes: 48 additions & 0 deletions charts/lfx-v2-indexer-service/files/opensearch-resources-index.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,48 @@
{
"mappings": {
"properties": {
"object_ref": { "type": "keyword" },
"object_type": { "type": "keyword" },
"object_id": { "type": "keyword" },
"parent_refs": { "type": "keyword" },
"sort_name": { "type": "keyword" },
"name_and_aliases": { "type": "search_as_you_type" },
"tags": { "type": "keyword" },
"public": { "type": "boolean" },
"access_check_query": { "type": "keyword" },
"history_check_query": { "type": "keyword" },
"latest": { "type": "boolean" },
"created_at": { "type": "date" },
"created_by": { "type": "keyword" },
"created_by_principals": { "type": "keyword" },
"created_by_emails": { "type": "keyword" },
"updated_at": { "type": "date" },
"updated_by": { "type": "keyword" },
"updated_by_principals": { "type": "keyword" },
"updated_by_emails": { "type": "keyword" },
"deleted_at": { "type": "date" },
"deleted_by": { "type": "keyword" },
"deleted_by_principals": { "type": "keyword" },
"deleted_by_emails": { "type": "keyword" },
"data": {
"type": "flat_object"
},
"fulltext": {
"type": "match_only_text"
},
"contacts": {
"type": "nested",
"properties": {
"lfx_principal": { "type": "search_as_you_type" },
"name": { "type": "search_as_you_type" },
"emails": { "type": "search_as_you_type" },
"bot": { "type": "boolean" },
"profile": { "type": "flat_object" }
}
},
"v1_data": {
"type": "flat_object"
}
}
}
}
13 changes: 13 additions & 0 deletions charts/lfx-v2-indexer-service/templates/indexing-configmap.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
# Copyright The Linux Foundation and each contributor to LFX.
# SPDX-License-Identifier: MIT
{{- if .Values.opensearch.indexingJob.enabled }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ .Release.Name }}-opensearch-index-config
namespace: {{ .Release.Namespace }}
data:
resources-index.json: |
Copy link
Contributor

@andrest50 andrest50 Jan 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This index json content doesn't quite match what we should be actually using, which is https://github.com/linuxfoundation/lfx-architecture-scratch/blob/main/2024-12%20ReBAC%20Demo/opensearch-resources-index.json. But on that note, could we have this json content in a file instead and then have it read into the k8 template? I think that would be better.

Copy link
Author

@bramwelt bramwelt Jan 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the feedback! I realized I hadn't pulled the repo for a while and was using an outdated index.

I've moved the index JSON to it's own file and have it being included now with .Files.Get. I also update the job to not attempt to create the index if it already exists.

{{ .Files.Get "files/opensearch-resources-index.json" | nindent 4 }}
{{- end }}
84 changes: 84 additions & 0 deletions charts/lfx-v2-indexer-service/templates/job.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,84 @@
# Copyright The Linux Foundation and each contributor to LFX.
# SPDX-License-Identifier: MIT
{{- if .Values.opensearch.indexingJob.enabled }}
{{- $job := .Values.opensearch.indexingJob }}
---
apiVersion: batch/v1
kind: Job
metadata:
name: {{ .Release.Name }}-opensearch-index-setup
namespace: {{ .Release.Namespace }}
spec:
ttlSecondsAfterFinished: {{ $job.ttlSecondsAfterFinished }}
backoffLimit: {{ $job.backoffLimit }}
{{- if $job.activeDeadlineSeconds }}
activeDeadlineSeconds: {{ $job.activeDeadlineSeconds }}
{{- end }}
template:
spec:
restartPolicy: {{ $job.restartPolicy }}
volumes:
- name: index-config
configMap:
name: {{ .Release.Name }}-opensearch-index-config
containers:
- name: curl
image: {{ $job.image.repository }}:{{ $job.image.tag }}
imagePullPolicy: {{ $job.image.pullPolicy }}
{{- with $job.resources }}
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- if .Values.opensearch.auth.enabled }}
env:
- name: OPENSEARCH_USERNAME
{{- if .Values.opensearch.auth.existingSecret }}
valueFrom:
secretKeyRef:
name: {{ .Values.opensearch.auth.existingSecret }}
key: username
{{- else }}
value: {{ .Values.opensearch.auth.username | quote }}
{{- end }}
- name: OPENSEARCH_PASSWORD
{{- if .Values.opensearch.auth.existingSecret }}
valueFrom:
secretKeyRef:
name: {{ .Values.opensearch.auth.existingSecret }}
key: password
{{- else }}
value: {{ .Values.opensearch.auth.password | quote }}
{{- end }}
{{- end }}
volumeMounts:
- name: index-config
mountPath: /config
readOnly: true
command:
- sh
- -c
- |
set -e
OPENSEARCH_URL="{{ .Values.opensearch.url | trimSuffix "/" }}"
INDEX_NAME="{{ .Values.opensearch.index }}"
{{- if .Values.opensearch.auth.enabled }}
AUTH_OPTS="-u ${OPENSEARCH_USERNAME}:${OPENSEARCH_PASSWORD}"
{{- end }}

# Check if index already exists
HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" {{ if .Values.opensearch.auth.enabled }}${AUTH_OPTS} {{ end }}-X HEAD "${OPENSEARCH_URL}/${INDEX_NAME}")

if [ "$HTTP_CODE" = "200" ]; then
echo "Index '${INDEX_NAME}' already exists, skipping creation"
exit 0
elif [ "$HTTP_CODE" = "404" ]; then
echo "Index '${INDEX_NAME}' does not exist, creating..."
curl -f {{ if .Values.opensearch.auth.enabled }}${AUTH_OPTS} {{ end }}-X PUT "${OPENSEARCH_URL}/${INDEX_NAME}" \
-H 'Content-Type: application/json' \
-d @/config/resources-index.json
echo "Index '${INDEX_NAME}' created successfully"
else
echo "Unexpected response checking index: HTTP ${HTTP_CODE}"
exit 1
fi
Comment on lines +68 to +83
Copy link

@coderabbitai coderabbitai bot Jan 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

cd charts/lfx-v2-indexer-service && find . -type f -name "*.yaml" -o -name "*.yml" | head -20

Repository: linuxfoundation/lfx-v2-indexer-service

Length of output: 193

🏁 Script executed:

cat -n charts/lfx-v2-indexer-service/templates/job.yaml | sed -n '60,90p'

Repository: linuxfoundation/lfx-v2-indexer-service

Length of output: 1524

🏁 Script executed:

cat charts/lfx-v2-indexer-service/values.yaml

Repository: linuxfoundation/lfx-v2-indexer-service

Length of output: 4563

🏁 Script executed:

#!/bin/bash

# Check if the image tag exists on Docker Hub
echo "Checking Docker Hub for curlimages/curl:8.11.1..."
DOCKER_RESPONSE=$(curl -s "https://hub.docker.com/v2/repositories/curlimages/curl/tags/8.11.1/")
echo "$DOCKER_RESPONSE" | jq -r '.name // "NOT_FOUND"'

# Also check available tags to verify repository access
echo -e "\nRecent available tags (first 5):"
curl -s "https://hub.docker.com/v2/repositories/curlimages/curl/tags/?page_size=5" | jq -r '.results[].name'

Repository: linuxfoundation/lfx-v2-indexer-service

Length of output: 276

🌐 Web query:

curl 8.11.1 CVE security advisory vulnerability

💡 Result:

curl 8.11.1 had multiple security advisories fixed in curl 8.12.0 (released Feb 5, 2025). Summary of CVEs affecting 8.11.1:

  1. CVE-2025-0167 — netrc / default credential leak: under a rare .netrc “default” condition curl could pass a password to a redirected-to host. Severity: Low. Fix in 8.12.0. [1]

  2. CVE-2025-0725 — gzip integer overflow: an integer overflow when doing automatic gzip decompression with very old zlib (<=1.2.0.3) could lead to buffer overflow. Affects 7.10.5..8.11.1. Severity: Low (but high impact if you use ancient zlib). Fix in 8.12.0. [2]

  3. CVE-2025-0665 — eventfd double close: libcurl could close the same eventfd twice in specific threaded-resolver/eventfd builds (64-bit), causing reliability/resource issues. Affected: 8.11.1. Severity: Low. Fix in 8.12.0. [3]

Recommended action: upgrade curl/libcurl to 8.12.0 (or later) or apply the vendor patches; if you cannot upgrade immediately follow the per-advisory mitigations (avoid netrc+redirects, avoid CURLOPT_ACCEPT_ENCODING with ancient zlib, disable eventfd) until patched. [1][2][3]

Sources:
[1] curl CVE-2025-0167 advisory.
[2] curl CVE-2025-0725 advisory.
[3] curl CVE-2025-0665 advisory.

Upgrade curl image to version 8.12.0 or later to address known security advisories.

The index creation logic is well-structured with proper idempotency checks (HEAD before PUT) and appropriate error handling for different HTTP response codes. However, curlimages/curl:8.11.1 has three low-severity security advisories that were fixed in 8.12.0 (released February 5, 2025):

  • CVE-2025-0167: netrc/default credential leak under specific redirect conditions
  • CVE-2025-0725: gzip integer overflow with very old zlib versions
  • CVE-2025-0665: eventfd double close in specific threaded-resolver builds

Update the image tag in values.yaml from 8.11.1 to 8.12.0 or later.

🤖 Prompt for AI Agents 
In @charts/lfx-v2-indexer-service/templates/job.yaml around lines 68 - 83, Bump
the curl image tag in your Helm values to a secure release by updating the
curlimages/curl image tag from 8.11.1 to 8.12.0 (or later) in values.yaml (the
key that controls the image used by the job template referencing the curl
container), then re-render/validate the chart (helm template / CI) to ensure the
job.yaml template picks up the new tag and no other references remain to 8.11.1.

{{- end }}
30 changes: 30 additions & 0 deletions charts/lfx-v2-indexer-service/values.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,36 @@ opensearch:
url: http://opensearch-cluster-master.lfx.svc.cluster.local:9200/
# index is the index name for storing resources
index: resources
# auth configures authentication for OpenSearch
auth:
# enabled controls whether authentication is used
enabled: false
# existingSecret is the name of an existing secret containing credentials
# The secret should have 'username' and 'password' keys
existingSecret: ""
# username is the OpenSearch username (ignored if existingSecret is set)
username: ""
# password is the OpenSearch password (ignored if existingSecret is set)
password: ""
# indexingJob is the configuration for the OpenSearch index creation job
indexingJob:
# enabled is a boolean to determine if the indexing job should be created
enabled: true
# backoffLimit is the number of retries before marking the job as failed
backoffLimit: 3
# ttlSecondsAfterFinished is how long to keep the job after completion
ttlSecondsAfterFinished: 300
# activeDeadlineSeconds is the maximum time for the job to run (optional)
activeDeadlineSeconds: null
# restartPolicy is the pod restart policy (OnFailure or Never)
restartPolicy: OnFailure
# image is the container image for the job
image:
repository: curlimages/curl
tag: "8.11.1"
pullPolicy: IfNotPresent
# resources defines CPU and memory limits/requests for the job container
resources: {}

# heimdall is the configuration for the heimdall middleware
heimdall:
Expand Down