From 3512a65023e628c6b0be912c5dc8a3dbaf918a3a Mon Sep 17 00:00:00 2001 From: Trevor Bramwell Date: Tue, 6 Jan 2026 12:34:10 -0800 Subject: [PATCH 1/7] Add Helm job for OpenSearch index creation MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add a Kubernetes Job to the Helm chart that uses cURL to PUT the OpenSearch index mapping. The index definition is stored in a ConfigMap and includes mappings for all resource fields used by the query service. - Add indexing-configmap.yaml with OpenSearch index JSON - Add job.yaml that mounts ConfigMap and runs cURL PUT - Add indexingJob.enabled value (defaults to true) 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude Signed-off-by: Trevor Bramwell --- charts/lfx-v2-indexer-service/Chart.yaml | 2 +- .../templates/indexing-configmap.yaml | 66 +++++++++++++++++++ .../lfx-v2-indexer-service/templates/job.yaml | 34 ++++++++++ charts/lfx-v2-indexer-service/values.yaml | 4 ++ 4 files changed, 105 insertions(+), 1 deletion(-) create mode 100644 charts/lfx-v2-indexer-service/templates/indexing-configmap.yaml create mode 100644 charts/lfx-v2-indexer-service/templates/job.yaml diff --git a/charts/lfx-v2-indexer-service/Chart.yaml b/charts/lfx-v2-indexer-service/Chart.yaml index f23d2a2..23779bc 100644 --- a/charts/lfx-v2-indexer-service/Chart.yaml +++ b/charts/lfx-v2-indexer-service/Chart.yaml @@ -6,5 +6,5 @@ apiVersion: v2 name: lfx-v2-indexer-service description: LFX Platform V2 Indexer Service chart type: application -version: 0.4.12 +version: 0.5.0 appVersion: "latest" diff --git a/charts/lfx-v2-indexer-service/templates/indexing-configmap.yaml b/charts/lfx-v2-indexer-service/templates/indexing-configmap.yaml new file mode 100644 index 0000000..fcdc4c5 --- /dev/null +++ b/charts/lfx-v2-indexer-service/templates/indexing-configmap.yaml @@ -0,0 +1,66 @@ +# Copyright The Linux Foundation and each contributor to LFX. +# SPDX-License-Identifier: MIT +{{- if .Values.opensearch.indexingJob.enabled }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: opensearch-index-config + namespace: {{ .Release.Namespace }} +data: + resources-index.json: | + { + "settings": { + "index": { + "number_of_shards": 1, + "number_of_replicas": 1 + } + }, + "mappings": { + "properties": { + "object_ref": { + "type": "keyword" + }, + "object_type": { + "type": "keyword" + }, + "object_id": { + "type": "keyword" + }, + "latest": { + "type": "boolean" + }, + "public": { + "type": "boolean" + }, + "parent_refs": { + "type": "keyword" + }, + "name_and_aliases": { + "type": "search_as_you_type" + }, + "tags": { + "type": "keyword" + }, + "access_check_object": { + "type": "keyword" + }, + "access_check_relation": { + "type": "keyword" + }, + "history_check_object": { + "type": "keyword" + }, + "history_check_relation": { + "type": "keyword" + }, + "access_check_query": { + "type": "keyword" + }, + "history_check_query": { + "type": "keyword" + } + } + } + } +{{- end }} diff --git a/charts/lfx-v2-indexer-service/templates/job.yaml b/charts/lfx-v2-indexer-service/templates/job.yaml new file mode 100644 index 0000000..5726b35 --- /dev/null +++ b/charts/lfx-v2-indexer-service/templates/job.yaml @@ -0,0 +1,34 @@ +# Copyright The Linux Foundation and each contributor to LFX. +# SPDX-License-Identifier: MIT +{{- if .Values.opensearch.indexingJob.enabled }} +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: opensearch-index-setup + namespace: {{ .Release.Namespace }} +spec: + ttlSecondsAfterFinished: 300 + backoffLimit: 3 + template: + spec: + restartPolicy: Never + volumes: + - name: index-config + configMap: + name: opensearch-index-config + containers: + - name: curl + image: curlimages/curl:8.11.1 + volumeMounts: + - name: index-config + mountPath: /config + readOnly: true + command: + - sh + - -c + - | + curl -X PUT "{{ .Values.opensearch.url | trimSuffix "/" }}/{{ .Values.opensearch.index }}" \ + -H 'Content-Type: application/json' \ + -d @/config/resources-index.json +{{- end }} diff --git a/charts/lfx-v2-indexer-service/values.yaml b/charts/lfx-v2-indexer-service/values.yaml index d53f043..a0bbeba 100644 --- a/charts/lfx-v2-indexer-service/values.yaml +++ b/charts/lfx-v2-indexer-service/values.yaml @@ -25,6 +25,10 @@ opensearch: url: http://opensearch-cluster-master.lfx.svc.cluster.local:9200/ # index is the index name for storing resources index: resources + # indexingJob is the configuration for the OpenSearch index creation job + indexingJob: + # enabled is a boolean to determine if the indexing job should be created + enabled: true # heimdall is the configuration for the heimdall middleware heimdall: From 234dc9cd37ecdca5d8ed254c836d2267413352ca Mon Sep 17 00:00:00 2001 From: Trevor Bramwell Date: Tue, 6 Jan 2026 16:13:53 -0800 Subject: [PATCH 2/7] Improve OpenSearch index creation job MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Extract index mapping to separate JSON file for better maintainability - Add idempotent index creation that skips if index already exists - Change restartPolicy to OnFailure for better retry behavior - Add proper error handling with set -e and curl -f flags 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Signed-off-by: Trevor Bramwell --- .../files/opensearch-resources-index.json | 48 ++++++++++++++++ .../templates/indexing-configmap.yaml | 55 +------------------ .../lfx-v2-indexer-service/templates/job.yaml | 25 +++++++-- 3 files changed, 70 insertions(+), 58 deletions(-) create mode 100644 charts/lfx-v2-indexer-service/files/opensearch-resources-index.json diff --git a/charts/lfx-v2-indexer-service/files/opensearch-resources-index.json b/charts/lfx-v2-indexer-service/files/opensearch-resources-index.json new file mode 100644 index 0000000..df7296c --- /dev/null +++ b/charts/lfx-v2-indexer-service/files/opensearch-resources-index.json @@ -0,0 +1,48 @@ +{ + "mappings": { + "properties": { + "object_ref": { "type": "keyword" }, + "object_type": { "type": "keyword" }, + "object_id": { "type": "keyword" }, + "parent_refs": { "type": "keyword" }, + "sort_name": { "type": "keyword" }, + "name_and_aliases": { "type": "search_as_you_type" }, + "tags": { "type": "keyword" }, + "public": { "type": "boolean" }, + "access_check_query": { "type": "keyword" }, + "history_check_query": { "type": "keyword" }, + "latest": { "type": "boolean" }, + "created_at": { "type": "date" }, + "created_by": { "type": "keyword" }, + "created_by_principals": { "type": "keyword" }, + "created_by_emails": { "type": "keyword" }, + "updated_at": { "type": "date" }, + "updated_by": { "type": "keyword" }, + "updated_by_principals": { "type": "keyword" }, + "updated_by_emails": { "type": "keyword" }, + "deleted_at": { "type": "date" }, + "deleted_by": { "type": "keyword" }, + "deleted_by_principals": { "type": "keyword" }, + "deleted_by_emails": { "type": "keyword" }, + "data": { + "type": "flat_object" + }, + "fulltext": { + "type": "match_only_text" + }, + "contacts": { + "type": "nested", + "properties": { + "lfx_principal": { "type": "search_as_you_type" }, + "name": { "type": "search_as_you_type" }, + "emails": { "type": "search_as_you_type" }, + "bot": { "type": "boolean" }, + "profile": { "type": "flat_object" } + } + }, + "v1_data": { + "type": "flat_object" + } + } + } +} diff --git a/charts/lfx-v2-indexer-service/templates/indexing-configmap.yaml b/charts/lfx-v2-indexer-service/templates/indexing-configmap.yaml index fcdc4c5..b1565b9 100644 --- a/charts/lfx-v2-indexer-service/templates/indexing-configmap.yaml +++ b/charts/lfx-v2-indexer-service/templates/indexing-configmap.yaml @@ -9,58 +9,5 @@ metadata: namespace: {{ .Release.Namespace }} data: resources-index.json: | - { - "settings": { - "index": { - "number_of_shards": 1, - "number_of_replicas": 1 - } - }, - "mappings": { - "properties": { - "object_ref": { - "type": "keyword" - }, - "object_type": { - "type": "keyword" - }, - "object_id": { - "type": "keyword" - }, - "latest": { - "type": "boolean" - }, - "public": { - "type": "boolean" - }, - "parent_refs": { - "type": "keyword" - }, - "name_and_aliases": { - "type": "search_as_you_type" - }, - "tags": { - "type": "keyword" - }, - "access_check_object": { - "type": "keyword" - }, - "access_check_relation": { - "type": "keyword" - }, - "history_check_object": { - "type": "keyword" - }, - "history_check_relation": { - "type": "keyword" - }, - "access_check_query": { - "type": "keyword" - }, - "history_check_query": { - "type": "keyword" - } - } - } - } + {{ .Files.Get "files/opensearch-resources-index.json" | nindent 4 }} {{- end }} diff --git a/charts/lfx-v2-indexer-service/templates/job.yaml b/charts/lfx-v2-indexer-service/templates/job.yaml index 5726b35..fd22537 100644 --- a/charts/lfx-v2-indexer-service/templates/job.yaml +++ b/charts/lfx-v2-indexer-service/templates/job.yaml @@ -12,7 +12,7 @@ spec: backoffLimit: 3 template: spec: - restartPolicy: Never + restartPolicy: OnFailure volumes: - name: index-config configMap: @@ -28,7 +28,24 @@ spec: - sh - -c - | - curl -X PUT "{{ .Values.opensearch.url | trimSuffix "/" }}/{{ .Values.opensearch.index }}" \ - -H 'Content-Type: application/json' \ - -d @/config/resources-index.json + set -e + OPENSEARCH_URL="{{ .Values.opensearch.url | trimSuffix "/" }}" + INDEX_NAME="{{ .Values.opensearch.index }}" + + # Check if index already exists + HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" -X HEAD "${OPENSEARCH_URL}/${INDEX_NAME}") + + if [ "$HTTP_CODE" = "200" ]; then + echo "Index '${INDEX_NAME}' already exists, skipping creation" + exit 0 + elif [ "$HTTP_CODE" = "404" ]; then + echo "Index '${INDEX_NAME}' does not exist, creating..." + curl -f -X PUT "${OPENSEARCH_URL}/${INDEX_NAME}" \ + -H 'Content-Type: application/json' \ + -d @/config/resources-index.json + echo "Index '${INDEX_NAME}' created successfully" + else + echo "Unexpected response checking index: HTTP ${HTTP_CODE}" + exit 1 + fi {{- end }} From 4f5d8bb7c5be4d5b874f47a0cd327362fe87213a Mon Sep 17 00:00:00 2001 From: Trevor Bramwell Date: Wed, 7 Jan 2026 09:19:37 -0800 Subject: [PATCH 3/7] Use release name prefix for job and configmap names MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Ensures unique resource names across multiple Helm releases. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 Signed-off-by: Trevor Bramwell --- .../lfx-v2-indexer-service/templates/indexing-configmap.yaml | 2 +- charts/lfx-v2-indexer-service/templates/job.yaml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/charts/lfx-v2-indexer-service/templates/indexing-configmap.yaml b/charts/lfx-v2-indexer-service/templates/indexing-configmap.yaml index b1565b9..95a300e 100644 --- a/charts/lfx-v2-indexer-service/templates/indexing-configmap.yaml +++ b/charts/lfx-v2-indexer-service/templates/indexing-configmap.yaml @@ -5,7 +5,7 @@ apiVersion: v1 kind: ConfigMap metadata: - name: opensearch-index-config + name: {{ .Release.Name }}-opensearch-index-config namespace: {{ .Release.Namespace }} data: resources-index.json: | diff --git a/charts/lfx-v2-indexer-service/templates/job.yaml b/charts/lfx-v2-indexer-service/templates/job.yaml index fd22537..a3bda0c 100644 --- a/charts/lfx-v2-indexer-service/templates/job.yaml +++ b/charts/lfx-v2-indexer-service/templates/job.yaml @@ -5,7 +5,7 @@ apiVersion: batch/v1 kind: Job metadata: - name: opensearch-index-setup + name: {{ .Release.Name }}-opensearch-index-setup namespace: {{ .Release.Namespace }} spec: ttlSecondsAfterFinished: 300 @@ -16,7 +16,7 @@ spec: volumes: - name: index-config configMap: - name: opensearch-index-config + name: {{ .Release.Name }}-opensearch-index-config containers: - name: curl image: curlimages/curl:8.11.1 From 34edd785bfc6328ad25eb43b0a7b7aebfff0bec6 Mon Sep 17 00:00:00 2001 From: Trevor Bramwell Date: Wed, 7 Jan 2026 10:18:31 -0800 Subject: [PATCH 4/7] Add OpenSearch authentication support to index setup job MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Support optional basic auth for OpenSearch via existingSecret reference or direct username/password values. Also makes job configuration (backoffLimit, ttlSecondsAfterFinished, image, resources) configurable. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 Signed-off-by: Trevor Bramwell --- .../lfx-v2-indexer-service/templates/job.yaml | 45 ++++++++++++++++--- charts/lfx-v2-indexer-service/values.yaml | 26 +++++++++++ 2 files changed, 65 insertions(+), 6 deletions(-) diff --git a/charts/lfx-v2-indexer-service/templates/job.yaml b/charts/lfx-v2-indexer-service/templates/job.yaml index a3bda0c..6641a3a 100644 --- a/charts/lfx-v2-indexer-service/templates/job.yaml +++ b/charts/lfx-v2-indexer-service/templates/job.yaml @@ -1,6 +1,7 @@ # Copyright The Linux Foundation and each contributor to LFX. # SPDX-License-Identifier: MIT {{- if .Values.opensearch.indexingJob.enabled }} +{{- $job := .Values.opensearch.indexingJob }} --- apiVersion: batch/v1 kind: Job @@ -8,18 +9,47 @@ metadata: name: {{ .Release.Name }}-opensearch-index-setup namespace: {{ .Release.Namespace }} spec: - ttlSecondsAfterFinished: 300 - backoffLimit: 3 + ttlSecondsAfterFinished: {{ $job.ttlSecondsAfterFinished }} + backoffLimit: {{ $job.backoffLimit }} + {{- if $job.activeDeadlineSeconds }} + activeDeadlineSeconds: {{ $job.activeDeadlineSeconds }} + {{- end }} template: spec: - restartPolicy: OnFailure + restartPolicy: {{ $job.restartPolicy }} volumes: - name: index-config configMap: name: {{ .Release.Name }}-opensearch-index-config containers: - name: curl - image: curlimages/curl:8.11.1 + image: {{ $job.image.repository }}:{{ $job.image.tag }} + imagePullPolicy: {{ $job.image.pullPolicy }} + {{- with $job.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- if .Values.opensearch.auth.enabled }} + env: + - name: OPENSEARCH_USERNAME + {{- if .Values.opensearch.auth.existingSecret }} + valueFrom: + secretKeyRef: + name: {{ .Values.opensearch.auth.existingSecret }} + key: username + {{- else }} + value: {{ .Values.opensearch.auth.username | quote }} + {{- end }} + - name: OPENSEARCH_PASSWORD + {{- if .Values.opensearch.auth.existingSecret }} + valueFrom: + secretKeyRef: + name: {{ .Values.opensearch.auth.existingSecret }} + key: password + {{- else }} + value: {{ .Values.opensearch.auth.password | quote }} + {{- end }} + {{- end }} volumeMounts: - name: index-config mountPath: /config @@ -31,16 +61,19 @@ spec: set -e OPENSEARCH_URL="{{ .Values.opensearch.url | trimSuffix "/" }}" INDEX_NAME="{{ .Values.opensearch.index }}" + {{- if .Values.opensearch.auth.enabled }} + AUTH_OPTS="-u ${OPENSEARCH_USERNAME}:${OPENSEARCH_PASSWORD}" + {{- end }} # Check if index already exists - HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" -X HEAD "${OPENSEARCH_URL}/${INDEX_NAME}") + HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" {{ if .Values.opensearch.auth.enabled }}${AUTH_OPTS} {{ end }}-X HEAD "${OPENSEARCH_URL}/${INDEX_NAME}") if [ "$HTTP_CODE" = "200" ]; then echo "Index '${INDEX_NAME}' already exists, skipping creation" exit 0 elif [ "$HTTP_CODE" = "404" ]; then echo "Index '${INDEX_NAME}' does not exist, creating..." - curl -f -X PUT "${OPENSEARCH_URL}/${INDEX_NAME}" \ + curl -f {{ if .Values.opensearch.auth.enabled }}${AUTH_OPTS} {{ end }}-X PUT "${OPENSEARCH_URL}/${INDEX_NAME}" \ -H 'Content-Type: application/json' \ -d @/config/resources-index.json echo "Index '${INDEX_NAME}' created successfully" diff --git a/charts/lfx-v2-indexer-service/values.yaml b/charts/lfx-v2-indexer-service/values.yaml index a0bbeba..322d707 100644 --- a/charts/lfx-v2-indexer-service/values.yaml +++ b/charts/lfx-v2-indexer-service/values.yaml @@ -25,10 +25,36 @@ opensearch: url: http://opensearch-cluster-master.lfx.svc.cluster.local:9200/ # index is the index name for storing resources index: resources + # auth configures authentication for OpenSearch + auth: + # enabled controls whether authentication is used + enabled: false + # existingSecret is the name of an existing secret containing credentials + # The secret should have 'username' and 'password' keys + existingSecret: "" + # username is the OpenSearch username (ignored if existingSecret is set) + username: "" + # password is the OpenSearch password (ignored if existingSecret is set) + password: "" # indexingJob is the configuration for the OpenSearch index creation job indexingJob: # enabled is a boolean to determine if the indexing job should be created enabled: true + # backoffLimit is the number of retries before marking the job as failed + backoffLimit: 3 + # ttlSecondsAfterFinished is how long to keep the job after completion + ttlSecondsAfterFinished: 300 + # activeDeadlineSeconds is the maximum time for the job to run (optional) + activeDeadlineSeconds: null + # restartPolicy is the pod restart policy (OnFailure or Never) + restartPolicy: OnFailure + # image is the container image for the job + image: + repository: curlimages/curl + tag: "8.11.1" + pullPolicy: IfNotPresent + # resources defines CPU and memory limits/requests for the job container + resources: {} # heimdall is the configuration for the heimdall middleware heimdall: From 6f0124dbf3f3fcb0c7f707d4b3fa46da048ea9ee Mon Sep 17 00:00:00 2001 From: Andres Tobon Date: Tue, 5 May 2026 17:47:25 -0700 Subject: [PATCH 5/7] fix: use --head instead of -X HEAD in opensearch index job -X HEAD causes curl to wait for a response body that never arrives, hanging the job indefinitely. --head correctly skips body reading. Generated with [Claude Code](https://claude.ai/code) Signed-off-by: Andres Tobon --- charts/lfx-v2-indexer-service/templates/job.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/lfx-v2-indexer-service/templates/job.yaml b/charts/lfx-v2-indexer-service/templates/job.yaml index 6641a3a..a430e89 100644 --- a/charts/lfx-v2-indexer-service/templates/job.yaml +++ b/charts/lfx-v2-indexer-service/templates/job.yaml @@ -66,7 +66,7 @@ spec: {{- end }} # Check if index already exists - HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" {{ if .Values.opensearch.auth.enabled }}${AUTH_OPTS} {{ end }}-X HEAD "${OPENSEARCH_URL}/${INDEX_NAME}") + HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" {{ if .Values.opensearch.auth.enabled }}${AUTH_OPTS} {{ end }}--head "${OPENSEARCH_URL}/${INDEX_NAME}") if [ "$HTTP_CODE" = "200" ]; then echo "Index '${INDEX_NAME}' already exists, skipping creation" From 8971941b32772982ff1ede317b0a9af9dd109453 Mon Sep 17 00:00:00 2001 From: Trevor Bramwell Date: Thu, 7 May 2026 10:05:44 -0700 Subject: [PATCH 6/7] feat(LFXV2-1698): update OpenSearch index mapping MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Add access_check_object, access_check_relation - Add history_check_object, history_check_relation - Add scheduled_start_time, scheduled_end_time - Change access_check_query/history_check_query to text with keyword sub-field (ignore_above: 256) - Add doc_values: false, max_shingle_size: 3 to all search_as_you_type fields 🤖 Generated with [Claude Code](https://claude.com/claude-code) Issue: LFXV2-1698 Co-Authored-By: Claude Sonnet 4.6 Signed-off-by: Trevor Bramwell --- .../files/opensearch-resources-index.json | 20 +++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/charts/lfx-v2-indexer-service/files/opensearch-resources-index.json b/charts/lfx-v2-indexer-service/files/opensearch-resources-index.json index df7296c..59c2da9 100644 --- a/charts/lfx-v2-indexer-service/files/opensearch-resources-index.json +++ b/charts/lfx-v2-indexer-service/files/opensearch-resources-index.json @@ -9,8 +9,22 @@ "name_and_aliases": { "type": "search_as_you_type" }, "tags": { "type": "keyword" }, "public": { "type": "boolean" }, - "access_check_query": { "type": "keyword" }, - "history_check_query": { "type": "keyword" }, + "access_check_query": { + "type": "text", + "fields": { + "keyword": { "type": "keyword", "ignore_above": 256 } + } + }, + "access_check_object": { "type": "keyword" }, + "access_check_relation": { "type": "keyword" }, + "history_check_query": { + "type": "text", + "fields": { + "keyword": { "type": "keyword", "ignore_above": 256 } + } + }, + "history_check_object": { "type": "keyword" }, + "history_check_relation": { "type": "keyword" }, "latest": { "type": "boolean" }, "created_at": { "type": "date" }, "created_by": { "type": "keyword" }, @@ -24,6 +38,8 @@ "deleted_by": { "type": "keyword" }, "deleted_by_principals": { "type": "keyword" }, "deleted_by_emails": { "type": "keyword" }, + "scheduled_start_time": { "type": "date" }, + "scheduled_end_time": { "type": "date" }, "data": { "type": "flat_object" }, From 1a85468424c237787ba02443da472cbe3cad3c1f Mon Sep 17 00:00:00 2001 From: Trevor Bramwell Date: Thu, 7 May 2026 13:21:11 -0700 Subject: [PATCH 7/7] fix(LFXV2-1698): address PR #36 review comments MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Convert Job and ConfigMap to Helm hooks (post-install/post-upgrade) with before-hook-creation,hook-succeeded delete policy; ConfigMap uses weight 0, Job uses weight 1 to ensure ordering - Add securityContext.allowPrivilegeEscalation: false to Job container - Remove AUTH_OPTS shell variable; inline credentials directly as -u "${OPENSEARCH_USERNAME}:${OPENSEARCH_PASSWORD}" to avoid unquoted variable expansion - Fix nindent formatting in ConfigMap to remove leading whitespace before Files.Get template call 🤖 Generated with [Claude Code](https://claude.com/claude-code) Issue: LFXV2-1698 Co-Authored-By: Claude Sonnet 4.6 Signed-off-by: Trevor Bramwell --- .../templates/indexing-configmap.yaml | 6 +++++- charts/lfx-v2-indexer-service/templates/job.yaml | 13 ++++++++----- 2 files changed, 13 insertions(+), 6 deletions(-) diff --git a/charts/lfx-v2-indexer-service/templates/indexing-configmap.yaml b/charts/lfx-v2-indexer-service/templates/indexing-configmap.yaml index 95a300e..593f63c 100644 --- a/charts/lfx-v2-indexer-service/templates/indexing-configmap.yaml +++ b/charts/lfx-v2-indexer-service/templates/indexing-configmap.yaml @@ -7,7 +7,11 @@ kind: ConfigMap metadata: name: {{ .Release.Name }}-opensearch-index-config namespace: {{ .Release.Namespace }} + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + "helm.sh/hook-weight": "0" data: resources-index.json: | - {{ .Files.Get "files/opensearch-resources-index.json" | nindent 4 }} +{{- .Files.Get "files/opensearch-resources-index.json" | nindent 4 }} {{- end }} diff --git a/charts/lfx-v2-indexer-service/templates/job.yaml b/charts/lfx-v2-indexer-service/templates/job.yaml index a430e89..3d488d1 100644 --- a/charts/lfx-v2-indexer-service/templates/job.yaml +++ b/charts/lfx-v2-indexer-service/templates/job.yaml @@ -8,6 +8,10 @@ kind: Job metadata: name: {{ .Release.Name }}-opensearch-index-setup namespace: {{ .Release.Namespace }} + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + "helm.sh/hook-weight": "1" spec: ttlSecondsAfterFinished: {{ $job.ttlSecondsAfterFinished }} backoffLimit: {{ $job.backoffLimit }} @@ -50,6 +54,8 @@ spec: value: {{ .Values.opensearch.auth.password | quote }} {{- end }} {{- end }} + securityContext: + allowPrivilegeEscalation: false volumeMounts: - name: index-config mountPath: /config @@ -61,19 +67,16 @@ spec: set -e OPENSEARCH_URL="{{ .Values.opensearch.url | trimSuffix "/" }}" INDEX_NAME="{{ .Values.opensearch.index }}" - {{- if .Values.opensearch.auth.enabled }} - AUTH_OPTS="-u ${OPENSEARCH_USERNAME}:${OPENSEARCH_PASSWORD}" - {{- end }} # Check if index already exists - HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" {{ if .Values.opensearch.auth.enabled }}${AUTH_OPTS} {{ end }}--head "${OPENSEARCH_URL}/${INDEX_NAME}") + HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" {{ if .Values.opensearch.auth.enabled }}-u "${OPENSEARCH_USERNAME}:${OPENSEARCH_PASSWORD}" {{ end }}--head "${OPENSEARCH_URL}/${INDEX_NAME}") if [ "$HTTP_CODE" = "200" ]; then echo "Index '${INDEX_NAME}' already exists, skipping creation" exit 0 elif [ "$HTTP_CODE" = "404" ]; then echo "Index '${INDEX_NAME}' does not exist, creating..." - curl -f {{ if .Values.opensearch.auth.enabled }}${AUTH_OPTS} {{ end }}-X PUT "${OPENSEARCH_URL}/${INDEX_NAME}" \ + curl -f {{ if .Values.opensearch.auth.enabled }}-u "${OPENSEARCH_USERNAME}:${OPENSEARCH_PASSWORD}" {{ end }}-X PUT "${OPENSEARCH_URL}/${INDEX_NAME}" \ -H 'Content-Type: application/json' \ -d @/config/resources-index.json echo "Index '${INDEX_NAME}' created successfully"