Platform Administrator FAQ

I updated some OpenSearch options but it didn't work, now what?

If you update the OpenSearch securityConfig you will have to make sure that the master Pod(s) are restarted so that they pick up the new Secret and then run the securityadmin.sh script. This happens for example if you switch from non-SSO to SSO.

To reload the configuration you need to run the following commands:

# Make the script executable
kubectl -n opensearch-system exec opensearch-master-0 -- chmod +x ./plugins/opensearch-security/tools/securityadmin.sh
# Run the script to update the configuration
kubectl -n opensearch-system exec opensearch-master-0 -- ./plugins/opensearch-security/tools/securityadmin.sh \
    -f plugins/opensearch-security/securityconfig/config.yml \
    -icl -nhnv \
    -cacert config/admin/ca.crt \
    -cert config/admin/tls.crt \
    -key config/admin/tls.key

Note that the above only reloads the config.yml (as specified with the -f). If you made changes to other parts of the system you will need to point to the relevant file to reload, or reload everything like this:

# Run the script to update "everything" (internal users, roles, configuration, etc.)
kubectl -n opensearch-system exec opensearch-master-0 -- ./plugins/opensearch-security/tools/securityadmin.sh \
    -cd plugins/opensearch-security/securityconfig/ \
    -icl -nhnv \
    -cacert config/admin/ca.crt \
    -cert config/admin/tls.crt \
    -key config/admin/tls.key

When you update things other than config.yml you will also need to rerun the Configurer Job by syncing the opensearch-configurer chart.

What should I do if GitHub is down?

Tip

To reduce dependence on external systems outside your control, consider deploying Welkin air-gapped.

For auto-updates and automatic patching of the underlying OS on the Nodes, Welkin requires access to a set of external systems, such as:

• configuration of the Welkin environment, usually stored in a git repository, like GitLab or GitHub;
• public container image repositories, such as:
  • Docker Container Registry (docker.io)
  • GitHub Container Registry (ghcr.io)
  • Google Container Registry (mirror.gcr.io)
  • Quay (quay.io)
  • the Kubernetes public container registry (registry.k8s.io)

Tip

Use the following command to list all container images in use by Welkin, both by applications and platform components:

kubectl get pods -A -o jsonpath="{..image}" | tr ' ' '\n' | sort -u

If these external systems are malfunctioning (i.e., are down or suspected compromised), then Welkin recommends to:

• disable auto-update by setting tektonPipelines.enabled: false;
• disable automatic patching of the underlying OS by setting kured.enabled: false.