Add anonymous auth to helm charts (#10)

* Get anon auth on terraform

Signed-off-by: Ashish Agrawal <ashisagr@amazon.com>

* Add back metrics port

Signed-off-by: Ashish Agrawal <ashisagr@amazon.com>

---------

Signed-off-by: Ashish Agrawal <ashisagr@amazon.com>Signed-off-by: Kyle Hounslow <kylhouns@amazon.com>
Signed-off-by: Kyle Hounslow <kylhouns@amazon.com>

Author: lezzago

charts/observability-stack/files/init-opensearch-dashboards.py

@@ -14,7 +14,7 @@
 PROMETHEUS_HOST = os.getenv("PROMETHEUS_HOST", "prometheus")
 PROMETHEUS_PORT = os.getenv("PROMETHEUS_PORT", "9090")
 _opensearch_protocol = os.getenv("OPENSEARCH_PROTOCOL", "https")
-OPENSEARCH_ENDPOINT = f"{_opensearch_protocol}://{os.getenv('OPENSEARCH_HOST', 'opensearch')}:{os.getenv('OPENSEARCH_PORT', '9200')}"
+OPENSEARCH_ENDPOINT = os.getenv("OPENSEARCH_ENDPOINT", f"{_opensearch_protocol}://{os.getenv('OPENSEARCH_HOST', 'opensearch')}:{os.getenv('OPENSEARCH_PORT', '9200')}")
 
 def wait_for_dashboards():
     """Wait for OpenSearch Dashboards to be ready"""
@@ -100,6 +100,43 @@ def create_workspace():
         return "default"
 
 
+def set_default_workspace(workspace_id):
+    """Set the default workspace so all users land here on login.
+
+    When workspace.enabled is true, users see a workspace picker on first load.
+    Setting defaultWorkspace directs all users (including anonymous) straight
+    to the Observability Stack workspace instead.
+    """
+    if not workspace_id or workspace_id == "default":
+        print("⏭️  Skipping default workspace (using default)")
+        return False
+
+    print(f"⭐ Setting default workspace: {workspace_id}")
+
+    url = f"{BASE_URL}/api/opensearch-dashboards/settings"
+    payload = {"changes": {"defaultWorkspace": workspace_id}}
+
+    try:
+        response = requests.post(
+            url,
+            auth=(USERNAME, PASSWORD),
+            headers={"Content-Type": "application/json", "osd-xsrf": "true"},
+            json=payload,
+            verify=False,
+            timeout=10,
+        )
+
+        if response.status_code == 200:
+            print("✅ Default workspace set")
+            return True
+        else:
+            print(f"⚠️  Failed to set default workspace: {response.status_code} {response.text}")
+            return False
+    except requests.exceptions.RequestException as e:
+        print(f"⚠️  Error setting default workspace: {e}")
+        return False
+
+
 def get_existing_index_pattern(workspace_id, title):
     """Check if an index pattern with the given title already exists"""
     try:
@@ -230,9 +267,13 @@ def create_prometheus_datasource(workspace_id):
 
     prometheus_endpoint = f"http://{PROMETHEUS_HOST}:{PROMETHEUS_PORT}"
 
+    # Grant anonymous users access to the Prometheus datasource when anonymous auth is enabled
+    anonymous_auth = os.getenv("ANONYMOUS_AUTH_ENABLED", "false").lower() == "true"
+    allowed_roles = ["all_access", "opendistro_security_anonymous_role"] if anonymous_auth else ["all_access"]
+
     payload = {
         "name": datasource_name,
-        "allowedRoles": [],
+        "allowedRoles": allowed_roles,
         "connector": "prometheus",
         "properties": {
             "prometheus.uri": prometheus_endpoint,
@@ -1253,6 +1294,9 @@ def main():
     else:
         workspace_id = create_workspace()
 
+    # Set as default workspace so users skip the workspace picker
+    set_default_workspace(workspace_id)
+
     # Create index patterns (idempotent - will skip if already exist)
     # Titles must match exactly what the APM plugin expects
     logs_schema_mappings = '{"otelLogs":{"timestamp":"time","traceId":"traceId","spanId":"spanId","serviceName":"resource.attributes.service.name"}}'

charts/observability-stack/templates/init-dashboards-job.yaml

@@ -44,6 +44,8 @@ spec:
               value: "80"
             - name: OPENSEARCH_ENDPOINT
               value: "https://opensearch-cluster-master:9200"
+            - name: ANONYMOUS_AUTH_ENABLED
+              value: {{ ((.Values.anonymousAuth).enabled) | default false | quote }}
           volumeMounts:
             - name: init-script
               mountPath: /scripts

charts/observability-stack/values-anonymous-auth.yaml

@@ -0,0 +1,156 @@
+# Anonymous Authentication overlay for Observability Stack Helm chart.
+#
+# Usage:
+#   helm install obs-stack . -f values-anonymous-auth.yaml
+#   helm upgrade obs-stack . -f values-anonymous-auth.yaml
+#
+# This enables anonymous access to OpenSearch Dashboards — users can browse
+# data, view/create/modify saved objects, explore traces, and run queries
+# without logging in. They cannot delete existing saved objects or perform
+# admin operations.
+#
+# IMPORTANT: If toggling on an existing deployment, you must delete the
+# OpenSearch StatefulSet PVCs to force security config reinitialization:
+#   helm uninstall obs-stack
+#   kubectl delete pvc -l app.kubernetes.io/instance=obs-stack
+#   helm install obs-stack . -f values-anonymous-auth.yaml
+
+anonymousAuth:
+  enabled: true
+
+# OpenSearch — enable anonymous auth in the security plugin
+opensearch:
+  securityConfig:
+    config:
+      dataComplete: false
+      data:
+        config.yml: |-
+          _meta:
+            type: "config"
+            config_version: 2
+          config:
+            dynamic:
+              http:
+                anonymous_auth_enabled: true
+                xff:
+                  enabled: false
+                  internalProxies: "192\\.168\\.0\\.10|192\\.168\\.0\\.11"
+              authc:
+                basic_internal_auth_domain:
+                  description: "Authenticate via HTTP Basic against internal users database"
+                  http_enabled: true
+                  transport_enabled: true
+                  order: 4
+                  http_authenticator:
+                    type: "basic"
+                    challenge: true
+                  authentication_backend:
+                    type: "intern"
+        roles.yml: |-
+          _meta:
+            type: "roles"
+            config_version: 2
+          opendistro_security_anonymous_role:
+            reserved: true
+            cluster_permissions:
+              - "read"
+              - "cluster_monitor"
+              - "cluster_composite_ops"
+              - "indices:data/read/scroll*"
+              - "cluster:admin/opensearch/ppl"
+              - "cluster:admin/opensearch/sql"
+              - "cluster:admin/opensearch/ql/datasources/read"
+              - "cluster:admin/opensearch/ql/async_query/read"
+              - "cluster:admin/opensearch/direct_query/read/query"
+            index_permissions:
+              - index_patterns:
+                  - ".kibana"
+                  - ".kibana-6"
+                  - ".kibana_*"
+                  - ".opensearch_dashboards"
+                  - ".opensearch_dashboards-6"
+                  - ".opensearch_dashboards_*"
+                allowed_actions:
+                  - "read"
+                  - "indices:data/write/index*"
+                  - "indices:data/write/update*"
+                  - "indices:data/write/bulk*"
+              - index_patterns:
+                  - ".tasks"
+                  - ".management-beats"
+                  - "*:.tasks"
+                  - "*:.management-beats"
+                allowed_actions:
+                  - "read"
+              - index_patterns:
+                  - '*'
+                allowed_actions:
+                  - "read"
+                  - "indices:data/read/*"
+                  - "indices:admin/get"
+                  - "indices:admin/exists"
+                  - "indices:admin/aliases/exists*"
+                  - "indices:admin/aliases/get*"
+                  - "indices:admin/mappings/get"
+                  - "indices:admin/resolve/index"
+                  - "indices:monitor/settings/get"
+                  - "indices:monitor/stats"
+            tenant_permissions:
+              - tenant_patterns:
+                  - '*'
+                allowed_actions:
+                  - "kibana_all_write"
+        roles_mapping.yml: |-
+          _meta:
+            type: "rolesmapping"
+            config_version: 2
+          opendistro_security_anonymous_role:
+            backend_roles:
+              - "opendistro_security_anonymous_backendrole"
+          all_access:
+            reserved: true
+            backend_roles:
+              - "admin"
+            description: "Maps admin to all_access"
+          kibana_server:
+            reserved: true
+            users:
+              - "kibanaserver"
+            description: "Maps kibana_server role to kibanaserver user"
+
+# OpenSearch Dashboards — enable anonymous login and disable saved-object
+# permission checks (required so anonymous users can access workspaces
+# created by the init script; OSD doesn't support per-workspace permission
+# grants via the API).
+opensearch-dashboards:
+  config:
+    opensearch_dashboards.yml: |
+      server.host: "0.0.0.0"
+      server.name: "observability-stack-dashboards"
+      opensearch.hosts: ["https://opensearch-cluster-master:9200"]
+      opensearch.username: "admin"
+      opensearch.password: "My_password_123!@#"
+      opensearch.ssl.verificationMode: none
+      opensearch.requestTimeout: 30000
+      opensearch.requestHeadersAllowlist: ["authorization", "securitytenant"]
+      opensearch_security.auth.anonymous_auth_enabled: true
+      savedObjects.permission.enabled: false
+      opensearch_security.multitenancy.enabled: false
+      opensearch_security.readonly_mode.roles: ["kibana_read_only"]
+      console.enabled: true
+      server.maxPayloadBytes: 1048576
+      savedObjects.maxImportPayloadBytes: 26214400
+      csp.strict: false
+      explore.enabled: true
+      explore.discoverTraces.enabled: true
+      explore.discoverMetrics.enabled: true
+      explore.agentTraces.enabled: true
+      workspace.enabled: true
+      data_source.enabled: true
+      data_source.ssl.verificationMode: none
+      datasetManagement.enabled: true
+      data.savedQueriesNewUI.enabled: true
+      opensearchDashboards.branding.useExpandedHeader: false
+      uiSettings.overrides.home:useNewHomePage: true
+      uiSettings.overrides.query:enhancements:enabled: true
+      uiSettings.overrides.explore:experimental: true

charts/observability-stack/values.yaml

@@ -26,15 +26,43 @@ opensearch:
     enabled: true
     size: 8Gi                    # Increase for production (e.g. 100Gi, 500Gi)
     # storageClass: "gp3"       # Uncomment for AWS gp3 (better IOPS/$ than gp2)
+  # JVM heap — set to 50% of resources.requests.memory, max 31g
+  opensearchJavaOpts: "-Xms2g -Xmx2g"
   extraEnvs:
     - name: OPENSEARCH_INITIAL_ADMIN_PASSWORD
       value: "My_password_123!@#"
-    # JVM heap — set to 50% of resources.requests.memory, max 31g
-    - name: OPENSEARCH_JAVA_OPTS
-      value: "-Xms2g -Xmx2g"
   config:
     opensearch.yml: |
       plugins.query.datasources.encryption.masterkey: "BTqK4Ytdz67La1kShIKV3Pu9"
+  # Security config — controls anonymous authentication.
+  # Default: anonymous auth disabled. To enable, use values-anonymous-auth.yaml overlay
+  # or set opensearch.securityConfig.config.data."config.yml" with anonymous_auth_enabled: true.
+  securityConfig:
+    config:
+      dataComplete: false
+      data:
+        config.yml: |-
+          _meta:
+            type: "config"
+            config_version: 2
+          config:
+            dynamic:
+              http:
+                anonymous_auth_enabled: false
+                xff:
+                  enabled: false
+                  internalProxies: "192\\.168\\.0\\.10|192\\.168\\.0\\.11"
+              authc:
+                basic_internal_auth_domain:
+                  description: "Authenticate via HTTP Basic against internal users database"
+                  http_enabled: true
+                  transport_enabled: true
+                  order: 4
+                  http_authenticator:
+                    type: "basic"
+                    challenge: true
+                  authentication_backend:
+                    type: "intern"
 
 # -- OpenSearch Dashboards
 opensearch-dashboards:
@@ -430,6 +458,22 @@ prometheus:
 opensearchUsername: "admin"
 opensearchPassword: "My_password_123!@#"
 
+# -- Anonymous Authentication
+# When enabled, users can access OpenSearch Dashboards without logging in.
+# Anonymous users can browse data, view/create/modify saved objects, explore
+# traces and service maps, run queries, and access the REST API.
+# They cannot delete existing saved objects or perform admin operations.
+#
+# To enable:
+#   helm install obs-stack . -f values-anonymous-auth.yaml
+#
+# Or override individual values:
+#   --set anonymousAuth.enabled=true
+#   (plus the opensearch.securityConfig and opensearch-dashboards.config overrides
+#    shown in values-anonymous-auth.yaml)
+anonymousAuth:
+  enabled: false
+
 # -- OpenSearch Prometheus Exporter
 opensearchExporter:
   enabled: true

terraform/aws/observability-stack.tf

@@ -114,7 +114,10 @@ resource "helm_release" "observability_stack" {
   wait_for_jobs   = true
   cleanup_on_fail = true
 
-  values = [file("${path.module}/values-eks.yaml")]
+  values = concat(
+    [file("${path.module}/values-eks.yaml")],
+    var.anonymous_auth ? [file("${path.module}/../../charts/observability-stack/values-anonymous-auth.yaml")] : []
+  )
 
   # --- TLS / Domain (conditional) ---
   dynamic "set" {
@@ -163,6 +166,12 @@ resource "helm_release" "observability_stack" {
     }
   }
 
+  # --- Examples (conditional) ---
+  set {
+    name  = "examples.enabled"
+    value = var.enable_examples ? "true" : "false"
+  }
+
   depends_on = [
     helm_release.aws_lb_controller,
   ]

terraform/aws/values-eks.yaml

@@ -19,11 +19,10 @@ opensearch:
     limits:
       memory: "4Gi"
       cpu: "4000m"
+  opensearchJavaOpts: "-Xms2g -Xmx2g"
   extraEnvs:
     - name: OPENSEARCH_INITIAL_ADMIN_PASSWORD
       value: "My_password_123!@#"
-    - name: OPENSEARCH_JAVA_OPTS
-      value: "-Xms2g -Xmx2g"
 
 opensearch-dashboards:
   replicaCount: 3
@@ -58,6 +57,7 @@ prometheus:
     persistentVolume:
       enabled: true
       size: 50Gi
+      storageClass: gp2
     resources:
       requests:
         memory: "2Gi"

terraform/aws/variables.tf

@@ -30,7 +30,7 @@ variable "node_instance_type" {
 variable "node_count" {
   description = "Number of EKS worker nodes"
   type        = number
-  default     = 2
+  default     = 3
 }
 
 # ============================================================================