Use random password on >=2.12

Signed-off-by: Thomas Farr <[email protected]>
opensearch-project · Jan 17, 2024 · 3a3c282 · 3a3c282
1 parent bf0f213
commit 3a3c282
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 8 deletions.
diff --git a/.github/actions/run-released-opensearch/action.yml b/.github/actions/run-released-opensearch/action.yml
@@ -11,6 +11,9 @@ outputs:
   opensearch_url:
     description: The URL where the OpenSearch node is accessible
     value: ${{ steps.opensearch.outputs.opensearch_url }}
+  admin_password:
+    description: The initial admin password
+    value: ${{ steps.opensearch.outputs.admin_password }}
 runs:
   using: composite
   steps:

diff --git a/.github/actions/start-opensearch/action.yml b/.github/actions/start-opensearch/action.yml
@@ -8,6 +8,9 @@ outputs:
   opensearch_url:
     description: The URL where the OpenSearch node is accessible
     value: ${{ steps.opensearch.outputs.url }}
+  admin_password:
+    description: The initial admin password
+    value: ${{ steps.opensearch.outputs.password }}
 runs:
   using: composite
   steps:
@@ -24,7 +27,7 @@ runs:
         if [[ "$RUNNER_OS" == "macOS" ]]; then
           brew install -q coreutils
         fi
-        OPENSEARCH_HOME=$(realpath ./opensearch-*)
+        OPENSEARCH_HOME=$(realpath ./opensearch-[1-9]*)
         CONFIG_DIR=$OPENSEARCH_HOME/config
         CONFIG_FILE=$CONFIG_DIR/opensearch.yml
         SECURITY_DIR=$OPENSEARCH_HOME/plugins/opensearch-security
@@ -34,21 +37,22 @@ runs:
         cp ./client/.ci/opensearch/opensearch.yml $CONFIG_FILE
 
         bash ./client/.ci/generate-certs.sh
+        
+        export OPENSEARCH_INITIAL_ADMIN_PASSWORD=admin
 
         if [[ -d "$SECURITY_DIR" ]]; then
           if [[ "$SECURED" == "true" ]]; then
-            DEMO_CONFIG_SCRIPT="$SECURITY_DIR/tools/install_demo_configuration.sh"
             SECURITY_VERSION=$(cat $SECURITY_DIR/plugin-descriptor.properties | grep '^version=' | cut -d'=' -f 2)
             SECURITY_VERSION_COMPONENTS=(${SECURITY_VERSION//./ })
             SECURITY_MAJOR="${SECURITY_VERSION_COMPONENTS[0]}"
             SECURITY_MINOR="${SECURITY_VERSION_COMPONENTS[1]}"
         
             if (( $SECURITY_MAJOR > 2 || ( $SECURITY_MAJOR == 2 && $SECURITY_MINOR >= 12 ) )); then
-              OPENSEARCH_INITIAL_ADMIN_PASSWORD=admin bash "$DEMO_CONFIG_SCRIPT" -y -i -s -t
-            else
-              bash "$DEMO_CONFIG_SCRIPT" -y -i -s
+              export OPENSEARCH_INITIAL_ADMIN_PASSWORD=$(LC_ALL=C tr -dc A-Za-z0-9 </dev/urandom | head -c 16)
             fi
         
+            bash "$SECURITY_DIR/tools/install_demo_configuration.sh" -y -i -s
+        
             sed -i.bak -e 's/plugins.security.audit.type:.*/plugins.security.audit.type: log4j/' $CONFIG_FILE
             cp ./client/.ci/opensearch/*.pem $CONFIG_DIR/
             URL="https://localhost:9200"
@@ -61,7 +65,11 @@ runs:
           sed -i.bak -e 's/bootstrap.memory_lock:.*/bootstrap.memory_lock: false/' $CONFIG_FILE
         fi
 
-        echo "url=$URL" >> $GITHUB_OUTPUT
+        {
+          echo "url=$URL"
+          echo "password=$OPENSEARCH_INITIAL_ADMIN_PASSWORD"
+        } | tee -a $GITHUB_OUTPUT
+        
         if [[ "$RUNNER_OS" == "Linux" ]]; then
           sudo swapoff -a
           sudo sysctl -w vm.swappiness=1
@@ -78,7 +86,7 @@ runs:
 
         for attempt in {1..20}; do
           sleep 5
-          if curl -k -sS --cacert ./client/.ci/certs/root-ca.crt -u admin:admin $URL; then
+          if curl -k -sS --cacert ./client/.ci/certs/root-ca.crt -u admin:${OPENSEARCH_INITIAL_ADMIN_PASSWORD} $URL; then
             echo '=====> ready'
             exit 0
           fi

diff --git a/.github/workflows/integration-yaml-tests.yml b/.github/workflows/integration-yaml-tests.yml
@@ -109,13 +109,18 @@ jobs:
         uses: ./client/.github/actions/build-opensearch
         with:
           ref: ${{ matrix.opensearch_ref }}
+          security_plugin: true
 
       - name: Unpack OpenSearch
-        run: tar -xzf ${{ steps.opensearch_build.outputs.distribution }}
+        run: |
+          tar -xzf ${{ steps.opensearch_build.outputs.distribution }} \
+          && ./opensearch-*/bin/opensearch-plugin install --batch file://$(realpath ./opensearch-security/build/distributions/opensearch-security-*-SNAPSHOT.zip)
 
       - name: Start OpenSearch
         id: opensearch
         uses: ./client/.github/actions/start-opensearch
+        with:
+          secured: true
 
       - name: Run YAML tests
         working-directory: client
@@ -124,9 +129,12 @@ jobs:
             --project ./tests/Tests.YamlRunner/Tests.YamlRunner.fsproj \
             -- \
             --endpoint $OPENSEARCH_URL \
+            --auth-cert ./.ci/certs/kirk.p12 \
+            --auth-cert-pass kirk \
             --junit-output-file ./test-results.xml
         env:
           OPENSEARCH_URL: ${{ steps.opensearch.outputs.opensearch_url }}
+          ADMIN_PASS: ${{ steps.opensearch.outputs.admin_password }}
 
       - name: Save OpenSearch logs
         if: failure()