# OpenSearch
## Prerequisite

The Resolve Satellite should already be installed in your environment. If you need assistance with installation, refer to the instructions provided in the Resolve Satellite section.

## Configure OpenSearch to allow auth via JWT

For the official instructions, see https://docs.aws.amazon.com/opensearch-service/latest/developerguide/JSON-Web-tokens.html.

OpenSearch 2.11 is the earliest compatible version that can be used for JWT authentication.

Below is an example of how to set up JWT authentication on OpenSearch and create a token.

### Modifying your domain access policy

Before you can configure your domain to use JWT authentication and authorization, you must update your domain access policy to allow JWT users to access the domain.

### Create your permission keys

Use OpenSSL to create the keys:

- `privatekey.pem`: used to sign JWTs
- `publickey.pem`: uploaded to OpenSearch to verify JWTs

```bash
openssl genrsa -out privatekey.pem 2048
openssl rsa -in privatekey.pem -pubout -out publickey.pem
```

### Configure JWT authentication and authorization

The following steps explain how to configure an existing domain for JWT authentication and authorization in the OpenSearch Service console.

1. Under Domain configuration, navigate to JWT authentication and authorization for OpenSearch and select Enable JWT authentication and authorization.
2. Configure the public key to use for your domain. To do this, you can either upload a PEM file containing a public key or enter it manually. Use the key that you generated in the previous section.
3. (Optional) Under Additional settings, you can configure the following optional fields:
   - Subject key: you can leave this field empty to use the default `sub` key for your JWTs.
   - Roles key: you can leave this field empty to use the default `roles` key for your JWTs.

### Create a JWT for Resolve AI

Use a library (e.g., jsonwebtoken in Node.js or PyJWT in Python) to generate a JWT signed with `privatekey.pem`. Examples are shown below.

**Node.js**

First install the following dependencies:

```bash
npm install jsonwebtoken
```

Then create a script to generate your token. You will use:

- the `privatekey.pem` that was generated in the step above
- the subject key and roles key from the step above

```javascript
const fs = require('fs');
const jwt = require('jsonwebtoken');

// Load private key (PEM format)
const privateKey = fs.readFileSync('privatekey.pem', 'utf8');

// Define JWT payload
const payload = {
  sub: 'opensearch user',  // Replace with your OpenSearch username
  roles: ['all_access']    // Replace with OpenSearch role(s) assigned
};

// Optional JWT options
const options = {
  algorithm: 'RS256',
  issuer: '<your issuer>'  // Optional issuer
};

// Generate JWT
const token = jwt.sign(payload, privateKey, options);

// Output the token
console.log('Generated JWT:\n');
console.log(token);
```

Finally, run the script:

```bash
node generate_jwt.js
```

**Python**

First install the following dependencies:

```bash
pip install pyjwt
```

Then create a script to generate your token. You will use:

- the `privatekey.pem` that was generated in the step above
- the subject key and roles key from the step above

```python
import jwt
from datetime import datetime, timedelta

# Load private key from PEM file
with open("privatekey.pem", "r") as f:
    private_key = f.read()

# Define payload (claims)
payload = {
    "sub": "opensearch user",   # Replace with valid OpenSearch username
    "roles": ["all_access"],    # Replace with OpenSearch roles
}

# Create JWT
token = jwt.encode(
    payload,
    private_key,
    algorithm="RS256",  # OpenSearch supports RS256 or ES256
    headers={"alg": "RS256"}
)

print("Generated JWT:\n")
print(token)
```

Finally, run the script:

```bash
python3 generate_jwt.py
```

## Configure the integration in Resolve Satellite

Below is an example of how to set up the OpenSearch integration in the Satellite with the URL property, using a Kubernetes secret (potentially backed by AWS Secrets Manager or another mechanism) for authentication.

### Create a Kubernetes secret

Create a Kubernetes secret of the following form. Note that the structure of the secret is important: for an OpenSearch API key, it must have the top-level key `token: 'token value'`.

`opensearch-resolve-access-token.yml`:

```yaml
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: opensearch-resolve-access-token
stringData:
  token: "<your opensearch jwt token>"
```

To apply the secret, run:

```bash
kubectl apply -f opensearch-resolve-access-token.yml
```

### Configure your OpenSearch JWT token in the Resolve Satellite

Update your Helm values override file (e.g. `resolve-values.yaml`) with the following information.

`resolve-values.yaml`:

```yaml
integrations:
  opensearchIntegration:
    type: opensearch
    create: true
    secretName: "opensearch-resolve-access-token"
    connection:
      url: "<your opensearch endpoint>"
```

Install the Satellite and apply the values from the YAML file that you have just updated (e.g. `resolve-values.yaml`). To find the latest version, visit Resolve AI's Docker Hub repository for the Helm chart and Satellite image.

Apply the config to the Satellite and redeploy:

```bash
helm upgrade --install oci://registry-1.docker.io/resolveaihq/satellite-chart --version <latestchart> --values resolve-values.yaml --set image.tag=<latestimage>
```

Once your Satellite is deployed, we will automatically create an integration instance for you.

## Verify your integration status in Resolve AI

1. Log in to https://app0.resolve.ai/.
2. Go to the Integrations page and select "OpenSearch". You should see an automatically created integration based on the provided configuration.
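
A pre-flight review for the token produced in the "create a JWT for Resolve AI" step, to run before the token is stored in the Kubernetes secret. This is an added example, not code from Resolve AI or AWS; it decodes the header and claims without verifying the signature and reports what the token grants and whether it expires. The names `review_token` and `sample_token` and the sample token itself are assumptions constructed for illustration.

```python
import base64
import json
import time

ALLOWED_ALGS = ("RS256", "ES256")  # algorithms this page names for OpenSearch

def _b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) into a JSON object."""
    obj = json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))
    if not isinstance(obj, dict):
        raise ValueError("segment is not a JSON object")
    return obj

def review_token(token, now=None):
    """Return findings for a compact JWT. The signature is NOT verified here."""
    now = time.time() if now is None else now
    parts = token.strip().split(".")
    if len(parts) != 3:
        return ["not a compact JWT (expected header.payload.signature)"]
    try:
        header, claims = _b64url_json(parts[0]), _b64url_json(parts[1])
    except ValueError:
        return ["header or payload is not a base64url-encoded JSON object"]
    findings = []
    if header.get("alg") not in ALLOWED_ALGS:
        findings.append(f"alg {header.get('alg')!r} is not RS256 or ES256")
    if not claims.get("sub"):
        findings.append("missing sub claim (the default subject key)")
    roles = claims.get("roles")
    if isinstance(roles, str):  # roles may also arrive as a comma-separated string
        roles = [r.strip() for r in roles.split(",")]
    if not isinstance(roles, list) or not any(roles):
        findings.append("missing roles claim (the default roles key)")
    elif "all_access" in roles:
        findings.append("roles include all_access; prefer a narrower role")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)):
        findings.append("no exp claim: the token never expires")
    elif exp <= now:
        findings.append("exp is in the past: the token is already expired")
    return findings

def sample_token(claims, alg="RS256"):
    """Constructed sample: real header/payload encoding, placeholder signature."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": alg}), enc(claims), "c2lnbmF0dXJl"])

if __name__ == "__main__":  # constructed token, same claims as the scripts above
    print(review_token(sample_token({"sub": "opensearch user", "roles": ["all_access"]})))
```

A token built from the same claims as the generator scripts yields two findings: it carries `all_access` and has no `exp`, so anyone who can read the Kubernetes secret holds a non-expiring, full-access credential until the public key on the domain is replaced.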