Configuration⚓︎
How the BB is configured - with examples etc.
How to put health checks into different namespaces⚓︎
In the reference deployment, all health checks are in resource-health namespace, together with all the other parts of Resource Health BB, such as Check API, Telemetry API, OpenSearch, OpenTelemetry (OTel) Collector, etc.
It could be useful to put health checks into separate namespaces, for example, to have a separate namespace for each user (or user group). You might also wish to run the health checks in a separate (virtual) cluster. The steps below will focus on the use case of putting health checks into per-user namespaces, with some notes on how to run them in a different (virtual) cluster. It should not be difficult to adapt this to other setups.
How to put the checks into per-user namespaces:
- Create a namespace for each user
-
Implement
get_k8s_namespacehook to get the namespace based onuserid(see Hooks Tutorial)Info
In case you want the checks to run on another cluster, you should also implement
get_k8s_configto return an appropriate K8s config. -
Now we need to ensure that the health checks can still communicate with the other parts of Resource Health. That means sending the telemetry to OTel Collector, and querying the previous telemetry from OpenSearch. We need to use Fully Qualified Domain Name (FQDN) for both OTel Collector and OpenSearch endpoint. Specifically, use FQDN for
DEFAULT_COLLECTOR_URL_NO_PROTOCOLandDEFAULT_PROXY_REMOTE_DOMAINhere. Alternatively, use FQDN forcollector_url_no_protocolandproxy_remote_domainparameters tosimple_runner_templatefunction for each check template here. Socollector_url_no_protocolshould beresource-health-opentelemetry-collector.<collector-namespace>.<internal-domain>:4317, for exampleresource-health-opentelemetry-collector.resource-health.svc.cluster.local:4317for the reference deployment.proxy_remote_domainshould behttps://opensearch-cluster-master-headless.<opensearch-namespace>.<internal-domain>:9200.Info
In case you want the checks to run on another cluster, you should ensure that sending telemetry to OTel Collector and querying telemetry from OpenSearch is still possible. For OTel Collector, we would recommend to deploy one in the same cluster as the health checks, based on the OTel Collector in the reference deployment here. The OTel Collector could just forward everything to the main one (if such exists). For OpenSearch, you need to ensure that query endpoint is accessible, for example by exposing it to the outside.
Auth⚓︎
OpenID Connect⚓︎
Resource Health BB is designed to work with any OpenID Provider. To integrate with you OpenID Provider you just need to point OpenSearch, Health Check API, and Telemetry API to it.
Specifically, you need to:
- Configure OpenSearch to use your OpenID Provider by following this. See an example here.
- Set
OPEN_ID_CONNECT_URLandOPEN_ID_CONNECT_AUDIENCEenvironment variables here for Health Check Api, and here for Telemetry API.
Alternative Auth Schemes⚓︎
To use some other auth scheme (such as basic HTTP auth), you need to:
- Configure OpenSearch authentication, see here.
- Implement Health Check API hooks
get_fastapi_securityandon_authbased on examples here. - Implement Telemetry API hooks
get_fastapi_security,on_auth, andget_opensearch_configbased on the example here. - For health checks to be able to access telemetry using alternative authentication methods:
Resource Health APIs⚓︎
Resource Health APIs authentication and authorization is configured through hooks, see Hooks Tutorial and Hooks Documentation.
OpenSearch⚓︎
OpenSearch configuration for the reference deployment is defined here
Index⚓︎
Currently all the health check telemetry is written to ss4o_traces-default-namespace index. The index is created by OTel Collector OpenSearch exporter. In particular, this means that the index will not exist until the first health check telemetry gets to OpenSearch.
Info
ss4o_traces-default-namespace index name is generated by the formula by OTel Collector OpensSearch exporter, see here. So to change the index name you need to:
- Update the OpenSearch Exporter configuration here.
- Update document-level security filter to the new namespace.
- Point Telemetry API to the new index here.
- Point health checks which use previous telemetry to the new index here.
You should also consider doing index management optimized for data streams, such as rotating backing indices, deleting old data, etc., see Data Streams and Index State Management for more.
Document-level security⚓︎
Each trace is tagged with user.id of the user who created the check. To give a user access to telemetry annotated with their user.id, give the user the role own_trace_data_access, which is defined here. This uses document-level security feature of OpenSearch.
Info
The current user.id annotation is meant to signal who is allowed to view the health check telemetry. For a different or more complex security model, you would need to tag the OTel traces with identifier(s) to be used in authorization decisions, and to create a document-level-security role similar to this, but with a different filtering condition.