feat: Allow the configuration of the security plugin (#117)

* test: Add security-config integration test

* feat: Add securityConfig to the CRD; Deploy the initial security configuration

* Deploy security config files only if completely managed by the API

* test(smoke): Use securityConfig

* Deploy security config files only to the managing role group

* Create admin certificate in init container

* Add update-security-config container

* Configure DN of the admin certificate

* Allow only one pod to manage the security configuration

* Validate the security configuration; Fix all unit tests

* Allow to disable the security plugin

* Use a structure for the validated security configuration

* Declare security init containers

* test(backup-restore): Use securityConfig

* test(external-access): Use securityConfig

* test(ldap): Use securityConfig

* test(logging): Use securityConfig

* test(metrics): Use securityConfig

* test(opensearch-dashboards): Use securityConfig

* Rename clusterConfig.security.config to clusterConfig.security.settings; Fix admin DN; Fix integration tests

* Update the CRD documentation

* Rename admin_dn() to super_admin_dn()

* Do not use overrides to determine if TLS is enabled

* Delete unit tests for removed functions

* Update changelog

* Fix shellcheck warnings

* Extend node_config unit test

* Rename ValidatedSecurity::config to settings

* Restructure role group builder

* Move init-keystore script into separate file

* Add security modes to the role group builder

* test(smoke): Fix assertion

* test: Test role group security modes

* Regenerate charts

* Rework RoleGroupSecurityMode

* Test NodeConfig::super_admin_dn

* Remove redundant enum SecurityConfigFileType

* Fix comments

* Test RoleGroupBuilder::security_settings_file_type_managed_by_env_var

* Add ValidatedSecurity::Disabled

* Test the preprocess step

* Rename security_config_managing_role_group to security_config_managing_role_group_default

* Upgrade opensearch-py to version 3.1.0

* Fix tests

* Fix the test cases that work with the original image

* Add support for DEPRECATION log level

* test: Set backoffLimit for all jobs

* Validate node roles; Fix coordinating_only node role

* doc: Document the security plugin configuration

* Rename allow_list.yml to allowlist.yml

* test(smoke): Fix test assertion

* doc: Improve the security documentation

* doc: Remove deprecation warning for the opensearch-operator

* Store the Vector state in /stackable/log/_vector-state

* Update docs/modules/opensearch/pages/usage-guide/security.adoc

Co-authored-by: Malte Sander <malte.sander.it@gmail.com>

* Update rust/operator-binary/src/controller/validate.rs

Co-authored-by: Malte Sander <malte.sander.it@gmail.com>

* Regenerate charts

* test: Fix unit tests

* Regenerate Nix files

* test(smoke): Fix test assertion

---------

Co-authored-by: Malte Sander <malte.sander.it@gmail.com>

Author: siegfriedweber

CHANGELOG.md

@@ -27,6 +27,7 @@ All notable changes to this project will be documented in this file.
   - Configuration parameter `spec.nodes.roleGroups.<role-group-name>.config.discoveryServiceExposed`
     added to expose a role-group via the discovery service.
 - Add support for OpenSearch 3.4.0 ([#108]).
+- Allow the configuration of the OpenSearch security plugin ([#117]).
 
 ### Changed
 
@@ -50,6 +51,7 @@ All notable changes to this project will be documented in this file.
 [#108]: https://github.com/stackabletech/opensearch-operator/pull/108
 [#110]: https://github.com/stackabletech/opensearch-operator/pull/110
 [#114]: https://github.com/stackabletech/opensearch-operator/pull/114
+[#117]: https://github.com/stackabletech/opensearch-operator/pull/117
 [#120]: https://github.com/stackabletech/opensearch-operator/pull/120
 
 ## [25.11.0] - 2025-11-07

Cargo.nix

@@ -47,7 +47,7 @@ esac
 
 echo "Creating OpenSearch security plugin configuration"
 # tag::apply-security-config[]
-kubectl apply -f opensearch-security-config.yaml
+kubectl apply -f initial-opensearch-security-config.yaml
 # end::apply-security-config[]
 
 echo "Creating OpenSearch cluster"
@@ -91,17 +91,40 @@ curl \
     --json '{"name": "Stackable"}' \
     "$OPENSEARCH_HOST/sample_index/_doc/1"
 
-# Output:
-# {"_index":"sample_index","_id":"1","_version":1,"result":"created","_shards":{"total":2,"successful":1,"failed":0},"_seq_no":0,"_primary_term":1}
+# Formatted output:
+# {
+#   "_index": "sample_index",
+#   "_id": "1",
+#   "_version": 1,
+#   "result": "created",
+#   "_shards": {
+#     "total": 2,
+#     "successful": 1,
+#     "failed": 0
+#   },
+#   "_seq_no": 0,
+#   "_primary_term": 1
+# }
+
 
 curl \
     --insecure \
     --user $CREDENTIALS \
     --request GET \
     "$OPENSEARCH_HOST/sample_index/_doc/1"
 
-# Output:
-# {"_index":"sample_index","_id":"1","_version":1,"_seq_no":0,"_primary_term":1,"found":true,"_source":{"name": "Stackable"}}
+# Formatted output:
+# {
+#   "_index": "sample_index",
+#   "_id": "1",
+#   "_version": 1,
+#   "_seq_no": 0,
+#   "_primary_term": 1,
+#   "found": true,
+#   "_source": {
+#     "name": "Stackable"
+#   }
+# }
 # end::rest-api[]
 
 echo

crate-hashes.json

@@ -47,7 +47,7 @@ esac
 
 echo "Creating OpenSearch security plugin configuration"
 # tag::apply-security-config[]
-kubectl apply -f opensearch-security-config.yaml
+kubectl apply -f initial-opensearch-security-config.yaml
 # end::apply-security-config[]
 
 echo "Creating OpenSearch cluster"
@@ -91,17 +91,40 @@ curl \
     --json '{"name": "Stackable"}' \
     "$OPENSEARCH_HOST/sample_index/_doc/1"
 
-# Output:
-# {"_index":"sample_index","_id":"1","_version":1,"result":"created","_shards":{"total":2,"successful":1,"failed":0},"_seq_no":0,"_primary_term":1}
+# Formatted output:
+# {
+#   "_index": "sample_index",
+#   "_id": "1",
+#   "_version": 1,
+#   "result": "created",
+#   "_shards": {
+#     "total": 2,
+#     "successful": 1,
+#     "failed": 0
+#   },
+#   "_seq_no": 0,
+#   "_primary_term": 1
+# }
+
 
 curl \
     --insecure \
     --user $CREDENTIALS \
     --request GET \
     "$OPENSEARCH_HOST/sample_index/_doc/1"
 
-# Output:
-# {"_index":"sample_index","_id":"1","_version":1,"_seq_no":0,"_primary_term":1,"found":true,"_source":{"name": "Stackable"}}
+# Formatted output:
+# {
+#   "_index": "sample_index",
+#   "_id": "1",
+#   "_version": 1,
+#   "_seq_no": 0,
+#   "_primary_term": 1,
+#   "found": true,
+#   "_source": {
+#     "name": "Stackable"
+#   }
+# }
 # end::rest-api[]
 
 echo

docs/modules/opensearch/examples/getting_started/getting_started.sh

@@ -0,0 +1,34 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: initial-opensearch-security-config
+stringData:
+  internal_users.yml: |
+    ---
+    _meta:
+      type: internalusers
+      config_version: 2
+    admin:
+      hash: $2y$10$xRtHZFJ9QhG9GcYhRpAGpufCZYsk//nxsuel5URh0GWEBgmiI4Q/e
+      reserved: true
+      backend_roles:
+      - admin
+      description: OpenSearch admin user
+    kibanaserver:
+      hash: $2y$10$vPgQ/6ilKDM5utawBqxoR.7euhVQ0qeGl8mPTeKhmFT475WUDrfQS
+      reserved: true
+      description: OpenSearch Dashboards user
+  roles_mapping.yml: |
+    ---
+    _meta:
+      type: rolesmapping
+      config_version: 2
+    all_access:
+      reserved: false
+      backend_roles:
+      - admin
+    kibana_server:
+      reserved: true
+      users:
+      - kibanaserver

docs/modules/opensearch/examples/getting_started/getting_started.sh.j2

@@ -17,43 +17,43 @@ config:
       ssl:
         verificationMode: full
         certificateAuthorities:
-          - /stackable/opensearch-dashboards/config/tls/ca.crt
+        - /stackable/opensearch-dashboards/config/tls/ca.crt
     opensearch_security:
       cookie:
         secure: true
 # See https://github.com/opensearch-project/helm-charts/blob/main/charts/opensearch-dashboards/templates/deployment.yaml#L122
 opensearchHosts: ""
 extraEnvs:
-  - name: OPENSEARCH_HOSTS
-    valueFrom:
-      configMapKeyRef:
-        name: simple-opensearch
-        key: OPENSEARCH_HOSTS
-  - name: OPENSEARCH_PASSWORD
-    valueFrom:
-      secretKeyRef:
-        name: opensearch-credentials
-        key: kibanaserver
+- name: OPENSEARCH_HOSTS
+  valueFrom:
+    configMapKeyRef:
+      name: simple-opensearch
+      key: OPENSEARCH_HOSTS
+- name: OPENSEARCH_PASSWORD
+  valueFrom:
+    secretKeyRef:
+      name: opensearch-credentials
+      key: kibanaserver
 extraVolumes:
-  - name: tls
-    ephemeral:
-      volumeClaimTemplate:
-        metadata:
-          annotations:
-            secrets.stackable.tech/class: tls
-            secrets.stackable.tech/scope: service=opensearch-dashboards
-        spec:
-          storageClassName: secrets.stackable.tech
-          accessModes:
-            - ReadWriteOnce
-          resources:
-            requests:
-              storage: "1"
+- name: tls
+  ephemeral:
+    volumeClaimTemplate:
+      metadata:
+        annotations:
+          secrets.stackable.tech/class: tls
+          secrets.stackable.tech/scope: service=opensearch-dashboards
+      spec:
+        storageClassName: secrets.stackable.tech
+        accessModes:
+        - ReadWriteOnce
+        resources:
+          requests:
+            storage: "1"
 extraVolumeMounts:
-  - mountPath: /stackable/opensearch-dashboards/config/tls
-    name: tls
-  - mountPath: /stackable/opensearch-dashboards/config/opensearch_dashboards.yml
-    name: config
-    subPath: opensearch_dashboards.yml
+- mountPath: /stackable/opensearch-dashboards/config/tls
+  name: tls
+- mountPath: /stackable/opensearch-dashboards/config/opensearch_dashboards.yml
+  name: config
+  subPath: opensearch_dashboards.yml
 podSecurityContext:
   fsGroup: 1000