feat: Allow the configuration of the security plugin

CHANGELOG.md

@@ -27,6 +27,7 @@ All notable changes to this project will be documented in this file.
   - Configuration parameter `spec.nodes.roleGroups.<role-group-name>.config.discoveryServiceExposed`
     added to expose a role-group via the discovery service.
 - Add support for OpenSearch 3.4.0 ([#108]).
+- Allow the configuration of the OpenSearch security plugin ([#117]).
 
 ### Changed
 
@@ -49,6 +50,7 @@ All notable changes to this project will be documented in this file.
 [#108]: https://github.com/stackabletech/opensearch-operator/pull/108
 [#110]: https://github.com/stackabletech/opensearch-operator/pull/110
 [#114]: https://github.com/stackabletech/opensearch-operator/pull/114
+[#117]: https://github.com/stackabletech/opensearch-operator/pull/117
 
 ## [25.11.0] - 2025-11-07
 

docs/modules/opensearch/examples/getting_started/getting_started.sh

@@ -47,7 +47,7 @@ esac
 
 echo "Creating OpenSearch security plugin configuration"
 # tag::apply-security-config[]
-kubectl apply -f opensearch-security-config.yaml
+kubectl apply -f initial-opensearch-security-config.yaml
 # end::apply-security-config[]
 
 echo "Creating OpenSearch cluster"
@@ -91,17 +91,40 @@ curl \
     --json '{"name": "Stackable"}' \
     "$OPENSEARCH_HOST/sample_index/_doc/1"
 
-# Output:
-# {"_index":"sample_index","_id":"1","_version":1,"result":"created","_shards":{"total":2,"successful":1,"failed":0},"_seq_no":0,"_primary_term":1}
+# Formatted output:
+# {
+#   "_index": "sample_index",
+#   "_id": "1",
+#   "_version": 1,
+#   "result": "created",
+#   "_shards": {
+#     "total": 2,
+#     "successful": 1,
+#     "failed": 0
+#   },
+#   "_seq_no": 0,
+#   "_primary_term": 1
+# }
+
 
 curl \
     --insecure \
     --user $CREDENTIALS \
     --request GET \
     "$OPENSEARCH_HOST/sample_index/_doc/1"
 
-# Output:
-# {"_index":"sample_index","_id":"1","_version":1,"_seq_no":0,"_primary_term":1,"found":true,"_source":{"name": "Stackable"}}
+# Formatted output:
+# {
+#   "_index": "sample_index",
+#   "_id": "1",
+#   "_version": 1,
+#   "_seq_no": 0,
+#   "_primary_term": 1,
+#   "found": true,
+#   "_source": {
+#     "name": "Stackable"
+#   }
+# }
 # end::rest-api[]
 
 echo

docs/modules/opensearch/examples/getting_started/getting_started.sh.j2

@@ -47,7 +47,7 @@ esac
 
 echo "Creating OpenSearch security plugin configuration"
 # tag::apply-security-config[]
-kubectl apply -f opensearch-security-config.yaml
+kubectl apply -f initial-opensearch-security-config.yaml
 # end::apply-security-config[]
 
 echo "Creating OpenSearch cluster"
@@ -91,17 +91,40 @@ curl \
     --json '{"name": "Stackable"}' \
     "$OPENSEARCH_HOST/sample_index/_doc/1"
 
-# Output:
-# {"_index":"sample_index","_id":"1","_version":1,"result":"created","_shards":{"total":2,"successful":1,"failed":0},"_seq_no":0,"_primary_term":1}
+# Formatted output:
+# {
+#   "_index": "sample_index",
+#   "_id": "1",
+#   "_version": 1,
+#   "result": "created",
+#   "_shards": {
+#     "total": 2,
+#     "successful": 1,
+#     "failed": 0
+#   },
+#   "_seq_no": 0,
+#   "_primary_term": 1
+# }
+
 
 curl \
     --insecure \
     --user $CREDENTIALS \
     --request GET \
     "$OPENSEARCH_HOST/sample_index/_doc/1"
 
-# Output:
-# {"_index":"sample_index","_id":"1","_version":1,"_seq_no":0,"_primary_term":1,"found":true,"_source":{"name": "Stackable"}}
+# Formatted output:
+# {
+#   "_index": "sample_index",
+#   "_id": "1",
+#   "_version": 1,
+#   "_seq_no": 0,
+#   "_primary_term": 1,
+#   "found": true,
+#   "_source": {
+#     "name": "Stackable"
+#   }
+# }
 # end::rest-api[]
 
 echo

docs/modules/opensearch/examples/getting_started/initial-opensearch-security-config.yaml

@@ -0,0 +1,34 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: initial-opensearch-security-config
+stringData:
+  internal_users.yml: |
+    ---
+    _meta:
+      type: internalusers
+      config_version: 2
+    admin:
+      hash: $2y$10$xRtHZFJ9QhG9GcYhRpAGpufCZYsk//nxsuel5URh0GWEBgmiI4Q/e
+      reserved: true
+      backend_roles:
+      - admin
+      description: OpenSearch admin user
+    kibanaserver:
+      hash: $2y$10$vPgQ/6ilKDM5utawBqxoR.7euhVQ0qeGl8mPTeKhmFT475WUDrfQS
+      reserved: true
+      description: OpenSearch Dashboards user
+  roles_mapping.yml: |
+    ---
+    _meta:
+      type: rolesmapping
+      config_version: 2
+    all_access:
+      reserved: false
+      backend_roles:
+      - admin
+    kibana_server:
+      reserved: true
+      users:
+      - kibanaserver

docs/modules/opensearch/examples/getting_started/opensearch-dashboards-values.yaml

@@ -17,43 +17,43 @@ config:
       ssl:
         verificationMode: full
         certificateAuthorities:
-          - /stackable/opensearch-dashboards/config/tls/ca.crt
+        - /stackable/opensearch-dashboards/config/tls/ca.crt
     opensearch_security:
       cookie:
         secure: true
 # See https://github.com/opensearch-project/helm-charts/blob/main/charts/opensearch-dashboards/templates/deployment.yaml#L122
 opensearchHosts: ""
 extraEnvs:
-  - name: OPENSEARCH_HOSTS
-    valueFrom:
-      configMapKeyRef:
-        name: simple-opensearch
-        key: OPENSEARCH_HOSTS
-  - name: OPENSEARCH_PASSWORD
-    valueFrom:
-      secretKeyRef:
-        name: opensearch-credentials
-        key: kibanaserver
+- name: OPENSEARCH_HOSTS
+  valueFrom:
+    configMapKeyRef:
+      name: simple-opensearch
+      key: OPENSEARCH_HOSTS
+- name: OPENSEARCH_PASSWORD
+  valueFrom:
+    secretKeyRef:
+      name: opensearch-credentials
+      key: kibanaserver
 extraVolumes:
-  - name: tls
-    ephemeral:
-      volumeClaimTemplate:
-        metadata:
-          annotations:
-            secrets.stackable.tech/class: tls
-            secrets.stackable.tech/scope: service=opensearch-dashboards
-        spec:
-          storageClassName: secrets.stackable.tech
-          accessModes:
-            - ReadWriteOnce
-          resources:
-            requests:
-              storage: "1"
+- name: tls
+  ephemeral:
+    volumeClaimTemplate:
+      metadata:
+        annotations:
+          secrets.stackable.tech/class: tls
+          secrets.stackable.tech/scope: service=opensearch-dashboards
+      spec:
+        storageClassName: secrets.stackable.tech
+        accessModes:
+        - ReadWriteOnce
+        resources:
+          requests:
+            storage: "1"
 extraVolumeMounts:
-  - mountPath: /stackable/opensearch-dashboards/config/tls
-    name: tls
-  - mountPath: /stackable/opensearch-dashboards/config/opensearch_dashboards.yml
-    name: config
-    subPath: opensearch_dashboards.yml
+- mountPath: /stackable/opensearch-dashboards/config/tls
+  name: tls
+- mountPath: /stackable/opensearch-dashboards/config/opensearch_dashboards.yml
+  name: config
+  subPath: opensearch_dashboards.yml
 podSecurityContext:
   fsGroup: 1000

docs/modules/opensearch/examples/getting_started/opensearch-dashboards-values.yaml.j2

@@ -17,43 +17,43 @@ config:
       ssl:
         verificationMode: full
         certificateAuthorities:
-          - /stackable/opensearch-dashboards/config/tls/ca.crt
+        - /stackable/opensearch-dashboards/config/tls/ca.crt
     opensearch_security:
       cookie:
         secure: true
 # See https://github.com/opensearch-project/helm-charts/blob/main/charts/opensearch-dashboards/templates/deployment.yaml#L122
 opensearchHosts: ""
 extraEnvs:
-  - name: OPENSEARCH_HOSTS
-    valueFrom:
-      configMapKeyRef:
-        name: simple-opensearch
-        key: OPENSEARCH_HOSTS
-  - name: OPENSEARCH_PASSWORD
-    valueFrom:
-      secretKeyRef:
-        name: opensearch-credentials
-        key: kibanaserver
+- name: OPENSEARCH_HOSTS
+  valueFrom:
+    configMapKeyRef:
+      name: simple-opensearch
+      key: OPENSEARCH_HOSTS
+- name: OPENSEARCH_PASSWORD
+  valueFrom:
+    secretKeyRef:
+      name: opensearch-credentials
+      key: kibanaserver
 extraVolumes:
-  - name: tls
-    ephemeral:
-      volumeClaimTemplate:
-        metadata:
-          annotations:
-            secrets.stackable.tech/class: tls
-            secrets.stackable.tech/scope: service=opensearch-dashboards
-        spec:
-          storageClassName: secrets.stackable.tech
-          accessModes:
-            - ReadWriteOnce
-          resources:
-            requests:
-              storage: "1"
+- name: tls
+  ephemeral:
+    volumeClaimTemplate:
+      metadata:
+        annotations:
+          secrets.stackable.tech/class: tls
+          secrets.stackable.tech/scope: service=opensearch-dashboards
+      spec:
+        storageClassName: secrets.stackable.tech
+        accessModes:
+        - ReadWriteOnce
+        resources:
+          requests:
+            storage: "1"
 extraVolumeMounts:
-  - mountPath: /stackable/opensearch-dashboards/config/tls
-    name: tls
-  - mountPath: /stackable/opensearch-dashboards/config/opensearch_dashboards.yml
-    name: config
-    subPath: opensearch_dashboards.yml
+- mountPath: /stackable/opensearch-dashboards/config/tls
+  name: tls
+- mountPath: /stackable/opensearch-dashboards/config/opensearch_dashboards.yml
+  name: config
+  subPath: opensearch_dashboards.yml
 podSecurityContext:
   fsGroup: 1000

docs/modules/opensearch/examples/getting_started/opensearch.yaml

@@ -6,6 +6,44 @@ metadata:
 spec:
   image:
     productVersion: 3.4.0
+  clusterConfig:
+    security:
+      settings:
+        config:
+          managedBy: API
+          content:
+            value:
+              _meta:
+                type: config
+                config_version: 2
+              config:
+                dynamic:
+                  authc:
+                    basic_internal_auth_domain:
+                      description: Authenticate via HTTP Basic against internal users database
+                      http_enabled: true
+                      transport_enabled: true
+                      order: 1
+                      http_authenticator:
+                        type: basic
+                        challenge: true
+                      authentication_backend:
+                        type: intern
+                  authz: {}
+        internalUsers:
+          managedBy: API
+          content:
+            valueFrom:
+              secretKeyRef:
+                name: initial-opensearch-security-config
+                key: internal_users.yml
+        rolesMapping:
+          managedBy: API
+          content:
+            valueFrom:
+              secretKeyRef:
+                name: initial-opensearch-security-config
+                key: roles_mapping.yml
   nodes:
     roleConfig:
       discoveryServiceListenerClass: external-stable
@@ -14,18 +52,4 @@ spec:
         replicas: 3
     configOverrides:
       opensearch.yml:
-        plugins.security.allow_default_init_securityindex: "true"
         plugins.security.restapi.roles_enabled: all_access
-    podOverrides:
-      spec:
-        containers:
-          - name: opensearch
-            volumeMounts:
-              - name: security-config
-                mountPath: /stackable/opensearch/config/opensearch-security
-                readOnly: true
-        volumes:
-          - name: security-config
-            secret:
-              secretName: opensearch-security-config
-              defaultMode: 0o660