[Feature Request] Allow resolving environment variables while using opensearch-security plugin #16806

Closed
burzala opened this issue Dec 9, 2024 · 1 comment
Labels
enhancement Enhancement or improvement to existing feature or request Plugins untriaged

burzala commented Dec 9, 2024

Is your feature request related to a problem? Please describe

It looks like it is not possible to pass sensitive values to the opensearch-security plugin configuration, which is stored under <OPENSEARCH_CONFIG_HOME>/opensearch-security/config.yml.

Let's say I have an LDAP password configured like below:

config:
  dynamic:
    authc:
      ldap:
        authentication_backend:
          type: ldap
          config:
            password: SomeSecretText

but I don't want to pass my SomeSecretText in plain text form since it's a sensitive value. Instead, I would like to use the ${env.LDAP_PASSWORD} syntax to take it from the environment variable.

Describe the solution you'd like

Generally, the opensearch-security plugin supports environment variables, but this option is not supported by the operator.

If we look at the existing parameters for the securityadmin.sh script, we can see that the option below is available:

 -rev,--resolve-env-vars                        Resolve/Substitute env
                                                vars in config with their
                                                value before uploading

However, the same is not used within the operator.

I did a small experiment, and it looks like building the image with the -rev parameter injected in the following places makes everything work as expected:

(a) opensearch-operator/pkg/reconcilers/securityconfig.go

BEFORE:

until $ADMIN -cacert %s -cert %s -key %s -cd %s -icl -nhnv -h %s -p %v || (( count++ >= 20 ));

AFTER:

until $ADMIN -rev -cacert %s -cert %s -key %s -cd %s -icl -nhnv -h %s -p %v || (( count++ >= 20 ));

(b) opensearch-operator/pkg/reconcilers/securityconfig_test.go

BEFORE:

until $ADMIN -cacert /certs/ca.crt -cert /certs/tls.crt -key /certs/tls.key -cd /usr/share/opensearch/config/opensearch-security -icl -nhnv -h no-securityconfig-tls-configured.no-securityconfig-tls-configured.svc.cluster.local -p 9200 || (( count++ >= 20 ));

AFTER:

until $ADMIN -rev -cacert /certs/ca.crt -cert /certs/tls.crt -key /certs/tls.key -cd /usr/share/opensearch/config/opensearch-security -icl -nhnv -h no-securityconfig-tls-configured.no-securityconfig-tls-configured.svc.cluster.local -p 9200 || (( count++ >= 20 ));

Would it be possible to have the -rev option supported in the operator? (by default or by some operator setting)

Related component

Plugins

Describe alternatives you've considered

No response

Additional context

No response

@burzala burzala added enhancement Enhancement or improvement to existing feature or request untriaged labels Dec 9, 2024
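
A pre-flight check that could run before securityadmin.sh is invoked with -rev, as an added example that is not part of the original issue or of the project's code: it lists the ${env.NAME} placeholders in a config file, reports any whose variable is missing from the exported environment, and flags password keys that still hold a literal. The function names and the second "ldap2" domain in the constructed sample are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pre-flight checks for a security config before `securityadmin.sh -rev`.

# Names referenced as ${env.NAME} in file $1, one per line, de-duplicated.
env_placeholders() {
  grep -o '\${env\.[A-Za-z_][A-Za-z0-9_]*}' "$1" | sed 's/^\${env\.//; s/}$//' | sort -u
}

# Print referenced variables that are unset or empty in the exported environment
# (the one a child securityadmin process would inherit); return 1 if any are missing.
missing_env_vars() {
  _status=0
  for _name in $(env_placeholders "$1"); do
    if [ -z "$(printenv "$_name")" ]; then
      echo "$_name"
      _status=1
    fi
  done
  return $_status
}

# Line numbers of `password:` keys whose value is a literal rather than a placeholder.
plaintext_password_lines() {
  grep -n '^[[:space:]]*password:' "$1" | grep -v '\${env\.' | cut -d: -f1
}

# Constructed sample based on the LDAP snippet in the issue; "ldap2" is illustrative.
write_sample_config() {
  cat > "$1" <<'EOF'
config:
  dynamic:
    authc:
      ldap:
        authentication_backend:
          type: ldap
          config:
            password: ${env.LDAP_PASSWORD}
      ldap2:
        authentication_backend:
          type: ldap
          config:
            password: SomeSecretText
EOF
}

sample=$(mktemp)
write_sample_config "$sample"
echo "placeholders: $(env_placeholders "$sample")"
echo "missing from environment: $(missing_env_vars "$sample")"
echo "literal password on line: $(plaintext_password_lines "$sample")"
rm -f "$sample"
```
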

burzala commented Dec 9, 2024

I used the wrong place accidentally :( New item available here: opensearch-project/opensearch-k8s-operator#914

@burzala burzala closed this as not planned Won't fix, can't repro, duplicate, stale Dec 9, 2024