issues with basic securityconfig from userguide

[treknado]

Hello,
i followed the userguide and the first approach with demo configurations worked like expected.
since i would like to use keycloak as authentication provider, according to the userguide i have to configure the securityconfig. I have done this, but unfortunately the examples do not work for me and the cluster does not start properly.

Hopefully you can show me my error and help me fix it.

below I provide my configuration and logs

Config

opensearch.yaml

apiVersion: opensearch.opster.io/v1
kind: OpenSearchCluster
metadata:
  name: my-first-cluster
  namespace: my-namespace
spec:
  general:
    httpPort: 9200
    serviceName: my-first-cluster
    version: 2.7.0
  security:
    tls:  # Everything related to TLS configuration
      transport:  # Configuration of the transport endpoint
        generate: true  # Have the operator generate and sign certificates
        perNode: true  # Separate certificate per node
    config:  # Everything related to the securityconfig
      securityConfigSecret:
        name:  securityconfig-secret # Name of the secret that contains the securityconfig files
      adminCredentialsSecret:
        name: admin-credentials-secret # Name of a secret that contains username/password for admin access
  nodePools:
    - component: nodes
      replicas: 3
      diskSize: "5Gi"
      nodeSelector:
      resources:
         requests:
            memory: "2Gi"
            cpu: "500m"
         limits:
            memory: "2Gi"
            cpu: "500m"
      roles:
        - "cluster_manager"
        - "data"
      labels:
        app: Opensearch

customadmin.yaml

apiVersion: v1
kind: Secret
metadata:
  name: admin-credentials-secret
  namespace: my-namespace
type: Opaque
data:
  username: XXX
  password: xxx

securityconfig-secret.yaml

only hash from admin changed

LOGS

my-first-cluster-securityconfig-update logs:

Waiting to connect to the cluster
Waiting to connect to the cluster
Waiting to connect to the cluster

my-first-cluster-nodes-0 logs

[2023-05-31T12:37:09,810][INFO ][o.o.s.c.ConfigurationRepository] [my-first-cluster-nodes-0] Will not attempt to create index .opendistro_security and default configs if they are absent. Use securityadmin to initialize cluster
[2023-05-31T12:37:09,810][INFO ][o.o.d.PeerFinder         ] [my-first-cluster-nodes-0] setting findPeersInterval to [1s] as node commission status = [true] for local node [{my-first-cluster-nodes-0}{j1he0alGQGm5KVXBOyrV_g}{3ONDIoMLQhGc0QIslXJF2w}{my-first-cluster-nodes-0}{100.121.40.36:9300}{dm}{shard_indexing_pressure_enabled=true}]
[2023-05-31T12:37:09,812][INFO ][o.o.s.c.ConfigurationRepository] [my-first-cluster-nodes-0] Background init thread started. Install default config?: false
[2023-05-31T12:37:09,813][INFO ][o.o.s.OpenSearchSecurityPlugin] [my-first-cluster-nodes-0] 0 OpenSearch Security modules loaded so far: []
[2023-05-31T12:37:09,818][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [my-first-cluster-nodes-0] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)

my-first-cluster-bootstrap-0 logs

[2023-05-31T12:36:12,301][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [my-first-cluster-bootstrap-0] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)

best regards

[swoehrl-mw]

Hi @treknado please add the option to configure tls for the http port and then try again:

spec:
  security:
    tls:
      http:
        generate: true

There is a deficit that as soon as one part of tls security is configured the demo configuration is completly disabled and that leads to the http port not being configured with TLS. But the securityconfig-update-job always expects TLS to be enabled.

[treknado]

Hello @swoehrl-mw,
thank you for the fast response. added your config and it works like expected.

Due to internal regulations I have to use istio as a virtual service to expose dashboards to the internet.

unfortunately I run into the same error as described above when i activate istio on the namespace.
This thread features my ongoing istio integration with the demo OpenSearch setup.

asked in a different way:
since we use istio we actually use the security plugin only to set the admin password and to add the config.yml with the keycloak authentication. Is there a way to do this without the security plugin ?

[swoehrl-mw]

Hi @treknado. The way the operator is written it cannot deploy opensearch without the security plugin and it also cannot disable TLS for opensearch (for dashboards it's optional). And anything relating to authentication must be done via the security plugin, there is no way around it.