Two queries related to opendistro_security index and REST api -
Referring to opendistro docker images & helm charts, the script install_demo_configuration.sh is used in the docker entrypoint to generate demo certificates and configure elasticsearch.yml accordingly.
But can you help me understand when it actually runs securityadmin.sh to initialize the .opendistro_security index for the 1st time?
I see that by default opendistro_security.allow_default_init_securityindex is true.
As I install the helm chart, the opendistro_security index gets created, but I am unable to find the script where it actually executes securityadmin.sh.
Assuming it does run securityadmin.sh on the pod’s entrypoint, then how will the security config changes done via the REST API survive helm upgrades?
a) Install helm chart with default security configurations.
b) Use the security REST API or Kibana UI to add new users, roles etc.
c) Upgrade the helm chart with the addition of new envs etc., which results in the elasticsearch pods restarting.
Now, the new pods again run securityadmin.sh on their docker-entrypoint and they will update the opendistro_security index with the default security configurations. That way the new roles, users and configurations made in step (b) would be lost and replaced with the defaults in the .yml files.
Is this the expected behaviour and is there a better way to handle this especially in helm environments?