How to configure OIDC via the operator?

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
OpenSearch Operator - opensearch-operator-2.4.0

OpenSearch 2.11.1
OS: ubuntu 22.04
Kubernetes: KinD 1.28

Describe the issue:

I am trying to integrate OpenID Connect into OpenSearch via the operator. The dashboard’s OIDC integration works (I can see that SSO is succeeding and it’s requesting an id_token in my IdP logs). Now I’m trying to configure the backend to accept the tokens, but I can’t get masters or nodes to start because they don’t recognize the configuration options via environment variable (see logs section). I feel like I’m missing something very simple.

Configuration:

apiVersion: opensearch.opster.io/v1
kind: OpenSearchCluster
metadata:
  name: local
  namespace: opensearch-cp
spec:
  general:
    version: "2.11.1"
    httpPort: 9200
    vendor: opensearch
    serviceName: my-cluster
    monitoring:
      enable: true
    pluginsList: ["repository-s3"]
    additionalConfig:
      node.store.allow_mmap: "false"
      openid_auth_domain.http_enabled: "true"
      openid_auth_domain.transport_enabled: "true"
      openid_auth_domain.order: "0"
      openid_auth_domain.http_authenticator.type: openid
      openid_auth_domain.http_authenticator.challenge: "false"
      openid_auth_domain.http_authenticator.config.openid_connect_idp.enable_ssl: "true"
      openid_auth_domain.http_authenticator.config.openid_connect_idp.verify_hostnames: "true"
      openid_auth_domain.http_authenticator.config.openid_connect_idp.pemtrustedcas_filepath: /etc/enterprise-ca/ca.crt
      openid_auth_domain.http_authenticator.config.subject_key: sub
      openid_auth_domain.http_authenticator.config.roles_key: roles
      openid_auth_domain.http_authenticator.config.openid_connect_url: https://k8sou.apps.192-168-2-93.nip.io/auth/idp/opensearch/.well-known/openid-configuration
      openid_auth_domain.authentication_backend.type: noop
    additionalVolumes:
    - name: enterprise-ca
      path: /etc/enterprise-ca
      configMap:
        name: enterprise-root-ca.crt
  dashboards:
    version: "2.11.1"
    enable: true
    replicas: 1
    resources:
      requests:
         memory: "1Gi"
         cpu: "500m"
      limits:
         memory: "1Gi"
         cpu: "500m"
    additionalConfig:
      server.name: opensearch.apps.192-168-2-93.nip.io
      opensearch_security.auth.type: "openid"
      opensearch_security.openid.connect_url: https://k8sou.apps.192-168-2-93.nip.io/auth/idp/opensearch/.well-known/openid-configuration
      opensearch_security.openid.base_redirect_url: https://opensearch.apps.192-168-2-93.nip.io/
      opensearch_security.openid.client_id: opensearch
      opensearch_security.openid.client_secret: BLxvl7oMSx8mxpSGpOV0UtRiKArFLMm4n368nzT4cu9cXuVc3AZq69vcPcQ2zetj
      opensearch_security.openid.scope: openid profile email
      opensearch_security.openid.root_ca: /etc/enterprise-ca/ca.crt
      opensearch_security.openid.refresh_tokens: "true"
    additionalVolumes:
    - name: enterprise-ca
      path: /etc/enterprise-ca
      configMap:
        name: enterprise-root-ca.crt
  confMgmt:
    smartScaler: true
  nodePools:
    - component: masters
      replicas: 3
      diskSize: "3Gi"
      nodeSelector:
      resources:
         requests:
            memory: "2Gi"
            cpu: "500m"
         limits:
            memory: "2Gi"
            cpu: "500m"
      roles:
        - "master"
        - "data"
    - component: nodes
      replicas: 1
      diskSize: "3Gi"
      nodeSelector:
      resources:
         requests:
            memory: "2Gi"
            cpu: "500m"
         limits:
            memory: "2Gi"
            cpu: "500m"
      roles:
        - "data"
    - component: coordinators
      replicas: 1
      diskSize: "3Gi"
      nodeSelector:
      resources:
         requests:
            memory: "2Gi"
            cpu: "500m"
         limits:
            memory: "2Gi"
            cpu: "500m"
      roles:
        - "ingest"

Relevant Logs or Screenshots:

java.lang.IllegalArgumentException: unknown setting [openid_auth_domain.http_authenticator.config.roles_key] please check that any required plugins are installed, or check the breaking changes documentation for removed settings
 at org.opensearch.common.settings.AbstractScopedSettings.validate(AbstractScopedSettings.java:608)
 at org.opensearch.common.settings.AbstractScopedSettings.validate(AbstractScopedSettings.java:549)
 at org.opensearch.common.settings.AbstractScopedSettings.validate(AbstractScopedSettings.java:519)
 at org.opensearch.common.settings.AbstractScopedSettings.validate(AbstractScopedSettings.java:489)
 at org.opensearch.common.settings.SettingsModule.<init>(SettingsModule.java:178)
 at org.opensearch.node.Node.<init>(Node.java:578)
 at org.opensearch.node.Node.<init>(Node.java:407)
 at org.opensearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:242)
 at org.opensearch.bootstrap.Bootstrap.setup(Bootstrap.java:242)
 at org.opensearch.bootstrap.Bootstrap.init(Bootstrap.java:404)
 at org.opensearch.bootstrap.OpenSearch.init(OpenSearch.java:180)
 at org.opensearch.bootstrap.OpenSearch.execute(OpenSearch.java:171)
 at org.opensearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:104)
 at org.opensearch.cli.Command.mainWithoutErrorHandling(Command.java:138)
 at org.opensearch.cli.Command.main(Command.java:101)
 at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:137)
 at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:103)

I finally figured it out. The configs need to be added to the security section, not the node or master section.

@mlbiam That’s correct.

  security:
    config:
      adminCredentialsSecret:
        name: admin-credentials-secret  # The secret with the admin credentials for the operator to use
      securityConfigSecret:
        name: securityconfig-secret  # The secret containing your customized securityconfig
    tls:
      transport:
        generate: true
      http:
        generate: true
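As an added example (not posted by anyone in the thread), this is what the `securityconfig-secret` referenced above could contain: the same OpenID settings the question put as flat keys in opensearch.yml, expressed in the nested config.yml format the security plugin reads. The IdP URL, CA path, claim names and namespace are taken from the question; the secret is assumed to also carry the other security config files the operator expects, which are omitted here.

```yaml
# Added example (not from the thread): Secret holding the security plugin's
# config.yml for the operator's securityConfigSecret. Values are copied from
# the question where present; everything else is an assumption.
apiVersion: v1
kind: Secret
metadata:
  name: securityconfig-secret   # matches securityConfigSecret.name above
  namespace: opensearch-cp
type: Opaque
stringData:
  # Assumed: the other security files (internal_users.yml, roles.yml, ...)
  # are also in this secret; they are omitted here.
  config.yml: |
    _meta:
      type: "config"
      config_version: 2
    config:
      dynamic:
        http:
          anonymous_auth_enabled: false
        authc:
          # The flat openid_auth_domain.* keys from the question, nested
          # where the security plugin actually reads them.
          openid_auth_domain:
            http_enabled: true
            transport_enabled: true
            order: 0
            http_authenticator:
              type: openid
              challenge: false   # basic auth below answers challenges
              config:
                subject_key: sub
                roles_key: roles
                openid_connect_url: https://k8sou.apps.192-168-2-93.nip.io/auth/idp/opensearch/.well-known/openid-configuration
                openid_connect_idp:
                  enable_ssl: true
                  verify_hostnames: true
                  pemtrustedcas_filepath: /etc/enterprise-ca/ca.crt  # CA from additionalVolumes
            authentication_backend:
              type: noop
          # Kept so the operator's admin user and Dashboards server user still work.
          basic_internal_auth_domain:
            http_enabled: true
            transport_enabled: true
            order: 1
            http_authenticator:
              type: basic
              challenge: true
            authentication_backend:
              type: intern
```

With this secret in place and referenced from the `security.config.securityConfigSecret` block above, the `openid_auth_domain.*` entries under `general.additionalConfig` must be removed, since those are the keys that produced the `unknown setting` error in the logs.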