How to protect truststore_password deploying with Helm

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
Detected OpenSearch Version: x-content-2.11.0
Detected OpenSearch Security Version: 2.11.0.0

Describe the issue:

I’m deploying OpenSearch with Helm.
I’m trying to configure connection to LDAP server for authentication and authorization. As the connection is with LDAPS, I provide a truststore with the CA certificates for the LDAP server, and I have to provide the password for the truststore file.

I managed to get it working, but with the password for the truststore file in clear text in the opensearch.yml file.

The issue I have now is that I’m trying to protect the password by not having the password in cleartext, but I cannot get it to work.

I tried to pass the password as a secret, read it into an ENV variable and use it in the config for ‘opensearch.yml’, but I got an error that it cannot resolve ${env.TRUSTSTORE_PASSWORD}.
This method works for protecting the LDAP password in opensearch-security/config.yml, where I can refer to the password with ${env.LDAP_PASSWORD}, but it does not work for the truststore.
I read that it has to do with opensearch.yml being processed before the ENV vars are ready…

I tried to set plugins.security.ssl.transport.truststore_password_secure with the hash of the password, but I get an error that truststore_password_secure cannot be set in opensearch.yml.

And in my last try, I tried to set plugins.security.ssl.transport.truststore_password_secure in the keystore, but I get an error:
[c.a.d.a.l.b.LDAPAuthorizationBackend] [opensearch-ldap-test-master-0] Unable to connect to ldapserver ad01.ad.lab.se:636 due to java.lang.IllegalStateException: **Keystore is closed.** Try next.

Now I’m stuck and out of ideas.
How can I protect the password for the truststore file when deploying with Helm?

Configuration:

opensearch.yml: |
  # Start OpenSearch Security Demo Configuration
  # WARNING: revise all the lines below before you go into production
  plugins:
    security:
      ssl:
        transport:
          pemcert_filepath: esnode.pem
          pemkey_filepath: esnode-key.pem
          pemtrustedcas_filepath: /usr/share/opensearch/config/root-ca.pem
          truststore_filepath: /usr/share/opensearch/config/cacerts/cacerts.jks
          enforce_hostname_verification: false
        http:
          enabled: false
          pemcert_filepath: esnode.pem
          pemkey_filepath: esnode-key.pem
          pemtrustedcas_filepath: /usr/share/opensearch/config/root-ca.pem
      allow_unsafe_democertificates: true
      allow_default_init_securityindex: true


securityConfig:
  config:
    data:
      config.yml: |-
        config:
          dynamic:
            authc:
              ldap:
                authentication_backend:
                  # LDAP authentication backend (authenticate users against a LDAP or Active Directory)
                  type: ldap
                  config:
                    hosts:
                      - ad01.ad.lab.se:636
                    password: ${env.AUTH_LDAP_BIND_PASSWORD}

keystore:
  - secretName: s3-secrets
  - secretName: truststore-password-secret

apiVersion: v1
kind: Secret
metadata:
  name: truststore-password-secret
data:
  plugins.security.ssl.transport.truststore_password_secure: ++++++++

Relevant Logs or Screenshots:

[c.a.d.a.l.b.LDAPAuthorizationBackend] [opensearch-ldap-test-master-2] Unable to connect to ldapserver ad01.ad.lab.se:636 due to java.lang.IllegalStateException: Keystore is closed. Try next.

I was able to solve it using an ENV variable. I didn’t get it to work previously because ENV variables are loaded differently for different files.
For opensearch.yml, in values.yaml, the ENV variable is specified as ${TRUSTSTORE_PASSWORD}:

config:
  opensearch.yml: |
    ...
    plugins.security.ssl.transport.truststore_password: ${TRUSTSTORE_PASSWORD}

while for the config.yml in the opensearch-security folder the ENV variable is specified as ${env.AUTH_LDAP_BIND_PASSWORD}:

securityConfig:
  config:
     data:
         config.yml: |-
            ...
                  password: ${env.AUTH_LDAP_BIND_PASSWORD}

I removed the definition for the keystore.

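To show how the two placeholder styles fit together end to end, here is an added values.yaml fragment for the opensearch Helm chart (example config, not the poster's own): the chart's extraEnvs list injects both passwords from Kubernetes Secrets into the pod environment, opensearch.yml reads one with the plain ${VAR} form, and the security plugin's config.yml reads the other with the ${env.VAR} form. It assumes two Secrets, truststore-password-secret and ldap-bind-secret, each with a key named password, created separately.

```yaml
# Added example, not from the original post. Assumed Secret names/keys:
# truststore-password-secret/password and ldap-bind-secret/password.
# Neither password appears in opensearch.yml or config.yml; both live
# only in the Secrets and the pod environment.
extraEnvs:
  - name: TRUSTSTORE_PASSWORD
    valueFrom:
      secretKeyRef:
        name: truststore-password-secret
        key: password
  - name: AUTH_LDAP_BIND_PASSWORD
    valueFrom:
      secretKeyRef:
        name: ldap-bind-secret
        key: password

config:
  opensearch.yml: |
    plugins:
      security:
        ssl:
          transport:
            truststore_filepath: /usr/share/opensearch/config/cacerts/cacerts.jks
            # opensearch.yml placeholders are plain ${VAR}, resolved from the
            # process environment when the node settings are loaded
            truststore_password: ${TRUSTSTORE_PASSWORD}

securityConfig:
  config:
    data:
      config.yml: |-
        config:
          dynamic:
            authc:
              ldap:
                authentication_backend:
                  type: ldap
                  config:
                    hosts:
                      - ad01.ad.lab.se:636
                    # the security plugin's own files use the env. prefix
                    password: ${env.AUTH_LDAP_BIND_PASSWORD}
```

With this layout the keystore section from the question is not needed for the truststore password, which matches what the poster ended up doing.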