How to provide credentials for repository-azure plugin on Kubernetes?

General Feedback
1

Hi team,
I am trying to enable OpenSearch snapshots to Azure blob storage. My OpenSearch cluster is on Kubernetes and I deployed it using Helm.

Based on some research that I did, I learned that the repository-azure plugin has to be installed and the credentials have to be configured when building the OpenSearch Docker image. i.e. similar to how it has been done for S3 - Take and restore snapshots - OpenSearch Documentation

Passing account credentials at Docker image build time would not be possible because we deploy the same Docker image to multiple environments. Each environment needs to store snapshots in different blob storage accounts. Is there a way to pass Azure account credentials through Kubernetes secrets and enable the repository-azure plugin using the Helm chart?

I am looking for something like this - How to use Azure Storage plugin in ECK for Snapshot - Elastic Cloud on Kubernetes (ECK) - Discuss the Elastic Stack
But I have been unable to figure out where to pass that secret in OpenSearch

2

We have solved this by building a custom container with the storage plugin but using init containers to push the credentials. Best of both worlds.

3

@neographikal thanks for the reply. Can you explain how you pushed the credentials from the init-container?
From what I understood, the credentials are added by running the opensearch-keystore add command. This command is available in the OpenSearch container. So I am a bit confused how you did it from the init-container

4

Sure, we use terraform:

init_container {
          name  = "create-volume-keystore"
          image = var.opensearch_image
          
          volume_mount {
            name       = "data-volume"
            mount_path = "/usr/share/opensearch/data"
          }
          volume_mount {
            name       = "volume-keystore"
            mount_path = "/tmp/keystore/"
          }
          volume_mount {
            name       = "opensearch-config-volume"
            mount_path = "/usr/share/opensearch/config/keystore.sh"
            sub_path   = "keystore.sh"
          }

          env {
            name  = "AZ_ACCOUNT"
            value = var.opensearch-azure-account
          }

          env {
            name  = "AZ_KEY"
            value = var.opensearch-azure-key
          }

#!/bin/bash

#This script creates the java key store and pushes the azure account and key in it

#The Azure plugin needs to be installed in the image already (otherwise the startup of the containers is dependent on the availability of Github)

rm -f /usr/share/opensearch/config/opensearch.keystore

/usr/share/opensearch/bin/opensearch-keystore create

echo $AZ_ACCOUNT | /usr/share/opensearch/bin/opensearch-keystore add --stdin azure.client.default.account

echo $AZ_KEY | /usr/share/opensearch/bin/opensearch-keystore add --stdin azure.client.default.key

cp /usr/share/opensearch/config/opensearch.keystore /tmp/keystore/

ls /tmp/keystore/
5

Thank you @neographikal. I will try these steps