@pablo @OkComputer I found the solution, tagging you OkComputer, in case you have the same problem as I had.
I managed to find a way to enable more verbose logs in my OpenSearch container by adding the following yaml key-value pair to my OpenSearch .values file at the top level.
rootLogger.level: Debug
This was kinda hard to figure out, since the helm chart templates that you can find for OpenSearch have changed a lot since the guides were made. After enabling this debugging I was able to find out that the error was due to OpenSearch not being able to verify the CA chain of Keycloak. I fixed this issue by adding the CA chain to my OpenSearch container with the following addition to the yaml:
securityConfig:
  enabled: true
  config:
    dataComplete: false
    data:
      root-ca.pem: |
        -----BEGIN CERTIFICATE-----
        xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
        -----END CERTIFICATE-----
        -----BEGIN CERTIFICATE-----
        xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
        -----END CERTIFICATE-----
        -----BEGIN CERTIFICATE-----
        xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
        -----END CERTIFICATE-----
as well as the following addition to my config.yml:
openid_auth_domain:
  http_enabled: true
  transport_enabled: true
  order: 1
  http_authenticator:
    type: openid
    challenge: false
    config:
      openid_connect_idp:
        enable_ssl: true
        verify_hostnames: false
        pemtrustedcas_filepath: /usr/share/opensearch/config/opensearch-security/root-ca.pem
      roles_key: roles
      subject_key: preferred_username
      openid_connect_url: "https://qa.idp.supplier-overview.kmd.dk/realms/opensearch/.well-known/openid-configuration"
  authentication_backend:
    type: noop
The important change here is the pemtrustedcas_filepath, which is now pointing to the root-ca.pem which I defined earlier. The way to get your CA chain is to go to the URL of your IDP in the browser (in my case it was Keycloak). Click on the lock to the left of your URL, click the arrow to the right of "connection is secure", then click on "Certificate is valid" and go to details. Here you will see the Certificate Hierarchy. Export all the certificates in your hierarchy and concatenate them into a single file like I have done in my root-ca.pem. These are all public certificates, and do not need to be hidden away as a secret.
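An added example, not from this thread, that does the same chain extraction step with openssl instead of the browser and then checks the discovery endpoint against the resulting bundle, which is the check OpenSearch performs through pemtrustedcas_filepath. It assumes openssl and curl are installed, the IdP hostname is given in IDP_HOST, and the realm path is the same as above.

```shell
#!/usr/bin/env bash
# Added example (not part of the original post): build root-ca.pem from the
# chain the IdP presents and verify the OIDC discovery URL against it.
set -eu

# Keep only the PEM certificate blocks from stdin (e.g. the output of
# `openssl s_client -showcerts`), dropping the s:/i: subject lines and
# the session details around them.
extract_pem_chain() {
  sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# Count the certificates in a PEM bundle read from stdin.
count_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' || true
}

# Fetch the chain host:port presents. -servername is needed so an SNI-based
# front end returns the certificate for that name. Note: servers usually send
# the leaf and intermediates but not the self-signed root, so if the check
# below fails, append the root CA (the top of the browser's certificate
# hierarchy) to the bundle as well.
fetch_chain() {
  host="$1"; port="${2:-443}"
  openssl s_client -connect "${host}:${port}" -servername "${host}" \
    -showcerts </dev/null 2>/dev/null | extract_pem_chain
}

# Succeeds only if the discovery document can be fetched while trusting
# nothing but the bundle; a failure here means OpenSearch will fail too.
verify_discovery() {
  bundle="$1"; url="$2"
  curl --silent --show-error --fail --cacert "$bundle" "$url" >/dev/null
}

# Runs only when IDP_HOST is set, e.g. IDP_HOST=idp.example.com ./get-chain.sh
if [ -n "${IDP_HOST:-}" ]; then
  fetch_chain "$IDP_HOST" > root-ca.pem
  echo "root-ca.pem holds $(count_certs < root-ca.pem) certificate(s)"
  verify_discovery root-ca.pem \
    "https://${IDP_HOST}/realms/opensearch/.well-known/openid-configuration" \
    && echo "discovery endpoint verified against root-ca.pem"
fi
```

The resulting root-ca.pem is the file to paste under securityConfig.config.data as shown above.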