Q: How do I configure OpenID using the Helm chart?

Versions:

  • 2.3
  • 2.4

I’m trying to use the OpenSearch Helm Chart to connect my OpenSearch cluster to a Keycloak identity provider. How would I go about setting the OpenID security configuration so that I may authenticate against my IDP?

Would I still be able to use local accounts with OpenSearch (i.e. kibana, admin) even with OpenID configured?

I figured out how to get the OpenID configuration using the helm chart. In values.yaml you have to set securityConfig.config. You could either create a Kubernetes Secret or provide plain YAML into securityConfig.config.data.

This is my config.yaml:

_meta:
  type: config
  config_version: 2
config:
  dynamic:
    authc:
      openid_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: openid
          challenge: false
          config:
            subject_key: preferred_username
            roles_key: roles
            openid_connect_idp:
              enable_ssl: true
              verify_hostnames: false
              pemtrustedcas_filepath: /usr/share/opensearch/config/root-ca/root.ca.crt
            openid_connect_url: "https://{{ keycloak_server }}/auth/realms/{{ realm_name }}/.well-known/openid-configuration"
        authentication_backend:
          type: noop
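
An added example (not from the original posts or the chart's own documentation) of a values.yaml that passes config.yml through securityConfig.config.data and keeps a basic-auth domain backed by the internal user database next to the OpenID domain, so local accounts such as admin keep working. The host keycloak.example.com, the realm example-realm and the config.yml key name are assumptions; the CA path is the one from the post and is assumed to be mounted into the pod separately.

```yaml
# values.yaml for the OpenSearch Helm chart (added example; host and realm are placeholders)
securityConfig:
  config:
    data:
      # Assumed: the key is the security plugin file name, the value is its content.
      config.yml: |-
        _meta:
          type: config
          config_version: 2
        config:
          dynamic:
            authc:
              # Local accounts from the internal user database (e.g. admin), via HTTP basic auth.
              basic_internal_auth_domain:
                http_enabled: true
                transport_enabled: true
                order: 0
                http_authenticator:
                  type: basic
                  # No basic-auth challenge, so requests without credentials
                  # fall through to the OpenID domain below.
                  challenge: false
                authentication_backend:
                  type: internal
              # Tokens issued by Keycloak, evaluated after the basic domain.
              openid_auth_domain:
                http_enabled: true
                transport_enabled: true
                order: 1
                http_authenticator:
                  type: openid
                  challenge: false
                  config:
                    subject_key: preferred_username
                    roles_key: roles
                    openid_connect_idp:
                      enable_ssl: true
                      # true checks the IdP certificate's hostname when fetching
                      # the discovery document and keys; the posted config uses false.
                      verify_hostnames: true
                      pemtrustedcas_filepath: /usr/share/opensearch/config/root-ca/root.ca.crt
                    openid_connect_url: "https://keycloak.example.com/auth/realms/example-realm/.well-known/openid-configuration"
                authentication_backend:
                  type: noop
```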

thanks for coming back to post what you learned @mikeyGlitz - the community appreciates it!