Read credentials from file in security config

maxnitze · December 11, 2023, 6:36pm

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

2.11.1 running in Kubernetes (various versions from 1.23 to 1.27)

Describe the issue:

Is it somehow possible to get configuration values from files?

My use case: I “manage” all my infrastructure and applications “the GitOps way” using ArgoCD. This is especially useful, since I use it to bootstrap new clusters fast!

So all my configuration is in Git.

To add my login config (I use Keycloak OIDC for it), I need to provide the client name and client secret. But I don’t want to add it directly to Git, of course! So I tried the following:

opensearch_security:
  cookie:
    secure: true
  auth.type: openid
  openid:
    connect_url: ...
    client_id: $(cat /run/secrets/oidc-client-credentials/id)
    client_secret: $(cat /run/secrets/oidc-client-credentials/secret)
    scope: openid profile email

That’s not working.

Is there a way to ge the id and secret from the files? I would prefer files directly, but Env variables would also be fine.

Thanks in advance!

maxnitze · December 12, 2023, 1:14am

Found out you can just use env variables, like

...
  openid:
    client_id: ${OPENSEARCH_OIDC_CLIENT_ID}

At least when using the Bitnami Helm chart (maybe this sets some config on the security shell script already).

Still it would be interesting, if there is a way to read them from files.

Leaving these two here for reference:

Topic		Replies	Views
Openseach HELM charts + Azure OIDC Security	2	512	July 14, 2022
Q: How do I configure OpenID using the Helm chart? General Feedback configure , install	2	415	February 15, 2023
Custom config files cannot take effect Security troubleshoot	7	723	March 1, 2023
OpenSearch OpenID connect with Google Security configure	1	117	January 26, 2024
OpenSearch client certificate authentication Security	4	1264	May 6, 2022

Read credentials from file in security config

Related Topics