Found out you can just use env variables, like
...
openid:
client_id: ${OPENSEARCH_OIDC_CLIENT_ID}
At least when using the Bitnami Helm chart (maybe this sets some config on the security shell script already).
Still it would be interesting, if there is a way to read them from files.
Leaving these two here for reference: