Opensearch access via LoginPassword or Certificate #264

Open
bertrandrigaud wants to merge 13 commits into DIRACGrid:master from bertrandrigaud:oscertneo

@bertrandrigaud
Contributor

Propose a way to manage both login/password and certificate for Opensearch DBs access:

The main idea is to have a default configuration used by DBs. Each DB is able to override default values and to choose between login/pwd or certificate access (useCRT). By default useCRT is set to false.

Here are the different cases covered:

osDbs:
    default:
      host: default.tada.fr:9200
      user: dirac
      password: dirac
      rootUser: dirac
      rootPassword: dirac
      indexPrefix: diracx-testbed01
      ca.crt: |
        -----BEGIN CERTIFICATE-----
        -----END CERTIFICATE-----
      tls.crt: |
        -----BEGIN CERTIFICATE-----
        -----END CERTIFICATE-----
      tls.key: |
        -----BEGIN PRIVATE KEY-----
        -----END PRIVATE KEY-----
    dbs:
      tutuDB:
        user: dirac
        password: dirac
        rootUser: dirac
        rootPassword: dirac
      titiDB:
        host: titi.tada.fr:9200
        ca.crt: |
          -----BEGIN CERTIFICATE-----
          -----END CERTIFICATE-----
        tls.crt: |
          -----BEGIN CERTIFICATE-----
          -----END CERTIFICATE-----
        tls.key: |
          -----BEGIN PRIVATE KEY-----
          -----END PRIVATE KEY-----
        useCRT: true
      tataDB:
        useCRT: true
      totoDB:
      noobDB:
        host: noob.tada.fr:9200
        ca.crt: |
          -----BEGIN CERTIFICATE-----
          -----END CERTIFICATE-----
        tls.crt: |
          -----BEGIN CERTIFICATE-----
          -----END CERTIFICATE-----
        tls.key: |
          -----BEGIN PRIVATE KEY-----
          -----END PRIVATE KEY-----
      
Certs are detected for default and titiDB (secrets and mounts will be created for both):  
  => oscert-default secret => /os-certs/default  
  => oscert-titiDB secret => /os-certs/titiDB  
  
tutuDB:   
  => tutuDB password will be used  
titiDB:   
  => titiDB cert will be used  
tataDB:  
  => default cert will be used  
totoDB:  
  => default password will be used  
noobDB:  
  => useCRT is NOT set, then default password will be used (not cert)  

Related to #252
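
The five cases listed in the description above, modelled in Python as an added example (not code from this pull request or from the chart's templates). The cert-secret rule and the per-DB password check are assumptions chosen to reproduce the listed outcomes, and the warning for a DB that carries certificate material without `useCRT` is an added lint, not behaviour stated in the PR.

```python
# Added example: a Python model of the resolution rules listed above, not the chart's templates.
CERT_KEYS = ("ca.crt", "tls.crt", "tls.key")
PEM = "<PEM placeholder>"  # constructed stand-in for the empty PEM blocks on the page
CERTS = {k: PEM for k in CERT_KEYS}
PWD = {"user": "dirac", "password": "dirac"}

# The page's osDbs example, reduced to the keys that drive the decision.
OS_DBS = {
    "default": {"host": "default.tada.fr:9200", **PWD, **CERTS},
    "dbs": {
        "tutuDB": dict(PWD),
        "titiDB": {"host": "titi.tada.fr:9200", **CERTS, "useCRT": True},
        "tataDB": {"useCRT": True},
        "totoDB": None,  # empty YAML mapping value
        "noobDB": {"host": "noob.tada.fr:9200", **CERTS},
    },
}

def has_certs(section):
    """True only when CA, client cert and client key are all present."""
    return all(section.get(k) for k in CERT_KEYS)

def resolve(os_dbs, name):
    """Return (auth, source, mount, warning) for one DB."""
    default = os_dbs.get("default") or {}
    db = os_dbs["dbs"].get(name) or {}
    own_certs = has_certs(db)
    if db.get("useCRT", False):  # useCRT defaults to false
        source = name if own_certs else "default"
        if not (own_certs or has_certs(default)):
            return ("error", None, None, "useCRT is true but no certificate is defined")
        return ("cert", source, f"/os-certs/{source}", None)
    # Assumption: a DB that sets its own password uses it, otherwise the default one.
    source = name if "password" in db else "default"
    warning = "certificate defined but useCRT is not set; password is used" if own_certs else None
    return ("password", source, None, warning)

def cert_secrets(os_dbs):
    """Assumed rule: default if it has certs, plus each DB with its own certs and useCRT true."""
    names = ["default"] if has_certs(os_dbs.get("default") or {}) else []
    names += [n for n, db in os_dbs["dbs"].items()
              if db and db.get("useCRT") and has_certs(db)]
    return [f"oscert-{n}" for n in names]

if __name__ == "__main__":
    for db_name in OS_DBS["dbs"]:
        print(db_name, resolve(OS_DBS, db_name))
    print(cert_secrets(OS_DBS))
```
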

@bertrandrigaud bertrandrigaud marked this pull request as ready for review April 28, 2026 09:31
@bertrandrigaud bertrandrigaud changed the title from "Oscertneo" to "Opensearch access via LoginPassword or Certificate" Apr 28, 2026
@aldbr aldbr requested a review from chaen April 29, 2026 09:36
@chaen
Contributor

chaen commented May 12, 2026

The use cases you show make sense to me, however can you:

  • please rebase
  • add documentation for that in the values.yaml? We will probably need to add an extra part of the doc for this sort of configuration, but probably not for you right now :-)
  • you have an indexPrefix in the config. This is coming, but not in this PR :-)

@aldbr
Contributor

aldbr commented May 13, 2026

ddev: indexPrefix should be removed, will be added as a second step
