@labrenbe labrenbe commented Nov 21, 2025

Description

Allow referencing Secret keys in the OpenSearch config to add them as entries to the OpenSearch keystore.

Part of #44.

Definition of Done Checklist

  • Not all of these items are applicable to all PRs, the author should update this template to only leave the boxes in that are relevant
  • Please make sure all these things are done and tick the boxes

Author

  • Changes are OpenShift compatible
  • CRD changes approved
  • CRD documentation for all fields, following the style guide.
  • Helm chart can be installed and deployed operator works
  • Integration tests passed (for non trivial changes)
  • Changes need to be "offline" compatible
  • Links to generated (nightly) docs added
  • Release note snippet added

Reviewer

  • Code contains useful comments
  • (Integration-)Test cases added
  • Documentation added or updated. Follows the style guide.
  • Changelog updated
  • Cargo.toml only contains references to git tags (not specific commits or branches)

Acceptance

  • Feature Tracker has been updated
  • Proper release label has been added
  • Links to generated (nightly) docs added
  • Release note snippet added
  • Add type/deprecation label & add to the deprecation schedule
  • Add type/experimental label & add to the experimental features tracker

@labrenbe labrenbe self-assigned this Nov 21, 2025
@labrenbe labrenbe moved this to Development: In Progress in Stackable Engineering Nov 21, 2025
@labrenbe labrenbe marked this pull request as ready for review November 21, 2025 10:36
@labrenbe labrenbe moved this from Development: In Progress to Development: Waiting for Review in Stackable Engineering Nov 21, 2025
@siegfriedweber siegfriedweber mentioned this pull request Dec 2, 2025
3 tasks
@siegfriedweber siegfriedweber moved this from Development: Waiting for Review to Development: In Review in Stackable Engineering Dec 3, 2025
:description: Add entries to the OpenSearch Keystore

The OpenSearch keystore provides secure storage for sensitive configuration settings such as credentials and API keys.
You can populate the keystore by referencing Secrets from in your OpenSearch configuration.

Suggested change
You can populate the keystore by referencing Secrets from in your OpenSearch configuration.
You can populate the keystore by referencing Secrets within your OpenSearch configuration.

]
.into(),
vec![OpenSearchKeystore {
key: "Keystore1".to_string(),

nit:

Suggested change
key: "Keystore1".to_string(),
key: "Keystore1".to_owned(),

Comment on lines +385 to +388
crd::{
NodeRoles,
v1alpha1::{self, OpenSearchKeystore, SecretKeyRef},
},

We decided to use the versioned module explicitly.

Suggested change
crd::{
NodeRoles,
v1alpha1::{self, OpenSearchKeystore, SecretKeyRef},
},
crd::{NodeRoles, v1alpha1},

crd::{
NodeRoles,
v1alpha1::{self},
v1alpha1::{self, OpenSearchKeystore},

Suggested change
v1alpha1::{self, OpenSearchKeystore},
v1alpha1::{self},

Comment on lines +86 to 87
pub keystore: Vec<OpenSearchKeystore>,
/// Name of the Vector aggregator [discovery ConfigMap](DOCS_BASE_URL_PLACEHOLDER/concepts/service_discovery).

@siegfriedweber siegfriedweber Dec 4, 2025

nit:

Suggested change
pub keystore: Vec<OpenSearchKeystore>,
/// Name of the Vector aggregator [discovery ConfigMap](DOCS_BASE_URL_PLACEHOLDER/concepts/service_discovery).
pub keystore: Vec<OpenSearchKeystore>,
/// Name of the Vector aggregator [discovery ConfigMap](DOCS_BASE_URL_PLACEHOLDER/concepts/service_discovery).

crd::{
NodeRoles,
v1alpha1::{self},
v1alpha1::{self, OpenSearchKeystore, SecretKeyRef},

Suggested change
v1alpha1::{self, OpenSearchKeystore, SecretKeyRef},
v1alpha1::{self},

Comment on lines +80 to +83
crd::{
NodeRoles,
v1alpha1::{self, OpenSearchKeystore, SecretKeyRef},
},

Suggested change
crd::{
NodeRoles,
v1alpha1::{self, OpenSearchKeystore, SecretKeyRef},
},
crd::{NodeRoles, v1alpha1},

Comment on lines +757 to +760
crd::{
NodeRoles,
v1alpha1::{self, OpenSearchKeystore, SecretKeyRef},
},

Suggested change
crd::{
NodeRoles,
v1alpha1::{self, OpenSearchKeystore, SecretKeyRef},
},
crd::{NodeRoles, v1alpha1},

- key: s3.client.default.access_key
secretKeyRef:
name: s3-credentials
key: s3.client.default.access_key

nit: The keys in the Secret could be renamed to ACCESS_KEY and SECRET_KEY. If a test uses the same value for different fields (keystore.key and keystore.secretKeyRef.key in this case), the code could read the wrong field and the test would still be successful.
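
The failure mode described in this review comment, as an added Rust example (not code from the pull request or the operator): when `keystore.key` and `keystore.secretKeyRef.key` hold the same string, a resolver that reads the wrong field returns the same result as a correct one. The struct layout and the functions `resolve`, `resolve_buggy`, `entry` and `fixture_detects_bug` are hypothetical stand-ins.

```rust
// Simplified stand-ins for the CRD types named in the review (assumed field
// layout, taken from the YAML above); this is not the operator's code.
struct SecretKeyRef {
    name: String,
    key: String,
}

struct OpenSearchKeystore {
    key: String,
    secret_key_ref: SecretKeyRef,
}

/// (Secret name, key inside the Secret, keystore setting name)
type Resolved = (String, String, String);

// Hypothetical correct resolver: the value is read from `secretKeyRef.key`.
fn resolve(e: &OpenSearchKeystore) -> Resolved {
    (e.secret_key_ref.name.clone(), e.secret_key_ref.key.clone(), e.key.clone())
}

// Hypothetical defect: uses the keystore setting name as the Secret key.
fn resolve_buggy(e: &OpenSearchKeystore) -> Resolved {
    (e.secret_key_ref.name.clone(), e.key.clone(), e.key.clone())
}

// Builds a constructed test fixture.
fn entry(setting: &str, secret: &str, secret_key: &str) -> OpenSearchKeystore {
    OpenSearchKeystore {
        key: setting.to_owned(),
        secret_key_ref: SecretKeyRef { name: secret.to_owned(), key: secret_key.to_owned() },
    }
}

/// True when an assertion on this fixture can tell the two resolvers apart.
fn fixture_detects_bug(e: &OpenSearchKeystore) -> bool {
    resolve(e) != resolve_buggy(e)
}

fn main() {
    let setting = "s3.client.default.access_key";
    let same = entry(setting, "s3-credentials", setting);
    let distinct = entry(setting, "s3-credentials", "ACCESS_KEY");
    println!("identical names detect the defect: {}", fixture_detects_bug(&same));
    println!("distinct names detect the defect: {}", fixture_detects_bug(&distinct));
}
```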


Labels

None yet

Projects

Status: Development: In Review

3 participants