Skip to content

Propagate requested entity secret for OpenSearch#267

Open
s-mlnk wants to merge 1 commit into
canonical:mainfrom
s-mlnk:opensearch-entity-fix
Open

Propagate requested entity secret for OpenSearch#267
s-mlnk wants to merge 1 commit into
canonical:mainfrom
s-mlnk:opensearch-entity-fix

Conversation

@s-mlnk

@s-mlnk s-mlnk commented Jun 25, 2026

Copy link
Copy Markdown

This PR adds support of requested-entity-secret (requested-entities-secret config field) for OpenSearch connections, which is required for bringing LDAP integration according to DA-265.

Before:

┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ data-integrator                                                                         ┃
╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩
│ =                                                                                       │
│ =                                                                                       │
│ =                                                                                       │
│ =                                                                                       │
│ requirer                                                                                │
│ opensearch                                                                              │
│ 0                                                                                       │
┼─────────────────────────────────────────────────────────────────────────────────────────┤
│ ╭─────────────────────────────────────────────────────────────────────────────────────╮ │
│ │                                                                                     │ │
│ │  entity-type        GROUP                                                           │ │
│ │  index              test                                                            │ │
│ │  provided-secrets   ["mtls-cert"]                                                   │ │
│ │  requested-secrets  ["username", "password", "tls", "tls-ca", "uris",               │ │
│ │                     "read-only-uris", "entity-name", "entity-password"]             │ │
│ ╰─────────────────────────────────────────────────────────────────────────────────────╯ │
│                                                                                         │
│ ╭─ data-integrator/0* ────────────────────────────────────────────────────────────────╮ │
│ │                                                                                     │ │
│ │  data               {"endpoints":                                                   │ │
│ │                     "10.222.10.113:9200,10.222.10.114:9200,10.222.10.175:9200,10.…  │ │
│ │                     "index": "test"}                                                │ │
│ │  provided-secrets   ["mtls-cert"]                                                   │ │
│ │  requested-secrets  ["username", "password", "tls", "tls-ca", "uris",               │ │
│ │                     "read-only-uris", "entity-name", "entity-password"]             │ │
│ ╰─────────────────────────────────────────────────────────────────────────────────────╯ │
┴─────────────────────────────────────────────────────────────────────────────────────────┘

After:

┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ data-integrator                                                                         ┃
╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩
│ =                                                                                       │
│ =                                                                                       │
│ =                                                                                       │
│ =                                                                                       │
│ requirer                                                                                │
│ opensearch                                                                              │
│ 0                                                                                       │
┼─────────────────────────────────────────────────────────────────────────────────────────┤
│ ╭─────────────────────────────────────────────────────────────────────────────────────╮ │
│ │                                                                                     │ │
│ │  entity-type              GROUP                                                     │ │
│ │  index                    test                                                      │ │
│ │  provided-secrets         ["mtls-cert"]                                             │ │
│ │  requested-entity-secret  secret://a1a7d1ff-2b18-41a9-8f63-f0da8f17d19a/r68hc8kma…  │ │
│ │  requested-secrets        ["username", "password", "tls", "tls-ca", "uris",         │ │
│ │                           "read-only-uris", "entity-name", "entity-password"]       │ │
│ ╰─────────────────────────────────────────────────────────────────────────────────────╯ │
│                                                                                         │
│                                                                                         │
│                                                                                         │
│                                                                                         │
│                                                                                         │
│ ╭─ data-integrator/0* ────────────────────────────────────────────────────────────────╮ │
│ │                                                                                     │ │
│ │  data               {"endpoints":                                                   │ │
│ │                     "10.222.10.113:9200,10.222.10.114:9200,10.222.10.175:9200,10.…  │ │
│ │                     "index": "test", "secret-tls":                                  │ │
│ │                     "secret://a1a7d1ff-2b18-41a9-8f63-f0da8f17d19a/bpsgc6ngplrbv5…  │ │
│ │                     "secret-user":                                                  │ │
│ │                     "secret://a1a7d1ff-2b18-41a9-8f63-f0da8f17d19a/bhgvqjvj8n6nqv…  │ │
│ │                     "version": "2.19.4"}                                            │ │
│ │  provided-secrets   ["mtls-cert"]                                                   │ │
│ │  requested-secrets  ["username", "password", "tls", "tls-ca", "uris",               │ │
│ │                     "read-only-uris", "entity-name", "entity-password"]             │ │
│ ╰─────────────────────────────────────────────────────────────────────────────────────╯ │
┴─────────────────────────────────────────────────────────────────────────────────────────┘

@s-mlnk

s-mlnk commented Jun 25, 2026

Copy link
Copy Markdown
Author

@sinclert-canonical sinclert-canonical left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Giving a +1 just to help the OpenSearch team get this unblocked.

Please consider: I have no context whether these fields make sense for OpenSearch, the main reviewers should be @akram09 (as OpenSeach main dev) and @dragomirp (who introduced this functionality to begin with).

@reneradoi reneradoi left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi Serhii! Thank you for bringing this PR! I want to point you to an issue related to secrets sharing in cross-model relations that should be fixed, to avoid unpleasant deploy-time issues. Please see the comment below for details. Happy to provide more context or information if required, please let me know (you can ping me in the Opensearch Mattermost channel).

Furthermore I see that quite a few integration tests are failing currently. This should also be investigated.

ping @akram09 for heads-up

extra_group_roles,
entity_type,
entity_permissions,
None,

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Better pass keyword arguments instead of just None to make it easier to read/understand.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sharing a secret directly most probably won't be supported in v1, so it is OK to skip, but it is better to use keywords as requested.

secret = self.charm.app.add_secret(
content, label=f"{self.model.uuid}-{event.relation.id}-requested-entity"
)
secret.grant(event.relation)

@reneradoi reneradoi Jun 30, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This will fail in cross-model relations, due to a constraint in Juju: sharing consumer secrets across a cross model relation not supported. For details, see DA264.

Cross-model relations could be more relevant for Opensearch than they are for the current users of this feature, therefor I would recommend to take this into consideration before going forward with this PR.

With #266 a solution was added for the mTLS certificate that could be adapted for the requested_entity_password, too: In case of cross-model relations, store the sensitive information in encrypted form as part of the relation data itself and not as a secret.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For context, when I implemented this originally for Postgresql I followed the same approach as mTLS. Since mTLS itself switched, it makes sense to port this as well. I lack the context to say if it is a strict requirement for Opensearch or not.

@dragomirp dragomirp left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM in principle. It needs to be decided if switching to encrypted credentials instead of consumer secret is a hard requirement for Opensearch.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants