feat: Add anonymous authentication support to Helm chart / Kubernetes deployment #5

Description

@kylehounslow

Summary

Port the existing anonymous authentication feature from docker-compose to the Helm chart so Kubernetes deployments can skip the OpenSearch Dashboards login page (useful for demos, workshops, shared dev environments).

Context

Docker Compose already supports anonymous auth via OPENSEARCH_ANONYMOUS_AUTH_ENABLED in .env. When enabled, it configures:

  1. OpenSearch security plugin — sets anonymous_auth_enabled: true in config.yml, mounts custom roles.yml (defines opendistro_security_anonymous_role) and roles_mapping.yml
  2. OpenSearch Dashboards — sets opensearch_security.auth.anonymous_auth_enabled: true and savedObjects.permission.enabled: false
  3. Init script — conditionally adds opendistro_security_anonymous_role to workspace allowedRoles

The Helm chart (charts/observability-stack/) currently has zero anonymous auth support. The Terraform module defines variable "anonymous_auth" but it is not wired to anything.

Reference Files (docker-compose implementation)

  • .env: OPENSEARCH_ANONYMOUS_AUTH_ENABLED=false
  • docker-compose.local-opensearch.yml — mounts security config templates, runs sed to inject value
  • docker-compose.local-opensearch-dashboards.yml — injects anon auth + savedObjects.permission.enabled via sed
  • docker-compose/opensearch/opensearch-security/config.template.yml — security plugin config with anonymous_auth_enabled placeholder
  • docker-compose/opensearch/opensearch-security/roles.yml — defines opendistro_security_anonymous_role with read + limited write permissions
  • docker-compose/opensearch/opensearch-security/roles_mapping.yml — maps anonymous backend role
  • docker-compose/opensearch-dashboards/opensearch_dashboards.template.yml — dashboards config with anon auth placeholders
  • docker-compose/opensearch-dashboards/init/init-opensearch-dashboards.py — reads OPENSEARCH_ANONYMOUS_AUTH_ENABLED env var

Tasks

Task 1: Add anonymousAuth.enabled toggle to values.yaml

File: charts/observability-stack/values.yaml

Add a top-level value:

# -- Anonymous authentication (skip login page for demos/workshops)
anonymousAuth:
  enabled: false

Task 2: Sync Helm init script with docker-compose version

File: charts/observability-stack/files/init-opensearch-dashboards.py

The docker-compose copy (docker-compose/opensearch-dashboards/init/init-opensearch-dashboards.py) has anonymous auth logic:

  • Line 18: ANONYMOUS_AUTH_ENABLED = os.getenv("OPENSEARCH_ANONYMOUS_AUTH_ENABLED", "false").lower() == "true"
  • Line 236: conditionally adds opendistro_security_anonymous_role to workspace allowedRoles

The Helm copy (charts/observability-stack/files/init-opensearch-dashboards.py) does not have this logic. Diff and sync.

Task 3: Pass OPENSEARCH_ANONYMOUS_AUTH_ENABLED env var to init-dashboards Job

File: charts/observability-stack/templates/init-dashboards-job.yaml

Add env var to the init container based on .Values.anonymousAuth.enabled:

- name: OPENSEARCH_ANONYMOUS_AUTH_ENABLED
  value: {{ .Values.anonymousAuth.enabled | quote }}

Task 4: Add OpenSearch security config via securityConfig

New file: charts/observability-stack/templates/opensearch-security-config.yaml
Modified: charts/observability-stack/values.yaml

Create a custom Secret containing the 3 security files (config.yml, roles.yml, roles_mapping.yml) using Go templates to set anonymous_auth_enabled based on .Values.anonymousAuth.enabled. Point opensearch.securityConfig.config.securityConfigSecret to this Secret.

The anonymous role/mapping files are harmless when anonymous_auth_enabled: false (the role exists but is never assigned), so they can always be included.

Source content for the security files:

  • config.yml: see docker-compose/opensearch/opensearch-security/config.template.yml — replace OPENSEARCH_ANONYMOUS_AUTH_ENABLED placeholder with Go template {{ .Values.anonymousAuth.enabled }}
  • roles.yml: copy from docker-compose/opensearch/opensearch-security/roles.yml as-is
  • roles_mapping.yml: copy from docker-compose/opensearch/opensearch-security/roles_mapping.yml as-is

Task 5: Update OpenSearch Dashboards config for anonymous auth

Modified: charts/observability-stack/values.yaml (or new template)

Add to the dashboards opensearch_dashboards.yml config:

  • opensearch_security.auth.anonymous_auth_enabled: <value>
  • savedObjects.permission.enabled: <inverse of value>

Since the subchart takes config as a raw string, either:

  • (a) Create a custom ConfigMap template that renders the full config with Go template conditionals, OR
  • (b) Move the dashboards config out of values.yaml into a template file

Task 6: Wire up Terraform variable

File: terraform/aws/observability-stack.tf

Add to the Helm release resource:

set {
  name  = "anonymousAuth.enabled"
  value = var.anonymous_auth
}

Task 7: Add Helm chart tests

File: charts/observability-stack/tests/anonymous_auth_test.yaml (new)

Test cases:

  • Default (anonymousAuth.enabled: false): security config Secret has anonymous_auth_enabled: false, init job does NOT have OPENSEARCH_ANONYMOUS_AUTH_ENABLED=true
  • Enabled (anonymousAuth.enabled: true): security config Secret has anonymous_auth_enabled: true, init job has OPENSEARCH_ANONYMOUS_AUTH_ENABLED=true, dashboards config has anonymous_auth_enabled: true and savedObjects.permission.enabled: false

Task 8: Update documentation

  • charts/observability-stack/README.md — document anonymousAuth.enabled value and usage
  • AGENTS.md — add Helm anonymous auth section under Configuration Patterns

Task Dependency Graph

Task 1 (values toggle) ─┬── Task 3 (init job env) ── depends on 1, 2
Task 2 (sync init script)┘
Task 1 ── Task 4 (OS security config)
Task 1 ── Task 5 (OSD config)
Task 1 ── Task 6 (terraform)
Tasks 3,4,5 ── Task 7 (tests)
All ── Task 8 (docs)

Tasks 1 and 2 can be done in parallel. Then 3, 4, 5, 6 in parallel. Then 7, then 8.

Acceptance Criteria

  • helm install with anonymousAuth.enabled=false (default) works identically to current behavior (login required)
  • helm install --set anonymousAuth.enabled=true allows accessing Dashboards without login
  • Anonymous users can browse data, create/modify saved objects, but cannot delete or perform admin operations
  • helm test passes for both enabled and disabled states
  • Terraform anonymous_auth = true correctly enables the feature on EKS deployments
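
A consistency check over the settings from Tasks 3 to 5, following the test matrix in Task 7. This is an added example, not part of the issue or the project's code. The function names and sample snippets are constructed here, and it assumes both dashboards keys are rendered in both states, as Task 5 describes.

```python
import re

ENV = "OPENSEARCH_ANONYMOUS_AUTH_ENABLED"

# Constructed samples of rendered settings (not taken from the repository).
SECURITY_ON = "config:\n  dynamic:\n    http:\n      anonymous_auth_enabled: true\n"
SECURITY_OFF = SECURITY_ON.replace("true", "false")
DASHBOARDS_ON = ("opensearch_security.auth.anonymous_auth_enabled: true\n"
                 "savedObjects.permission.enabled: false\n")
DASHBOARDS_OFF = ("opensearch_security.auth.anonymous_auth_enabled: false\n"
                  "savedObjects.permission.enabled: true\n")
# Drift: login is skipped but saved-object permissions were left on.
DASHBOARDS_DRIFT = DASHBOARDS_ON.replace("enabled: false", "enabled: true")


def flag(text, key):
    """Boolean value of a `key: true|false` line in YAML-like text, None if absent."""
    m = re.search(rf"^\s*{re.escape(key)}:\s*[\"']?(true|false)[\"']?\s*$",
                  text, re.MULTILINE | re.IGNORECASE)
    return None if m is None else m.group(1).lower() == "true"


def check_anonymous_auth(enabled, security_cfg, dashboards_cfg, job_env):
    """Return findings where a rendered setting disagrees with anonymousAuth.enabled.

    A missing key is reported as a mismatch rather than trusted to a default.
    """
    osd_key = "opensearch_security.auth.anonymous_auth_enabled"
    observed = {
        "config.yml anonymous_auth_enabled":
            (flag(security_cfg, "anonymous_auth_enabled"), enabled),
        f"dashboards {osd_key}":
            (flag(dashboards_cfg, osd_key), enabled),
        # Task 5: this key is the inverse of the toggle.
        "dashboards savedObjects.permission.enabled":
            (flag(dashboards_cfg, "savedObjects.permission.enabled"), not enabled),
        # Same parsing rule as line 18 of the init script quoted in Task 2.
        f"init job {ENV}":
            (job_env.get(ENV, "false").lower() == "true", enabled),
    }
    return [f"{name}: got {got}, want {want}"
            for name, (got, want) in observed.items() if got is not want]


if __name__ == "__main__":
    for finding in check_anonymous_auth(True, SECURITY_ON, DASHBOARDS_DRIFT, {}):
        print(finding)
```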
