Summary
Port the existing anonymous authentication feature from docker-compose to the Helm chart so Kubernetes deployments can skip the OpenSearch Dashboards login page (useful for demos, workshops, shared dev environments).
Context
Docker Compose already supports anonymous auth via OPENSEARCH_ANONYMOUS_AUTH_ENABLED in .env. When enabled, it configures:
- OpenSearch security plugin — sets anonymous_auth_enabled: true in config.yml, mounts custom roles.yml (defines opendistro_security_anonymous_role) and roles_mapping.yml
- OpenSearch Dashboards — sets opensearch_security.auth.anonymous_auth_enabled: true and savedObjects.permission.enabled: false
- Init script — conditionally adds opendistro_security_anonymous_role to workspace allowedRoles
The Helm chart (charts/observability-stack/) currently has zero anonymous auth support. The Terraform module defines variable "anonymous_auth" but it is not wired to anything.
Reference Files (docker-compose implementation)
.env — OPENSEARCH_ANONYMOUS_AUTH_ENABLED=false
docker-compose.local-opensearch.yml — mounts security config templates, runs sed to inject value
docker-compose.local-opensearch-dashboards.yml — injects anon auth + savedObjects.permission.enabled via sed
docker-compose/opensearch/opensearch-security/config.template.yml — security plugin config with anonymous_auth_enabled placeholder
docker-compose/opensearch/opensearch-security/roles.yml — defines opendistro_security_anonymous_role with read + limited write permissions
docker-compose/opensearch/opensearch-security/roles_mapping.yml — maps anonymous backend role
docker-compose/opensearch-dashboards/opensearch_dashboards.template.yml — dashboards config with anon auth placeholders
docker-compose/opensearch-dashboards/init/init-opensearch-dashboards.py — reads OPENSEARCH_ANONYMOUS_AUTH_ENABLED env var
Tasks
Task 1: Add anonymousAuth.enabled toggle to values.yaml
File: charts/observability-stack/values.yaml
Add a top-level value:
# -- Anonymous authentication (skip login page for demos/workshops)
anonymousAuth:
  enabled: false
Task 2: Sync Helm init script with docker-compose version
File: charts/observability-stack/files/init-opensearch-dashboards.py
The docker-compose copy (docker-compose/opensearch-dashboards/init/init-opensearch-dashboards.py) has anonymous auth logic:
- Line 18: ANONYMOUS_AUTH_ENABLED = os.getenv("OPENSEARCH_ANONYMOUS_AUTH_ENABLED", "false").lower() == "true"
- Line 236: conditionally adds opendistro_security_anonymous_role to workspace allowedRoles
The Helm copy (charts/observability-stack/files/init-opensearch-dashboards.py) does not have this logic. Diff and sync.
Task 3: Pass OPENSEARCH_ANONYMOUS_AUTH_ENABLED env var to init-dashboards Job
File: charts/observability-stack/templates/init-dashboards-job.yaml
Add env var to the init container based on .Values.anonymousAuth.enabled:
- name: OPENSEARCH_ANONYMOUS_AUTH_ENABLED
  value: {{ .Values.anonymousAuth.enabled | quote }}
Task 4: Add OpenSearch security config via securityConfig
New file: charts/observability-stack/templates/opensearch-security-config.yaml
Modified: charts/observability-stack/values.yaml
Create a custom Secret containing the 3 security files (config.yml, roles.yml, roles_mapping.yml) using Go templates to set anonymous_auth_enabled based on .Values.anonymousAuth.enabled. Point opensearch.securityConfig.config.securityConfigSecret to this Secret.
The anonymous role/mapping files are harmless when anonymous_auth_enabled: false (the role exists but is never assigned), so they can always be included.
Source content for the security files:
config.yml: see docker-compose/opensearch/opensearch-security/config.template.yml — replace OPENSEARCH_ANONYMOUS_AUTH_ENABLED placeholder with Go template {{ .Values.anonymousAuth.enabled }}
roles.yml: copy from docker-compose/opensearch/opensearch-security/roles.yml as-is
roles_mapping.yml: copy from docker-compose/opensearch/opensearch-security/roles_mapping.yml as-is
Task 5: Update OpenSearch Dashboards config for anonymous auth
Modified: charts/observability-stack/values.yaml (or new template)
Add to the dashboards opensearch_dashboards.yml config:
opensearch_security.auth.anonymous_auth_enabled: <value>
savedObjects.permission.enabled: <inverse of value>
Since the subchart takes config as a raw string, either:
- (a) Create a custom ConfigMap template that renders the full config with Go template conditionals, OR
- (b) Move the dashboards config out of values.yaml into a template file
Task 6: Wire up Terraform variable
File: terraform/aws/observability-stack.tf
Add to the Helm release resource:
set {
  name  = "anonymousAuth.enabled"
  value = var.anonymous_auth
}
Task 7: Add Helm chart tests
File: charts/observability-stack/tests/anonymous_auth_test.yaml (new)
Test cases:
- Default (anonymousAuth.enabled: false): security config Secret has anonymous_auth_enabled: false, init job does NOT have OPENSEARCH_ANONYMOUS_AUTH_ENABLED=true
- Enabled (anonymousAuth.enabled: true): security config Secret has anonymous_auth_enabled: true, init job has OPENSEARCH_ANONYMOUS_AUTH_ENABLED=true, dashboards config has anonymous_auth_enabled: true and savedObjects.permission.enabled: false
Task 8: Update documentation
charts/observability-stack/README.md — document anonymousAuth.enabled value and usage
AGENTS.md — add Helm anonymous auth section under Configuration Patterns
Task Dependency Graph
Task 1 (values toggle) ─┬── Task 3 (init job env) ── depends on 1, 2
Task 2 (sync init script)┘
Task 1 ── Task 4 (OS security config)
Task 1 ── Task 5 (OSD config)
Task 1 ── Task 6 (terraform)
Tasks 3,4,5 ── Task 7 (tests)
All ── Task 8 (docs)
Tasks 1 and 2 can be done in parallel. Then 3, 4, 5, 6 in parallel. Then 7, then 8.
Acceptance Criteria
- helm install with anonymousAuth.enabled=false (default) works identically to current behavior (login required)
- helm install --set anonymousAuth.enabled=true allows accessing Dashboards without login
- helm test passes for both enabled and disabled states
- anonymous_auth = true correctly enables the feature on EKS deployments
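The Task 7 cases and the enabled/disabled acceptance check, written as a consistency check over rendered manifest text so that drift between the three settings is caught before deploy. This is an added example, not code from the repository: the `render` sample is constructed, and it assumes the security config is rendered as plain text (for example via `stringData`) rather than base64.

```python
import re

# The places the toggle must reach; key names are the ones listed in the issue.
PATTERNS = {
    "security_config": r"^\s*anonymous_auth_enabled:\s*(\S+)",
    "dashboards": r"^\s*opensearch_security\.auth\.anonymous_auth_enabled:\s*(\S+)",
    "saved_objects_permission": r"^\s*savedObjects\.permission\.enabled:\s*(\S+)",
    "init_job_env": r"-\s*name:\s*OPENSEARCH_ANONYMOUS_AUTH_ENABLED\s*\n\s*value:\s*(\S+)",
}

def extract(rendered):
    """Return {setting: True/False, or None when the key is absent}."""
    state = {}
    for name, pattern in PATTERNS.items():
        m = re.search(pattern, rendered, re.MULTILINE)
        state[name] = m.group(1).strip("\"'").lower() == "true" if m else None
    return state

def violations(rendered, enabled):
    """Compare rendered manifests with the Task 7 expectations for the toggle."""
    s = extract(rendered)
    problems = []
    if enabled:
        for key in ("security_config", "dashboards", "init_job_env"):
            if s[key] is not True:
                problems.append(f"{key} is not true while anonymousAuth.enabled=true")
        if s["saved_objects_permission"] is not False:
            problems.append("savedObjects.permission.enabled must be false")
    else:
        if s["security_config"] is not False:
            problems.append("security config must set anonymous_auth_enabled: false")
        # Extra drift check beyond Task 7: Dashboards must not enable it either.
        for key in ("dashboards", "init_job_env"):
            if s[key] is True:
                problems.append(f"{key} enables anonymous access while the toggle is off")
    return problems

def render(sec, osd, saved, env):
    """Constructed stand-in for `helm template` output (layout is an assumption)."""
    return (
        "config.yml: |\n  config:\n    dynamic:\n      http:\n"
        f"        anonymous_auth_enabled: {sec}\n"
        "opensearch_dashboards.yml: |\n"
        f"  opensearch_security.auth.anonymous_auth_enabled: {osd}\n"
        f"  savedObjects.permission.enabled: {saved}\n"
        f"env:\n  - name: OPENSEARCH_ANONYMOUS_AUTH_ENABLED\n    value: \"{env}\"\n"
    )
```

A missing `anonymous_auth_enabled` key in the security config is reported as a violation in both states, so a Secret that fails to render the setting does not pass silently.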