feat: Allow the configuration of the security plugin

CHANGELOG.md

@@ -27,6 +27,7 @@ All notable changes to this project will be documented in this file.
   - Configuration parameter `spec.nodes.roleGroups.<role-group-name>.config.discoveryServiceExposed`
     added to expose a role-group via the discovery service.
 - Add support for OpenSearch 3.4.0 ([#108]).
+- Allow the configuration of the OpenSearch security plugin ([#117]).
 
 ### Changed
 
@@ -49,6 +50,7 @@ All notable changes to this project will be documented in this file.
 [#108]: https://github.com/stackabletech/opensearch-operator/pull/108
 [#110]: https://github.com/stackabletech/opensearch-operator/pull/110
 [#114]: https://github.com/stackabletech/opensearch-operator/pull/114
+[#117]: https://github.com/stackabletech/opensearch-operator/pull/117
 
 ## [25.11.0] - 2025-11-07
 

rust/operator-binary/src/controller.rs

@@ -31,14 +31,15 @@ use update_status::update_status;
 use validate::validate;
 
 use crate::{
+    controller::preprocess::preprocess,
     crd::{NodeRoles, v1alpha1},
     framework::{
         HasName, HasUid, NameIsValidLabelValue,
         product_logging::framework::{ValidatedContainerLogConfigChoice, VectorContainerLogConfig},
         role_utils::{GenericProductSpecificCommonConfig, RoleGroupConfig},
         types::{
             common::Port,
-            kubernetes::{Hostname, ListenerClassName, NamespaceName, Uid},
+            kubernetes::{Hostname, ListenerClassName, NamespaceName, SecretClassName, Uid},
             operator::{
                 ClusterName, ControllerName, OperatorName, ProductName, ProductVersion,
                 RoleGroupName, RoleName,
@@ -50,6 +51,7 @@ use crate::{
 mod apply;
 mod build;
 mod dereference;
+mod preprocess;
 mod update_status;
 mod validate;
 
@@ -176,6 +178,28 @@ impl ValidatedLogging {
     }
 }
 
+/// Validated security configuration
+#[derive(Clone, Debug, PartialEq)]
+pub enum ValidatedSecurity {
+    /// At least one security setting is managed by the operator
+    ManagedByOperator {
+        managing_role_group: RoleGroupName,
+        settings: v1alpha1::SecuritySettings,
+        tls_server_secret_class: SecretClassName,
+        tls_internal_secret_class: SecretClassName,
+    },
+
+    /// All security settings are managed by the API
+    ManagedByApi {
+        settings: v1alpha1::SecuritySettings,
+        tls_server_secret_class: Option<SecretClassName>,
+        tls_internal_secret_class: SecretClassName,
+    },
+
+    /// The OpenSearch security plugin is disabled.
+    Disabled,
+}
+
 #[derive(Clone, Debug, PartialEq)]
 pub struct ValidatedDiscoveryEndpoint {
     pub hostname: Hostname,
@@ -200,7 +224,7 @@ pub struct ValidatedCluster {
     pub uid: Uid,
     pub role_config: v1alpha1::OpenSearchRoleConfig,
     pub role_group_configs: BTreeMap<RoleGroupName, OpenSearchRoleGroupConfig>,
-    pub tls_config: v1alpha1::OpenSearchTls,
+    pub security: ValidatedSecurity,
     pub keystores: Vec<v1alpha1::OpenSearchKeystore>,
     pub discovery_endpoint: Option<ValidatedDiscoveryEndpoint>,
 }
@@ -215,7 +239,7 @@ impl ValidatedCluster {
         uid: impl Into<Uid>,
         role_config: v1alpha1::OpenSearchRoleConfig,
         role_group_configs: BTreeMap<RoleGroupName, OpenSearchRoleGroupConfig>,
-        tls_config: v1alpha1::OpenSearchTls,
+        security: ValidatedSecurity,
         keystores: Vec<v1alpha1::OpenSearchKeystore>,
         discovery_endpoint: Option<ValidatedDiscoveryEndpoint>,
     ) -> Self {
@@ -234,7 +258,7 @@ impl ValidatedCluster {
             uid,
             role_config,
             role_group_configs,
-            tls_config,
+            security,
             keystores,
             discovery_endpoint,
         }
@@ -269,6 +293,20 @@ impl ValidatedCluster {
             .filter(|c| c.1.config.node_roles.contains(node_role))
             .collect()
     }
+
+    /// Whether security is enabled and a server TLS class is defined or not.
+    pub fn is_server_tls_enabled(&self) -> bool {
+        matches!(
+            self.security,
+            ValidatedSecurity::ManagedByApi {
+                tls_server_secret_class: Some(_),
+                ..
+            } | ValidatedSecurity::ManagedByOperator {
+                tls_server_secret_class: _,
+                ..
+            }
+        )
+    }
 }
 
 impl HasName for ValidatedCluster {
@@ -355,10 +393,14 @@ pub fn error_policy(
 /// Reconcile function of the OpenSearchCluster controller
 ///
 /// The reconcile function performs the following steps:
-/// 1. Validate the given cluster specification and return a [`ValidatedCluster`] if successful.
-/// 2. Build Kubernetes resource specifications from the validated cluster.
-/// 3. Apply the Kubernetes resource specifications
-/// 4. Update the cluster status
+/// 1. Dereference objects which are referenced in the OpenSearchCluster.
+/// 2. Preprocess the OpenSearchCluster specification and add configurations that the user is
+///    allowed to leave out.
+/// 3. Validate the preprocessed cluster specification and the dereferenced objects and return a
+///    [`ValidatedCluster`] if successful.
+/// 4. Build Kubernetes resource specifications from the validated cluster.
+/// 5. Apply the Kubernetes resource specifications
+/// 6. Update the cluster status
 pub async fn reconcile(
     object: Arc<DeserializeGuard<v1alpha1::OpenSearchCluster>>,
     context: Arc<Context>,
@@ -369,30 +411,35 @@ pub async fn reconcile(
         .0
         .as_ref()
         .map_err(stackable_operator::kube::core::error_boundary::InvalidObject::clone)
-        .context(DeserializeClusterDefinitionSnafu)?;
+        .context(DeserializeClusterDefinitionSnafu)?
+        .clone();
 
     // dereference (client required)
-    let dereferenced_objects = dereference(&context.client, cluster)
+    let dereferenced_objects = dereference(&context.client, &cluster)
         .await
         .context(DereferenceSnafu)?;
 
+    // preprocess (no client required)
+    let preprocessed_cluster = preprocess(cluster);
+
     // validate (no client required)
-    let validated_cluster =
-        validate(&context.names, cluster, &dereferenced_objects).context(ValidateClusterSnafu)?;
+    let validated_cluster = validate(&context.names, &preprocessed_cluster, &dereferenced_objects)
+        .context(ValidateClusterSnafu)?;
 
     // build (no client required; infallible)
     let prepared_resources = build(&context.names, validated_cluster.clone());
 
     // apply (client required)
-    let apply_strategy = ClusterResourceApplyStrategy::from(&cluster.spec.cluster_operation);
+    let apply_strategy =
+        ClusterResourceApplyStrategy::from(&preprocessed_cluster.spec.cluster_operation);
     let applied_resources = Applier::new(
         &context.client,
         &context.names,
         &validated_cluster.name,
         &validated_cluster.namespace,
         &validated_cluster.uid,
         apply_strategy,
-        &cluster.spec.object_overrides,
+        &preprocessed_cluster.spec.object_overrides,
     )
     .apply(prepared_resources)
     .await
@@ -401,9 +448,14 @@ pub async fn reconcile(
     // not necessary in this controller: create discovery ConfigMap based on the applied resources (client required)
 
     // update status (client required)
-    update_status(&context.client, &context.names, cluster, applied_resources)
-        .await
-        .context(UpdateStatusSnafu)?;
+    update_status(
+        &context.client,
+        &context.names,
+        &preprocessed_cluster,
+        applied_resources,
+    )
+    .await
+    .context(UpdateStatusSnafu)?;
 
     Ok(Action::await_change())
 }
@@ -429,14 +481,14 @@ mod tests {
 
     use super::{Context, OpenSearchRoleGroupConfig, ValidatedCluster, ValidatedLogging};
     use crate::{
-        controller::{OpenSearchNodeResources, ValidatedOpenSearchConfig},
+        controller::{OpenSearchNodeResources, ValidatedOpenSearchConfig, ValidatedSecurity},
         crd::{NodeRoles, v1alpha1},
         framework::{
             builder::pod::container::EnvVarSet,
             product_logging::framework::ValidatedContainerLogConfigChoice,
             role_utils::GenericProductSpecificCommonConfig,
             types::{
-                kubernetes::{ListenerClassName, NamespaceName},
+                kubernetes::{ListenerClassName, NamespaceName, SecretClassName},
                 operator::{ClusterName, OperatorName, ProductVersion, RoleGroupName},
             },
         },
@@ -552,7 +604,11 @@ mod tests {
                 ),
             ]
             .into(),
-            v1alpha1::OpenSearchTls::default(),
+            ValidatedSecurity::ManagedByApi {
+                settings: v1alpha1::SecuritySettings::default(),
+                tls_server_secret_class: None,
+                tls_internal_secret_class: SecretClassName::from_str_unsafe("tls"),
+            },
             vec![],
             None,
         )

rust/operator-binary/src/controller/build.rs

@@ -82,7 +82,7 @@ mod tests {
         controller::{
             ContextNames, OpenSearchNodeResources, OpenSearchRoleGroupConfig, ValidatedCluster,
             ValidatedContainerLogConfigChoice, ValidatedDiscoveryEndpoint, ValidatedLogging,
-            ValidatedOpenSearchConfig,
+            ValidatedOpenSearchConfig, ValidatedSecurity,
         },
         crd::{NodeRoles, v1alpha1},
         framework::{
@@ -209,7 +209,7 @@ mod tests {
                 ),
             ]
             .into(),
-            v1alpha1::OpenSearchTls::default(),
+            ValidatedSecurity::Disabled,
             vec![],
             Some(ValidatedDiscoveryEndpoint {
                 hostname: Hostname::from_str_unsafe("1.2.3.4"),