opensearch-project / helm-charts

:wheel_of_dharma: A community repository for Helm Charts of OpenSearch Project.
https://opensearch.org/docs/latest/opensearch/install/helm/
Apache License 2.0

[Enhancement][OpenSearch] #395

Open josephteddick opened 1 year ago

josephteddick commented 1 year ago

Is your feature request related to a problem? Please describe.

Not a problem per se, but as described in the OpenSearch Security Documentation, when there are changes to any of the permissions (roles, users, role mappings, etc.), the securityadmin script must be executed from within OpenSearch after the pods are running. Doing this by hand every time after an installation is rather tedious. Adding the ability to automate would be very helpful.

Describe the solution you'd like

A solution I thought of is simply just giving users the ability to add Lifecycle Hooks to the OpenSearch container. This way the user can run the securityadmin script as a postStart command. Lifecycle Hooks are a core functionality of Kubernetes and aren't really specific to my use case. Due to the nature of this being open source, I think adding this would give users a lot of flexibility for different use cases. Also as a note, you actually use one already but in the graceful termination handler container.

However, this is how I would configure the Lifecycle hook to satisfy my use case:

lifecycle:
  postStart:
    exec:
      command: ["/bin/sh", "-c", "./plugins/opensearch-security/tools/securityadmin.sh -cd ./config/opensearch-security/ -cacert config/admin/admin-root-ca.pem -cert config/admin/admin-crt.pem -key config/admin/admin-key.pem -icl -nhnv --accept-red-cluster"]

Depending on how long it takes OpenSearch to come up, I may have to enhance the script slightly, but at the end of the day the structure of the above block of code should be part of the OpenSearch container in the StatefulSet.

Describe alternatives you've considered

I've thought about creating a sidecar container to do this, but it is much easier to run natively in the OpenSearch container.

Additional context

N/A
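
The startup-timing enhancement mentioned in the issue could take the form of the script below, called from the postStart hook in place of the one-line command. It is an added example, not code from the issue author or the chart: the `retry` helper, the `SECADMIN_ATTEMPTS` and `SECADMIN_DELAY` variables and the `apply` argument are assumptions, while the securityadmin.sh command line is the one quoted in the issue.

```shell
#!/bin/sh
# Added example (not from the chart): bounded retry around the issue's
# securityadmin.sh command, intended to be called from a postStart hook.

# Assumed tunables (hypothetical names), overridable through container env.
SECADMIN_ATTEMPTS="${SECADMIN_ATTEMPTS:-30}"
SECADMIN_DELAY="${SECADMIN_DELAY:-10}"

# retry ATTEMPTS DELAY CMD...: run CMD until it exits 0 or ATTEMPTS is used up.
retry() {
  attempts=$1; delay=$2; shift 2
  n=1
  while :; do
    if "$@"; then
      return 0
    fi
    if [ "$n" -ge "$attempts" ]; then
      echo "postStart: giving up after $n attempts: $1" >&2
      return 1
    fi
    n=$((n + 1))
    sleep "$delay"
  done
}

# The command from the issue, unchanged; paths are relative to the
# OpenSearch home directory. Note that -nhnv turns off hostname
# verification and the admin key has to be mounted in the pod.
apply_security_config() {
  ./plugins/opensearch-security/tools/securityadmin.sh \
    -cd ./config/opensearch-security/ \
    -cacert config/admin/admin-root-ca.pem \
    -cert config/admin/admin-crt.pem \
    -key config/admin/admin-key.pem \
    -icl -nhnv --accept-red-cluster
}

# Only act when called as "<script> apply", so sourcing has no side effects.
if [ "${1:-}" = "apply" ]; then
  retry "$SECADMIN_ATTEMPTS" "$SECADMIN_DELAY" apply_security_config
fi
```

Kubernetes kills the container when a postStart handler exits non-zero, so the attempt and delay bounds decide how long a pod waits before it is restarted.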

prudhvigodithi commented 1 year ago

[Triage] Hey @josephteddick, thanks, this is a good enhancement, I would like to get the PR merged. Thank you