Skip to content

feat: Add anonymous authentication support to Helm chart#8

Merged
kylehounslow merged 1 commit into
feat/helm-chartsfrom
feat/helm-anon-auth
Mar 20, 2026
Merged

feat: Add anonymous authentication support to Helm chart#8
kylehounslow merged 1 commit into
feat/helm-chartsfrom
feat/helm-anon-auth

Conversation

@kylehounslow

@kylehounslow kylehounslow commented Mar 20, 2026

Copy link
Copy Markdown
Owner

Summary

Ports the existing anonymous authentication feature from docker-compose to the Helm chart so Kubernetes deployments can skip the OpenSearch Dashboards login page (useful for demos, workshops, shared dev environments).

Closes #5

Changes

File Description
values.yaml Added anonymousAuth.enabled (default: false), global.anonymousAuth.enabled, securityConfig reference, dashboards anon auth config
templates/opensearch-security-config.yaml New — Secret with config.yml (templated anonymous_auth_enabled), roles.yml, roles_mapping.yml
templates/init-dashboards-job.yaml Added OPENSEARCH_ANONYMOUS_AUTH_ENABLED env var
files/init-opensearch-dashboards.py Synced with docker-compose version — ANONYMOUS_AUTH_ENABLED env var + conditional anonymous role in workspace allowedRoles
tests/anonymous_auth_test.yaml New — 6 helm-unittest tests covering both enabled/disabled states
README.md Documented feature in Key Values + dedicated Anonymous Authentication section
terraform/aws/observability-stack.tf Wired var.anonymous_auth → Helm release

How it works

  1. OpenSearch security config — A custom Secret (opensearch-security-config) contains the 3 security plugin files. config.yml has anonymous_auth_enabled templated from .Values.anonymousAuth.enabled. The anonymous role/mapping files are always included (harmless when disabled — the role exists but is never assigned).

  2. OpenSearch Dashboards config — Uses the subchart's tpl() rendering to conditionally set opensearch_security.auth.anonymous_auth_enabled and savedObjects.permission.enabled via global.anonymousAuth.enabled.

  3. Init script — Reads OPENSEARCH_ANONYMOUS_AUTH_ENABLED env var (passed from the Job template) and conditionally adds opendistro_security_anonymous_role to workspace allowedRoles.

  4. Terraformvar.anonymous_auth (already defined but unwired) now sets both anonymousAuth.enabled and global.anonymousAuth.enabled on the Helm release.

Usage

helm install obs-stack charts/observability-stack \
  --set anonymousAuth.enabled=true \
  --set global.anonymousAuth.enabled=true

Both values must be set: anonymousAuth.enabled controls umbrella chart templates (security Secret, init job), while global.anonymousAuth.enabled is needed by the dashboards subchart config which uses tpl() and can only access .Values.global.*.

Testing

  • helm lint — passes for both enabled/disabled
  • helm unittest — all 35 tests pass (7 suites, including 6 new anonymous auth tests)
  • helm template — verified correct rendering for both states:
    • Default: anonymous_auth_enabled: false, savedObjects.permission.enabled: true, env var "false"
    • Enabled: anonymous_auth_enabled: true, savedObjects.permission.enabled: false, env var "true"

Future improvement

The dual --set requirement is a UX friction point. Could be eliminated by moving the dashboards config into a custom umbrella chart ConfigMap template instead of relying on the subchart's tpl() rendering.

Kiro/claude on behalf of @kylehounslow

@kylehounslow
feat: add anonymous authentication support to Helm chart
43e2e98 
Port anonymous auth from docker-compose to Helm/K8s deployment.
Closes #5.

Changes:
- Add anonymousAuth.enabled toggle in values.yaml (default: false)
- Create opensearch-security-config Secret with config.yml, roles.yml,
  roles_mapping.yml — anonymous_auth_enabled templated from values
- Update OpenSearch Dashboards config with anonymous_auth_enabled and
  conditional savedObjects.permission.enabled via global values + tpl
- Sync init script with docker-compose version (ANONYMOUS_AUTH_ENABLED
  env var, conditional anonymous role in workspace allowedRoles)
- Pass OPENSEARCH_ANONYMOUS_AUTH_ENABLED env var to init-dashboards Job
- Wire up Terraform anonymous_auth variable to Helm release
- Add 6 helm-unittest tests covering both enabled/disabled states
- Document usage in chart README

Usage:
  helm install obs-stack charts/observability-stack \
    --set anonymousAuth.enabled=true \
    --set global.anonymousAuth.enabled=true

Kiro/claude on behalf of @kylehounslow
@kylehounslow kylehounslow merged commit 00169ec into feat/helm-charts Mar 20, 2026
kylehounslow added a commit that referenced this pull request Mar 21, 2026
@kylehounslow
Revert "Merge pull request #8 from kylehounslow/feat/helm-anon-auth"
86baf96 
This reverts commit 00169ec, reversing
changes made to d33c863.
kylehounslow added a commit that referenced this pull request Mar 30, 2026
@kylehounslow
Revert "Merge pull request #8 from kylehounslow/feat/helm-anon-auth"
698f291 
This reverts commit 00169ec, reversing
changes made to d33c863.
kylehounslow added a commit that referenced this pull request Apr 10, 2026
@kylehounslow
Revert "Merge pull request #8 from kylehounslow/feat/helm-anon-auth"
408a50a 
This reverts commit 00169ec, reversing
changes made to d33c863.
Signed-off-by: Kyle Hounslow <kylhouns@amazon.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

feat: Add anonymous authentication support to Helm chart / Kubernetes deployment

1 participant

@kylehounslow