
@chideat
Collaborator

@chideat chideat commented Jan 14, 2026

Summary by CodeRabbit

  • Documentation
    • Added a comprehensive guide for setting and updating OpenSearch admin passwords across scenarios: initial custom-password setup, transitioning from built-in to custom credentials, and updating existing custom passwords.
    • Covers creating and configuring credential secrets, password hashing, applying security config changes, expected pod behavior (when pods roll vs remain running), built-in users, and security considerations.


Copilot AI review requested due to automatic review settings January 14, 2026 07:12
@coderabbitai
Contributor

coderabbitai bot commented Jan 14, 2026

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Walkthrough

New documentation added describing how to set and update the OpenSearch admin password: initial configuration with custom admin password, updating when a custom password already exists, and enabling/updating custom passwords on clusters without prior custom configuration. Includes appendix on built-in users and security considerations.

Changes

| Cohort / File(s) | Summary |
|---|---|
| OpenSearch Admin Password Documentation: `docs/en/solutions/ecosystem/opensearch/How_to_update_opensearch_admin_password.md` | Added a guide covering: creating an OpenSearchCluster with a custom admin password (secrets, hashing, securityconfig), updating passwords when a custom password exists (update secrets and securityconfig; Job applies config without pod restart), and enabling/updating custom passwords when none existed (create secrets, hash password, modify internal_users.yml, CR update; Job applies config and pods roll). Appendix on built-in users and security notes. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Poem

🐰 I hopped to the docs with a nibble and cheer,

I tucked in the secrets so logins are clear,
A hash and a secret, a Job to apply,
Now OpenSearch sleeps safe beneath moonlit sky,
🥕🔐

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'docs: added OpenSearch admin password guide' clearly and concisely describes the main change—adding documentation about OpenSearch admin password management. It is specific, relevant, and accurately reflects the changeset. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |



🧹 Recent nitpick comments
docs/en/solutions/ecosystem/opensearch/How_to_update_opensearch_admin_password.md (3)

23-23: Consider using a placeholder instead of "admin123" for password examples.

The documentation uses "admin123" throughout as an example password. While warnings about production environments exist, users might copy these examples directly. Consider using placeholders like <your-secure-password> or adding an explicit note that "admin123" is only for demonstration and should never be used in any environment.

📝 Example with placeholder
-kubectl -n <namespace> create secret generic admin-credentials-secret --from-literal=username=admin --from-literal=password=admin123
+kubectl -n <namespace> create secret generic admin-credentials-secret --from-literal=username=admin --from-literal=password=<your-secure-password>
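Review bot: on the `+` line, `--from-literal=password=<your-secure-password>` still passes the password as a command-line argument, so whatever the reader substitutes is recorded in shell history and is visible in the process list while the command runs. Suggest showing `--from-file=password=./password.txt` instead (with a file that has no trailing newline, since kubectl stores the file content verbatim), and keeping the placeholder only in the prose.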

Also applies to: 74-74, 156-156


115-115: Clarify "0/1 status" terminology for better understanding.

The phrase "0/1 status" may be unclear to readers less familiar with Kubernetes. Consider expanding this to "0/1 status (pods not ready)" or "will show 0 out of 1 containers ready" for clarity.

📝 Proposed clarification
-> If you only modified `securityconfig-secret`, all pods in the instance will enter `0/1` status. In this case, revert the changes and wait for the instance to return to `green` status before trying again.
+> If you only modified `securityconfig-secret`, all pods in the instance will show `0/1` status (not ready). In this case, revert the changes and wait for the instance to return to `green` status before trying again.

172-172: Add guidance for clusters without masters node pool.

The command assumes a pod named <instance-name>-masters-0 exists. Some OpenSearch clusters may use different node types or naming conventions. Consider adding a note about how to identify the correct pod name or provide alternative commands.

💡 Suggested addition

Add a note before or after line 172:

> **Note**: Replace `<instance-name>-masters-0` with an appropriate pod from your cluster. You can list available pods with:
> ```bash
> kubectl -n <namespace> get pods -l opster.io/opensearch-cluster=<instance-name>
> ```

📜 Recent review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 97026cf and c9e4c51.

📒 Files selected for processing (1)
  • docs/en/solutions/ecosystem/opensearch/How_to_update_opensearch_admin_password.md


Contributor

Copilot AI left a comment


Pull request overview

This pull request adds comprehensive documentation for setting and updating OpenSearch admin passwords. The guide covers three main scenarios: creating a cluster with custom passwords, updating passwords when custom passwords are already configured, and updating passwords when using default credentials.

Changes:

  • Added a complete guide for managing OpenSearch admin passwords with step-by-step instructions
  • Included Python commands for generating password hashes using bcrypt
  • Documented security best practices and warnings about production password management


…h_admin_password.md

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@docs/en/solutions/ecosystem/opensearch/How_to_update_opensearch_admin_password.md`:
- Around line 35-37: The Python bcrypt example currently uses prefix=b"2a" which
produces $2a$ hashes, while the YAML examples use $2y$; change the inline
command to use prefix=b"2y" (i.e., bcrypt.gensalt(12, prefix=b"2y")) so the
generated hash format matches the YAML examples, and verify the example bcrypt
output strings in the document match the new $2y$ prefix for consistency.
🧹 Nitpick comments (4)
docs/en/solutions/ecosystem/opensearch/How_to_update_opensearch_admin_password.md (4)

67-80: Clarify that kibanaserver should use a different password than admin.

While line 56 recommends a "separate complex password for kibanaserver," the example in line 74 uses the same admin123 password shown earlier for the admin user. The note on line 79 should explicitly state that the kibanaserver password should be different from the admin password to reinforce security best practices.

📝 Suggested clarification
 > **Note**:
 >
-> - Replace `admin123` with your new password.
+> - Replace `admin123` with a different password than the admin user (should match the kibanaserver password set in internal_users.yml).
 > - If you have already created `dashboards-credentials-secret`, skip this step.
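Review bot: the parenthetical on the `+` line says the password "should match the kibanaserver password set in internal_users.yml", but per this guide that file carries a `hash` field, not the password itself. Suggest wording it as the password whose bcrypt hash is set for `kibanaserver` in `internal_users.yml`, and splitting the two requirements (different from the admin password; consistent with that hash) into separate bullets.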

118-125: Consider adding a reminder to generate the new password hash.

The instructions mention updating the hash in internal_users.yml (line 120) but don't explicitly remind users to generate the new hash using the Python bcrypt command shown in Section 1.2. Users might forget this step and try to manually edit the hash.

📝 Suggested addition

Add a reminder before step 1:

+   - First, generate the new password hash using the Python command from Section 1.2:
+     ```bash
+     python3 -c 'import bcrypt; print(bcrypt.hashpw("newpassword".encode("utf-8"), bcrypt.gensalt(12, prefix=b"2a")).decode("utf-8"))'
+     ```
+
 1. **Update `securityconfig-secret`**
    - Generate the new password hash.
    - Modify `internal_users.yml` in the Secret to update the `hash` field.
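Review bot: the added command uses `prefix=b"2a"`, which contradicts the actionable comment in this same review asking for `prefix=b"2y"`; settle on one before merging, keeping in mind that `gensalt` in the Python bcrypt package accepts only `b"2a"` and `b"2b"`. The command also embeds the password as a literal (`"newpassword"`), which ends up in shell history; prompting with `getpass.getpass()` avoids that. The new bullet repeats the existing "Generate the new password hash." item, so it could replace that item rather than precede step 1.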

169-179: Add guidance for finding the correct pod name and reference security warnings.

Line 172 uses <instance-name>-masters-0 as a placeholder, but users might not know how to find their actual instance name. Additionally, the extracted internal_users.yml will contain all built-in users with default passwords (as noted in the Appendix), but there's no reminder to review and update those passwords.

📝 Suggested improvements
 Export the `internal_users.yml` file from a running OpenSearch instance Pod.

+First, find your OpenSearch master pod name:
+```bash
+kubectl -n <namespace> get pods -l opensearch.role=master
+```
+
+Then extract the internal_users.yml file (replace `<pod-name>` with the actual pod name):
+
 ```bash
-kubectl -n <namespace> exec <instance-name>-masters-0 -- cat config/opensearch-security/internal_users.yml > internal_users.yml
+kubectl -n <namespace> exec <pod-name> -- cat config/opensearch-security/internal_users.yml > internal_users.yml

-Modify the hash field in the internal_users.yml file to update the admin user's password. Then create the Secret:
+Modify the hash field in the internal_users.yml file to update the admin user's password. Important: Review the Appendix for security warnings about other built-in users and their default passwords. Then create the Secret:
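Review bot: the selector added here, `-l opensearch.role=master`, is not the one proposed for the same step in the earlier nitpick (`-l opster.io/opensearch-cluster=<instance-name>`); confirm which labels the operator actually sets on the pods and use one selector throughout. The redirected `internal_users.yml` also leaves the password hashes of every built-in user in a local file, so the step should say to delete it once the Secret has been created.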

204-223: Excellent security guidance in the Appendix.

The comprehensive table of built-in users and the strong security warnings are valuable additions to this documentation. The warnings about changing default passwords and disabling unused accounts follow security best practices.

Optional enhancement: Consider mentioning in Section 1.4 (around line 69) that `kibanaserver` is a service account that cannot be used for UI login, which is why the admin account is still needed for administrative access. This information from line 211 would help users understand why both accounts are necessary.

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b739efb3937b5fbb82a9316860bb83126c14ce53 and 97026cf9f0040691237d62319a290d766150252b.

📒 Files selected for processing (1)
  • docs/en/solutions/ecosystem/opensearch/How_to_update_opensearch_admin_password.md

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Cleanup artifacts

🔇 Additional comments (1)
docs/en/solutions/ecosystem/opensearch/How_to_update_opensearch_admin_password.md (1)

1-228: Well-structured and comprehensive documentation.

This guide provides clear, step-by-step instructions for managing OpenSearch admin passwords across different scenarios. The warnings about operational impacts (such as pod restart behavior and the critical requirement to update both secrets simultaneously) are particularly valuable. The security warnings in the Appendix demonstrate good awareness of security best practices.

The documentation will help users avoid common pitfalls when managing OpenSearch credentials in Kubernetes environments.

…h_admin_password.md

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
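
A pre-flight check for the hash-prefix mismatch raised in the review above, as an added example that is not part of the PR or the guide: it scans an `internal_users.yml` for `hash` fields and flags entries that are not well-formed bcrypt, carry a prefix other than the expected one, or use a cost below the `12` in the guide's command. The sample file, its filler hashes, the `example_*` users and the function names are constructed for illustration; the expected prefix is a parameter, not a statement of what OpenSearch requires.

```python
import re

# Modular-crypt bcrypt layout: $<version>$<2-digit cost>$<22-char salt + 31-char digest>
BCRYPT_RE = re.compile(r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{53})$")
FILLER = "x" * 53  # constructed placeholder, not a real salt and digest
# Constructed sample; the example_* users are hypothetical.
SAMPLE = f"""\
_meta:
  type: "internalusers"
admin:
  hash: "$2y$12${FILLER}"
kibanaserver:
  hash: "$2a$12${FILLER}"
example_low_cost:
  hash: "$2y$10${FILLER}"
example_plaintext:
  hash: "admin123"
"""


def read_hashes(yaml_text):
    """Return {user: hash} from a minimal line scan (no YAML library needed)."""
    users, current = {}, None
    for line in yaml_text.splitlines():
        top = re.match(r"^([A-Za-z0-9_.-]+):\s*$", line)
        if top:  # unindented "name:" starts a new top-level entry
            current = top.group(1)
            continue
        field = re.match(r"^\s+hash:\s*(.*)$", line)
        if field and current:
            users[current] = field.group(1).strip().strip("\"'")
    return users


def lint_hashes(yaml_text, expected_prefix="2y", min_cost=12):
    """Return (user, problem) pairs for hashes that deviate from the expectation."""
    findings = []
    for user, value in read_hashes(yaml_text).items():
        m = BCRYPT_RE.match(value)
        if not m:
            findings.append((user, "not a well-formed 60-character bcrypt hash"))
            continue
        if m.group(1) != expected_prefix:
            findings.append((user, f"prefix ${m.group(1)}$ != ${expected_prefix}$"))
        if int(m.group(2)) < min_cost:
            findings.append((user, f"cost {m.group(2)} is below {min_cost}"))
    return findings

if __name__ == "__main__":
    for user, problem in lint_hashes(SAMPLE):
        print(f"{user}: {problem}")
```

Running it against the file exported from the pod, before the Secret is created or updated, catches a pasted plaintext password or a mixed-prefix file while it is still a local edit.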