Deploy/security: added OIDC config for OpenSearch.

Author: vladd-bit

deploy/elasticsearch.env

@@ -112,6 +112,13 @@ ELASTICSEARCH_BOOTSTRAP_MEMORY_LOCK=true
 #  system_call_filter | https://en.wikipedia.org/wiki/Seccomp
 ELASTICSEARCH_SYSTEM_CALL_FILTER=false
 
+####### OpenID Connect (OpenSearch Security) #######
+# Values used by: security/es_roles/opensearch/config.yml (openid_auth_domain)
+ELASTICSEARCH_OPENID_CONNECT_URL="https://keycloak.example.com:8080/auth/realms/master/.well-known/openid-configuration"
+ELASTICSEARCH_OPENID_REQUIRED_AUDIENCE="your-openid-client-id"
+ELASTICSEARCH_OPENID_SUBJECT_KEY="preferred_username"
+ELASTICSEARCH_OPENID_ROLES_KEY="roles"
+
 ####### This section is for AD user authentication #######
 
 # example: network.xyz.uk

security/es_roles/opensearch/config.yml

@@ -85,6 +85,20 @@ config:
         ###### and here https://tools.ietf.org/html/rfc7239
         ###### and https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Remote_IP_Valve
     authc:
+      openid_auth_domain:
+        http_enabled: true
+        transport_enabled: true
+        order: 0
+        http_authenticator:
+          type: openid
+          challenge: false
+          config:
+            subject_key: preferred_username
+            roles_key: roles
+            openid_connect_url: https://keycloak.example.com:8080/auth/realms/master/.well-known/openid-configuration
+            required_audience: your-openid-client-id
+        authentication_backend:
+          type: noop
       kerberos_auth_domain:
         http_enabled: false
         transport_enabled: false