This message was deleted.

The next big feature we have is a unified Auth system. The intention is to support SSO and have Opni as an auth proxy for both Opensearch and Cortex.

Is the unified Auth feature expected to be compatible with the existing Auth and RBAC that is currently in place for Opni Monitoring?

We won't make any guarantees about that, but I believe it should sit over the top of that existing one.

While we wait for the unified Auth system, do you think its possible to manually configure OIDC in Opster/OpenSearch w/Keycloak to control Opni Cluster-level Logging Access? This would hopefully allow us to avoid creating MulticlusterUser manifests w/explicit passwords as described here: https://github.com/rancher/opni-docs/blob/v0.10/docs/logging/user-management.md.

I will take a look tomorrow. Currently we have a wrapper CRD that configures machine-machine cert auth for Opensearch as well as created the Opster CRDs so I'd need to check the best way to pass the settings through.

👍

The OpniOpensearch custom resource is what we use to manage all the Opensearch settings. It has a field for SecurityConfig so you should be able to pass everything through there.

Thanks for getting back to me. I will try and investigate.