stackabletech · labrenbe · Dec 11, 2025 · Nov 21, 2025 · Nov 28, 2025 · Dec 10, 2025
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,11 +6,13 @@ All notable changes to this project will be documented in this file.
 
 ### Added
 
-- Add the role group as a node attribute ([#63]).
 - Allow the configuration of TLS for the HTTP and TRANSPORT ports with the operator ([#55]).
+- Add the role group as a node attribute ([#63]).
+- Allow adding entries to the OpenSearch keystore ([#76]).
 
 [#55]: https://github.com/stackabletech/opensearch-operator/pull/55
 [#63]: https://github.com/stackabletech/opensearch-operator/pull/63
+[#76]: https://github.com/stackabletech/opensearch-operator/pull/76
 
 ## [25.11.0] - 2025-11-07
 

diff --git a/deploy/helm/opensearch-operator/crds/crds.yaml b/deploy/helm/opensearch-operator/crds/crds.yaml
@@ -30,11 +30,46 @@ spec:
               properties:
                 clusterConfig:
                   default:
+                    keystore: []
                     tls:
                       internalSecretClass: tls
                       serverSecretClass: tls
                   description: Configuration that applies to all roles and role groups
                   properties:
+                    keystore:
+                      default: []
+                      description: Entries to add to the OpenSearch keystore.
+                      items:
+                        properties:
+                          key:
+                            description: Key in the OpenSearch keystore
+                            minLength: 1
+                            pattern: ^[A-Za-z0-9_\-.]+$
+                            type: string
+                          secretKeyRef:
+                            description: Reference to the Secret containing the value which will be stored in the OpenSearch keystore
+                            properties:
+                              key:
+                                description: Key in the Secret that contains the value
+                                maxLength: 253
+                                minLength: 1
+                                pattern: ^[-._a-zA-Z0-9]+$
+                                type: string
+                              name:
+                                description: Name of the Secret
+                                maxLength: 253
+                                minLength: 1
+                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                                type: string
+                            required:
+                              - key
+                              - name
+                            type: object
+                        required:
+                          - key
+                          - secretKeyRef
+                        type: object
+                      type: array
                     tls:
                       default:
                         internalSecretClass: tls

diff --git a/docs/modules/opensearch/pages/usage-guide/keystore.adoc b/docs/modules/opensearch/pages/usage-guide/keystore.adoc
@@ -0,0 +1,37 @@
+= Add entries to the OpenSearch Keystore
+:description: Add entries to the OpenSearch Keystore
+
+The OpenSearch keystore provides secure storage for sensitive configuration settings such as credentials and API keys.
+You can populate the keystore by referencing Secrets within your OpenSearch configuration.
+
+[source,yaml]
+----
+---
+apiVersion: opensearch.stackable.tech/v1alpha1
+kind: OpenSearchCluster
+metadata:
+  name: opensearch
+spec:
+  clusterConfig:
+    keystore:
+    - key: s3.client.default.access_key # <1>
+      secretKeyRef:
+        name: s3-credentials # <2>
+        key: accessKey # <3>
+    - key: s3.client.default.secret_key
+      secretKeyRef:
+        name: s3-credentials
+        key: secretKey
+...
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: s3-credentials
+stringData:
+  accessKey: my-access-key
+  secretKey: my-secret-key
+----
+<1> The key in the OpenSearch keystore which corresponds to a setting in OpenSearch (e.g. `s3.client.default.access_key`).
+<2> The name of the Secret containing the value
+<3> The key within that Secret
diff --git a/docs/modules/opensearch/partials/nav.adoc b/docs/modules/opensearch/partials/nav.adoc
@@ -10,6 +10,7 @@
 ** xref:opensearch:usage-guide/logging.adoc[]
 ** xref:opensearch:usage-guide/opensearch-dashboards.adoc[]
 ** xref:opensearch:usage-guide/scaling.adoc[]
+** xref:opensearch:usage-guide/keystore.adoc[]
 ** xref:opensearch:usage-guide/security.adoc[]
 ** xref:opensearch:usage-guide/operations/index.adoc[]
 *** xref:opensearch:usage-guide/operations/cluster-operations.adoc[]

diff --git a/rust/operator-binary/src/controller.rs b/rust/operator-binary/src/controller.rs
@@ -171,6 +171,7 @@ pub struct ValidatedCluster {
     pub role_config: GenericRoleConfig,
     pub role_group_configs: BTreeMap<RoleGroupName, OpenSearchRoleGroupConfig>,
     pub tls_config: v1alpha1::OpenSearchTls,
+    pub keystores: Vec<v1alpha1::OpenSearchKeystore>,
 }
 
 impl ValidatedCluster {
@@ -184,6 +185,7 @@ impl ValidatedCluster {
         role_config: GenericRoleConfig,
         role_group_configs: BTreeMap<RoleGroupName, OpenSearchRoleGroupConfig>,
         tls_config: v1alpha1::OpenSearchTls,
+        keystores: Vec<v1alpha1::OpenSearchKeystore>,
     ) -> Self {
         let uid = uid.into();
         ValidatedCluster {
@@ -201,6 +203,7 @@ impl ValidatedCluster {
             role_config,
             role_group_configs,
             tls_config,
+            keystores,
         }
     }
 
@@ -507,6 +510,7 @@ mod tests {
             ]
             .into(),
             v1alpha1::OpenSearchTls::default(),
+            vec![],
         )
     }
 

diff --git a/rust/operator-binary/src/controller/build.rs b/rust/operator-binary/src/controller/build.rs
@@ -199,6 +199,7 @@ mod tests {
             ]
             .into(),
             v1alpha1::OpenSearchTls::default(),
+            vec![],
         )
     }
 

diff --git a/rust/operator-binary/src/controller/build/node_config.rs b/rust/operator-binary/src/controller/build/node_config.rs
@@ -502,6 +502,7 @@ mod tests {
             )]
             .into(),
             v1alpha1::OpenSearchTls::default(),
+            vec![],
         );
 
         NodeConfig::new(

diff --git a/rust/operator-binary/src/controller/build/role_builder.rs b/rust/operator-binary/src/controller/build/role_builder.rs
@@ -315,6 +315,7 @@ mod tests {
             )]
             .into(),
             v1alpha1::OpenSearchTls::default(),
+            vec![],
         );
 
         RoleBuilder::new(cluster, context_names)
-Original file line number
+Diff line change
@@ Expand Up / @@ -199,6 +199,7 @@ mod tests { @@
                 ]
                 .into(),
                 v1alpha1::OpenSearchTls::default(),
+                vec![],
             )
         }
@@ Expand Down @@