refactor: look up OpenSearch admin password from credentials secret #60

Merged
nilushancosta merged 1 commit into openchoreo:main from rashadism:main
Mar 19, 2026

@rashadism rashadism commented Mar 19, 2026

Summary

  • Remove openSearchCluster.adminPassword Helm value from both logs and tracing modules; use Helm lookup to read the password from the existing credentials secret at install time
  • Remove RCA report index templates and ISM policies from the logs OpenSearch setup script
  • Bump chart versions: logs 0.3.9 → 0.3.10, tracing 0.3.7 → 0.3.8

Summary by CodeRabbit

  • Documentation

    • Updated installation and deployment documentation with credentials secret configuration guidance
  • Chores

    • Helm chart versions bumped (observability-logs-opensearch to 0.3.10, observability-tracing-opensearch to 0.3.8)
    • Credential handling now retrieves OpenSearch admin passwords from external Kubernetes Secrets instead of direct chart configuration
    • Removed RCA reports index templates and automated setup lifecycle management from OpenSearch deployments

coderabbitai bot commented Mar 19, 2026

📥 Commits

Reviewing files that changed from the base of the PR and between 6ae2dc4 and dc72872.

📒 Files selected for processing (10)
  • observability-logs-opensearch/README.md
  • observability-logs-opensearch/helm/Chart.yaml
  • observability-logs-opensearch/helm/templates/opensearch-cluster/secrets.yaml
  • observability-logs-opensearch/helm/templates/opensearch-setup-logs/job.yaml
  • observability-logs-opensearch/helm/values.yaml
  • observability-logs-opensearch/init/setup-opensearch.sh
  • observability-tracing-opensearch/README.md
  • observability-tracing-opensearch/helm/Chart.yaml
  • observability-tracing-opensearch/helm/templates/opensearch-cluster/secrets.yaml
  • observability-tracing-opensearch/helm/values.yaml

Walkthrough

The PR updates observability Helm charts across two modules by switching from inline admin passwords to referenced Kubernetes credentials secrets, bumps chart versions (logs: 0.3.9→0.3.10; tracing: 0.3.7→0.3.8), removes RCA report index templates and ISM policies from the logs module, and updates documentation to reflect these changes.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Chart Version Bumps: observability-logs-opensearch/helm/Chart.yaml, observability-tracing-opensearch/helm/Chart.yaml | Updated version and appVersion fields to reflect new releases (logs: 0.3.9→0.3.10; tracing: 0.3.7→0.3.8). |
| Credentials Secret Refactoring: observability-logs-opensearch/helm/templates/opensearch-cluster/secrets.yaml, observability-tracing-opensearch/helm/templates/opensearch-cluster/secrets.yaml | Replaced inline .Values.openSearchCluster.adminPassword with Kubernetes Secret lookup via .Values.openSearchCluster.credentialsSecretName. Added validation to fail installation if the referenced Secret is missing; extracts and base64-decodes the password field from the Secret for bcrypt hashing. |
| Configuration Value Cleanup: observability-logs-opensearch/helm/values.yaml, observability-tracing-opensearch/helm/values.yaml | Removed openSearchCluster.adminPassword and (logs-only) openSearchSetup.dataRetentionTime.rcaReports configuration entries. |
| RCA Reports Removal: observability-logs-opensearch/init/setup-opensearch.sh, observability-logs-opensearch/helm/templates/opensearch-setup-logs/job.yaml | Deleted RCA-report index template definition, ISM policy definition, and corresponding entries from their respective arrays; removed RCA_REPORTS_MIN_INDEX_AGE environment variable from the setup Job. |
| Documentation Updates: observability-logs-opensearch/README.md, observability-tracing-opensearch/README.md | Updated Helm deployment examples to include openSearchCluster.credentialsSecretName="opensearch-admin-credentials" and clarified that admin password is sourced from the credentials Secret; bumped documented chart versions in all command examples. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

Suggested reviewers

  • nilushancosta
  • akila-i

Poem

🐰 Secrets whispered in a vault so deep,
No plain passwords for charts to keep!
RCA reports bound away with cheer,
Versions bumped—new charts are here! 🌟

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately describes the main refactoring: switching from a chart-provided password value to dynamically looking up the password from an existing credentials secret. |
| Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%. |


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In
`@observability-logs-opensearch/helm/templates/opensearch-cluster/secrets.yaml`:
- Line 9: The template reads {{- $password := index $secret.data "password" |
b64dec }} without validating the key; change this to first capture the encoded
value (index $secret.data "password") and wrap it with Helm's required helper to
assert presence/non-empty, e.g. use required "clear error message" (index
$secret.data "password") and then b64dec the result to produce $password, and
apply the same pattern for the other password reference on line 18; this will
cause the install to fail fast with a clear message before generating
internal_users.yml.

In
`@observability-tracing-opensearch/helm/templates/opensearch-cluster/secrets.yaml`:
- Line 9: The template assumes the Secret key "password" exists and decodes it
directly; update the assignments that reference secret.data "password" (the
$password variables at the shown locations) to validate presence and
non-emptiness before b64dec so the template fails with a clear message instead
of producing an empty/invalid value—use Helm's required (or hasKey + required)
around the indexed value and only then pipe to b64dec, and apply the same change
to the other occurrence noted (line 18 equivalent).

📥 Commits

Reviewing files that changed from the base of the PR and between 76b8903 and 6ae2dc4.

📒 Files selected for processing (10)
  • observability-logs-opensearch/README.md
  • observability-logs-opensearch/helm/Chart.yaml
  • observability-logs-opensearch/helm/templates/opensearch-cluster/secrets.yaml
  • observability-logs-opensearch/helm/templates/opensearch-setup-logs/job.yaml
  • observability-logs-opensearch/helm/values.yaml
  • observability-logs-opensearch/init/setup-opensearch.sh
  • observability-tracing-opensearch/README.md
  • observability-tracing-opensearch/helm/Chart.yaml
  • observability-tracing-opensearch/helm/templates/opensearch-cluster/secrets.yaml
  • observability-tracing-opensearch/helm/values.yaml
💤 Files with no reviewable changes (3)
  • observability-tracing-opensearch/helm/values.yaml
  • observability-logs-opensearch/helm/templates/opensearch-setup-logs/job.yaml
  • observability-logs-opensearch/helm/values.yaml
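
The validation requested in the review above, written out as a Helm template. This is an added illustration, not the chart's actual secrets.yaml; the output Secret name and the internal_users.yml layout are assumptions, while the value name, the `password` key and the "before" line are taken from the review text.

```yaml
{{- /* Added illustration, not the chart's actual secrets.yaml.
       Assumed: the output Secret name and the internal_users.yml layout. */}}
{{- $name := required "openSearchCluster.credentialsSecretName is required" .Values.openSearchCluster.credentialsSecretName }}
{{- /* lookup returns an empty map when the object is absent, and also when
       Helm renders without a cluster (helm template, client-side dry run). */}}
{{- $secret := lookup "v1" "Secret" .Release.Namespace $name }}
{{- if not $secret }}
{{- fail (printf "credentials Secret %q not found in namespace %q" $name .Release.Namespace) }}
{{- end }}
{{- /* Before: $password := index $secret.data "password" | b64dec
       After: assert the key exists and is non-empty, then decode. */}}
{{- $data := $secret.data | default dict }}
{{- $encoded := required (printf "Secret %q is missing a non-empty 'password' key" $name) (index $data "password") }}
{{- $password := $encoded | b64dec }}
apiVersion: v1
kind: Secret
metadata:
  name: example-opensearch-securityconfig  # hypothetical name
  namespace: {{ .Release.Namespace }}
type: Opaque
stringData:
  internal_users.yml: |
    _meta:
      type: "internalusers"
      config_version: 2
    admin:
      hash: {{ $password | bcrypt | quote }}
      reserved: true
      backend_roles:
        - "admin"
```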

Remove the openSearchCluster.adminPassword Helm value and instead use
Helm's lookup function to read the password directly from the
credentialsSecretName secret at install time. Also remove RCA report
index templates and ISM policies from the logs setup script.

Signed-off-by: Rashad Sirajudeen <rashad@wso2.com>
@nilushancosta nilushancosta merged commit 7f5067e into openchoreo:main Mar 19, 2026
5 checks passed