
fix: run OpenSearch security setup on every container start#1641

Open
TejasQ wants to merge 1 commit into main from fix-opensearch-auth

Conversation


@TejasQ TejasQ commented May 20, 2026

Problem

setup-security.sh (which applies the OIDC config and role mappings via securityadmin) was only executed once — at initial container creation. On any docker compose restart or --force-recreate, it was never called again, leaving OpenSearch without the OIDC/JWT authentication config. This caused all JWT-authenticated requests (ingestion, search) to return 401 Unauthorized.

Root cause chain:

  1. Container restart → setup-security.sh skipped → OIDC config not applied
  2. If JWKS was previously empty (e.g. wrong JWT_SIGNING_KEY format), OpenSearch cached the empty key set and never re-fetched, making JWT auth permanently broken until a restart
  3. After restart → same problem repeats

Fix

Override the OpenSearch container entrypoint in docker-compose.yml to run setup-security.sh on every start:

opensearch-docker-entrypoint.sh opensearch & setup-security.sh; wait

OpenSearch starts in the background, setup-security.sh waits for it to be ready then applies the OIDC config, and wait keeps the container alive. This is idempotent: re-applying the config has no side effects.

Also adds --build to the dev-cpu make target to ensure local image changes are picked up.

Test plan

  • docker compose restart opensearch → JWT auth still works after restart
  • docker compose up -d --force-recreate opensearch → JWT auth works on fresh container
  • Ingestion of URLs and PDFs succeeds after restart

Summary by CodeRabbit

  • Chores
    • Updated CPU-only development environment to rebuild Docker images on startup for consistency
    • OpenSearch service now automatically initializes security configuration during container startup
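The entrypoint override in the description has the shape "service & setup; wait". The following is an added example, not code from this PR or from the project, of the same pattern written as two shell functions: the service is started in the background, a readiness probe is polled with a bound on how long it may take, the one-shot setup step is run, and a failed setup stops the service so the container exits instead of staying up without its security configuration. The OpenSearch paths in the usage comment are the ones from the PR; the curl probe and the function names are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the PR): an entrypoint wrapper in the spirit of
# "opensearch-docker-entrypoint.sh opensearch & setup-security.sh; wait",
# but one that propagates setup failures. All command names are parameters.

# wait_for_ready PID PROBE_CMD TIMEOUT_SECONDS
# Polls PROBE_CMD once a second until it exits 0. Returns 1 early if the
# service process has already died, or once TIMEOUT_SECONDS have elapsed,
# so the setup step never blocks forever behind a service that will not come up.
wait_for_ready() {
    local pid=$1 probe=$2 timeout=$3 elapsed=0
    while ! eval "$probe" >/dev/null 2>&1; do
        if ! kill -0 "$pid" 2>/dev/null; then
            echo "service (pid $pid) exited before becoming ready" >&2
            return 1
        fi
        if [ "$elapsed" -ge "$timeout" ]; then
            echo "gave up waiting for readiness after ${timeout}s" >&2
            return 1
        fi
        sleep 1
        elapsed=$((elapsed + 1))
    done
    return 0
}

# run_with_setup SERVICE_CMD PROBE_CMD SETUP_CMD TIMEOUT_SECONDS
# Equivalent to "SERVICE_CMD & SETUP_CMD; wait", except that a failed readiness
# wait or a failed SETUP_CMD stops the service and returns 1, so the container
# exits instead of appearing healthy without its security configuration.
# On success the return status is the service's own exit status.
run_with_setup() {
    local service=$1 probe=$2 setup=$3 timeout=$4 pid
    eval "$service" &
    pid=$!
    if ! wait_for_ready "$pid" "$probe" "$timeout" || ! eval "$setup"; then
        kill "$pid" 2>/dev/null
        wait "$pid" 2>/dev/null
        return 1
    fi
    wait "$pid"
}

# Usage in a container entrypoint (paths from the PR; the probe is hypothetical):
# run_with_setup \
#     "/usr/share/opensearch/opensearch-docker-entrypoint.sh opensearch" \
#     "curl -sfk https://localhost:9200/" \
#     "/usr/share/opensearch/setup-security.sh" 120
```

Because the setup step is re-run on every start, this only works when the setup script is idempotent, which the description states securityadmin's config application is. Bounding the readiness wait matters as much as the fail-fast chain: without it, a service that crashes during bootstrap would leave the setup step waiting indefinitely.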



coderabbitai Bot commented May 20, 2026

Walkthrough

This PR updates the CPU-only development environment to rebuild Docker images on stack startup and configures OpenSearch to run security initialization during container startup. The Makefile adds the --build flag to Docker Compose invocation, while docker-compose.yml adds a custom entrypoint to the OpenSearch service that sets up security before the service is fully ready.

Changes

CPU Development Environment Setup

Layer / File(s) | Summary
CPU dev stack rebuild behavior (Makefile) | The dev-cpu target now invokes Docker Compose with the --build flag to ensure images are rebuilt when starting the stack.
OpenSearch security initialization (docker-compose.yml) | The OpenSearch service defines a custom entrypoint that runs the official entrypoint script in the background and executes setup-security.sh before waiting for process completion.

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested labels

bug

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled.
Title check | ✅ Passed | The title accurately describes the main change: adding security setup execution on every OpenSearch container start, which is the core fix for the authentication issue.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.



@github-actions github-actions Bot added community docker bug 🔴 Something isn't working. labels May 20, 2026
@TejasQ TejasQ requested review from lucaseduoli and mpawlow and removed request for mpawlow May 20, 2026 17:59
@github-actions github-actions Bot added bug 🔴 Something isn't working. and removed bug 🔴 Something isn't working. labels May 20, 2026

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docker-compose.yml`:
- Line 17: The container startup currently ignores failures from
setup-security.sh because the command uses a semicolon and a trailing wait;
change the startup command so that a failure in
/usr/share/opensearch/setup-security.sh causes the container to exit (e.g.,
chain the scripts with && or enable exit-on-error before running them) so that
"/usr/share/opensearch/opensearch-docker-entrypoint.sh opensearch" runs only if
setup-security.sh succeeds; update the invocation around
opensearch-docker-entrypoint.sh and setup-security.sh to use a failing-safe
chain (for example replace the semicolon with && or add set -e) so
setup-security.sh failures are not ignored.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 3af6438d-0a25-47ca-8f61-93b2a3c33cd9

📥 Commits

Reviewing files that changed from the base of the PR and between e9f1695 and 5befb0d.

📒 Files selected for processing (2)
  • Makefile
  • docker-compose.yml

Comment thread docker-compose.yml
entrypoint:
  - /bin/bash
  - -c
  - "/usr/share/opensearch/opensearch-docker-entrypoint.sh opensearch & /usr/share/opensearch/setup-security.sh; wait"


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Fail fast when setup-security.sh fails (currently failure is ignored).

At Line 17, setup-security.sh is followed by ; wait, so a failed security setup does not fail container startup. That can leave OpenSearch running without OIDC/JWT config while appearing up.

Suggested fix
-      - "/usr/share/opensearch/opensearch-docker-entrypoint.sh opensearch & /usr/share/opensearch/setup-security.sh; wait"
+      - "/usr/share/opensearch/opensearch-docker-entrypoint.sh opensearch & os_pid=$$!; /usr/share/opensearch/setup-security.sh || { kill $$os_pid; wait $$os_pid; exit 1; }; wait $$os_pid"
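Review bot: the suggested line keeps the only workable ordering (OpenSearch first, setup-security.sh once it is up, then `wait $$os_pid` so the container's exit status follows OpenSearch), and `$$` is the Compose escape for a literal `$`, so the shell sees `$!` and `$os_pid` as intended; the AI-agent prompt text below, however, describes the reverse ("opensearch runs only if setup-security.sh succeeds"), which cannot work because securityadmin needs a running node to apply the config to, so the diff rather than the prompt wording should be followed. One gap remains in the suggestion: if opensearch-docker-entrypoint.sh exits before the node becomes ready, setup-security.sh's readiness wait (the description says it waits for OpenSearch to be ready) has nothing to wait for, and the `||` branch is only reached once that wait gives up; the script should bound its wait, e.g. with a timeout or a `kill -0` check on the OpenSearch pid inside its polling loop, so the container fails promptly rather than hanging.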
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docker-compose.yml` at line 17, The container startup currently ignores
failures from setup-security.sh because the command uses a semicolon and a
trailing wait; change the startup command so that a failure in
/usr/share/opensearch/setup-security.sh causes the container to exit (e.g.,
chain the scripts with && or enable exit-on-error before running them) so that
"/usr/share/opensearch/opensearch-docker-entrypoint.sh opensearch" runs only if
setup-security.sh succeeds; update the invocation around
opensearch-docker-entrypoint.sh and setup-security.sh to use a failing-safe
chain (for example replace the semicolon with && or add set -e) so
setup-security.sh failures are not ignored.
