stackabletech · siegfriedweber · Mar 27, 2026 · Mar 31, 2026 · Mar 31, 2026 · Mar 31, 2026
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,12 @@ All notable changes to this project will be documented in this file.
 
 ## [Unreleased]
 
+### Added
+
+- Support hot-reloading of security configuration files ([#130]).
+
+[#130]: https://github.com/stackabletech/opensearch-operator/pull/130
+
 ## [26.3.0] - 2026-03-16
 
 ## [26.3.0-rc1] - 2026-03-16

diff --git a/docs/modules/opensearch/examples/getting_started/opensearch-security-config.yaml b/docs/modules/opensearch/examples/getting_started/opensearch-security-config.yaml
diff --git a/docs/modules/opensearch/pages/usage-guide/monitoring.adoc b/docs/modules/opensearch/pages/usage-guide/monitoring.adoc
@@ -29,10 +29,12 @@ To make the metrics accessible for all users, especially Prometheus, anonymous a
 ----
 ---
 apiVersion: v1
-kind: Secret
+kind: ConfigMap
 metadata:
-  name: opensearch-security-config
-stringData:
+  name: custom-opensearch-security-config
+  annotations:
+    restarter.stackable.tech/ignore: "true"
+data:
   config.yml: |
     ---
     _meta:

diff --git a/docs/modules/opensearch/pages/usage-guide/security.adoc b/docs/modules/opensearch/pages/usage-guide/security.adoc
@@ -144,6 +144,31 @@ spec:
 
 If this role group is not defined, it will be created by the operator.
 
+[IMPORTANT]
+====
+Settings managed by the operator are hot-reloaded when changed, i.e. without pod restarts.
+However, if those settings are provided via ConfigMap or Secret, updates will normally trigger a restart.
+To prevent that restart, add the following annotation:
+
+[source,yaml]
+----
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: security-config
+  annotations:
+    restarter.stackable.tech/ignore: "true"
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: security-config
+  annotations:
+    restarter.stackable.tech/ignore: "true"
+----
+====
+
 == TLS
 
 TLS is also managed by the OpenSearch security plugin, therefore TLS is only available if the security plugin was not disabled.

diff --git a/docs/modules/opensearch/pages/usage-guide/upgrade.adoc b/docs/modules/opensearch/pages/usage-guide/upgrade.adoc
@@ -1,6 +1,35 @@
 = SDP upgrade notes
 :description: Instructions for upgrading the SDP versions.
 
+== Upgrade from SDP 26.3 to 26.7
+
+=== Hot-reloading of security settings
+
+The security settings defined in the cluster specification are now stored in a separate ConfigMap named `<cluster-name>-security-config`.
+If you used this name for your custom security configuration, then you must rename it.
+Otherwise the operator will override it.
+
+The operator now supports hot-reloading of security settings.
+If those settings are provided via ConfigMap or Secret, then the annotation `restarter.stackable.tech/ignore: "true"` should be added to avoid restarts triggered by the restart controller:
+
+[source,yaml]
+----
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: security-config
+  annotations:
+    restarter.stackable.tech/ignore: "true"
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: security-config
+  annotations:
+    restarter.stackable.tech/ignore: "true"
+----
+
 == Upgrade from SDP 25.11 to 26.3
 
 When upgrading the OpenSearch operator from SDP 25.11 to 26.3, you may encounter several warnings and errors in the operator logs.

diff --git a/rust/operator-binary/src/controller/build.rs b/rust/operator-binary/src/controller/build.rs
@@ -33,9 +33,12 @@ pub fn build(names: &ContextNames, cluster: ValidatedCluster) -> KubernetesResou
         listeners.push(role_group_builder.build_listener());
     }
 
-    if let Some(discovery_config_map) = role_builder.build_discovery_config_map() {
+    if let Some(discovery_config_map) = role_builder.build_maybe_discovery_config_map() {
         config_maps.push(discovery_config_map);
     }
+    if let Some(security_config_map) = role_builder.build_maybe_security_config_map() {
+        config_maps.push(security_config_map);
+    }
     services.push(role_builder.build_seed_nodes_service());
     listeners.push(role_builder.build_discovery_service_listener());
 
@@ -90,7 +93,7 @@ mod tests {
             role_utils::GenericProductSpecificCommonConfig,
             types::{
                 common::Port,
-                kubernetes::{Hostname, ListenerClassName, NamespaceName},
+                kubernetes::{Hostname, ListenerClassName, NamespaceName, SecretClassName},
                 operator::{
                     ClusterName, ControllerName, OperatorName, ProductName, ProductVersion,
                     RoleGroupName,
@@ -134,7 +137,8 @@ mod tests {
                 "my-opensearch",
                 "my-opensearch-nodes-cluster-manager",
                 "my-opensearch-nodes-coordinating",
-                "my-opensearch-nodes-data"
+                "my-opensearch-nodes-data",
+                "my-opensearch-security-config"
             ],
             extract_resource_names(&resources.config_maps)
         );
@@ -209,7 +213,11 @@ mod tests {
                 ),
             ]
             .into(),
-            ValidatedSecurity::Disabled,
+            ValidatedSecurity::ManagedByApi {
+                settings: v1alpha1::SecuritySettings::default(),
+                tls_server_secret_class: None,
+                tls_internal_secret_class: SecretClassName::from_str_unsafe("tls"),
+            },
             vec![],
             Some(ValidatedDiscoveryEndpoint {
                 hostname: Hostname::from_str_unsafe("1.2.3.4"),