opensearch-project/opensearch-k8s-operator

[BUG] What are the ways to enable ssl hot reload?

Jerrimikkihvatai opened this issue · 1 comments

What is the bug?

Firstly, I appreciate the developers' work on this project.
However, certificate rotation is one of the most painful things about this operator

According to this issue there is a bug with configuring plugins.security.XXX
I am trying to set plugins.security.ssl_cert_reload_enabled: "true" but obviously to no avail.
There are several ways to configure opensearch:

  • via opensearch.conf (Seems that operator generates it itself, and settings from OpenSearchCluster.spec.general.additionalConfig are going into environment variables)
  • via envs (Here is a clear statement that plugins.security.XXX should be configured by opensearch.yml)
  • via api (if I try to execute
PUT _cluster/settings
{
  "persistent" : {
    "plugins.security.ssl_cert_reload_enabled": true
  }
}

I get this error

{
  "error": {
    "root_cause": [
      {
        "type": "illegal_argument_exception",
        "reason": "persistent setting [plugins.security.ssl_cert_reload_enabled], not dynamically updateable"
      }
    ],
    "type": "illegal_argument_exception",
    "reason": "persistent setting [plugins.security.ssl_cert_reload_enabled], not dynamically updateable"
  },
  "status": 400
}

that says that I can't set this var via api)

How can one reproduce the bug?

Try to enable plugins.security.ssl_cert_reload_enabled: "true" in your deployment

What is the expected behavior?

I expect to successfully set ssl hot reload

Do you have any additional context?

Seems that such important settings should be available to be configured.
I see two ways of it:

  1. Create a field in the CRD that enables hot certificate reload
  2. Set OpenSearchCluster.spec.general.additionalConfig directly into opensearch.yml, not into the envs

Am I wrong or is there any way to enable cert reloading? If yes, it should be described in docs

[Triage]
Thanks for opening the issue. There is a similar issue from the past, #308, on updating the additionalConfig to opensearch.yml. @Jerrimikkihvatai, is it possible for you to contribute a fix for the bug?
Not all values that are part of opensearch.yml are supported via env, so there needs to be a way to load the additionalConfig into opensearch.yml.
Thank you
@swoehrl-mw @getsaurabh02
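A pre-deployment check for the situation reported in this thread, as an added example that is not code from the operator or from either commenter. It assumes, as the report states, that `spec.general.additionalConfig` ends up in environment variables and that `plugins.security.*` settings only take effect from opensearch.yml; the function names and the sample manifest are constructed for illustration.

```python
import json
import re

# Assumption taken from the report: settings under this prefix only take
# effect from opensearch.yml, while additionalConfig is rendered as env vars.
FILE_ONLY_PREFIX = "plugins.security."
_STATIC_RE = re.compile(r"setting \[([^\]]+)\], not dynamically updateable")

# Error body as quoted in the issue.
_REASON = ("persistent setting [plugins.security.ssl_cert_reload_enabled], "
           "not dynamically updateable")
SAMPLE_ERROR = json.dumps({
    "error": {
        "root_cause": [{"type": "illegal_argument_exception", "reason": _REASON}],
        "type": "illegal_argument_exception",
        "reason": _REASON,
    },
    "status": 400,
})

# Constructed manifest, already parsed into a dict (not from the page).
SAMPLE_CLUSTER = {
    "kind": "OpenSearchCluster",
    "metadata": {"name": "demo"},
    "spec": {"general": {"additionalConfig": {
        "plugins.security.ssl_cert_reload_enabled": "true",
        "cluster.routing.allocation.disk.threshold_enabled": "false",
    }}},
}

def rejected_static_settings(response_body):
    """Names that a _cluster/settings error response reports as static."""
    err = json.loads(response_body).get("error", {})
    reasons = [err.get("reason", "")]
    reasons += [c.get("reason", "") for c in err.get("root_cause", [])]
    return {m.group(1) for r in reasons for m in _STATIC_RE.finditer(r)}

def flag_additional_config(cluster, known_static=()):
    """additionalConfig keys that, per the report, will not be honoured."""
    cfg = cluster.get("spec", {}).get("general", {}).get("additionalConfig") or {}
    return sorted(k for k in cfg
                  if k.startswith(FILE_ONLY_PREFIX) or k in known_static)

if __name__ == "__main__":
    static = rejected_static_settings(SAMPLE_ERROR)
    for key in flag_additional_config(SAMPLE_CLUSTER, static):
        print(f"WARNING: {key} must be set in opensearch.yml, not via env/API")
```

Running a check like this in CI surfaces a silently ignored certificate-reload setting before a certificate rotation depends on it.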