[BUG] What are the ways to enable ssl hot reload?
Jerrimikkihvatai opened this issue · 1 comments
What is the bug?
Firstly, I appreciate the developers' work on this project.
However, certificate rotation is one of the most painful things about this operator.
According to this issue there is a bug with configuring plugins.security.XXX.
I am trying to set plugins.security.ssl_cert_reload_enabled: "true", but obviously to no avail.
There are several ways to configure OpenSearch:
- via opensearch.conf (It seems that the operator generates it itself, and settings from OpenSearchCluster.spec.general.additionalConfig go into environment variables)
- via envs (Here is a clear statement that plugins.security.XXX should be configured by opensearch.yml)
- via API (if I try to execute

      PUT _cluster/settings
      {
        "persistent": {
          "plugins.security.ssl_cert_reload_enabled": true
        }
      }

  I get this error

      {
        "error": {
          "root_cause": [
            {
              "type": "illegal_argument_exception",
              "reason": "persistent setting [plugins.security.ssl_cert_reload_enabled], not dynamically updateable"
            }
          ],
          "type": "illegal_argument_exception",
          "reason": "persistent setting [plugins.security.ssl_cert_reload_enabled], not dynamically updateable"
        },
        "status": 400
      }

  which says that I can't set this var via the API)
How can one reproduce the bug?
Try to enable plugins.security.ssl_cert_reload_enabled: "true" in your deployment.
What is the expected behavior?
I expect to successfully set SSL hot reload.
Do you have any additional context?
Seems that such important settings should be available to be configured.
I see two ways of it:
- Create a field in the CRD that enables hot certificate reload
- Set OpenSearchCluster.spec.general.additionalConfig directly into opensearch.yml, not into the envs
Am I wrong, or is there any way to enable cert reloading? If yes, it should be described in the docs.
[Triage]
Thanks for opening the issue. There is a similar issue in the past, #308, on updating the additionalConfig to opensearch.yml. @Jerrimikkihvatai, is it possible for you to contribute to fix the bug?
Not all values that are part of opensearch.yml are supported via env, so there needs to be a way to load the additionalConfig to opensearch.yml.
Thank you
@swoehrl-mw @getsaurabh02
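A check for the situation described in the issue above, as an added example that is not code from the issue or from the operator project: it recognizes the "not dynamically updateable" rejection quoted in the issue and lists the nodes whose reported settings do not enable certificate reload. It assumes the node settings come from `GET _nodes/settings?flat_settings=true`; the node ids, node names and that sample response are constructed.

```python
import json

SETTING = "plugins.security.ssl_cert_reload_enabled"

# Error body returned by PUT _cluster/settings, copied from the issue.
PUT_ERROR = json.loads("""
{"error": {"root_cause": [{"type": "illegal_argument_exception",
   "reason": "persistent setting [plugins.security.ssl_cert_reload_enabled], not dynamically updateable"}],
  "type": "illegal_argument_exception",
  "reason": "persistent setting [plugins.security.ssl_cert_reload_enabled], not dynamically updateable"},
 "status": 400}
""")

# Constructed sample of GET _nodes/settings?flat_settings=true (ids and names are made up).
NODES_INFO = json.loads("""
{"nodes": {
  "id-a": {"name": "sample-node-0", "settings": {"plugins.security.ssl_cert_reload_enabled": "true"}},
  "id-b": {"name": "sample-node-1", "settings": {"plugins.security.ssl_cert_reload_enabled": "false"}},
  "id-c": {"name": "sample-node-2", "settings": {"cluster.name": "sample"}}}}
""")


def is_static_setting_rejection(body, setting=SETTING):
    """True when the cluster settings API refused `setting` because it is static."""
    if body.get("status") != 400:
        return False
    err = body.get("error", {})
    causes = err.get("root_cause", []) + [err]
    return any(
        c.get("type") == "illegal_argument_exception"
        and f"[{setting}]" in c.get("reason", "")
        and "not dynamically updateable" in c.get("reason", "")
        for c in causes
    )


def nodes_without_reload(nodes_info, setting=SETTING):
    """Names of nodes whose reported settings do not set `setting` to true."""
    missing = []
    for node_id, node in nodes_info.get("nodes", {}).items():
        value = node.get("settings", {}).get(setting)
        if str(value).lower() != "true":  # absent (None) counts as not enabled
            missing.append(node.get("name", node_id))
    return sorted(missing)


if __name__ == "__main__":
    print("static setting, needs node config:", is_static_setting_rejection(PUT_ERROR))
    print("nodes without cert reload:", nodes_without_reload(NODES_INFO))
```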