I am having problems logistically trying to understand the order of operation for locking down OpenSearch with my own supplied certificates (from a 3rd party).
This is where I need some conceptual help.
I have 4 pods running, master, data, client, dashboard.
I want to secure the dashboard with my own certificate.
Everything is deployed via Helm (branch: 1.0.0, https://github.com/opensearch-project/helm-charts.git)
I created a Kubernetes secret with my public certificate, intermediate chain and private key:
kubectl create secret generic iots-cert --from-file=sandbox.my.domain.chain --from-file=sandbox.my.domain.pub --from-file=sandbox.my.domain.key
This is where conceptually I need help.
If I enable TLS on the dashboard, do I need to do anything with the master, data and client pods?
- Technically, are they not only reachable from within the cluster?
- I don’t think I need to do anything outside of the default
- Do each of the master, data and client need ingresses?
- I don’t think so, as they are all on the same cluster
This is what I have done to enable TLS, but I get an error message when the dashboard starts up.
    secretMounts:
      - name: iots-cert
        secretName: iots-cert
        path: /usr/share/dashboards/certs

    config:
      ## Default OpenSearch Dashboards configuration from docker image of Dashboards
      opensearch_dashboards.yml:
        server:
          name: dashboards
          host: 0.0.0.0
          ## Dashboards TLS Config (Ensure the cert files are present before enabling SSL)
          ssl:
            enabled: true
            key: /usr/share/dashboards/certs/sandbox.my.domain.key
            certificate: /usr/share/dashboards/certs/sandbox.my.domain.pub
        # determines how dashboards will verify certificates (needs to be none for default opensearch certificates to work)
        opensearch:
          ssl:
            certificateAuthorities: /usr/share/dashboards/certs/sandbox.my.domain.chain

    ingress:
      enabled: true
      annotations:
        kubernetes.io/ingress.class: nginx
        kubernetes.io/tls-acme: "true"
      hosts:
        - host: kibana.ingress.sandboxbsh-a.iotdevk8s.shoot.canary.k8s.domain.com
          paths:
            - path: /
              backend:
                serviceName: opensearch-cluster-client
                servicePort: 9200
                # servicePort: 80
      tls:
        - secretName: iots-cert
          hosts:
            - logs-test.sandbox.my.domain
Unfortunately, this yields this error:
{"type":"log","@timestamp":"2021-11-29T22:00:28Z","tags":["error","opensearch","data"],"pid":1,"message":"[ConnectionError]: unable to verify the first certificate"}
If I comment out the config section, I can ssh into the box and verify the 3 sandbox files are present and accounted for.
I have also verified the contents of these files are correct.
For troubleshooting, I reversed the pub and the chain, and I got a clear error at startup, so I know I have those correct.
So I am not sure if this error is referring to the certs I have specified, or to when it tries to use those certs to possibly access other components in the setup.
Given that the error message indicates "data", I wasn't sure if it is an error trying to reach a data node.
Though, I thought Kibana (Dashboards) only accesses the master and never a data node directly.
Any suggestions?
Thank you,
David