Bring your own certificate using Helm (OpenSearch) with separate pods

I am having problems logistically trying to understand the order of operations for locking down OpenSearch with my own supplied certificates (from a 3rd party).

This is where I need some conceptual help.

I have 4 pods running, master, data, client, dashboard.
I want to secure the dashboard with my own certificate.

Everything is deployed via Helm (branch: 1.0.0,

I created a Kubernetes secret with my public certificate, intermediate chain and private key:

```sh
kubectl create secret generic iots-cert
```

This is where conceptually I need help.

If I enable TLS on the dashboard, do I need to do anything with the master, data and client pods?

  • Technically, are they not only reachable from within the cluster?
    • I don’t think I need to do anything outside of the default
  • Do each of the master, data and client need ingresses?
    • I don’t think so, as they are all on the same cluster

This is what I have done to enable TLS, but I get an error message when the dashboard starts up.

```yaml
# Note on layout: the section keys (secretMounts, config/opensearch_dashboards.yml,
# server/ssl, opensearch/ssl, ingress/hosts/paths/backend/tls) were lost when the
# post was formatted and are restored here from the chart's values.yaml layout;
# the two annotation keys are assumed from the chart's commented defaults.
# The blank host and the file names after certs/ were blank in the post.
secretMounts:
  - name: iots-cert
    secretName: iots-cert
    path: /usr/share/dashboards/certs

config:
  ## Default OpenSearch Dashboards configuration from docker image of Dashboards
  opensearch_dashboards.yml: |
    server:
      name: dashboards

      ## Dashboards TLS Config (Ensure the cert files are present before enabling SSL)
      ssl:
        enabled: true
        key: /usr/share/dashboards/certs/
        certificate: /usr/share/dashboards/certs/

    # determines how dashboards will verify certificates (needs to be none for default opensearch certificates to work)
    opensearch:
      ssl:
        certificateAuthorities: /usr/share/dashboards/certs/

ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: nginx
    kubernetes.io/tls-acme: "true"
  hosts:
    - host:
      paths:
        - path: /
          backend:
            serviceName: opensearch-cluster-client
            servicePort: 9200
            # servicePort: 80
  tls:
    - secretName: iots-cert
```

Unfortunately, this yields this error:

```json
{"type":"log","@timestamp":"2021-11-29T22:00:28Z","tags":["error","opensearch","data"],"pid":1,"message":"[ConnectionError]: unable to verify the first certificate"}
```

If I comment out the config section, I can ssh into the box and verify the 3 sandbox files are present and accounted for.
I have also verified the contents of these files are correct.
For troubleshooting, I reversed the pub and the chain; I get a clear error at startup, so I know I have those correct.

So I am not sure if this error is referring to the certs I have specified, or to when it tries to use those certs to possibly access other components in the setup.
Given that the error message indicates "data", I wasn't sure if it is an error trying to reach a data node.
Though I thought Kibana (Dashboard) only accesses the master and never a data node directly.

Any suggestions?

Thank you,
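The error quoted in the post, "unable to verify the first certificate", is Node's wording for OpenSSL's X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: the TLS client (here the Dashboards process talking to OpenSearch, which the "opensearch" tag in the log points at) received a single certificate it could not chain to any configured CA. The script below is an added example, not the poster's configuration and not part of the OpenSearch Helm chart. It uses only the openssl CLI, builds a constructed root, intermediate and leaf chain (all CNs are made up), and reproduces the two mistakes that produce this class of error offline: verifying a bare leaf against a CA file that holds only the root, and assembling a PEM bundle with the intermediate in front of the leaf. The same checks can be run against the real files mounted under the secret path before enabling `server.ssl` or pointing `opensearch.ssl.certificateAuthorities` at a third-party CA.

```sh
#!/bin/sh
# Added example, not the original poster's config and not part of the
# OpenSearch Helm chart. Builds a constructed root -> intermediate -> leaf
# chain with the openssl CLI (all CNs are made up) and reproduces, offline,
# the two mistakes that surface as "unable to verify the first certificate":
# a verifier that only knows the root while the peer presents a bare leaf,
# and a PEM bundle assembled in the wrong order.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal config so the demo does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name = dn\n[dn]\n[v3_ca]\nbasicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\n' \
  > "$WORK/openssl.cnf"

# csr <subject> <key-out> <csr-out>: fresh P-256 key and signing request.
csr() {
  openssl req -new -config "$WORK/openssl.cnf" -newkey ec \
    -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -subj "$1" -keyout "$2" -out "$3" 2>/dev/null
}

make_chain() {
  # Root CA: self-signed and explicitly marked as a CA.
  openssl req -x509 -config "$WORK/openssl.cnf" -extensions v3_ca \
    -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -days 1 \
    -subj "/CN=Demo Root CA" -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  # Intermediate CA, issued by the root.
  csr "/CN=Demo Intermediate CA" "$WORK/int.key" "$WORK/int.csr"
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 1 -extfile "$WORK/openssl.cnf" -extensions v3_ca \
    -out "$WORK/int.pem" 2>/dev/null
  # Leaf, issued by the intermediate: the certificate a server would present.
  csr "/CN=dashboards.example.internal" "$WORK/leaf.key" "$WORK/leaf.csr"
  printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:dashboards.example.internal\n' \
    > "$WORK/leaf.ext"
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 1 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null
  # Bundle as a server must present it (leaf first), and the common mistake.
  cat "$WORK/leaf.pem" "$WORK/int.pem" > "$WORK/fullchain.pem"
  cat "$WORK/int.pem" "$WORK/leaf.pem" > "$WORK/reversed.pem"
}

# verify_leaf <trusted-ca.pem> <cert.pem> [untrusted-intermediates.pem]
# Same chain building a TLS client does against its certificateAuthorities.
# Prints "ok", "missing-intermediate", or "fail: <openssl output>".
verify_leaf() {
  if [ -n "${3:-}" ]; then
    out="$(openssl verify -CAfile "$1" -untrusted "$3" "$2" 2>&1)" || true
  else
    out="$(openssl verify -CAfile "$1" "$2" 2>&1)" || true
  fi
  case "$out" in
    *": OK") echo ok ;;
    *"unable to verify the first certificate"*|*"unable to get local issuer certificate"*)
      echo missing-intermediate ;;
    *) echo "fail: $out" ;;
  esac
}

# nth_cert <bundle.pem> <n>: print only the n-th PEM certificate block.
nth_cert() {
  awk -v n="$2" '/-----BEGIN CERTIFICATE-----/ { c++ }
                 c == n { print }
                 /-----END CERTIFICATE-----/ && c == n { exit }' "$1"
}

# bundle_order_ok <bundle.pem>: "ok" when the first certificate was issued by
# the second (leaf, then its intermediate), "wrong-order" otherwise.
bundle_order_ok() {
  issuer1="$(nth_cert "$1" 1 | openssl x509 -noout -issuer | sed 's/^issuer=//')"
  subject2="$(nth_cert "$1" 2 | openssl x509 -noout -subject | sed 's/^subject=//')"
  if [ "$issuer1" = "$subject2" ]; then echo ok; else echo wrong-order; fi
}

make_chain
echo "leaf vs root only:          $(verify_leaf "$WORK/root.pem" "$WORK/leaf.pem")"
echo "leaf vs root+intermediate:  $(verify_leaf "$WORK/root.pem" "$WORK/leaf.pem" "$WORK/int.pem")"
echo "fullchain.pem order:        $(bundle_order_ok "$WORK/fullchain.pem")"
echo "reversed.pem order:         $(bundle_order_ok "$WORK/reversed.pem")"
```

The first check is the one that matters for the `opensearch.ssl.certificateAuthorities` side: if the OpenSearch nodes present a certificate from a different issuer than the file that setting points at, the client fails exactly as in the log, whatever the dashboard's own `server.ssl` files contain. The second check catches a `server.ssl.certificate` bundle whose leaf is not first, which is what swapping "the pub and the chain" changes.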