Can OpenSearch detect updates to TLS certificates?

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
2.11.1

Describe the issue:
We run OpenSearch and OpenSearch Dashboards in a Kubernetes environment using Docker containers. We are looking to integrate the cert-manager service to handle automatic updates to TLS certificates within the environment. Are OpenSearch and Dashboards set up in a way that they can detect these updates and apply the new certificate automatically, or does a hard restart of the services need to happen? If a restart is necessary, are there any considerations we would need to know about? Thanks

Hi @jpelletier_2023 ,

Yes, the restart is necessary as far as I am aware.

Some of the things to consider:

  • Disable shard allocation.

    cluster.routing.allocation.enable: "primaries"

    Enables or disables allocation for specific kinds of shards:
    – “all” – Allows shard allocation for all types of shards.
    – “primaries” – Allows shard allocation for primary shards only.
    – “new_primaries” – Allows shard allocation for primary shards for new indexes only.
    – “none” – No shard allocations are allowed for any indexes.
    – Default is “all”.
    See options here: Cluster settings - OpenSearch Documentation

  • Stop the tasks associated with active machine learning jobs and data-feeds

  • Restart

Best,
mj

Hi @jpelletier_2023,

Have done some more research; you should check here: https://opensearch.org/docs/latest/security/access-control/api/#reload-transport-certificates

Best,
mj
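
As an added example (not code from any poster in this thread or from the OpenSearch project), this is one way a scheduled job could call the reload API linked above only when cert-manager has actually rewritten the mounted certificate. The file paths, the state file, the node URL and the admin client certificate are assumptions, as is certificate reloading being enabled on the node (`plugins.security.ssl_cert_reload_enabled: true` in 2.x).

```python
import base64, hashlib, pathlib, re, ssl, urllib.request

# Reload endpoints as documented in the OpenSearch security API reference.
RELOAD_PATHS = ("/_plugins/_security/api/ssl/transport/reloadcerts",
                "/_plugins/_security/api/ssl/http/reloadcerts")
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def leaf_fingerprint(pem_text):
    """SHA-256 over the DER bytes of the first (leaf) certificate in a PEM bundle."""
    match = PEM_RE.search(pem_text)
    if match is None:
        raise ValueError("no certificate found in PEM data")
    return hashlib.sha256(base64.b64decode("".join(match.group(1).split()))).hexdigest()

def pending_fingerprint(cert_path, state_path):
    """Fingerprint of the mounted cert if it differs from the last one reloaded, else None."""
    current = leaf_fingerprint(pathlib.Path(cert_path).read_text())
    state = pathlib.Path(state_path)   # hypothetical state file kept by this job
    previous = state.read_text().strip() if state.exists() else None
    return None if current == previous else current

def reload_certs(base_url, admin_cert, admin_key, ca_file):
    """PUT both reload endpoints, authenticating with an admin client certificate."""
    ctx = ssl.create_default_context(cafile=ca_file)   # keep server verification on
    ctx.load_cert_chain(admin_cert, admin_key)
    for path in RELOAD_PATHS:
        req = urllib.request.Request(base_url.rstrip("/") + path, method="PUT")
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            resp.read()   # urlopen raises HTTPError on 4xx/5xx, so a failure aborts here

def run_once(cert_path, state_path, reload=reload_certs, **conn):
    """One scheduled tick: reload only when the cert changed; record it only on success."""
    fingerprint = pending_fingerprint(cert_path, state_path)
    if fingerprint is None:
        return False
    reload(**conn)   # an exception leaves the state file untouched, so the next tick retries
    pathlib.Path(state_path).write_text(fingerprint)
    return True
```

Because the fingerprint is written only after both PUT requests succeed, a failed reload is retried on the next run instead of being silently skipped.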

@Mantas Great, thank you for your response and resources.


Yes, OpenSearch and OpenSearch Dashboards can be set automatically by using cert-manager without using a hard reset.

Hi @raman004 ,
It would be really great if you could share the steps you followed for this. I assume you have used a Kubernetes CronJob to trigger the reloadcerts API.