Cannot set additionalConfig using opensearch-k8s-operator

Opensearch operator version: 2.6.1
Opensearch version: 2.14.0

I am attempting to set the parameter plugins.security.ssl_cert_reload_enabled: true on a test cluster. I’ve added the parameter under the general section

general:
    additionalConfig:
         plugins.security.ssl_cert_reload_enabled: "true"

However, when I shell into a running container, I do not see my change reflected in the /usr/share/opensearch/config/opensearch.yml file. Additionally I cannot perform the api call to hot reload certificates (which this parameter should have enabled).

curl -k -u admin:admin -XPUT https://localhost:9200/_plugins/_security/api/ssl/transport/reloadcerts

{"status":"FORBIDDEN","message":"Access denied"}

Do parameters added to the additionalConfig sections of general and nodePools get added directly to the opensearch.yml file? If not, how do I see what the settings are for each node (calling _node/settings also did not show me my parameter)?

So, I see my issue with connecting to the api. I needed to supply the admin certs like so

curl -k --cert ./tls.crt --key ./tls.key -XPUT https://localhost:9200/_plugins/_security/api/ssl/transport/reloadcerts

{"message":"updated transport certs"}

My question still stands howerver . . . When you set the additionConfig parameter, where is this change reflected if not in the opensearch.yml config file? How can I see my changes on my nodes?

Hi @k.rudolph,

judging from the response looks like your settings were updated successfully, have you tried checking opensearch.yml (cat /path/to/opensearch/config/opensearch.yml or grep "plugins.security.ssl_cert_reload_enabled" /path/to/opensearch/config/opensearch.yml)

Some of the settings you can check:

GET _cluster/settings
GET _nodes/[node_id]/settings

Best,
mj

I was able to find the additionalConfig parameters. They do not get stored in /usr/share/opensearch/config/opnesearch.yml file. The parameters are set as environment variables (i.e. path.security.ssl_cert_reload_enabled=true) and passed to the opensearch binary through the entrypoint script ~/opensearch-docker-entrypoint.sh

1 Like

If you use k8s-operator to deploy a cluster, you must have helm charts so it’s possible to add additionalConfig parameters using yaml files.