Cannot set additionalConfig using opensearch-k8s-operator

Opensearch operator version: 2.6.1
Opensearch version: 2.14.0

I am attempting to set the parameter plugins.security.ssl_cert_reload_enabled: true on a test cluster. I’ve added the parameter under the general section

general:
    additionalConfig:
         plugins.security.ssl_cert_reload_enabled: "true"

However, when I shell into a running container, I do not see my change reflected in the /usr/share/opensearch/config/opensearch.yml file. Additionally I cannot perform the api call to hot reload certificates (which this parameter should have enabled).

curl -k -u admin:admin -XPUT https://localhost:9200/_plugins/_security/api/ssl/transport/reloadcerts

{"status":"FORBIDDEN","message":"Access denied"}

Do parameters added to the additionalConfig sections of general and nodePools get added directly to the opensearch.yml file? If not, how do I see what the settings are for each node (calling _node/settings also did not show me my parameter)?

So, I see my issue with connecting to the api. I needed to supply the admin certs like so

curl -k --cert ./tls.crt --key ./tls.key -XPUT https://localhost:9200/_plugins/_security/api/ssl/transport/reloadcerts

{"message":"updated transport certs"}

My question still stands howerver . . . When you set the additionConfig parameter, where is this change reflected if not in the opensearch.yml config file? How can I see my changes on my nodes?

Hi @k.rudolph,

judging from the response looks like your settings were updated successfully, have you tried checking opensearch.yml (cat /path/to/opensearch/config/opensearch.yml or grep "plugins.security.ssl_cert_reload_enabled" /path/to/opensearch/config/opensearch.yml)

Some of the settings you can check:

GET _cluster/settings
GET _nodes/[node_id]/settings

Best,
mj

I was able to find the additionalConfig parameters. They do not get stored in /usr/share/opensearch/config/opnesearch.yml file. The parameters are set as environment variables (i.e. path.security.ssl_cert_reload_enabled=true) and passed to the opensearch binary through the entrypoint script ~/opensearch-docker-entrypoint.sh

1 Like

If you use k8s-operator to deploy a cluster, you must have helm charts so it’s possible to add additionalConfig parameters using yaml files.

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.