Disable TLS on Opensearch with Opensearch Operator based setup

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
Opensearch v2.14.0
Server OS: Ubuntu 22.04.2 LTS
Cluster: Onprem 3 node

Describe the issue:
Setting up OpenSearch in a k8s environment with the OpenSearch Operator approach.

  1. Setup of Operator via helm
  2. Setup of Opensearch-cluster by applying yaml file

I need to disable TLS on OpenSearch as I am using the Istio approach. I am able to disable it for OpenSearch Dashboards; however, I am not finding the right configuration to disable it on OpenSearch anywhere. I tried the configuration below; however, it failed with an unknown field error.

Error:

error: error validating "opensearch-cluster-extension-oidc.yaml": error validating data: [ValidationError(OpenSearchCluster.spec.security.config): unknown field "securityDisabled" in io.opster.opensearch.v1.OpenSearchCluster.spec.security.config, ValidationError(OpenSearchCluster.spec.security.tls.http): unknown field "enable" in io.opster.opensearch.v1.OpenSearchCluster.spec.security.tls.http]; if you choose to ignore these errors, turn validation off with --validate=false

Configuration:

#Minimal configuration of a cluster with version 2.X of the operator.
#Note the replacement of 'master' role with 'cluster_manager' on line 49
apiVersion: opensearch.opster.io/v1
kind: OpenSearchCluster
metadata:
  name: opensearch
  namespace: cloudmonitor
spec:
  security:
    config:
      securityDisabled: true
    tls:
      http:
        generate: false
        enable: false
      transport:
        generate: false
        perNode: false
        enable: false
  general:
    setVMMaxMapCount: false
    httpPort: 9200
    serviceName: opensearch
    version: 2.14.0
    pluginsList: ["repository-s3"]
    drainDataNodes: true
  dashboards:
    annotations:
      traffic.sidecar.istio.io/includeInboundPorts: "*"
      traffic.sidecar.istio.io/excludeOutboundPorts: "9200,9300"
      traffic.sidecar.istio.io/excludeInboundPorts: "9200,9300"
    tls:
      enable: false
      generate: true
    version: 2.14.0
    enable: true
    replicas: 1
    resources:
      requests:
         memory: "512Mi"
         cpu: "200m"
      limits:
         memory: "512Mi"
         cpu: "200m"
  nodePools:
    - component: masters

Relevant Logs or Screenshots:

error: error validating "opensearch-cluster-extension-oidc.yaml": error validating data: [ValidationError(OpenSearchCluster.spec.security.config): unknown field "securityDisabled" in io.opster.opensearch.v1.OpenSearchCluster.spec.security.config, ValidationError(OpenSearchCluster.spec.security.tls.http): unknown field "enable" in io.opster.opensearch.v1.OpenSearchCluster.spec.security.tls.http]; if you choose to ignore these errors, turn validation off with --validate=false

Hi @ar.shashikumar,

Why do you need to disable the http and transport layers? Where did you find the enable: false option for the transport and http layers?

According to your error message, the securityDisabled field is unknown. Could you please remove the securityDisabled field?

@Eugene7
We are integrating the Istio service mesh. With TLS set to false on OpenSearch Dashboards and an ingress created in the istio-system namespace, we were successful. However, when we browse OpenSearch, it fails with a TLS error, which is why I thought of disabling TLS for OpenSearch and trying it out.

I could not find the enable: false option for the transport and http layers documented anywhere. I was trying this approach, similar to OpenSearch Dashboards, and it complains with data: [ValidationError].

I tried removing both options one after the other.
With securityDisabled removed:

error: error validating "opensearch-cluster-extension-oidc.yaml": error validating data: [ValidationError(OpenSearchCluster.spec.security.tls.http): unknown field "enable" in io.opster.opensearch.v1.OpenSearchCluster.spec.security.tls.http, ValidationError(OpenSearchCluster.spec.security.tls.transport): unknown field "enable" in io.opster.opensearch.v1.OpenSearchCluster.spec.security.tls.transport]; if you choose to ignore these errors, turn validation off with --validate=false

With transport and http:

error: error validating "opensearch-cluster-extension-oidc.yaml": error validating data: [ValidationError(OpenSearchCluster.spec.security.tls.http): unknown field "enable" in io.opster.opensearch.v1.OpenSearchCluster.spec.security.tls.http, ValidationError(OpenSearchCluster.spec.security.tls.transport): unknown field "enable" in io.opster.opensearch.v1.OpenSearchCluster.spec.security.tls.transport]; if you choose to ignore these errors, turn validation off with --validate=false
#Minimal configuration of a cluster with version 2.X of the operator.
#Note the replacement of 'master' role with 'cluster_manager' on line 49
apiVersion: opensearch.opster.io/v1
kind: OpenSearchCluster
metadata:
  name: opensearch
  namespace: default
spec:
  security:
    config:
    tls:
      http:
        generate: false
        enable: false
      transport:
        generate: false
        perNode: false
        enable: false
  general:
    setVMMaxMapCount: false
    httpPort: 9200
    serviceName: opensearch
    version: 2.14.0
    pluginsList: ["repository-s3"]
    drainDataNodes: true
  dashboards:
    annotations:
      traffic.sidecar.istio.io/includeInboundPorts: "*"
      traffic.sidecar.istio.io/excludeOutboundPorts: "9200,9300"
      traffic.sidecar.istio.io/excludeInboundPorts: "9200,9300"
    tls:
      enable: false
      generate: true
    version: 2.14.0
    enable: true
    replicas: 1
    resources:
      requests:
         memory: "512Mi"
         cpu: "200m"
      limits:
         memory: "512Mi"
         cpu: "200m"
  nodePools:
    - component: masters
      replicas: 3
      resources:
         requests:
            memory: "8Gi"
            cpu: "4000m"
         limits:
            memory: "12Gi"
            cpu: "6000m"
      roles:
        - "cluster_manager"
      annotations:
        traffic.sidecar.istio.io/includeInboundPorts: "*"
        traffic.sidecar.istio.io/excludeOutboundPorts: "9200,9300"
        traffic.sidecar.istio.io/excludeInboundPorts: "9200,9300"
    - component: nodes
      replicas: 3
      resources:
         requests:
            memory: "8Gi"
            cpu: "4000m"
         limits:
            memory: "12Gi"
            cpu: "6000m"
      roles:
        - "data"
      annotations:
        traffic.sidecar.istio.io/includeInboundPorts: "*"
        traffic.sidecar.istio.io/excludeOutboundPorts: "9200,9300"
        traffic.sidecar.istio.io/excludeInboundPorts: "9200,9300"
    - component: coordinators
      replicas: 3
      resources:
         requests:
            memory: "8Gi"
            cpu: "4000m"
         limits:
            memory: "12Gi"
            cpu: "6000m"
      roles:
        - "ingest"
      annotations:
        traffic.sidecar.istio.io/includeInboundPorts: "*"
        traffic.sidecar.istio.io/excludeOutboundPorts: "9200,9300"
        traffic.sidecar.istio.io/excludeInboundPorts: "9200,9300"

Just to close the thread: I changed TLS to true and am able to access the dashboard with basic auth.

@ar.shashikumar Can you please share your config as well? I also want to completely remove TLS.

I didn't have to disable TLS, and it is not recommended. Here is the working opensearch.yml. Make changes as per your requirements.

#Minimal configuration of a cluster with version 2.X of the operator.
#Note the replacement of 'master' role with 'cluster_manager' on line 49
apiVersion: opensearch.opster.io/v1
kind: OpenSearchCluster
metadata:
  name: opensearch
  namespace: demo
spec:
  security:
    config:
      adminCredentialsSecret:
        name: admin-credentials-secret  # The secret with the admin credentials for the operator to use
      securityConfigSecret:
        name: securityconfig-secret  # The secret containing your customized securityconfig
    tls:
      http:
        generate: true
      transport:
        generate: true
        perNode: true
  general:
    setVMMaxMapCount: false
    httpPort: 9200
    serviceName: opensearch
    version: 2.14.0
    pluginsList: ["repository-s3"]
    drainDataNodes: true
    podSecurityContext:
      runAsUser: 1000
      runAsGroup: 1000
      runAsNonRoot: true
    securityContext:
      allowPrivilegeEscalation: false
      privileged: false
    additionalVolumes:
    - name: cachain
      path: /usr/share/opensearch/config/certs
      secret:
        defaultMode: 0700
        secretName: cachain
  dashboards:
    env:
      - name: CLIENT_ID
        valueFrom:
          secretKeyRef:
            name: os-client-id
            key: client-id
      - name: CLIENT_SECRET
        valueFrom:
          secretKeyRef:
            name: os-client-secret
            key: client-secret
    additionalConfig:
      logging.verbose: "true"
      opensearch.username: admin
      opensearch.password: password
      opensearch_security.openid.client_id: "${CLIENT_ID}"
      opensearch_security.openid.client_secret: "${CLIENT_SECRET}"
      opensearch.ssl.verificationMode: none
      opensearch.requestHeadersWhitelist: |
        ["securitytenant","Authorization","x-forwarded-for","x-auth-request-access-token", "x-auth-request-email", "x-auth-request-groups","id_token"]
      opensearch_security.auth.multiple_auth_enabled: "true"
      opensearch_security.auth.type: |
        ["openid", "basicauth"]
      opensearch_security.openid.base_redirect_url: "https://domain.com"
      opensearch_security.openid.connect_url: "https://login.microsoftonline.com/4d/v2.0/.well-known/openid-configuration"
    podSecurityContext:
      fsGroup: 1000
      runAsNonRoot: true
    securityContext:
      capabilities:
        drop:
        - ALL
      privileged: false
    additionalVolumes:
    - name: cachain
      path: /usr/share/opensearch/config/certs
      secret:
        defaultMode: 0700
        secretName: cachain
    opensearchCredentialsSecret:
      name: dashboards-credentials  # This is the name of your secret that contains the credentials for Dashboards to use
    annotations:
      traffic.sidecar.istio.io/includeInboundPorts: "*"
      traffic.sidecar.istio.io/excludeOutboundPorts: "9200,9300"
      traffic.sidecar.istio.io/excludeInboundPorts: "9200,9300"
    tls:
      enable: true
      generate: true
    version: 2.14.0
    enable: true
    replicas: 1
    resources:
      requests:
         memory: "512Mi"
         cpu: "200m"
      limits:
         memory: "512Mi"
         cpu: "200m"
  confMgmt:
    smartScaler: true
  nodePools:
    - component: masters
      pdb:
        enable: true
        minAvailable: 2
      replicas: 3
      jvm: -Xmx2G -Xms2G
      diskSize: "30Gi"
      resources:
         requests:
            memory: "4Gi"
            cpu: "1000m"
         limits:
            memory: "4Gi"
            cpu: "1000m"
      roles:
        - "data"
        - "cluster_manager"
      annotations:
        traffic.sidecar.istio.io/includeInboundPorts: "*"
        traffic.sidecar.istio.io/excludeOutboundPorts: "9200,9300"
        traffic.sidecar.istio.io/excludeInboundPorts: "9200,9300"
    - component: nodes
      replicas: 3
      jvm: -Xmx2G -Xms2G
      diskSize: "30Gi"
      resources:
         requests:
            memory: "4Gi"
            cpu: "2000m"
         limits:
            memory: "4Gi"
            cpu: "2000m"
      roles:
        - "data"
      annotations:
        traffic.sidecar.istio.io/includeInboundPorts: "*"
        traffic.sidecar.istio.io/excludeOutboundPorts: "9200,9300"
        traffic.sidecar.istio.io/excludeInboundPorts: "9200,9300"
    - component: coordinators
      replicas: 2
      jvm: -Xmx2G -Xms2G
      diskSize: "30Gi"
      resources:
         requests:
            memory: "4Gi"
            cpu: "2000m"
         limits:
            memory: "4Gi"
            cpu: "2000m"
      roles:
        - "ingest"
      annotations:
        traffic.sidecar.istio.io/includeInboundPorts: "*"
        traffic.sidecar.istio.io/excludeOutboundPorts: "9200,9300"
        traffic.sidecar.istio.io/excludeInboundPorts: "9200,9300"
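The rejected manifest at the top of the thread and the working one above differ in more than the unknown fields. The Python script below is an added example, not code from this thread or from the OpenSearch operator project: it audits a parsed OpenSearchCluster manifest for the fields the CRD rejected here and for the settings a reviewer would flag in the working config. In particular, the Istio annotations on every pool and on Dashboards exclude ports 9200 and 9300 from the sidecar, so mesh mTLS never covers that traffic and OpenSearch's own HTTP and transport TLS is the only encryption on that hop, which is the reason disabling it is a bad idea even inside a mesh; opensearch.ssl.verificationMode: none and a literal opensearch.password in additionalConfig are flagged too. The KNOWN_SECURITY_FIELDS lists are an assumption reconstructed from what the operator accepted on this page plus the CRD's secret and CA references, not the full schema, and the two embedded manifests are constructed, trimmed copies of the ones posted.

```python
"""Preflight audit of an OpenSearchCluster CR (opensearch.opster.io/v1).

audit() takes the manifest already parsed into a dict, for example
yaml.safe_load(open("cluster.yaml")), and returns (severity, path, message).
ASSUMPTION: KNOWN_SECURITY_FIELDS is a hand-maintained subset of the CRD;
regenerate it with `kubectl explain opensearchcluster.spec.security.tls.http`.
"""
from typing import Any, Dict, List, Tuple

Finding = Tuple[str, str, str]  # (severity, path, message)

KNOWN_SECURITY_FIELDS = {  # ASSUMPTION: subset of the CRD schema, see docstring
    "config": {"adminSecret", "adminCredentialsSecret", "securityConfigSecret"},
    "tls.http": {"generate", "secret", "caSecret"},
    "tls.transport": {"generate", "perNode", "secret", "caSecret", "nodesDn", "adminDn"},
}
# Istio annotations whose ports are removed from the sidecar's iptables capture.
ISTIO_EXCLUDE = ("traffic.sidecar.istio.io/excludeInboundPorts",
                 "traffic.sidecar.istio.io/excludeOutboundPorts")


def _ports(value: Any) -> set:
    """Parse an Istio port-list annotation value such as "9200,9300"."""
    return {p.strip() for p in str(value or "").split(",") if p.strip()}


def audit(manifest: Dict[str, Any]) -> List[Finding]:
    spec = manifest.get("spec") or {}
    security = spec.get("security") or {}
    tls = security.get("tls") or {}
    dashboards = spec.get("dashboards") or {}
    findings: List[Finding] = []

    # 1. Unknown fields: the CRD schema is strict, so these fail at apply time with
    #    the same ValidationError seen in the thread. There is no securityDisabled
    #    or tls.*.enable switch to reach for.
    sections = {"config": security.get("config") or {},
                "tls.http": tls.get("http") or {},
                "tls.transport": tls.get("transport") or {}}
    for name, section in sections.items():
        for key in sorted(set(section) - KNOWN_SECURITY_FIELDS[name]):
            findings.append(("error", f"spec.security.{name}.{key}",
                             "unknown field; kubectl will reject the manifest"))

    # 2. Istio exclusions: traffic on an excluded port never enters Envoy, so mesh
    #    mTLS does not protect it and OpenSearch's own TLS is the only encryption.
    http_port = str((spec.get("general") or {}).get("httpPort", 9200))
    protected = {http_port, "9300"}
    workloads = [("spec.dashboards", dashboards)] + [
        (f"spec.nodePools[{i}]", p) for i, p in enumerate(spec.get("nodePools") or [])]
    mesh_bypassed = False
    for path, workload in workloads:
        annotations = workload.get("annotations") or {}
        for key in ISTIO_EXCLUDE:
            hit = _ports(annotations.get(key)) & protected
            if hit:
                mesh_bypassed = True
                findings.append(("info", f"{path}.annotations[{key}]",
                                 f"ports {sorted(hit)} bypass the sidecar; mesh mTLS does not apply"))
    http_tls = tls.get("http") or {}
    if mesh_bypassed and not (http_tls.get("generate") or http_tls.get("secret")):
        findings.append(("error", "spec.security.tls.http",
                         "no certificate generated or supplied for the REST port while the mesh is bypassed"))

    # 3. Dashboards: plain HTTP is only as safe as what fronts it; skipping
    #    certificate verification and embedding a password are not.
    if (dashboards.get("tls") or {}).get("enable") is False:
        findings.append(("warn", "spec.dashboards.tls.enable",
                         "Dashboards listens on plain HTTP; ensure the sidecar or ingress terminates TLS"))
    extra = dashboards.get("additionalConfig") or {}
    if str(extra.get("opensearch.ssl.verificationMode", "")).lower() == "none":
        findings.append(("warn", "spec.dashboards.additionalConfig[opensearch.ssl.verificationMode]",
                         "Dashboards skips verifying the OpenSearch certificate; mount the CA and use full"))
    if "opensearch.password" in extra:
        hint = ("redundant with opensearchCredentialsSecret" if dashboards.get("opensearchCredentialsSecret")
                else "use opensearchCredentialsSecret instead")
        findings.append(("warn", "spec.dashboards.additionalConfig[opensearch.password]",
                         f"literal credential in the CR; {hint}"))
    return findings


# Constructed inputs: trimmed copies of the two manifests posted in the thread.
_ISTIO_ANN = {ISTIO_EXCLUDE[0]: "9200,9300", ISTIO_EXCLUDE[1]: "9200,9300"}
ATTEMPTED = {"spec": {
    "security": {"config": {"securityDisabled": True},
                 "tls": {"http": {"generate": False, "enable": False},
                         "transport": {"generate": False, "perNode": False, "enable": False}}},
    "general": {"httpPort": 9200},
    "dashboards": {"tls": {"enable": False, "generate": True}, "annotations": _ISTIO_ANN},
    "nodePools": [{"component": "masters", "annotations": _ISTIO_ANN}]}}
WORKING = {"spec": {
    "security": {"config": {"adminCredentialsSecret": {"name": "admin-credentials-secret"},
                            "securityConfigSecret": {"name": "securityconfig-secret"}},
                 "tls": {"http": {"generate": True}, "transport": {"generate": True, "perNode": True}}},
    "general": {"httpPort": 9200},
    "dashboards": {"tls": {"enable": True, "generate": True}, "annotations": _ISTIO_ANN,
                   "opensearchCredentialsSecret": {"name": "dashboards-credentials"},
                   "additionalConfig": {"opensearch.username": "admin", "opensearch.password": "password",
                                        "opensearch.ssl.verificationMode": "none"}},
    "nodePools": [{"component": "masters", "annotations": _ISTIO_ANN}]}}

if __name__ == "__main__":
    for label, manifest in (("attempted", ATTEMPTED), ("working", WORKING)):
        print(f"== {label}")
        for severity, path, message in audit(manifest):
            print(f"{severity:5} {path}: {message}")
```

Running the script prints four errors for the attempted manifest (the three unknown fields plus the REST port left without a certificate while 9200 is outside the mesh) and only warnings for the working one. To audit a real manifest, replace the constructed dicts with the output of yaml.safe_load on the file and refresh KNOWN_SECURITY_FIELDS from kubectl explain for the operator version you run.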

Unlike the cluster itself, the dashboard doesn't need to be encrypted by TLS. You can dispose of HTTPS for it just by setting dashboards.tls.enable: false.
