This is already the solution for the problem outlined in here.
Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
OpenSearch: 2.15.0
Helm Chart: 2.21.0
Describe the issue:
The OpenSearch Helm chart provides the ability to configure the opensearch.yml that holds configuration values. See helm-charts/charts/opensearch/values.yaml at 4253842c1e4d3ac6d4aee294e905c1f20469adc2 · opensearch-project/helm-charts · GitHub
One would assume that mounting custom keys and certificates anywhere under config/ and changing the opensearch.yml accordingly would make OpenSearch use these files.
Like so:
config:
  opensearch.yml: |
    plugins:
      security:
        ssl:
          transport:
            pemcert_filepath: certs/tls.crt
            pemkey_filepath: certs/tls.key
            pemtrustedcas_filepath: certs/ca.crt
            enforce_hostname_verification: false
          http:
            enabled: true
            pemcert_filepath: certs/tls.crt
            pemkey_filepath: certs/tls.key
            pemtrustedcas_filepath: certs/ca.crt
    [...]
But looking at the /usr/share/opensearch/config/opensearch.yml inside the container, it shows a demo configuration that gets appended to the contents defined in the Helm chart values above. Similar to:
plugins:
  security:
    ssl:
      transport:
        pemcert_filepath: esnode.pem
        pemkey_filepath: esnode-key.pem
        pemtrustedcas_filepath: root-ca.pem
        enforce_hostname_verification: false
      http:
        enabled: true
        pemcert_filepath: esnode.pem
        pemkey_filepath: esnode-key.pem
        pemtrustedcas_filepath: root-ca.pem
This is effectively overwriting all efforts to make OpenSearch use the custom TLS files.
But why?
There is an undocumented environment variable DISABLE_INSTALL_DEMO_CONFIG that is used in the entrypoint.sh of the docker image that appends this demo configuration.
Setting DISABLE_INSTALL_DEMO_CONFIG: true leaves opensearch.yml with only the data you set up in the chart values.
Please document this option! Ideally in the chart and in the image itself.
Configuration:
--
Relevant Logs or Screenshots:
--
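A way to check a rendered opensearch.yml for the problem described in this post, as an added example (not part of the original post and not the OpenSearch project's code): it lists every pem*_filepath setting that does not point into the expected certificate directory. The function names and the sample file are constructed, and the flat dotted-key lines in the sample are an assumption about how an appended block may look.

```bash
#!/usr/bin/env bash
# Added example: list TLS file settings in an opensearch.yml that do not point
# into the expected certificate directory ("certs/" in the post above).

# unexpected_pem_paths FILE PREFIX
# Prints "<line>: <value>" for every pem*_filepath whose value does not start
# with PREFIX. Handles nested keys and flat dotted keys alike.
unexpected_pem_paths() {
  awk -v prefix="$2" -v sq="'" '
    /^[ \t]*#/ { next }                       # skip comment lines
    match($0, /pem[a-z]+_filepath:[ \t]*/) {
      val = substr($0, RSTART + RLENGTH)
      sub(/[ \t]+#.*$/, "", val)              # drop a trailing comment
      sub(/[ \t]+$/, "", val)                 # drop trailing whitespace
      gsub(/"/, "", val); gsub(sq, "", val)   # drop quotes
      if (index(val, prefix) != 1) print FNR ": " val
    }
  ' "$1"
}

# tls_paths_ok FILE PREFIX: succeeds only when nothing unexpected is found.
tls_paths_ok() {
  [ -z "$(unexpected_pem_paths "$1" "$2")" ]
}

# Constructed sample: custom settings followed by appended demo settings.
sample=$(mktemp)
cat > "$sample" <<'EOF'
plugins:
  security:
    ssl:
      http:
        pemcert_filepath: certs/tls.crt
        pemkey_filepath: certs/tls.key
# constructed stand-in for an appended demo block
plugins.security.ssl.http.pemcert_filepath: esnode.pem
plugins.security.ssl.http.pemkey_filepath: "esnode-key.pem"
EOF
if tls_paths_ok "$sample" "certs/"; then
  echo "all TLS paths are under certs/"
else
  echo "TLS paths outside certs/:"
  unexpected_pem_paths "$sample" "certs/"
fi
rm -f "$sample"
```

To use it on a deployment, run the functions on a copy of /usr/share/opensearch/config/opensearch.yml taken from the container.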