Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
opensearch 2.17.1 and opensearch-k8s-operator 2.3.0
Describe the issue:
- When trying to deploy a K8s Ingress API resource for OpenSearch’s service (port: 9200), it requires `metadata.annotations` to have `ingress.kubernetes.io/backend-protocol: https` if we want to generate a self-signed CA and its certificates for the HTTP layer.
- I’ve already made it possible to implement the below flow and K8s Secrets:
```
User -(1)-> Ingress Controller(Nginx) -(2)-> Cluster
# (1) : client(for web browser) certificate
# (2) : backend certificate for HTTP layer created by cert-manager
```

```
$ kubectl get secret
NAME                                      TYPE                DATA   AGE
admin-credentials-secret                  Opaque              2      29d
test-opensearch-cluster-admin-cert        kubernetes.io/tls   3      29d
test-opensearch-cluster-admin-password    Opaque              2      29d
test-opensearch-cluster-ca                kubernetes.io/tls   3      29d
test-opensearch-cluster-http-cert         kubernetes.io/tls   3      29d
test-opensearch-cluster-transport-cert    kubernetes.io/tls   3      29d
client-tls                                kubernetes.io/tls   2      24h
securityconfig-secret                     Opaque              8      29d
```
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    ingress.kubernetes.io/backend-protocol: https
    ############################################################################################################################
    # ingress.kubernetes.io/proxy-ssl-name: test-opensearch-cluster # CN for test-opensearch-cluster-http-cert
    # ingress.kubernetes.io/proxy-ssl-secret: test-opensearch-cluster-ca # A Secret for the CA which would verify test-opensearch-cluster-http-cert
    ############################################################################################################################
  name: test-opensearch-cluster-os
  namespace: test-opensearch-cluster
spec:
  ingressClassName: nginx
  rules:
  - host: test-opensearch-cluster-os.a.b.com
    http:
      paths:
      - backend:
          service:
            name: test-opensearch-cluster
            port:
              number: 9200
        path: /
        pathType: ImplementationSpecific
  tls:
  - hosts:
    - test-opensearch-cluster-os.a.b.com
    secretName: client-tls
```
- I was just wondering whether the ingress controller has self-signed CA certificates (created by cert-manager) and how it makes handshakes with the cluster itself without specifying `proxy-ssl-name` & `proxy-ssl-secret`? (Does opensearch-k8s-operator automatically achieve it?)
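An added example, not part of the original post: nginx's `proxy_ssl_verify` directive defaults to off, which is why a proxy can complete a TLS handshake to an HTTPS backend without being given a CA or an expected name. The script below builds throwaway certificates (constructed here; only the name `test-opensearch-cluster` comes from the post, the CA labels and function names are assumptions) and runs the two checks that backend verification adds: the chain to the expected CA and the name match.

```shell
#!/bin/sh
# Added example: all certificates are throwaway ones generated on the spot.
# Only the name test-opensearch-cluster comes from the post; CA labels are made up.
set -u
PKI=$(mktemp -d)

cat > "$PKI/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

# new_ca <label>: self-signed CA, standing in for the cluster CA Secret
new_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$PKI/req.cnf" \
    -subj "/CN=$1" -keyout "$PKI/$1.key" -out "$PKI/$1.crt" 2>/dev/null
}

# new_leaf <ca-label> <dns-name>: HTTP-layer server certificate signed by that CA
new_leaf() {
  printf 'subjectAltName=DNS:%s\n' "$2" > "$PKI/san.cnf"
  openssl req -newkey rsa:2048 -nodes -config "$PKI/req.cnf" -subj "/CN=$2" \
    -keyout "$PKI/leaf.key" -out "$PKI/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$PKI/leaf.csr" -CA "$PKI/$1.crt" -CAkey "$PKI/$1.key" \
    -CAcreateserial -days 1 -extfile "$PKI/san.cnf" -out "$PKI/leaf.crt" 2>/dev/null
}

# backend_verifies <ca-label> <expected-name>: exit 0 only if leaf.crt chains to
# that CA and carries the expected DNS name (the checks a verifying proxy makes)
backend_verifies() {
  openssl verify -CAfile "$PKI/$1.crt" -verify_hostname "$2" "$PKI/leaf.crt" \
    >/dev/null 2>&1
}

new_ca cluster-ca
new_ca other-ca
new_leaf cluster-ca test-opensearch-cluster

for c in "cluster-ca test-opensearch-cluster" "cluster-ca wrong-name" \
         "other-ca test-opensearch-cluster"; do
  set -- $c
  if backend_verifies "$1" "$2"; then echo "$c: accepted"; else echo "$c: rejected"; fi
done
```

With verification off, a proxy runs none of these checks, so the second and third cases would also connect.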