Versions (relevant - OpenSearch/Dashboard/Server OS/Browser): Operator 2.8 , Opensearch - 3.1
Describe the issue : I am using OpenSearch operator to configure opensearch cluster and see that operator is adding deprecated parameter plugins.security.ssl.transport.enforce_hostname_verfication to false in opensearch.yml file which is not working, when i try to add transport.ssl.enforce_hostname_verification through additionalConfig i get an error saying one of the settings could be specified but not both. My question is how can i remove the default deprecated setting from opensearch.yml file which is set by operator by default
Configuration :
Relevant Logs or Screenshots :
pablo
February 13, 2026, 4:32pm
2
@sandeepkaukab In the current OpenSearch Operator design, you can’t remove this option from opensearch.yml
As per GitHub, this option is set to true or false depending on whether certs are generated per node or not.
return err
}
// Tell cluster controller to mount secrets
volume := corev1.Volume{Name: "transport-cert", VolumeSource: corev1.VolumeSource{Secret: &corev1.SecretVolumeSource{SecretName: nodeSecretName}}}
r.reconcilerContext.Volumes = append(r.reconcilerContext.Volumes, volume)
mount := corev1.VolumeMount{Name: "transport-cert", MountPath: "/usr/share/opensearch/config/tls-transport"}
r.reconcilerContext.VolumeMounts = append(r.reconcilerContext.VolumeMounts, mount)
// Extend opensearch.yml
if generatePerNode {
r.reconcilerContext.AddConfig("plugins.security.nodes_dn", fmt.Sprintf("[\"CN=%s-*,OU=%s\"]", clusterName, clusterName))
r.reconcilerContext.AddConfig("plugins.security.ssl.transport.pemcert_filepath", "tls-transport/${HOSTNAME}.crt")
r.reconcilerContext.AddConfig("plugins.security.ssl.transport.pemkey_filepath", "tls-transport/${HOSTNAME}.key")
r.reconcilerContext.AddConfig("plugins.security.ssl.transport.enforce_hostname_verification", "true")
} else {
r.reconcilerContext.AddConfig("plugins.security.nodes_dn", fmt.Sprintf("[\"CN=%s,OU=%s\"]", clusterName, clusterName))
r.reconcilerContext.AddConfig("plugins.security.ssl.transport.pemcert_filepath", fmt.Sprintf("tls-transport/%s", corev1.TLSCertKey))
r.reconcilerContext.AddConfig("plugins.security.ssl.transport.pemkey_filepath", fmt.Sprintf("tls-transport/%s", corev1.TLSPrivateKeyKey))
r.reconcilerContext.AddConfig("plugins.security.ssl.transport.enforce_hostname_verification", "false")
}
I would suggest reporting it in the OpenSearch Operator GitHub .