Setting up a 3 node cluster with helm-charts from the community repo
I’ve been trying to set up AD/LDAP backend authentication to OpenSearch.
I think I’ve seen a lot of people asking this same question about whether or not we should create a node.pem for every node and, if so, where in my opensearch.yaml I should specify each individual node.pem. I’m just hoping someone can clarify that. The documentation suggests that the node certificates are optional (Generating self-signed certificates - OpenSearch documentation), but I’m confused as to whether that’s in fact the case. One other question I have is where I should specify my truststore_filepath in that same yaml file.
@vmm-afonso I don’t know why this section is marked as optional. The node certificates are mandatory, as transport layer communication between the nodes in the cluster must always be secured.
The optional ones were/are the certificates for the HTTP API endpoint (9200). However, starting with version 2.0 you need to secure the HTTP API endpoint, as Transport Client auth/auth has been deprecated and securityadmin.sh is using port 9200 instead of 9300. Securityadmin.sh uses certificate authentication, which forces a secured connection.
When you disable demo configuration, you’ll have to provide your custom certificates. As far as I can see in the documentation, the custom cert can be presented with the secretMounts.
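A values.yaml fragment showing how the pieces discussed in this thread could fit together, as an added example that is not part of the original posts or the chart's own documentation. The Secret name, file names, mount path and DNs are constructed placeholders, and it assumes a single PEM node certificate shared by all three pods through one Secret.

```yaml
# Added example: Helm values for a 3-node cluster with custom certificates.
# Secret name, file names and DNs below are placeholders, not values from the thread.
replicas: 3

extraEnvs:
  # Stops the image from installing the demo certificates and demo security config.
  - name: DISABLE_INSTALL_DEMO_CONFIG
    value: "true"

secretMounts:
  - name: opensearch-certs
    secretName: opensearch-certs   # hypothetical Secret holding the PEM files
    path: /usr/share/opensearch/config/certs

config:
  opensearch.yml: |
    cluster.name: opensearch-cluster
    network.host: 0.0.0.0

    # Transport layer (9300): node-to-node TLS, mandatory.
    # Each node reads only its own certificate from these paths; every pod
    # gets the same opensearch.yml, so the mounted files decide what it presents.
    plugins.security.ssl.transport.pemcert_filepath: certs/node.pem
    plugins.security.ssl.transport.pemkey_filepath: certs/node-key.pem
    plugins.security.ssl.transport.pemtrustedcas_filepath: certs/root-ca.pem

    # HTTP layer (9200): used by securityadmin.sh from 2.0 on.
    plugins.security.ssl.http.enabled: true
    plugins.security.ssl.http.pemcert_filepath: certs/node.pem
    plugins.security.ssl.http.pemkey_filepath: certs/node-key.pem
    plugins.security.ssl.http.pemtrustedcas_filepath: certs/root-ca.pem

    # With JKS/PKCS12 stores instead of PEM, the trust anchor goes in
    # plugins.security.ssl.transport.truststore_filepath and
    # plugins.security.ssl.http.truststore_filepath.

    # Placeholder DNs; they must match the subjects of the real certificates.
    plugins.security.nodes_dn:
      - "CN=opensearch-node,OU=EXAMPLE,O=EXAMPLE"
    plugins.security.authcz.admin_dn:
      - "CN=admin,OU=EXAMPLE,O=EXAMPLE"
```

With hostname verification left at its default, the shared certificate's subject alternative names need to cover the hostnames the pods use to reach each other.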