Integration with AD/LDAP

Opensearch v2.5.0
Setting up a 3 node cluster with helm-charts from the community repo

I’ve been trying to setup AD/LDAP backend authentication to Opensearch.

I think I’ve seen a lot of people asking this same question about whether or not we should create a node.pem for every node and if so where in my opensearch.yaml I should specify each individual node.pem. I’m just hoping someone can clarify that. The documentation suggests that the node certificates are optional (Generating self-signed certificates - OpenSearch documentation) but I’m confused about whether that’s in fact the case. One other question I have is where I should specify my truststore_filepath in that same yaml file.

@vmm-afonso I don’t know why this section is marked as optional. The node certificates are mandatory, as transport layer communication between the nodes in the cluster must always be secured.

The optional ones were/are the certificates for the HTTP API endpoint (9200). However, starting with version 2.0 you need to secure the HTTP API endpoint as Transport Client auth/auth has been deprecated and securityadmin.sh is using port 9200 instead of 9300. securityadmin.sh uses certificate authentication, which forces a secured connection.

When you disable demo configuration, you’ll have to provide your custom certificates. As far as I can see in the documentation, the custom cert can be presented with the secretMounts.

Please be aware that the CN of the node certificate must match CN defined in the node_dn.

To use truststore you could try to replace all the pemcert entries with truststore in the config.opensearch.yml.plugins.security.ssl section of the values.yaml file.

2 Likes
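As an added example (not from this thread and not from the OpenSearch project's own chart values), here is a values.yaml fragment for the community Helm chart that does what the answer above describes: it turns off the demo configuration, mounts custom certificates with secretMounts, points the plugins.security.ssl transport and http entries at the mounted PEM files, and lists the node certificate DN in plugins.security.nodes_dn. The commented block at the end shows the keystore/truststore form that replaces the pem* entries, which is also where truststore_filepath lives. The secret name, file names, mount path and DNs are assumptions; change them to match your own certificates.

```yaml
# values.yaml fragment for the community opensearch Helm chart (added example;
# secret name, paths and DNs are assumptions, not values from the thread).

# Turn off the bundled demo certificates so only the mounted ones are used.
extraEnvs:
  - name: DISABLE_INSTALL_DEMO_CONFIG
    value: "true"

# Mount a Kubernetes secret containing root-ca.pem, node.pem, node-key.pem and
# admin.pem into the config directory. All three pods can share one secret as
# long as the node certificate's subject matches one of the nodes_dn entries;
# if each node gets its own node.pem, the file names inside the pods must still
# match the *_filepath entries below.
secretMounts:
  - name: opensearch-certs
    secretName: opensearch-certs            # assumed secret name
    path: /usr/share/opensearch/config/certs

config:
  opensearch.yml: |
    # Transport layer (9300): mandatory, node-to-node TLS.
    # Paths are relative to the OpenSearch config directory.
    plugins.security.ssl.transport.pemcert_filepath: certs/node.pem
    plugins.security.ssl.transport.pemkey_filepath: certs/node-key.pem
    plugins.security.ssl.transport.pemtrustedcas_filepath: certs/root-ca.pem
    # Keep hostname verification on once the certificate SANs cover the pod
    # DNS names; relax it only while testing.
    plugins.security.ssl.transport.enforce_hostname_verification: true

    # HTTP layer (9200): required since 2.x because securityadmin.sh
    # authenticates with the admin certificate over this port.
    plugins.security.ssl.http.enabled: true
    plugins.security.ssl.http.pemcert_filepath: certs/node.pem
    plugins.security.ssl.http.pemkey_filepath: certs/node-key.pem
    plugins.security.ssl.http.pemtrustedcas_filepath: certs/root-ca.pem

    # Subjects trusted as cluster nodes. Every node certificate's DN must
    # match one of these (wildcards are allowed); a mismatch is the usual
    # cause of "not a node certificate" errors during cluster formation.
    plugins.security.nodes_dn:
      - "CN=opensearch-node-*,OU=Cluster,O=Example,C=US"

    # DN of admin.pem, the only certificate securityadmin.sh may use.
    plugins.security.authcz.admin_dn:
      - "CN=admin,OU=Cluster,O=Example,C=US"

    # Alternative: JKS/PKCS12 keystore + truststore instead of the pem* lines.
    # Both a keystore (node cert + key) and a truststore (CA) are required in
    # this mode; passwords here are placeholders.
    # plugins.security.ssl.transport.keystore_type: PKCS12
    # plugins.security.ssl.transport.keystore_filepath: certs/node-keystore.p12
    # plugins.security.ssl.transport.keystore_password: CHANGEME-placeholder
    # plugins.security.ssl.transport.truststore_type: PKCS12
    # plugins.security.ssl.transport.truststore_filepath: certs/truststore.p12
    # plugins.security.ssl.transport.truststore_password: CHANGEME-placeholder
    # plugins.security.ssl.http.keystore_type: PKCS12
    # plugins.security.ssl.http.keystore_filepath: certs/node-keystore.p12
    # plugins.security.ssl.http.keystore_password: CHANGEME-placeholder
    # plugins.security.ssl.http.truststore_type: PKCS12
    # plugins.security.ssl.http.truststore_filepath: certs/truststore.p12
    # plugins.security.ssl.http.truststore_password: CHANGEME-placeholder
```

Two practical checks before rolling this out: compare the subject of node.pem against the nodes_dn entry with openssl x509 -noout -subject, since the match is on the full DN (including attribute order), not only the CN; and keep the PEM and keystore forms mutually exclusive for a given layer, because the plugin reads the pem* settings when they are present and ignores the keystore ones.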