@Anthony: but how can the different nodes then accept the certificates of the others?
if each node creates its own certificate
- they either all need to have access to the private key of the (intermediate) CA (which would obviously be a bad design security-wise)
- or they’d have purely self-signed certificates where they couldn’t validate the certificates of the others
the only way i could see this working is if the nodes would then create a CSR (Certificate Signing Request) and send that to a CA which gives them back a signed certificate. but then you have the trust issue again as the CA can’t really know whether the CSR came from the real system or an impostor.
we’re currently looking at using cert-manager for the certificates.
however, i haven’t found out yet how we could get it to issue certificates for each node individually since you have to create a Certificate resource in k8s to get a Secret containing the certificate. if you’d use an initContainer for that you’d need API access to k8s (incl. authentication) in your pod which would also open up security issues again (IMHO pods shouldn’t have management-access to their PaaS).
of course, an operator for opensearch would solve most of these issues because it could then take care of creating the certificate requests for the nodes it spins up and also manage certificate renewals 
(e.g. the elastic ECK manages these things)