OpenSearch not creating admin-cert after removing http on tls block

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
2.16.0 and 2.17.0

Describe the issue:
I’ve been using OpenSearch with the security.tls.http.generate: true option enabled, and everything has been working fine. However, when I remove that option to use TLS and self-generated certificates, the admin-cert secret is not being generated; the other secrets (ca, transport-cert, admin-password) are being created successfully. As per the documentation on (opensearch-k8s-operator/docs/userguide/main.md at main · opensearch-project/opensearch-k8s-operator · GitHub) it should be enough to remove the http part and leave only security.tls.transport.generate and perNode.

I’m getting the errors below.
1.- MountVolume.SetUp failed for volume “admin-cert” : secret “opensearch-admin-cert” not found.
2.- Unable to attach or mount volumes: unmounted volumes=[admin-cert], unattached volumes=, failed to process volumes=: timed out waiting for the condition

Configuration:

apiVersion: opensearch.opster.io/v1
kind: OpenSearchCluster
metadata:
  name: opensearch-latest
  namespace: opensearch                   
spec:
  bootstrap: {}
  confMgmt:
    smartScaler: false
  general:
    version: "2.17.0"
    httpPort: 9200
    vendor: opensearch
    image: opensearchproject/opensearch:2.17.0      
    serviceName: opensearch-latest
    monitoring:
      enable: false
    drainDataNodes: true
    setVMMaxMapCount: true
  dashboards:
    enable: true
    version: "2.17.0"            
    replicas: 1
    resources:
      requests:
         memory: "512Mi"
         cpu: "200m"
      limits:
         memory: "512Mi"
         cpu: "200m"
  nodePools:
    - component: managers
      replicas: 3
      diskSize: "30Gi"
      persistence:
        pvc:
          storageClass: managed
          accessModes:
            - ReadWriteOnce
      nodeSelector: {}
      resources:
        requests:
          memory: "2Gi"
          cpu: "200m"
        limits:
          memory: "2Gi"
          cpu: "500m"
      roles:
        - "cluster_manager"
    - component: nodes
      replicas: 3
      diskSize: "100Gi"
      persistence:
        pvc:
          storageClass: managed
          accessModes:
            - ReadWriteOnce
      nodeSelector: {}
      resources:
        requests:
          memory: "2Gi"
          cpu: "500m"
        limits:
          memory: "2Gi"
          cpu: "1000m"
      roles:
        - data
        - ingest
  security:
    config: {}
      #adminCredentialsSecret:
      #name: admin-pwd
      #securityConfigSecret:
      #name: securityconfig
    tls:
      #http:
      #  generate: true
      transport:
        generate: true
          #perNode: true

Relevant Logs or Screenshots:

image

@GTGabaaron According to the Operator documentation you need to provide admin certs if you don’t generate them.

If you provide your own node certificates you must also provide an admin cert that the operator can use for managing the cluster:

spec:
  security:
    config:
      adminSecret:
        name: my-first-cluster-admin-cert # The secret must have keys tls.crt and tls.key

Hi @pablo, the thing is that I’m not providing any certificates at all. I just removed the tls.http block (which was working well, creating all secrets including the admin one), and according to the operator documentation a set of certificates should be created as well.

@GTGabaaron As per documentation, you either let the Operator generate the certificates or you provide your custom ones. There is no option to disable security at HTTP using Operator.

2 Likes

Hi @pablo, thanks for the clarification. The operator documentation is misleading on this aspect: it makes you believe you can select between TLS/HTTP under the security.tls block and that in both cases the operator will create all the secrets/certificates for you, but it looks like that is not the case. You cannot remove the security.tls.http.generate part.

@GTGabaaron Currently OpenSearch Operator doesn’t support disabling the security plugin or HTTP endpoint.

1 Like

Hi @pablo, thanks for the help. The issue has been fixed and all seems to be working fine now.

I’ve got a side question: do you know if there is any support service/plan ($$) that can be acquired? I looked on the OpenSearch website but couldn’t find anything related to it.

1 Like

Hello @GTGabaaron, there are a number of solution providers who offer 24x7 support. I recommend looking through this page to find one in your region:

1 Like

Thanks @kris I’ll take a look at it.

1 Like

With the code below from the link already given by @pablo, secret.name and caSecret.name will be valid only if generate: false.

# ...
spec:
  security:
    tls:  # Everything related to TLS configuration
      http:  # Configuration of the HTTP endpoint
        generate: true  # Have the Operator generate and sign certificates
        secret:
          name:  # Name of the secret that contains the provided certificate
        caSecret:
          name:  # Name of the secret that contains a CA the Operator should use
# ...

1 Like
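The rules stated in this thread (the operator either generates the HTTP and admin certificates or you provide them, the provided admin Secret must carry tls.crt and tls.key, and secret.name / caSecret.name only matter when generate is false) can be checked before applying a manifest. The script below is an added example written for this thread; it is not code from the opensearch-k8s-operator or from anyone posting here. It works on the spec as a plain dict (what a YAML loader would return), and the sample specs and the Secret inventory are constructed for the example; in a real cluster you would feed in the output of kubectl get opensearchcluster ... -o json and kubectl get secrets. Treating both secret.name and caSecret.name as required when not generating is an assumption based on the quoted doc snippet.

```python
"""Check the TLS / admin-certificate section of an OpenSearchCluster spec.

Added example for this thread; not code from the opensearch-k8s-operator.
Encodes the rules stated in the thread: the operator either generates the
HTTP and admin certificates (security.tls.http.generate: true) or you provide
them, in which case security.config.adminSecret.name must name a Secret that
holds tls.crt and tls.key, and security.tls.http.secret.name / caSecret.name
only matter when generate is false.
"""
from typing import Any


def _get(d: Any, *path: str, default: Any = None) -> Any:
    """Walk nested dicts along `path`, returning `default` if any key is absent."""
    cur = d
    for key in path:
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def validate_tls(spec: dict, secrets: dict) -> list:
    """Return a list of findings (strings); an empty list means the spec is consistent.

    `secrets` maps Secret name -> set of the keys present in its `data` field.
    """
    findings = []
    tls = _get(spec, "security", "tls", default={})
    http = _get(tls, "http", default={})
    generate = bool(_get(http, "generate", default=False))
    secret_name = _get(http, "secret", "name")
    ca_name = _get(http, "caSecret", "name")
    admin_name = _get(spec, "security", "config", "adminSecret", "name")

    if generate:
        # Operator-managed certificates: it creates the CA, node, admin and
        # HTTP secrets itself, so provided secret names have no effect here.
        for field, value in (("secret.name", secret_name), ("caSecret.name", ca_name)):
            if value:
                findings.append(f"security.tls.http.{field}={value!r} is ignored while generate: true")
        return findings

    # generate is false or the http block is absent: nothing generates the
    # HTTP or admin certificate, so they have to be supplied.
    if "http" not in tls:
        findings.append("security.tls.http is missing: the operator will not create the "
                        "HTTP or admin certificate (symptom: secret '<cluster>-admin-cert' not found)")
    # Assumption: both the certificate Secret and the CA Secret are required
    # when the operator is not generating; the quoted doc snippet lists both.
    if not secret_name:
        findings.append("security.tls.http.secret.name is required when generate is not true")
    if not ca_name:
        findings.append("security.tls.http.caSecret.name is required when generate is not true")
    if not admin_name:
        findings.append("security.config.adminSecret.name is required when you provide your own certificates")
    else:
        keys = secrets.get(admin_name)
        if keys is None:
            findings.append(f"adminSecret {admin_name!r} does not exist")
        else:
            missing = sorted({"tls.crt", "tls.key"} - set(keys))
            if missing:
                findings.append(f"adminSecret {admin_name!r} lacks keys: {', '.join(missing)}")
    return findings


# Constructed sample specs (only the security section matters to the check).
SPEC_GENERATED = {"security": {"config": {},
                               "tls": {"http": {"generate": True}, "transport": {"generate": True}}}}
# The configuration from the opening post: http block removed, nothing provided.
SPEC_HTTP_REMOVED = {"security": {"config": {}, "tls": {"transport": {"generate": True}}}}
# Self-provided certificates, but the admin Secret was created without its key.
SPEC_PROVIDED = {"security": {
    "config": {"adminSecret": {"name": "my-admin-cert"}},
    "tls": {"http": {"generate": False,
                     "secret": {"name": "my-http-cert"},
                     "caSecret": {"name": "my-ca"}},
            "transport": {"generate": True}}}}
# Constructed inventory of Secret names -> data keys.
SECRETS = {"my-http-cert": {"tls.crt", "tls.key", "ca.crt"},
           "my-ca": {"ca.crt", "ca.key"},
           "my-admin-cert": {"tls.crt"}}


if __name__ == "__main__":
    for label, spec in (("generated", SPEC_GENERATED),
                        ("http removed", SPEC_HTTP_REMOVED),
                        ("provided", SPEC_PROVIDED)):
        print(f"{label}: {validate_tls(spec, SECRETS) or ['ok']}")
```

Running it reports nothing for the generate: true spec, four findings for the spec from the opening post (the missing http block plus the three names that would then be required), and a single finding for the provided-certificate spec, pointing at the admin Secret that lacks tls.key.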

Hi @GTGabaaron, @pablo,
Did you define a ConfigMap also?

Setting security.tls.http.generate (and transport) to true makes a ConfigMap named <cluster-name>-config. Also, it means that you have to mount the certificates using the additionalVolumes the CRD already has prepared.

spec:
  general:
    additionalVolumes:
      - name: certificates
        path: /user/share/opensearch/config/tls-http # example path
        secret:
          secretName: tls # example secret

Let’s say <cluster-name> is “test-opensearch-cluster-2”; the manifest below will be applied to Kubernetes.

apiVersion: v1
kind: ConfigMap
data:
  opensearch.yml: |
    plugins.security.audit.type: internal_opensearch
    plugins.security.authcz.admin_dn: ["CN=admin,OU=test-opensearch-cluster-2"]
    plugins.security.check_snapshot_restore_write_privileges: true
    plugins.security.enable_snapshot_restore_privilege: true
    plugins.security.nodes_dn: ["CN=test-opensearch-cluster-2,OU=test-opensearch-cluster-2"]
    plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
    plugins.security.ssl.http.enabled: true
    plugins.security.ssl.http.pemcert_filepath: tls-http/tls.crt
    plugins.security.ssl.http.pemkey_filepath: tls-http/tls.key
    plugins.security.ssl.http.pemtrustedcas_filepath: tls-http/ca.crt
    plugins.security.ssl.transport.enforce_hostname_verification: false
    plugins.security.ssl.transport.pemcert_filepath: tls-transport/tls.crt
    plugins.security.ssl.transport.pemkey_filepath: tls-transport/tls.key
    plugins.security.ssl.transport.pemtrustedcas_filepath: tls-transport/ca.crt
    plugins.security.system_indices.enabled: true
    plugins.security.system_indices.indices: [".opendistro-alerting-config",".opendistro-alerting-alert*",".opendistro-anomaly-results*",".opendistro-anomaly-detector*",".opendistro-anomaly-checkpoints",".opendistro-anomaly-detection-state",".opendistro-reports-*",".opendistro-notifications-*",".opendistro-notebooks",".opensearch-observability",".opendistro-asynchronous-search-response*",".replication-metadata-store"]