Hi, @GTGabaaron @pablo
Did you define ConfigMap also?
Being true for security.tls.http.generate (and transport) makes ConfigMap named <cluster-name>-config. Also, it means that you have to mount certificates using additionalVolumes CRD already has prepared.
spec:
general:
additionalVolumes:
- name: certificates
path: /user/share/opensearch/config/tls-http # example path
secret:
secretName: tls # example secret
Let’s say <cluster-name> is “test-opensearch-cluster-2”, the below manifest will be applied to the Kubernetes.
apiVersion: v1
kind: ConfigMap
data:
opensearch.yml: >
plugins.security.audit.type: internal_opensearch
plugins.security.authcz.admin_dn: ["CN=admin,OU=test-opensearch-cluster-2"]
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.nodes_dn:
["CN=test-opensearch-cluster-2,OU=test-opensearch-cluster-2"]
plugins.security.restapi.roles_enabled: ["all_access",
"security_rest_api_access"]
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: tls-http/tls.crt
plugins.security.ssl.http.pemkey_filepath: tls-http/tls.key
plugins.security.ssl.http.pemtrustedcas_filepath: tls-http/ca.crt
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.transport.pemcert_filepath: tls-transport/tls.crt
plugins.security.ssl.transport.pemkey_filepath: tls-transport/tls.key
plugins.security.ssl.transport.pemtrustedcas_filepath: tls-transport/ca.crt
plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices:
[".opendistro-alerting-config",".opendistro-alerting-alert*",".opendistro-anomaly-results*",".opendistro-anomaly-detector*",".opendistro-anomaly-checkpoints",".opendistro-anomaly-detection-state",".opendistro-reports-*",".opendistro-notifications-*",".opendistro-notebooks",".opensearch-observability",".opendistro-asynchronous-search-response*",".replication-metadata-store"]