Security transport config for 2.0.0

@pablo I thought so, but I haven’t managed to make it happen (yet). :smiley:
First I generated the certs as the page you linked mentions.
Then I created a generic k8s secret called opensearch-certs, where I passed in each of those 5 files: admin.pem, admin-key.pem, node.pem, node-key.pem, root-ca.pem (although I’m not sure if I need the admin* stuff?).
I then added that secret to the secretMounts section of the opensearch.yml file:

secretMounts:
  - name: opensearch-certs
    secretName: opensearch-certs
    path: /usr/share/opensearch/config/ssl

Finally, here’s the SSL section of opensearch.yml:

ssl:
  transport:
    pemcert_filepath: ssl/node1.pem
    pemkey_filepath: ssl/node1-key.pem
    pemtrustedcas_filepath: ssl/root-ca.pem
    enforce_hostname_verification: false
  http:
    enabled: true
    pemcert_filepath: ssl/node1.pem
    pemkey_filepath: ssl/node1-key.pem
    pemtrustedcas_filepath: ssl/root-ca.pem
allow_unsafe_democertificates: true
allow_default_init_securityindex: true
authcz:
  admin_dn:
    - "CN=AB,OU=CDE,O=Something,L=Somewhere,C=GF"
nodes_dn:
  - "CN=AB,OU=CDE,O=Something,L=Somewhere,C=GF"

When I start up the OpenSearch pods, I get the following:

[2022-12-12T15:35:28,556][ERROR][o.o.s.t.SecurityRequestHandler] [opensearch-cluster-master-0] OpenSearchException[Transport client authentication no longer supported.]

And I also get:

[2022-12-12T15:35:28,551][WARN ][o.o.d.HandshakingTransportAddressConnector] [opensearch-cluster-master-0] handshake failed for [connectToRemoteMasterNode[<IP>:9300]]
org.opensearch.transport.RemoteTransportException: [opensearch-cluster-master-2][<IP>:9300][internal:transport/handshake]
Caused by: org.opensearch.OpenSearchException: Transport client authentication no longer supported.

If I remove the transport section, I get the following error on startup:

java.lang.IllegalStateException: failed to load plugin class [org.opensearch.security.OpenSearchSecurityPlugin]
Likely root cause: OpenSearchException[plugins.security.ssl.transport.keystore_filepath or plugins.security.ssl.transport.server.pemcert_filepath and plugins.security.ssl.transport.client.pemcert_filepath must be set if transport ssl is requested.]

I don’t know if this is important, but the pods are part of a k8s stateful set that’s running on a local kind cluster.
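
A preflight check for the setup described in this post, added here as an example and not part of the original post or of OpenSearch: it compares every *_filepath setting in the posted SSL section against the file names placed in the opensearch-certs secret. It assumes relative paths resolve against /usr/share/opensearch/config and that each secret key appears as one file under the mount path; the function names are hypothetical.

```python
import posixpath
import re

# Constructed from the post: the five files passed into the opensearch-certs secret.
SECRET_KEYS = {"admin.pem", "admin-key.pem", "node.pem", "node-key.pem", "root-ca.pem"}
MOUNT_PATH = "/usr/share/opensearch/config/ssl"  # secretMounts path from the post
CONFIG_DIR = "/usr/share/opensearch/config"      # assumption: base for relative paths

# File references from the posted SSL section, nesting preserved.
SSL_CONFIG = """\
ssl:
  transport:
    pemcert_filepath: ssl/node1.pem
    pemkey_filepath: ssl/node1-key.pem
    pemtrustedcas_filepath: ssl/root-ca.pem
  http:
    enabled: true
    pemcert_filepath: ssl/node1.pem
    pemkey_filepath: ssl/node1-key.pem
    pemtrustedcas_filepath: ssl/root-ca.pem
"""

def referenced_files(config_text):
    """Yield (section, setting, path) for every *_filepath setting."""
    section = None
    for line in config_text.splitlines():
        m = re.match(r"^\s*(\w+):\s*(\S*)\s*$", line)
        if not m:
            continue
        key, value = m.groups()
        if not value:
            section = key  # a key with no value opens a nested section
        elif key.endswith("_filepath"):
            yield section, key, value

def missing_from_secret(config_text, secret_keys, mount_path=MOUNT_PATH, config_dir=CONFIG_DIR):
    """Return (section, setting, full_path) for files the mounted secret does not provide."""
    problems = []
    for section, key, path in referenced_files(config_text):
        full = posixpath.normpath(posixpath.join(config_dir, path))
        directory, name = posixpath.split(full)
        if directory != mount_path or name not in secret_keys:
            problems.append((section, key, full))
    return problems

if __name__ == "__main__":
    for section, key, full in missing_from_secret(SSL_CONFIG, SECRET_KEYS):
        print(f"{section}.{key}: {full} is not a file in the mounted secret")
```

Run against the values in the post, it reports the node1.pem and node1-key.pem references under both transport and http, since the secret was created with node.pem and node-key.pem.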