Support running with container-level security context in namespaces labeled as Pod Security: restricted in Opensearch operator

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

Describe the issue: Opensearch (operands) pods are not coming up while deploying opensearch operator in namespaces labeled as Pod Security: restricted

Configuration: labels for namespace: pod-security.kubernetes.io/enforce=restricted pod-security.kubernetes.io/audit=restricted pod-security.kubernetes.io/warn=restricted

Relevant Logs or Screenshots:
4m13s Warning FailedCreate statefulset/opensearch-data create Pod opensearch-data-0 in StatefulSet opensearch-data failed error: pods “opensearch-data-0” is forbidden: violates PodSecurity “restricted:latest”: allowPrivilegeEscalation != false (container “data” must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container “data” must set securityContext.capabilities.drop=[“ALL”]), runAsNonRoot != true (pod or container “data” must set securityContext.runAsNonRoot=true)
4m14s Warning FailedCreate statefulset/opensearch-ingest-tls create Pod opensearch-ingest-tls-0 in StatefulSet opensearch-ingest-tls failed error: pods “opensearch-ingest-tls-0” is forbidden: violates PodSecurity “restricted:latest”: allowPrivilegeEscalation != false (container “ingest” must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container “ingest” must set securityContext.capabilities.drop=[“ALL”]), runAsNonRoot != true (pod or container “ingest” must set securityContext.runAsNonRoot=true)
59m Normal SuccessfulCreate statefulset/opensearch-master create Claim storage-opensearch-master-0 Pod opensearch-master-0 in StatefulSet opensearch-master success
4m14s Warning FailedCreate statefulset/opensearch-master create Pod opensearch-master-0 in StatefulSet opensearch-master failed error: pods “opensearch-master-0” is forbidden: violates PodSecurity “restricted:latest”: allowPrivilegeEscalation != false (container “master” must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container “master” must set securityContext.capabilities.drop=[“ALL”]), runAsNonRoot != true (pod or container “master” must set securityContext.runAsNonRoot=true)

We found a reference in Work towards being able to run with securityContext restrictions · Issue #611 · opensearch-project/opensearch-k8s-operator · GitHub, but we are looking for the solution. Is this a container-level security context? If yes, is this supported by the OpenSearch operator?

@AshokPonna Could you share the correct documentation links, as the ones you’ve shared are corrupted?

Please share your OpensearchCluster manifest.

@pablo, please find the proper link: Work towards being able to run with securityContext restrictions · Issue #611 · opensearch-project/opensearch-k8s-operator · GitHub

Hi @pablo, below is the manifest:
apiVersion: se.data.ericsson.com/v1alpha1
kind: SearchEngine
metadata:
annotations:
helm.sh/resource-policy: keep
kubectl.kubernetes.io/last-applied-configuration: |
{“apiVersion”:“se.data.ericsson.com/v1alpha1",“kind”:“SearchEngine”,“metadata”:{“annotations”:{},“labels”:{“app.kubernetes.io/created-by”:“frondend-operator”,“app.kubernetes.io/instance”:“searchengine-sample”,“app.kubernetes.io/managed-by”:“kustomize”,“app.kubernetes.io/name”:“searchengine”,“app.kubernetes.io/part-of”:“frondend-operator”},“name”:“opensearch”,“namespace”:“asktr”},“spec”:{“accessMgmt”:{“enabled”:false},“affinity”:{“podAntiAffinity”:“soft”,“topologyKey”:“kubernetes.io/hostname”},“backupRestore”:{“globalDataSet”:“test”},“clusterdomain”:“cluster.local”,“indexManagement”:{“enabled”:true},“instancename”:“opensearch”,“log”:{“level”:“info”,“streamingMethod”:“direct”},“metrics”:{“enabled”:true},“nodeSelector”:{“bragent”:{},“data”:{},“helmtest”:{},“hooklauncher”:{}},“opensearch”:{“plugins”:{“opensearchSQL”:{“enabled”:false}}},“podDisruptionBudget”:{“data”:{“maxUnavailable”:1},“ingest”:{“maxUnavailable”:1},“master”:{“maxUnavailable”:1}},“replicas”:{“data”:2,“ingest”:1,“master”:3},“resources”:{“flavor”:“typical”,“persistentStorage”:{“backup”:{“persistentVolumeClaim”:{“size”:“1Gi”,“storageClassName”:“network-file”}},“data”:{“persistentVolumeClaim”:{“size”:“1Gi”}},“downgrade”:{“persistentVolumeClaim”:{“size”:“2Gi”}},“ingest”:{“persistentVolumeClaim”:{“size”:“1Gi”}},“master”:{“persistentVolumeClaim”:{“size”:“64Mi”}}}},“securityEventLogs”:{“modificationAllowedIndices”:["test”]}}}
creationTimestamp: “2025-11-11T10:26:44Z”
generation: 2
labels:
app.kubernetes.io/created-by: frondend-operator
app.kubernetes.io/instance: searchengine-sample
app.kubernetes.io/managed-by: kustomize
app.kubernetes.io/name: searchengine
app.kubernetes.io/part-of: frondend-operator
name: opensearch
namespace: asktr
resourceVersion: “2118981888”
uid: 25aab6b6-2670-4968-9ebd-95d104faf801
spec:
accessMgmt: {}
affinity:
podAntiAffinity: soft
topologyKey: kubernetes.io/hostname
backupRestore:
globalDataSet: test
bandwidth:
bragent:
maxEgressRate: “”
data:
maxEgressRate: “”
ingest:
maxEgressRate: “”
master:
maxEgressRate: “”
clusterdomain: cluster.local
indexManagement:
enabled: true
instancename: opensearch
log:
level: info
streamingMethod: direct
metrics:
enabled: true
networkPolicy: {}
nodeSelector: {}
opensearch:
plugins:
opensearchKNN: {}
opensearchSQL:
enabled: false
podDisruptionBudget:
data:
maxUnavailable: 1
ingest:
maxUnavailable: 1
master:
maxUnavailable: 1
replicas:
data: 2
ingest: 1
master: 3
resources:
backupRestoreFlavorMultipliers:
limits: {}
requests: {}
flavor: typical
flavorMultipliers:
limits: {}
requests: {}
persistentStorage:
backup:
persistentVolumeClaim:
size: 1Gi
storageClassName: network-file
data:
persistentVolumeClaim:
size: 1Gi
downgrade:
persistentVolumeClaim:
size: 2Gi
ingest:
persistentVolumeClaim:
size: 1Gi
master:
persistentVolumeClaim:
size: 64Mi
securityEventLogs:
modificationAllowedIndices:
- test
suspend: false
terminationGracePeriodSeconds: {}
tolerations: {}
topologySpreadConstraints: {}
status:
conditions:
- lastTransitionTime: "2025-11-11T10:26:44Z"
message: Reconciliation is active.
reason: ReconciliationActive
status: "False"
type: ReconciliationPaused
observedGeneration: 0

Hi @pablo, below is the securityContext configuration used for all pods except the init container:
securityContext:
  allowPrivilegeEscalation: false
  privileged: false
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  capabilities:
    drop:
      - ALL

For the init container: allowPrivilegeEscalation: true
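
Added example (not part of the thread and not the operator's code): a simplified Python model of the three `restricted` checks named in the FailedCreate events above, run over constructed pod specs. It shows that `runAsNonRoot` can be inherited from the pod-level securityContext, while `allowPrivilegeEscalation` and `capabilities.drop` must be set on every container, init containers included. The container name `init` and the sample specs are assumptions, and the profile's other checks (such as `seccompProfile`) are not modelled.

```python
# Added example: simplified model of three PodSecurity "restricted" checks.
# All pod specs below are constructed for illustration; "init" is a made-up name.

CONTAINER_LISTS = ("initContainers", "containers", "ephemeralContainers")

# Container-level securityContext as quoted in the post above.
HARDENED = {
    "allowPrivilegeEscalation": False,
    "privileged": False,
    "readOnlyRootFilesystem": True,
    "runAsNonRoot": True,
    "capabilities": {"drop": ["ALL"]},
}


def restricted_violations(pod_spec):
    """Return {check: [offender, ...]} for the three checks; {} means none failed."""
    pod_sc = pod_spec.get("securityContext") or {}
    pod_non_root = pod_sc.get("runAsNonRoot")
    found = {"allowPrivilegeEscalation": [], "capabilities": [], "runAsNonRoot": []}

    # An explicit runAsNonRoot=false at pod level is itself a violation.
    if pod_non_root is False:
        found["runAsNonRoot"].append("pod")

    for list_name in CONTAINER_LISTS:
        for container in pod_spec.get(list_name) or []:
            name = container["name"]
            sc = container.get("securityContext") or {}

            # No pod-level field exists for this: each container must set false.
            if sc.get("allowPrivilegeEscalation") is not False:
                found["allowPrivilegeEscalation"].append(name)

            # Same for capabilities: every container's drop list must contain ALL.
            drop = (sc.get("capabilities") or {}).get("drop") or []
            if "ALL" not in drop:
                found["capabilities"].append(name)

            # runAsNonRoot is inherited from the pod unless the container overrides it.
            own = sc.get("runAsNonRoot")
            if own is False or (own is None and pod_non_root is not True):
                found["runAsNonRoot"].append(name)

    return {check: names for check, names in found.items() if names}


# Constructed: pod-level fsGroup only, empty container securityContext,
# the shape that produces the three violations in the events.
AS_REPORTED = {
    "securityContext": {"fsGroup": 10000},
    "containers": [{"name": "data", "securityContext": {}}],
}

# Constructed: runAsNonRoot moved to pod level, nothing on the container.
POD_LEVEL_ONLY = {
    "securityContext": {"fsGroup": 10000, "runAsNonRoot": True},
    "containers": [{"name": "data"}],
}

# Constructed: hardened main container, init container with
# allowPrivilegeEscalation: true as described in the post above.
WITH_INIT = {
    "initContainers": [
        {"name": "init",
         "securityContext": {**HARDENED, "allowPrivilegeEscalation": True}},
    ],
    "containers": [{"name": "data", "securityContext": dict(HARDENED)}],
}

# Constructed: every container carries the hardened securityContext.
HARDENED_POD = {
    "initContainers": [{"name": "init", "securityContext": dict(HARDENED)}],
    "containers": [{"name": "data", "securityContext": dict(HARDENED)}],
}


if __name__ == "__main__":
    samples = {
        "as reported": AS_REPORTED,
        "pod-level only": POD_LEVEL_ONLY,
        "with init container": WITH_INIT,
        "hardened": HARDENED_POD,
    }
    for label, spec in samples.items():
        print(label, "->", restricted_violations(spec) or "no violations")
```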

I was looking for kind: OpenSearchCluster

apiVersion: opensearch.opster.io/v1
kind: OpenSearchCluster

Also, please share the labels of the restricted namespace.

Hi @pablo,
I used “pod-security.kubernetes.io/enforce=restricted pod-security.kubernetes.io/audit=restricted pod-security.kubernetes.io/warn=restricted” for the namespace.
Below is the OpenSearchCluster manifest:

apiVersion: opensearch.opster.io/v1
kind: OpenSearchCluster
metadata:
annotations:
creator: operator
ericsson.com/product-name: opensearch Helm
ericsson.com/product-number: CXC 201 1191
ericsson.com/product-revision: 21.1.0
helm.sh/resource-policy: keep
kubectl.kubernetes.io/last-applied-configuration: |
{“apiVersion”:“com.test/v1alpha1”,“kind”:“SearchEngine”,“metadata”:{“annotations”:{},“labels”:{“app.kubernetes.io/created-by":“frondend-operator”,“app.kubernetes.io/instance”:“searchengine-sample”,“app.kubernetes.io/managed-by”:“kustomize”,“app.kubernetes.io/name”:“searchengine”,“app.kubernetes.io/part-of”:“frondend-operator”},“name”:“opensearch”,“namespace”:“asktr”},“spec”:{“accessMgmt”:{“enabled”:false},“affinity”:{“podAntiAffinity”:“soft”,“topologyKey”:“kubernetes.io/hostname”},“backupRestore”:{“globalDataSet”:“test”},“clusterdomain”:“cluster.local”,“indexManagement”:{“enabled”:true},“instancename”:“opensearch”,“log”:{“level”:“info”,“streamingMethod”:“direct”},“metrics”:{“enabled”:true},“nodeSelector”:{“bragent”:{},“data”:{},“helmtest”:{},“hooklauncher”:{}},“opensearch”:{“plugins”:{“opensearchSQL”:{“enabled”:false}}},“podDisruptionBudget”:{“data”:{“maxUnavailable”:1},“ingest”:{“maxUnavailable”:1},“master”:{“maxUnavailable”:1}},“replicas”:{“data”:2,“ingest”:1,“master”:3},“resources”:{“flavor”:“typical”,“persistentStorage”:{“backup”:{“persistentVolumeClaim”:{“size”:“1Gi”,“storageClassName”:“network-file”}},“data”:{“persistentVolumeClaim”:{“size”:“1Gi”}},“downgrade”:{“persistentVolumeClaim”:{“size”:“2Gi”}},“ingest”:{“persistentVolumeClaim”:{“size”:“1Gi”}},“master”:{“persistentVolumeClaim”:{“size”:“64Mi”}}}},“securityEventLogs”:{“modificationAllowedIndices”:["test”]}}}
creationTimestamp: “2025-11-11T10:27:03Z”
generation: 1
labels:
app.kubernetes.io/instance: se
app.kubernetes.io/name: opensearch
app.kubernetes.io/version: 21.1.0-5
chart: opensearch-21.1.0-5
heritage: Operator
release: se
name: opensearch
namespace: asktr
ownerReferences:

apiVersion: com.test/v1alpha1
kind: SearchEngine
name: opensearch
uid: 25aab6b6-2670-4968-9ebd-95d104faf801
resourceVersion: “2118981335”
uid: 31d45791-ab66-49e8-8ca7-296669a65082
spec:
bootstrap:
resources: {}
confMgmt: {}
dashboards:
opensearchCredentialsSecret:
name: “”
replicas: 0
resources: {}
service:
type: ClusterIP
version: “”
general:
additionalConfig:
cluster.initial_cluster_manager_nodes: opensearch-master-0
indices.query.bool.max_clause_count: “2048”
plugins.index_state_management.enabled: “true”
plugins.index_state_management.jitter: “0.9”
plugins.index_state_management.job_interval: “1”
plugins.security.cache.ttl_minutes: “10”
additionalVolumes:

configMap:
name: opensearch-cfg
name: config2
path: /etc/opensearch/cnf/read_only_config/log4j2.properties
subPath: log4j2.properties

configMap:
name: opensearch-cfg
name: config3
path: /etc/opensearch/cnf/read_only_config/jvm.options
subPath: jvm.options

configMap:
name: opensearch-cfg
name: config4
path: /etc/opensearch/cnf/read_only_config/java.policy
subPath: java.policy

configMap:
name: opensearch-config
name: config1
path: /etc/opensearch/cnf/read_only_config/opensearch.yml
subPath: opensearch.yml

name: config5
path: /etc/opensearch/cnf/read_only_config/opensearch-security/config.yml
secret:
secretName: opensearch-securityconfig-secret
subPath: config.yml

name: config6
path: /etc/opensearch/cnf/read_only_config/opensearch-security/roles.yml
secret:
secretName: opensearch-securityconfig-secret
subPath: roles.yml

name: config7
path: /etc/opensearch/cnf/read_only_config/opensearch-security/roles_mapping.yml
secret:
secretName: opensearch-securityconfig-secret
subPath: roles_mapping.yml

configMap:
defaultMode: 493
items:

key: template.sh
path: template.sh
name: opensearch-cfg
name: index-template-config
path: /etc/opensearch/template.sh
subPath: template.sh

configMap:
items:

key: internal-interfaces-ciphers.yaml
path: internal-interfaces-ciphers.yaml

key: internal-interfaces-ciphers.json
path: internal-interfaces-ciphers.json
name: eric-sec-cipher-configuration-internal-interfaces-ciphers
optional: true
name: ciphers
path: /etc/opensearch/cnf/ciphers

configMap:
name: opensearch-logctrl
optional: true
name: log-control-config
path: /opt/redirect/log-control-config

emptyDir: {}
name: os-tmp
path: /tmp

emptyDir: {}
name: os-conf
path: /etc/opensearch/

emptyDir: {}
name: os-ro-cnf
path: /etc/opensearch/cnf/read_only_config

emptyDir: {}
name: os-pc-cnf
path: /etc/opensearch/cnf/processed_config

emptyDir: {}
name: os-logs
path: /opt/opensearch/logs

emptyDir: {}
name: os-plugins
path: /opt/opensearch/plugins

emptyDir: {}
name: os-extensions
path: /opt/opensearch/extensions

configMap:
defaultMode: 493
name: opensearch-ism-cfg
optional: true
name: ism-config
path: /etc/opensearch/cnf/read_only_config/opensearch-ism

emptyDir: {}
name: os-http-server-cert
path: /run/secrets/http-certificates

emptyDir: {}
name: os-http-client-cert
path: /run/secrets/http-client-certificates

emptyDir: {}
name: os-http-ca-cert
path: /run/secrets/http-ca-certificates

name: http-client-cert
path: /run/secrets/opensearch-http-client-cert-internal
secret:
secretName: opensearch-http-client-cert-internal

emptyDir: {}
name: os-transport-cert
path: /run/secrets/transport-certificates

emptyDir: {}
name: os-transport-ca-cert
path: /run/secrets/transport-ca-certificates

name: sip-tls-trusted-root-cert
path: /run/secrets/eric-sec-sip-tls-trusted-root-cert
secret:
secretName: eric-sec-sip-tls-trusted-root-cert

name: pm-trusted-ca
path: /run/secrets/eric-pm-server-ca
secret:
secretName: eric-pm-server-ca

name: tlsproxy-server-cert
path: /run/secrets/opensearch-pm-server-cert
secret:
secretName: opensearch-pm-server-cert

name: tlsproxy-client-cert
path: /run/secrets/opensearch-tlsproxy-client
secret:
secretName: opensearch-tlsproxy-client
command: /opt/redirect/stdout-redirect -config=/opt/redirect/stdout-redirect-se-config.yaml
-format=json -service-id “opensearch” -redirect “stdout” -logcontrolconfig
/opt/redirect/log-control-config/logcontrol.json -run /init.sh
httpPort: 9200
image: armdocker.rnd.ericsson.se/proj-adp-log-dev/opensearch:21.1.0-2a3ff3a3
imagePullPolicy: IfNotPresent
imagePullSecrets:

name: armdocker
monitoring: {}
podSecurityContext:
fsGroup: 10000
supplementalGroups:

143743

232772
securityContext: {}
serviceAccount: opensearch-sa
serviceName: opensearch
vendor: opensearch
version: 3.2.0
initHelper:
image: armdocker.rnd.ericsson.se/proj-adp-log-dev/opensearch:21.1.0-2a3ff3a3
imagePullPolicy: IfNotPresent
imagePullSecrets:

name: armdocker
resources:
limits:
cpu: 100m
memory: 128Mi
requests:
cpu: 25m
memory: 64Mi
nodePools:

additionalConfig:
cluster.initial_cluster_manager_nodes: opensearch-master-0
plugins.security.audit.type: disabled
plugins.security.restapi.roles_enabled: all_access,security_rest_api_access,test
plugins.security.ssl.http.pemcert_filepath: /run/secrets/opensearch-http-cert/tls.crt
plugins.security.ssl.http.pemkey_filepath: /run/secrets/opensearch-http-cert/tls.key
plugins.security.ssl.http.pemtrustedcas_filepath: /run/secrets/opensearch-http-ca-cert/ca.crt
plugins.security.ssl.transport.pemcert_filepath: /run/secrets/opensearch-transport-cert/tls.crt
plugins.security.ssl.transport.pemkey_filepath: /run/secrets/opensearch-transport-cert/tls.key
plugins.security.ssl.transport.pemtrustedcas_filepath: /run/secrets/opensearch-transport-ca-cert/ca.crt
plugins.security.ssl_cert_reload_enabled: “true”
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
labelSelector:
matchExpressions:
- key: app
operator: In
values:
- opensearch
- key: role
operator: In
values:
- master
topologyKey: kubernetes.io/hostname
weight: 100
annotations:
creator: operator
ericsson.com/product-name: opensearch Helm
ericsson.com/product-number: CXC 201 1191
ericsson.com/product-revision: 21.1.0
helm.sh/resource-policy: keep
kubectl.kubernetes.io/last-applied-configuration: |
{“apiVersion”:“com.test/v1alpha1”,“kind”:“SearchEngine”,“metadata”:{“annotations”:{},“labels”:{“app.kubernetes.io/created-by":“frondend-operator”,“app.kubernetes.io/instance”:“searchengine-sample”,“app.kubernetes.io/managed-by”:“kustomize”,“app.kubernetes.io/name”:“searchengine”,“app.kubernetes.io/part-of”:“frondend-operator”},“name”:“opensearch”,“namespace”:“asktr”},“spec”:{“accessMgmt”:{“enabled”:false},“affinity”:{“podAntiAffinity”:“soft”,“topologyKey”:“kubernetes.io/hostname”},“backupRestore”:{“globalDataSet”:“test”},“clusterdomain”:“cluster.local”,“indexManagement”:{“enabled”:true},“instancename”:“opensearch”,“log”:{“level”:“info”,“streamingMethod”:“direct”},“metrics”:{“enabled”:true},“nodeSelector”:{“bragent”:{},“data”:{},“helmtest”:{},“hooklauncher”:{}},“opensearch”:{“plugins”:{“opensearchSQL”:{“enabled”:false}}},“podDisruptionBudget”:{“data”:{“maxUnavailable”:1},“ingest”:{“maxUnavailable”:1},“master”:{“maxUnavailable”:1}},“replicas”:{“data”:2,“ingest”:1,“master”:3},“resources”:{“flavor”:“typical”,“persistentStorage”:{“backup”:{“persistentVolumeClaim”:{“size”:“1Gi”,“storageClassName”:“network-file”}},“data”:{“persistentVolumeClaim”:{“size”:“1Gi”}},“downgrade”:{“persistentVolumeClaim”:{“size”:“2Gi”}},“ingest”:{“persistentVolumeClaim”:{“size”:“1Gi”}},“master”:{“persistentVolumeClaim”:{“size”:“64Mi”}}}},“securityEventLogs”:{“modificationAllowedIndices”:["test”]}}}
meta.helm.sh/release-name: se
meta.helm.sh/release-namespace: asktr
prometheus.io/path: /metrics
prometheus.io/port: “9115”
prometheus.io/scrape-interval: 15s
prometheus.io/scrape-role: pod
component: master
diskSize: 64Mi
env:

name: OPENSEARCH_SQL_PLUGIN
value: “false”

name: KNN_PLUGIN_ENABLED
value: “false”

name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name

name: NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace

name: SERVICE_ID
value: opensearch

name: VERSION
value: 1.2.0

name: OPENSEARCH_HOME
value: /opt/opensearch

name: CLUSTER_NAME
value: opensearch

name: OPENSEARCH_PATH_CONF
value: /etc/opensearch/config

name: OPERATOR_ENABLED
value: “true”

name: OPENSEARCH_CIPHERS
value: /etc/opensearch/cnf/ciphers

name: LOG_LEVEL
value: INFO

name: OS_INTERNODE_TLS
value: “true”

name: HTTP_PROBE_SERVICE_NAME
value: opensearch

name: HTTP_PROBE_CONTAINER_NAME
value: master

name: HTTP_PROBE_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name

name: HTTP_PROBE_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace

name: HTTP_TRANSPORT_CERT
value: /run/secrets/opensearch-transport-cert/tls.crt

name: HTTP_TRANSPORT_CERT_KEY
value: /run/secrets/opensearch-transport-cert/tls.key

name: HTTP_TRANSPORT_CERT_PEM
value: /run/secrets/opensearch-transport-cert/srvcert.pem

name: HTTP_TRANSPORT_CERT_KEY_PEM
value: /run/secrets/opensearch-transport-cert/srvprivkey.pem

name: HTTP_TRANSPORT_CA
value: /run/secrets/opensearch-transport-ca-cert/ca.crt

name: HTTP_TRANSPORT_CA_PEM
value: /run/secrets/opensearch-transport-ca-cert/client-cacertbundle.pem

name: OS_HTTP_TRANSPORT_CERT
value: /run/secrets/transport-certificates/srvcert.pem

name: OS_HTTP_TRANSPORT_CERT_KEY
value: /run/secrets/transport-certificates/srvprivkey.pem

name: OS_HTTP_TRANSPORT_CA
value: /run/secrets/transport-ca-certificates/client-cacertbundle.pem

name: HTTP_TRANSPORT_CERT_MOUNT_PATH
value: /run/secrets/opensearch-transport-cert

name: HTTP_TRANSPORT_CA_MOUNT_PATH
value: /run/secrets/opensearch-transport-ca-cert

name: OS_HTTP_TRANSPORT_CERT_MOUNT_PATH
value: /run/secrets/transport-certificates

name: OS_HTTP_TRANSPORT_CA_MOUNT_PATH
value: /run/secrets/transport-ca-certificates

name: OPENSEARCH_REST_TLS
value: “true”

name: HTTP_SERVER_CERT
value: /run/secrets/opensearch-http-cert/tls.crt

name: HTTP_SERVER_CERT_KEY
value: /run/secrets/opensearch-http-cert/tls.key

name: HTTP_SERVER_CERT_PEM
value: /run/secrets/opensearch-http-cert/srvcert.pem

name: HTTP_SERVER_CERT_KEY_PEM
value: /run/secrets/opensearch-http-cert/srvprivkey.pem

name: HTTP_CLIENT_CA
value: /run/secrets/opensearch-http-ca-cert/ca.crt

name: HTTP_CLIENT_CA_PEM
value: /run/secrets/opensearch-http-ca-cert/client-cacertbundle.pem

name: OS_HTTP_SERVER_CERT
value: /run/secrets/http-certificates/srvcert.pem

name: OS_HTTP_SERVER_CERT_KEY
value: /run/secrets/http-certificates/srvprivkey.pem

name: OS_HTTP_CLIENT_CA
value: /run/secrets/http-ca-certificates/client-cacertbundle.pem

name: HTTP_SERVER_CERT_MOUNT_PATH
value: /run/secrets/opensearch-http-cert

name: HTTP_CLIENT_CA_MOUNT_PATH
value: /run/secrets/opensearch-http-ca-cert

name: OS_HTTP_SERVER_CERT_MOUNT_PATH
value: /run/secrets/http-certificates

name: OS_HTTP_CLIENT_CA_MOUNT_PATH
value: /run/secrets/http-ca-certificates

name: OS_HTTP_CLIENT_CERT
value: /run/secrets/http-client-certificates/clicert.pem

name: OS_HTTP_CLIENT_CERT_KEY
value: /run/secrets/http-client-certificates/cliprivkey.pem

name: RO_OPENSEARCH_CNF_PATH
value: /etc/opensearch/cnf/read_only_config

name: RO_OPENSEARCH_SEC_CNF_PATH
value: /etc/opensearch/cnf/read_only_config/opensearch-security

name: PROCESSED_OPENSEARCH_SEC_CNF_PATH
value: /etc/opensearch/cnf/processed_config/opensearch-security

name: DELAYED_TIMEOUT
value: 3m

name: INDEX_MANAGEMENT_ENABLED
value: “true”

name: RO_OPENSEARCH_ISM_PATH
value: /etc/opensearch/cnf/read_only_config/opensearch-ism

name: ACCESS_MANAGEMENT_ENABLED
value: “true”

name: TERMINATION_GRACE_PERIOD
value: “30”

name: SHARD_PARTIAL_VALIDATION
value: “false”

name: IS_FAST_BUT_UNSAFE_UPGRADE_ENABLED
value: “false”

name: SLEEP
value: “5”

name: OS_ENV_NODE_ROLE
value: node.roles=cluster_manager,remote_cluster_client

name: OS_ENV_HTTP_COMPRESSION
value: http.compression=true

name: OS_ENV_HTTP_HOST
value: http.host=0.0.0.0

name: OS_ENV_TRANSPORT_HOST
value: transport.host=0.0.0.0

name: OS_ENV_CLUSTER_INITIAL_MASTER
value: cluster.initial_master_nodes=opensearch-master-0

name: OS_ENV_DISCOVERY_SEED
value: discovery.seed_hosts=opensearch-discovery

name: OS_ENV_CLUSTER_NAME
value: cluster.name=opensearch

name: OS_ENV_REPO_PATH
value: path.repo=repository

name: CONTAINER_NAME
value: master

name: HTTP_PROBE_CONTAINER_NAME
value: master

name: HTTP_PROBE_STARTUP_CMD_TIMEOUT_SEC
value: “15”

name: HTTP_PROBE_LIVENESS_CMD_TIMEOUT_SEC
value: “15”

name: HTTP_CLIENT_CERT
value: /run/secrets/opensearch-http-client-cert-internal/tls.crt

name: HTTP_CLIENT_CERT_KEY
value: /run/secrets/opensearch-http-client-cert-internal/tls.key

name: HTTP_CLIENT_CERT_PEM
value: /run/secrets/opensearch-http-client-cert-internal/clicert.pem

name: HTTP_CLIENT_CERT_KEY_PEM
value: /run/secrets/opensearch-http-client-cert-internal/cliprivkey.pem

name: HTTP_SERVER_CA
value: /run/secrets/eric-sec-sip-tls-trusted-root-cert/ca.crt

name: OS_PORT
value: “9200”
labels:
app: opensearch
app.kubernetes.io/instance: se
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: opensearch
app.kubernetes.io/version: 21.1.0-5
component: opensearch
role: master
sidecar.istio.io/inject: “false”
pdb:
enable: true
maxUnavailable: 1
probes:
liveness:
failureThreshold: 6
initialDelaySeconds: 30
periodSeconds: 30
successThreshold: 1
timeoutSeconds: 15
startup:
failureThreshold: 100
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 15
replicas: 3
resources:
limits:
cpu: “1”
memory: 2Gi
requests:
cpu: “1”
memory: 2Gi
roles:

cluster_manager

remote_cluster_client

additionalConfig:
cluster.initial_cluster_manager_nodes: opensearch-master-0
plugins.security.audit.type: disabled
plugins.security.restapi.roles_enabled: all_access,security_rest_api_access,test
plugins.security.ssl.http.pemcert_filepath: /run/secrets/opensearch-http-cert/tls.crt
plugins.security.ssl.http.pemkey_filepath: /run/secrets/opensearch-http-cert/tls.key
plugins.security.ssl.http.pemtrustedcas_filepath: /run/secrets/opensearch-http-ca-cert/ca.crt
plugins.security.ssl.transport.pemcert_filepath: /run/secrets/opensearch-transport-cert/tls.crt
plugins.security.ssl.transport.pemkey_filepath: /run/secrets/opensearch-transport-cert/tls.key
plugins.security.ssl.transport.pemtrustedcas_filepath: /run/secrets/opensearch-transport-ca-cert/ca.crt
plugins.security.ssl_cert_reload_enabled: “true”
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
labelSelector:
matchExpressions:
- key: app
operator: In
values:
- opensearch
- key: role
operator: In
values:
- data
topologyKey: kubernetes.io/hostname
weight: 100
annotations:
creator: operator
ericsson.com/product-name: opensearch Helm
ericsson.com/product-number: CXC 201 1191
ericsson.com/product-revision: 21.1.0
helm.sh/resource-policy: keep
kubectl.kubernetes.io/last-applied-configuration: |
{“apiVersion”:“com.test/v1alpha1”,“kind”:“SearchEngine”,“metadata”:{“annotations”:{},“labels”:{“app.kubernetes.io/created-by":“frondend-operator”,“app.kubernetes.io/instance”:“searchengine-sample”,“app.kubernetes.io/managed-by”:“kustomize”,“app.kubernetes.io/name”:“searchengine”,“app.kubernetes.io/part-of”:“frondend-operator”},“name”:“opensearch”,“namespace”:“asktr”},“spec”:{“accessMgmt”:{“enabled”:false},“affinity”:{“podAntiAffinity”:“soft”,“topologyKey”:“kubernetes.io/hostname”},“backupRestore”:{“globalDataSet”:“test”},“clusterdomain”:“cluster.local”,“indexManagement”:{“enabled”:true},“instancename”:“opensearch”,“log”:{“level”:“info”,“streamingMethod”:“direct”},“metrics”:{“enabled”:true},“nodeSelector”:{“bragent”:{},“data”:{},“helmtest”:{},“hooklauncher”:{}},“opensearch”:{“plugins”:{“opensearchSQL”:{“enabled”:false}}},“podDisruptionBudget”:{“data”:{“maxUnavailable”:1},“ingest”:{“maxUnavailable”:1},“master”:{“maxUnavailable”:1}},“replicas”:{“data”:2,“ingest”:1,“master”:3},“resources”:{“flavor”:“typical”,“persistentStorage”:{“backup”:{“persistentVolumeClaim”:{“size”:“1Gi”,“storageClassName”:“network-file”}},“data”:{“persistentVolumeClaim”:{“size”:“1Gi”}},“downgrade”:{“persistentVolumeClaim”:{“size”:“2Gi”}},“ingest”:{“persistentVolumeClaim”:{“size”:“1Gi”}},“master”:{“persistentVolumeClaim”:{“size”:“64Mi”}}}},“securityEventLogs”:{“modificationAllowedIndices”:["test”]}}}
meta.helm.sh/release-name: se
meta.helm.sh/release-namespace: asktr
prometheus.io/path: /metrics
prometheus.io/port: “9115”
prometheus.io/scrape-interval: 15s
prometheus.io/scrape-role: pod
component: data
diskSize: 1Gi
env:

name: OPENSEARCH_SQL_PLUGIN
value: “false”

name: KNN_PLUGIN_ENABLED
value: “false”

name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name

name: NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace

name: SERVICE_ID
value: opensearch

name: VERSION
value: 1.2.0

name: OPENSEARCH_HOME
value: /opt/opensearch

name: CLUSTER_NAME
value: opensearch

name: OPENSEARCH_PATH_CONF
value: /etc/opensearch/config

name: OPENSEARCH_CIPHERS
value: /etc/opensearch/cnf/ciphers

name: OPERATOR_ENABLED
value: “true”

name: LOG_LEVEL
value: INFO

name: OS_INTERNODE_TLS
value: “true”

name: HTTP_PROBE_SERVICE_NAME
value: opensearch

name: HTTP_PROBE_CONTAINER_NAME
value: data

name: HTTP_PROBE_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name

name: HTTP_PROBE_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace

name: HTTP_TRANSPORT_CERT
value: /run/secrets/opensearch-transport-cert/tls.crt

name: HTTP_TRANSPORT_CERT_KEY
value: /run/secrets/opensearch-transport-cert/tls.key

name: HTTP_TRANSPORT_CERT_PEM
value: /run/secrets/opensearch-transport-cert/srvcert.pem

name: HTTP_TRANSPORT_CERT_KEY_PEM
value: /run/secrets/opensearch-transport-cert/srvprivkey.pem

name: HTTP_TRANSPORT_CA
value: /run/secrets/opensearch-transport-ca-cert/ca.crt

name: HTTP_TRANSPORT_CA_PEM
value: /run/secrets/opensearch-transport-ca-cert/client-cacertbundle.pem

name: OS_HTTP_TRANSPORT_CERT
value: /run/secrets/transport-certificates/srvcert.pem

name: OS_HTTP_TRANSPORT_CERT_KEY
value: /run/secrets/transport-certificates/srvprivkey.pem

name: OS_HTTP_TRANSPORT_CA
value: /run/secrets/transport-ca-certificates/client-cacertbundle.pem

name: HTTP_TRANSPORT_CERT_MOUNT_PATH
value: /run/secrets/opensearch-transport-cert

name: HTTP_TRANSPORT_CA_MOUNT_PATH
value: /run/secrets/opensearch-transport-ca-cert

name: OS_HTTP_TRANSPORT_CERT_MOUNT_PATH
value: /run/secrets/transport-certificates

name: OS_HTTP_TRANSPORT_CA_MOUNT_PATH
value: /run/secrets/transport-ca-certificates

name: OPENSEARCH_REST_TLS
value: “true”

name: HTTP_SERVER_CERT
value: /run/secrets/opensearch-http-cert/tls.crt

name: HTTP_SERVER_CERT_KEY
value: /run/secrets/opensearch-http-cert/tls.key

name: HTTP_SERVER_CERT_PEM
value: /run/secrets/opensearch-http-cert/srvcert.pem

name: HTTP_SERVER_CERT_KEY_PEM
value: /run/secrets/opensearch-http-cert/srvprivkey.pem

name: HTTP_CLIENT_CA
value: /run/secrets/opensearch-http-ca-cert/ca.crt

name: HTTP_CLIENT_CA_PEM
value: /run/secrets/opensearch-http-ca-cert/client-cacertbundle.pem

name: OS_HTTP_SERVER_CERT
value: /run/secrets/http-certificates/srvcert.pem

name: OS_HTTP_SERVER_CERT_KEY
value: /run/secrets/http-certificates/srvprivkey.pem

name: OS_HTTP_CLIENT_CA
value: /run/secrets/http-ca-certificates/client-cacertbundle.pem

name: HTTP_SERVER_CERT_MOUNT_PATH
value: /run/secrets/opensearch-http-cert

name: HTTP_CLIENT_CA_MOUNT_PATH
value: /run/secrets/opensearch-http-ca-cert

name: OS_HTTP_SERVER_CERT_MOUNT_PATH
value: /run/secrets/http-certificates

name: OS_HTTP_CLIENT_CA_MOUNT_PATH
value: /run/secrets/http-ca-certificates

name: OS_HTTP_CLIENT_CERT
value: /run/secrets/http-client-certificates/clicert.pem

name: OS_HTTP_CLIENT_CERT_KEY
value: /run/secrets/http-client-certificates/cliprivkey.pem

name: RO_OPENSEARCH_CNF_PATH
value: /etc/opensearch/cnf/read_only_config

name: RO_OPENSEARCH_SEC_CNF_PATH
value: /etc/opensearch/cnf/read_only_config/opensearch-security

name: PROCESSED_OPENSEARCH_SEC_CNF_PATH
value: /etc/opensearch/cnf/processed_config/opensearch-security

name: OPENSEARCH_PATH_CONF
value: /etc/opensearch/config

name: DELAYED_TIMEOUT
value: 3m

name: INDEX_MANAGEMENT_ENABLED
value: “true”

name: RO_OPENSEARCH_ISM_PATH
value: /etc/opensearch/cnf/read_only_config/opensearch-ism

name: ACCESS_MANAGEMENT_ENABLED
value: “true”

name: OS_ENV_NODE_ROLE
value: node.roles=data,remote_cluster_client

name: OS_ENV_HTTP_COMPRESSION
value: http.compression=true

name: OS_ENV_HTTP_HOST
value: http.host=0.0.0.0

name: OS_ENV_TRANSPORT_HOST
value: transport.host=0.0.0.0

name: OS_ENV_CLUSTER_INITIAL_MASTER
value: cluster.initial_master_nodes=opensearch-master-0

name: OS_ENV_DISCOVERY_SEED
value: discovery.seed_hosts=opensearch-discovery

name: OS_ENV_CLUSTER_NAME
value: cluster.name=opensearch

name: OS_ENV_REPO_PATH
value: path.repo=repository

name: SHARD_PARTIAL_VALIDATION
value: “false”

name: IS_FAST_BUT_UNSAFE_UPGRADE_ENABLED
value: “false”

name: TERMINATION_GRACE_PERIOD
value: “480”

name: SLEEP
value: “5”

name: CONTAINER_NAME
value: data

name: HTTP_PROBE_CONTAINER_NAME
value: data

name: HTTP_PROBE_STARTUP_CMD_TIMEOUT_SEC
value: “15”

name: HTTP_PROBE_LIVENESS_CMD_TIMEOUT_SEC
value: “15”

name: HTTP_CLIENT_CERT
value: /run/secrets/opensearch-http-client-cert-internal/tls.crt

name: HTTP_CLIENT_CERT_KEY
value: /run/secrets/opensearch-http-client-cert-internal/tls.key

name: HTTP_CLIENT_CERT_PEM
value: /run/secrets/opensearch-http-client-cert-internal/clicert.pem

name: HTTP_CLIENT_CERT_KEY_PEM
value: /run/secrets/opensearch-http-client-cert-internal/cliprivkey.pem

name: HTTP_SERVER_CA
value: /run/secrets/eric-sec-sip-tls-trusted-root-cert/ca.crt

name: OS_PORT
value: “9200”
labels:
app: opensearch
app.kubernetes.io/instance: se
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: opensearch
app.kubernetes.io/version: 21.1.0-5
component: opensearch
role: data
sidecar.istio.io/inject: “false”
pdb:
enable: true
maxUnavailable: 1
probes:
liveness:
failureThreshold: 6
initialDelaySeconds: 30
periodSeconds: 30
successThreshold: 1
timeoutSeconds: 15
startup:
failureThreshold: 3000
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 15
replicas: 2
resources:
limits:
cpu: “1”
memory: 4Gi
requests:
cpu: “1”
memory: 4Gi
roles:

data

remote_cluster_client

  - additionalConfig:
      cluster.initial_cluster_manager_nodes: opensearch-master-0
      plugins.security.audit.type: disabled
      plugins.security.restapi.roles_enabled: all_access,security_rest_api_access,test
      plugins.security.ssl.http.pemcert_filepath: /run/secrets/opensearch-http-cert/tls.crt
      plugins.security.ssl.http.pemkey_filepath: /run/secrets/opensearch-http-cert/tls.key
      plugins.security.ssl.http.pemtrustedcas_filepath: /run/secrets/opensearch-http-ca-cert/ca.crt
      plugins.security.ssl.transport.pemcert_filepath: /run/secrets/opensearch-transport-cert/tls.crt
      plugins.security.ssl.transport.pemkey_filepath: /run/secrets/opensearch-transport-cert/tls.key
      plugins.security.ssl.transport.pemtrustedcas_filepath: /run/secrets/opensearch-transport-ca-cert/ca.crt
      plugins.security.ssl_cert_reload_enabled: "true"
    affinity:
      podAntiAffinity:
        preferredDuringSchedulingIgnoredDuringExecution:
        - podAffinityTerm:
            labelSelector:
              matchExpressions:
              - key: app
                operator: In
                values:
                - opensearch
              - key: role
                operator: In
                values:
                - ingest
            topologyKey: kubernetes.io/hostname
          weight: 100
    annotations:
      creator: operator
      ericsson.com/product-name: opensearch Helm
      ericsson.com/product-number: CXC 201 1191
      ericsson.com/product-revision: 21.1.0
      helm.sh/resource-policy: keep
      kubectl.kubernetes.io/last-applied-configuration: |
        {"apiVersion":"com.test/v1alpha1","kind":"SearchEngine","metadata":{"annotations":{},"labels":{"app.kubernetes.io/created-by":"frondend-operator","app.kubernetes.io/instance":"searchengine-sample","app.kubernetes.io/managed-by":"kustomize","app.kubernetes.io/name":"searchengine","app.kubernetes.io/part-of":"frondend-operator"},"name":"opensearch","namespace":"asktr"},"spec":{"accessMgmt":{"enabled":false},"affinity":{"podAntiAffinity":"soft","topologyKey":"kubernetes.io/hostname"},"backupRestore":{"globalDataSet":"test"},"clusterdomain":"cluster.local","indexManagement":{"enabled":true},"instancename":"opensearch","log":{"level":"info","streamingMethod":"direct"},"metrics":{"enabled":true},"nodeSelector":{"bragent":{},"data":{},"helmtest":{},"hooklauncher":{}},"opensearch":{"plugins":{"opensearchSQL":{"enabled":false}}},"podDisruptionBudget":{"data":{"maxUnavailable":1},"ingest":{"maxUnavailable":1},"master":{"maxUnavailable":1}},"replicas":{"data":2,"ingest":1,"master":3},"resources":{"flavor":"typical","persistentStorage":{"backup":{"persistentVolumeClaim":{"size":"1Gi","storageClassName":"network-file"}},"data":{"persistentVolumeClaim":{"size":"1Gi"}},"downgrade":{"persistentVolumeClaim":{"size":"2Gi"}},"ingest":{"persistentVolumeClaim":{"size":"1Gi"}},"master":{"persistentVolumeClaim":{"size":"64Mi"}}}},"securityEventLogs":{"modificationAllowedIndices":["test"]}}}
      meta.helm.sh/release-name: se
      meta.helm.sh/release-namespace: asktr
      prometheus.io/path: /metrics
      prometheus.io/port: "9115"
      prometheus.io/scrape-interval: 15s
      prometheus.io/scrape-role: pod
    component: ingest-tls
    env:
    - name: OPENSEARCH_SQL_PLUGIN
      value: "false"
    - name: KNN_PLUGIN_ENABLED
      value: "false"
    - name: POD_NAME
      valueFrom:
        fieldRef:
          fieldPath: metadata.name
    - name: NAMESPACE
      valueFrom:
        fieldRef:
          fieldPath: metadata.namespace
    - name: SERVICE_ID
      value: opensearch
    - name: VERSION
      value: 1.2.0
    - name: OPENSEARCH_HOME
      value: /opt/opensearch
    - name: CLUSTER_NAME
      value: opensearch
    - name: OPERATOR_ENABLED
      value: "true"
    - name: OPENSEARCH_CIPHERS
      value: /etc/opensearch/cnf/ciphers
    - name: LOG_LEVEL
      value: INFO
    - name: OS_INTERNODE_TLS
      value: "true"
    - name: HTTP_PROBE_SERVICE_NAME
      value: opensearch
    - name: HTTP_PROBE_CONTAINER_NAME
      value: ingest
    - name: HTTP_PROBE_POD_NAME
      valueFrom:
        fieldRef:
          fieldPath: metadata.name
    - name: HTTP_PROBE_NAMESPACE
      valueFrom:
        fieldRef:
          fieldPath: metadata.namespace
    - name: HTTP_TRANSPORT_CERT
      value: /run/secrets/opensearch-transport-cert/tls.crt
    - name: HTTP_TRANSPORT_CERT_KEY
      value: /run/secrets/opensearch-transport-cert/tls.key
    - name: HTTP_TRANSPORT_CERT_PEM
      value: /run/secrets/opensearch-transport-cert/srvcert.pem
    - name: HTTP_TRANSPORT_CERT_KEY_PEM
      value: /run/secrets/opensearch-transport-cert/srvprivkey.pem
    - name: HTTP_TRANSPORT_CA
      value: /run/secrets/opensearch-transport-ca-cert/ca.crt
    - name: HTTP_TRANSPORT_CA_PEM
      value: /run/secrets/opensearch-transport-ca-cert/client-cacertbundle.pem
    - name: OS_HTTP_TRANSPORT_CERT
      value: /run/secrets/transport-certificates/srvcert.pem
    - name: OS_HTTP_TRANSPORT_CERT_KEY
      value: /run/secrets/transport-certificates/srvprivkey.pem
    - name: OS_HTTP_TRANSPORT_CA
      value: /run/secrets/transport-ca-certificates/client-cacertbundle.pem
    - name: HTTP_TRANSPORT_CERT_MOUNT_PATH
      value: /run/secrets/opensearch-transport-cert
    - name: HTTP_TRANSPORT_CA_MOUNT_PATH
      value: /run/secrets/opensearch-transport-ca-cert
    - name: OS_HTTP_TRANSPORT_CERT_MOUNT_PATH
      value: /run/secrets/transport-certificates
    - name: OS_HTTP_TRANSPORT_CA_MOUNT_PATH
      value: /run/secrets/transport-ca-certificates
    - name: OPENSEARCH_REST_TLS
      value: "true"
    - name: HTTP_SERVER_CERT
      value: /run/secrets/opensearch-http-cert/tls.crt
    - name: HTTP_SERVER_CERT_KEY
      value: /run/secrets/opensearch-http-cert/tls.key
    - name: HTTP_SERVER_CERT_PEM
      value: /run/secrets/opensearch-http-cert/srvcert.pem
    - name: HTTP_SERVER_CERT_KEY_PEM
      value: /run/secrets/opensearch-http-cert/srvprivkey.pem
    - name: HTTP_CLIENT_CA
      value: /run/secrets/opensearch-http-ca-cert/ca.crt
    - name: HTTP_CLIENT_CA_PEM
      value: /run/secrets/opensearch-http-ca-cert/client-cacertbundle.pem
    - name: OS_HTTP_SERVER_CERT
      value: /run/secrets/http-certificates/srvcert.pem
    - name: OS_HTTP_SERVER_CERT_KEY
      value: /run/secrets/http-certificates/srvprivkey.pem
    - name: OS_HTTP_CLIENT_CA
      value: /run/secrets/http-ca-certificates/client-cacertbundle.pem
    - name: HTTP_SERVER_CERT_MOUNT_PATH
      value: /run/secrets/opensearch-http-cert
    - name: HTTP_CLIENT_CA_MOUNT_PATH
      value: /run/secrets/opensearch-http-ca-cert
    - name: OS_HTTP_SERVER_CERT_MOUNT_PATH
      value: /run/secrets/http-certificates
    - name: OS_HTTP_CLIENT_CA_MOUNT_PATH
      value: /run/secrets/http-ca-certificates
    - name: OS_HTTP_CLIENT_CERT
      value: /run/secrets/http-client-certificates/clicert.pem
    - name: OS_HTTP_CLIENT_CERT_KEY
      value: /run/secrets/http-client-certificates/cliprivkey.pem
    - name: RO_OPENSEARCH_CNF_PATH
      value: /etc/opensearch/cnf/read_only_config
    - name: RO_OPENSEARCH_SEC_CNF_PATH
      value: /etc/opensearch/cnf/read_only_config/opensearch-security
    - name: PROCESSED_OPENSEARCH_SEC_CNF_PATH
      value: /etc/opensearch/cnf/processed_config/opensearch-security
    - name: DELAYED_TIMEOUT
      value: 3m
    - name: INDEX_MANAGEMENT_ENABLED
      value: "true"
    - name: RO_OPENSEARCH_ISM_PATH
      value: /etc/opensearch/cnf/read_only_config/opensearch-ism
    - name: ACCESS_MANAGEMENT_ENABLED
      value: "true"
    - name: SHARD_PARTIAL_VALIDATION
      value: "false"
    - name: IS_FAST_BUT_UNSAFE_UPGRADE_ENABLED
      value: "false"
    - name: SLEEP
      value: "5"
    - name: OS_ENV_NODE_ROLE
      value: node.roles=ingest,remote_cluster_client
    - name: OS_ENV_HTTP_COMPRESSION
      value: http.compression=true
    - name: OS_ENV_HTTP_HOST
      value: http.host=0.0.0.0
    - name: OS_ENV_TRANSPORT_HOST
      value: transport.host=0.0.0.0
    - name: OS_ENV_CLUSTER_INITIAL_MASTER
      value: cluster.initial_master_nodes=opensearch-master-0
    - name: OS_ENV_DISCOVERY_SEED
      value: discovery.seed_hosts=opensearch-discovery
    - name: OS_ENV_CLUSTER_NAME
      value: cluster.name=opensearch
    - name: OS_ENV_REPO_PATH
      value: path.repo=repository
    - name: TERMINATION_GRACE_PERIOD
      value: "40"
    - name: CONTAINER_NAME
      value: ingest
    - name: HTTP_PROBE_CONTAINER_NAME
      value: ingest
    - name: HTTP_PROBE_STARTUP_CMD_TIMEOUT_SEC
      value: "15"
    - name: HTTP_PROBE_LIVENESS_CMD_TIMEOUT_SEC
      value: "15"
    - name: HTTP_CLIENT_CERT
      value: /run/secrets/opensearch-http-client-cert-internal/tls.crt
    - name: HTTP_CLIENT_CERT_KEY
      value: /run/secrets/opensearch-http-client-cert-internal/tls.key
    - name: HTTP_CLIENT_CERT_PEM
      value: /run/secrets/opensearch-http-client-cert-internal/clicert.pem
    - name: HTTP_CLIENT_CERT_KEY_PEM
      value: /run/secrets/opensearch-http-client-cert-internal/cliprivkey.pem
    - name: HTTP_SERVER_CA
      value: /run/secrets/eric-sec-sip-tls-trusted-root-cert/ca.crt
    - name: OS_PORT
      value: "9200"
    labels:
      app: opensearch
      app.kubernetes.io/instance: se
      app.kubernetes.io/managed-by: Helm
      app.kubernetes.io/name: opensearch
      app.kubernetes.io/version: 21.1.0-5
      component: opensearch
      release: se
      role: ingest-tls
      sidecar.istio.io/inject: "false"
    pdb:
      enable: true
      maxUnavailable: 1
    persistence:
      emptyDir: {}
    probes:
      liveness:
        failureThreshold: 6
        initialDelaySeconds: 30
        periodSeconds: 30
        successThreshold: 1
        timeoutSeconds: 15
      startup:
        failureThreshold: 100
        initialDelaySeconds: 10
        periodSeconds: 10
        successThreshold: 1
        timeoutSeconds: 15
    replicas: 1
    resources:
      limits:
        cpu: "1"
        memory: 2Gi
      requests:
        cpu: "1"
        memory: 2Gi
    roles:
    - ingest
    - remote_cluster_client
  security:
    config:
      adminCredentialsSecret:
        name: ""
      adminSecret:
        name: opensearch-http-client-cert-internal
      securityConfigSecret:
        name: opensearch-securityconfig-secret
      updateJob:
        resources: {}
    tls:
      http:
        caSecret:
          name: opensearch-http-ca-cert
        secret:
          name: opensearch-http-cert
      transport:
        adminDn:
        - CN=opensearch-internal-client
        - CN=opensearch-bragent
        caSecret:
          name: opensearch-transport-ca-cert
        nodesDn:
        - CN=opensearch-discovery
        secret:
          name: opensearch-transport-cert
  sidecarHelper:
  - args:
    - /opt/redirect/stdout-redirect
    - -config=/opt/redirect/stdout-redirect-metrics-config.yaml
    - -format=json
    - -service-id
    - opensearch
    - -redirect
    - stdout
    - -run
    - /metrics.sh
    env:
    - name: HTTP_PROBE_PORT
      value: "9002"
    - name: HTTP_PROBE_CMD_DIR
      value: /
    - name: HTTP_PROBE_LOG_LEVEL
      value: info
    - name: HTTP_PROBE_SERVICE_NAME
      value: opensearch
    - name: HTTP_PROBE_CONTAINER_NAME
      value: metrics
    - name: HTTP_PROBE_POD_NAME
      valueFrom:
        fieldRef:
          fieldPath: metadata.name
    - name: HTTP_PROBE_NAMESPACE
      valueFrom:
        fieldRef:
          fieldPath: metadata.namespace
    - name: HTTP_PROBE_STARTUP_CMD_TIMEOUT_SEC
      value: "15"
    - name: HTTP_PROBE_LIVENESS_CMD_TIMEOUT_SEC
      value: "15"
    - name: TZ
    - name: OS_PORT
      value: "9200"
    - name: SLEEP
      value: "5"
    - name: LOG_LEVEL
      value: INFO
    - name: SERVICE_ID
      value: opensearch
    - name: ADP_LOG_VERSION
      value: 1.2.0
    - name: VERSION
      value: 1.2.0
    - name: POD_NAME
      valueFrom:
        fieldRef:
          fieldPath: metadata.name
    - name: NAMESPACE
      valueFrom:
        fieldRef:
          fieldPath: metadata.namespace
    - name: CONTAINER_NAME
      value: metrics
    - name: OS_TLS
      value: "true"
    - name: OS_CLIENT_CERT_TLS
      value: /run/secrets/opensearch-http-client-cert-internal/tls.crt
    - name: OS_CLIENT_CERT_PEM
      value: /run/secrets/opensearch-http-client-cert-internal/clicert.pem
    - name: OS_CLIENT_KEY_TLS
      value: /run/secrets/opensearch-http-client-cert-internal/tls.key
    - name: OS_CLIENT_KEY_PEM
      value: /run/secrets/opensearch-http-client-cert-internal/cliprivkey.pem
    - name: OS_SERVER_CA
      value: /run/secrets/eric-sec-sip-tls-trusted-root-cert/ca.crt
    image: armdocker.rnd.ericsson.se/proj-adp-log-dev/opensearch-pm-metrics:21.1.0-2a3ff3a3
    imagePullPolicy: IfNotPresent
    livenessProbe:
      failureThreshold: 3
      httpGet:
        path: /healthz
        port: 9114
      periodSeconds: 10
      successThreshold: 1
      timeoutSeconds: 15
    name: metrics
    ports:
    - containerPort: 9114
      name: http-metrics
      protocol: TCP
    resources:
      limits:
        cpu: 200m
        memory: 256Mi
      requests:
        cpu: 50m
        memory: 128Mi
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
        - ALL
      privileged: false
      readOnlyRootFilesystem: true
      runAsNonRoot: true
    startupProbe:
      failureThreshold: 300
      httpGet:
        path: /health/startup
        port: 9002
      initialDelaySeconds: 20
      periodSeconds: 10
      successThreshold: 1
      timeoutSeconds: 15
    volumeMounts:
    - mountPath: /tmp
      name: os-tmp
    - mountPath: /run/secrets/eric-sec-sip-tls-trusted-root-cert
      name: sip-tls-trusted-root-cert
      readOnly: true
    - mountPath: /run/secrets/opensearch-http-client-cert-internal
      name: http-client-cert
      readOnly: true

  - args:
    - /opt/redirect/stdout-redirect
    - -config=/opt/redirect/stdout-redirect-tls-config.yaml
    - -format=json
    - -service-id
    - opensearch
    - -redirect
    - stdout
    - -run
    - /tls-proxy.sh
    env:
    - name: HTTP_PROBE_PORT
      value: "9003"
    - name: HTTP_PROBE_CMD_DIR
      value: /
    - name: HTTP_PROBE_LOG_LEVEL
      value: info
    - name: HTTP_PROBE_SERVICE_NAME
      value: opensearch
    - name: HTTP_PROBE_CONTAINER_NAME
      value: tlsproxy
    - name: HTTP_PROBE_POD_NAME
      valueFrom:
        fieldRef:
          fieldPath: metadata.name
    - name: HTTP_PROBE_NAMESPACE
      valueFrom:
        fieldRef:
          fieldPath: metadata.namespace
    - name: HTTP_PROBE_STARTUP_CMD_TIMEOUT_SEC
      value: "15"
    - name: HTTP_PROBE_LIVENESS_CMD_TIMEOUT_SEC
      value: "15"
    - name: TZ
    - name: OS_PORT
    - name: LOGLEVEL
      value: INFO
    - name: LOG_LEVEL
      value: INFO
    - name: TARGET
      value: http://localhost:9114
    - name: PORT
      value: "9115"
    - name: CERT_TLS
      value: /run/secrets/opensearch-pm-server-cert/tls.crt
    - name: CERT_PEM
      value: /run/secrets/opensearch-pm-server-cert/srvcert.pem
    - name: KEY_TLS
      value: /run/secrets/opensearch-pm-server-cert/tls.key
    - name: KEY_PEM
      value: /run/secrets/opensearch-pm-server-cert/srvprivkey.pem
    - name: CLIENT_CA_TLS
      value: /run/secrets/eric-pm-server-ca/ca.crt
    - name: CLIENT_CA_PEM
      value: /run/secrets/eric-pm-server-ca/client-cacertbundle.pem
    - name: TLS_PROXY_CLIENT_CERT
      value: /run/secrets/opensearch-tlsproxy-client/tls.crt
    - name: TLS_PROXY_CLIENT_CERT_PEM
      value: /run/secrets/opensearch-tlsproxy-client/clicert.pem
    - name: TLS_PROXY_CLIENT_KEY
      value: /run/secrets/opensearch-tlsproxy-client/tls.key
    - name: TLS_PROXY_CLIENT_KEY_PEM
      value: /run/secrets/opensearch-tlsproxy-client/cliprivkey.pem
    - name: TLS_PROXY_CA
      value: /run/secrets/eric-sec-sip-tls-trusted-root-cert/ca.crt
    - name: SERVICE_ID
      value: opensearch
    - name: ADP_LOG_VERSION
      value: 1.2.0
    - name: VERSION
      value: 1.2.0
    - name: POD_NAME
      valueFrom:
        fieldRef:
          fieldPath: metadata.name
    - name: NAMESPACE
      valueFrom:
        fieldRef:
          fieldPath: metadata.namespace
    - name: CONTAINER_NAME
      value: tlsproxy
    - name: SLEEP
      value: "5"
    image: armdocker.rnd.ericsson.se/proj-adp-log-dev/opensearch-tls-proxy:21.1.0-2a3ff3a3
    imagePullPolicy: IfNotPresent
    livenessProbe:
      failureThreshold: 3
      httpGet:
        path: /health/liveness
        port: 9003
      periodSeconds: 10
      successThreshold: 1
      timeoutSeconds: 15
    name: tlsproxy
    ports:
    - containerPort: 9115
      name: https-metrics
      protocol: TCP
    resources:
      limits:
        cpu: 200m
        memory: 256Mi
      requests:
        cpu: 50m
        memory: 128Mi
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
        - ALL
      privileged: false
      readOnlyRootFilesystem: true
      runAsNonRoot: true
    startupProbe:
      failureThreshold: 300
      httpGet:
        path: /health/startup
        port: 9003
      initialDelaySeconds: 30
      periodSeconds: 10
      successThreshold: 1
      timeoutSeconds: 15
    volumeMounts:
    - mountPath: /tmp
      name: os-tmp
    - mountPath: /run/secrets/eric-sec-sip-tls-trusted-root-cert
      name: sip-tls-trusted-root-cert
      readOnly: true
    - mountPath: /run/secrets/opensearch-pm-server-cert
      name: tlsproxy-server-cert
      readOnly: true
    - mountPath: /run/secrets/eric-pm-server-ca
      name: pm-trusted-ca
      readOnly: true
    - mountPath: /run/secrets/opensearch-tlsproxy-client
      name: tlsproxy-client-cert
      readOnly: true
status:
  componentsStatus:

  health: unknown
  phase: RUNNING
  version: 3.2.0