Unable to apply SSL certificate

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
2.11.1

Describe the issue:
I have created self-signed admin and root CA certificates to configure OpenSearch SSL.
I updated opensearch-cluster-master-config with the plugins configuration below for opensearch.yml:

apiVersion: v1
data:
  opensearch.yml: |
    cluster.name: opensearch-cluster
    network.host: 0.0.0.0


    plugins:
      security:
        ssl:
          transport:
            pemcert_filepath: esnode.pem
            pemkey_filepath: esnode-key.pem
            pemtrustedcas_filepath: root-ca.pem
            enforce_hostname_verification: false
          http:
            enabled: true
            pemcert_filepath: admin.pem
            pemkey_filepath: admin-key.pem
            pemtrustedcas_filepath: root-ca.pem
        allow_unsafe_democertificates: true
        allow_default_init_securityindex: true

However, this is not picked up by OpenSearch.
What I found is that there is a duplicate configuration which is also getting added below my configmap configurations in opensearch.yml, shown below:

######## Start OpenSearch Security Demo Configuration ########
# WARNING: revise all the lines below before you go into production
plugins.security.ssl.transport.pemcert_filepath: esnode.pem
plugins.security.ssl.transport.pemkey_filepath: esnode-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: esnode.pem
plugins.security.ssl.http.pemkey_filepath: esnode-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: root-ca.pem
plugins.security.allow_unsafe_democertificates: true
plugins.security.allow_default_init_securityindex: true
plugins.security.authcz.admin_dn:
  - CN=kirk,OU=client,O=client,L=test, C=de

plugins.security.audit.type: internal_opensearch
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [".plugins-ml-config", ".plugins-ml-connector", ".plugins-ml-model-group", ".plugins-ml-model", ".plugins-ml-task", ".plugins-ml-conversation-meta", ".plugins-ml-conversation-interactions", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".ql-datasources", ".opendistro-asynchronous-search-response*", ".replication-metadata-store", ".opensearch-knn-models", ".geospatial-ip2geo-data*"]
node.max_local_storage_nodes: 3
######## End OpenSearch Security Demo Configuration ########

Who is adding this duplicate configuration?

Configuration:
Helm based kubectl installation

Relevant Logs or Screenshots:

@opensearch1 Did you use official OpenSearch helm charts?

Hi @pablo ,

Yes. I installed from the official helm chart. I think accessing the configMap is not a viable solution here. I need to mount certificates, private keys and my custom opensearch.yml in the opensearch-cluster-master pod. A Docker-based deployment is working using this approach.

Using the configMap adds my custom plugin configurations to the existing default opensearch.yml file. As the default configurations are below the configmap-based configurations, the default configs overwrite them and hence my certificates never work.

@opensearch1 Helm charts are different than docker. You can mount certificates either through configmap or secret. For certificates you should use secret.

In this scenario both are used. Config map is used for opensearch.yml and secret for certificates.
You can find both by running the following commands.

kubectl get secret -n <namespace>
kubectl get configmap -n <namespace>

I would recommend getting more familiar with Kubernetes as that will help you better navigate helm charts.

If you’d like to use custom certificates, you can use helm charts and define secrets with your certs.

Also you could replace certificates in the nodes cert secrets and then recreate OpenSearch pods.

Hi @pablo ,
The problem was that the default OpenSearch demo configuration will always be appended to the existing opensearch.yml, no matter whether you provide opensearch.yml through helm or don't.
I had to stop it by passing DISABLE_INSTALL_DEMO_CONFIG as true in the helm values. Now there is only one set of cert configurations, which is in YAML syntax.

This causes another problem of configuring OPENSEARCH_INITIAL_ADMIN_PASSWORD. With DISABLE_INSTALL_DEMO_CONFIG as true, OPENSEARCH_INITIAL_ADMIN_PASSWORD is always admin no matter what you give.

Any idea how that can be done?

@opensearch1 I’ve just deployed the cluster and I’ve also got duplicated configuration in opensearch.yml.

I’ve reported this as a bug in GitHub.

I’ll test the password issue.
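
As an added example (not from the thread or the OpenSearch project), this Python check flattens both the nested ConfigMap form and the flat demo block of a rendered opensearch.yml and reports settings that are defined twice, such as the duplicated TLS settings discussed above. The sample input is constructed from the thread's two listings, the function names are hypothetical, and the reader handles only mappings with scalar values.

```python
import re

# Constructed sample: nested ConfigMap settings followed by the appended
# flat-key demo block, abridged from the two listings in the thread.
SAMPLE = """\
cluster.name: opensearch-cluster
plugins:
  security:
    ssl:
      http:
        enabled: true
        pemcert_filepath: admin.pem
        pemkey_filepath: admin-key.pem
    allow_unsafe_democertificates: true
######## Start OpenSearch Security Demo Configuration ########
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: esnode.pem
plugins.security.ssl.http.pemkey_filepath: esnode-key.pem
plugins.security.allow_unsafe_democertificates: true
"""

def flatten_settings(text):
    """Return (dotted_key, value, line_no) for nested and flat scalar settings."""
    found, stack = [], []  # stack: (indent, key) of the open parent mappings
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split(" #")[0].rstrip()  # drop trailing comments
        stripped = line.lstrip()
        m = re.match(r"([\w.]+):\s*(.*)$", stripped)
        if not m:  # blank line, comment, or list item
            continue
        indent = len(line) - len(stripped)
        while stack and stack[-1][0] >= indent:  # close deeper/sibling mappings
            stack.pop()
        key, value = m.groups()
        if value == "":
            stack.append((indent, key))  # a parent mapping (or list header)
        else:
            found.append((".".join([k for _, k in stack] + [key]), value, line_no))
    return found

def find_duplicates(text):
    """Return (duplicates, conflicts): keys set twice, and those whose values differ."""
    seen = {}
    for path, value, line_no in flatten_settings(text):
        seen.setdefault(path, []).append((line_no, value))
    dupes = {k: v for k, v in seen.items() if len(v) > 1}
    conflicts = {k: v for k, v in dupes.items() if len({val for _, val in v}) > 1}
    return dupes, conflicts

if __name__ == "__main__":
    for key, defs in find_duplicates(SAMPLE)[1].items():
        print(key, defs)
```

Running it against the opensearch.yml read from inside the pod, rather than against the ConfigMap, shows what the node actually loads, because the demo block is appended to the file after the ConfigMap content.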