Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
OpenSearch : 2.15.0
Deployment : OpenSearch K8s Operator (2.5.1)
While investigating what the auto-generated certificates look like, I found that there is a difference between the transport-cert and http-cert information (openssl x509).
```sh
k get secret test-opensearch-cluster-1-http-cert -o jsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -text -noout
```
I used the above command.
```
# transport-cert
X509v3 extensions:
    X509v3 Key Usage: critical
        Digital Signature
    X509v3 Extended Key Usage:
        TLS Web Client Authentication, TLS Web Server Authentication
    X509v3 Authority Key Identifier:
        keyid:E3:D8:6E:F3:39:00:82:43:59:E4:3C:11:33:4F:29:EC:7E:9D:5C:AA
    X509v3 Subject Alternative Name: critical
        Registered ID:1.2.3.4.5.5, DNS:test-opensearch-cluster-1, DNS:test-opensearch-cluster-1.test-opensearch-cluster-1, DNS:test-opensearch-cluster-1.test-opensearch-cluster-1.svc, DNS:test-opensearch-cluster-1.test-opensearch-cluster-1.svc.cluster.local
```

```
# http-cert
X509v3 extensions:
    X509v3 Key Usage: critical
        Digital Signature
    X509v3 Extended Key Usage:
        TLS Web Client Authentication, TLS Web Server Authentication
    X509v3 Authority Key Identifier:
        keyid:E3:D8:6E:F3:39:00:82:43:59:E4:3C:11:33:4F:29:EC:7E:9D:5C:AA
    X509v3 Subject Alternative Name: critical
        Registered ID:1.2.3.4.5.5, DNS:test-opensearch-cluster-1, DNS:test-opensearch-cluster-1, DNS:test-opensearch-cluster-1-discovery, DNS:test-opensearch-cluster-1.test-opensearch-cluster-1, DNS:test-opensearch-cluster-1.test-opensearch-cluster-1.svc, DNS:test-opensearch-cluster-1.test-opensearch-cluster-1.svc.cluster.local
```
Can anyone explain to me why http-cert has two more DNS entries in its certificate?
```
DNS:test-opensearch-cluster-1, DNS:test-opensearch-cluster-1-discovery
```
Is there any need to include the Discovery service (k8s resource) in http-cert? It goes against my intuition, because the discovery Service in the namespace in which the OpenSearch resources are located has the 9300 (transport) port.
```yaml
apiVersion: v1
kind: Service
metadata:
  ...
  name: test-opensearch-cluster-1-discovery
  namespace: test-opensearch-cluster-1
  ownerReferences:
  - apiVersion: opensearch.opster.io/v1
    blockOwnerDeletion: true
    controller: true
    kind: OpenSearchCluster
    name: test-opensearch-cluster-1
spec:
  clusterIP: None
  clusterIPs:
  - None
  internalTrafficPolicy: Cluster
  ipFamilies:
  - IPv4
  ipFamilyPolicy: SingleStack
  ports:
  - name: transport
    port: 9300
    protocol: TCP
    targetPort: 9300
  publishNotReadyAddresses: true
  selector:
    opster.io/opensearch-cluster: test-opensearch-cluster-1
  sessionAffinity: None
  type: ClusterIP
status:
  loadBalancer: {}
```
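A way to audit this kind of SAN difference mechanically, as an added example that is not from the issue author or the operator project: a stdlib-only script that parses the Subject Alternative Name line out of `openssl x509 -text -noout` output and reports DNS names present in one certificate but not the other, as well as names listed more than once. The two inputs are constructed from the extension blocks quoted above, trimmed to the relevant lines.

```python
# Added example: diff the DNS SANs of two certs from `openssl x509 -text -noout` output.
# Constructed inputs, trimmed to the extension lines shown in the issue above.
TRANSPORT_TEXT = """\
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Subject Alternative Name: critical
                Registered ID:1.2.3.4.5.5, DNS:test-opensearch-cluster-1, DNS:test-opensearch-cluster-1.test-opensearch-cluster-1, DNS:test-opensearch-cluster-1.test-opensearch-cluster-1.svc, DNS:test-opensearch-cluster-1.test-opensearch-cluster-1.svc.cluster.local
"""
HTTP_TEXT = """\
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Subject Alternative Name: critical
                Registered ID:1.2.3.4.5.5, DNS:test-opensearch-cluster-1, DNS:test-opensearch-cluster-1, DNS:test-opensearch-cluster-1-discovery, DNS:test-opensearch-cluster-1.test-opensearch-cluster-1, DNS:test-opensearch-cluster-1.test-opensearch-cluster-1.svc, DNS:test-opensearch-cluster-1.test-opensearch-cluster-1.svc.cluster.local
"""

SAN_HEADER = "X509v3 Subject Alternative Name"


def san_entries(openssl_text):
    """Return the SAN entries (order and duplicates preserved) from
    `openssl x509 -text -noout` output, or [] if there is no SAN extension.
    openssl prints the entries as one comma-separated line after the header."""
    lines = openssl_text.splitlines()
    for i, line in enumerate(lines):
        if line.strip().startswith(SAN_HEADER) and i + 1 < len(lines):
            return [e.strip() for e in lines[i + 1].split(",") if e.strip()]
    return []


def dns_names(openssl_text):
    """Only the DNS-type SAN entries, with the 'DNS:' prefix removed."""
    return [e[4:] for e in san_entries(openssl_text) if e.startswith("DNS:")]


def compare_dns_sans(transport_text, http_text):
    """Names that differ between the two certs, plus names listed more than once."""
    t, h = dns_names(transport_text), dns_names(http_text)
    return {
        "only_in_http": sorted(set(h) - set(t)),
        "only_in_transport": sorted(set(t) - set(h)),
        "duplicates_in_http": sorted({n for n in h if h.count(n) > 1}),
        "duplicates_in_transport": sorted({n for n in t if t.count(n) > 1}),
    }


if __name__ == "__main__":
    for key, names in compare_dns_sans(TRANSPORT_TEXT, HTTP_TEXT).items():
        print(f"{key}: {names}")
```

To run it against live secrets, pipe the `kubectl get secret ... | base64 -d | openssl x509 -text -noout` output for each certificate into the two inputs; the parser only depends on the SAN header and the comma-separated line that follows it.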