[BUG] Change Admin Password doesn't work when using custom securityConfig #519

mabahre opened this issue Feb 23, 2024 · 12 comments
Labels
bug Something isn't working

Comments

@mabahre

mabahre commented Feb 23, 2024

Describe the bug
When deploying the Helm chart to a Kubernetes cluster with the default admin password set via the environment variable "OPENSEARCH_INITIAL_ADMIN_PASSWORD" and a custom securityConfig set, the deployment fails with the following error:

No custom admin password found. Please provide a password via the environment variable OPENSEARCH_INITIAL_ADMIN_PASSWORD.

Deploying the chart without setting a custom securityConfig works fine, but is not the desired goal because I need to deploy an LDAP connection via that config.

To Reproduce
Steps to reproduce the behavior:

  1. Deploy the Chart with "OPENSEARCH_INITIAL_ADMIN_PASSWORD" and custom securityConfig set

Expected behavior
The deployment should be able to set the admin password even if a custom securityConfig is provided.

Chart Name
opensearch
Version 2.18.0

Host/Environment (please complete the following information):

  • Helm Version: 3.12.3
  • Kubernetes Version: 1.27.6

Complete Logs

Enabling OpenSearch Security Plugin
Enabling execution of install_demo_configuration.sh for OpenSearch Security Plugin 
OpenSearch 2.12.0 onwards, the OpenSearch Security Plugin a change that requires an initial password for 'admin' user. 
2024-02-23T09:50:15.120459229Z Please define an environment variable 'OPENSEARCH_INITIAL_ADMIN_PASSWORD' with a strong password string. 
2024-02-23T09:50:15.120465861Z If a password is not provided, the setup will quit. 
 For more details, please visit: https://opensearch.org/docs/latest/install-and-configure/install-opensearch/docker/
2024-02-23T09:50:15.332680350Z ### OpenSearch Security Demo Installer
2024-02-23T09:50:15.332727237Z ### ** Warning: Do not use on production or public reachable systems **
OpenSearch install type: rpm/deb on Linux 5.14.21-150500.55.36-default amd64
2024-02-23T09:50:15.350568914Z OpenSearch config dir: /usr/share/opensearch/config/
OpenSearch config file: /usr/share/opensearch/config/opensearch.yml
2024-02-23T09:50:15.350758789Z OpenSearch bin dir: /usr/share/opensearch/bin/
OpenSearch plugins dir: /usr/share/opensearch/plugins/
2024-02-23T09:50:15.351000640Z OpenSearch lib dir: /usr/share/opensearch/lib/
Detected OpenSearch Version: 2.12.0
2024-02-23T09:50:15.351213196Z Detected OpenSearch Security Version: 2.12.0.0
2024-02-23T09:50:16.218995287Z No custom admin password found. Please provide a password via the environment variable OPENSEARCH_INITIAL_ADMIN_PASSWORD.
@mabahre mabahre added bug Something isn't working untriaged Issues that have not yet been triaged labels Feb 23, 2024
@mike858585

mike858585 commented Feb 26, 2024

Hi! The same problem:

Detected OpenSearch Version: 2.12.0
Detected OpenSearch Security Version: 2.12.0.0
Admin password set successfully.
Exception updating the admin password : Unable to update the internal users file with the hashed password.

In libsonnet:
securityConfig+: {
  enabled: true,
  path: "/usr/share/opensearch/config/opensearch-security",
  config+: {
    securityConfigSecret: "",
    dataComplete: true,
    data+: {
      'internal_users.yml': |||

@smlx
Contributor

smlx commented Feb 26, 2024

I think you need to set DISABLE_INSTALL_DEMO_CONFIG=true to use a custom security config.

@mike858585

Thank you, maybe it is the right way. But the env application of DISABLE_INSTALL_DEMO_CONFIG=true itself resulted in another problem:

Defaulted container "opensearch" out of: opensearch, fsgroup-volume (init), configfile (init), sysctl (init)
Enabling OpenSearch Security Plugin
Disabling execution of install_demo_configuration.sh for OpenSearch Security Plugin
Enabling execution of OPENSEARCH_HOME/bin/opensearch-performance-analyzer/performance-analyzer-agent-cli for OpenSearch Performance Analyzer Plugin
WARNING: Using incubator modules: jdk.incubator.vector
WARNING: A terminally deprecated method in java.lang.System has been called
WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/opensearch/lib/opensearch-2.12.0.jar)
WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
WARNING: System::setSecurityManager will be removed in a future release
Feb 26, 2024 1:51:24 PM sun.util.locale.provider.LocaleProviderAdapter
WARNING: COMPAT locale provider will be removed in a future release
WARNING: A terminally deprecated method in java.lang.System has been called
WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/opensearch/lib/opensearch-2.12.0.jar)
WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
WARNING: System::setSecurityManager will be removed in a future release
[2024-02-26T13:51:24,872][INFO ][o.o.n.Node ] [opensearch-cluster-master-0] version[2.12.0], pid[10], build[], OS[], JVM[]
[2024-02-26T13:51:24,874][INFO ][o.o.n.Node ] [opensearch-cluster-master-0] JVM home [/usr/share/opensearch/jdk], using bundled JDK/JRE [true]
[2024-02-26T13:51:24,874][INFO ][o.o.n.Node ] [opensearch-cluster-master-0] JVM arguments [-Xshare:auto, -Dopensearch.networkaddress.cache.ttl=60, -Dopensearch.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -XX:+ShowCodeDetailsInExceptionMessages, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dio.netty.allocator.numDirectArenas=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.security.manager=allow, -Djava.locale.providers=SPI,COMPAT, -Xms1g, -Xmx1g, -XX:+UseG1GC, -XX:G1ReservePercent=25, -XX:InitiatingHeapOccupancyPercent=30, -Djava.io.tmpdir=/tmp/opensearch-13868736376094782822, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=data, -XX:ErrorFile=logs/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=logs/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -Djava.security.manager=allow, --add-modules=jdk.incubator.vector, -Djava.util.concurrent.ForkJoinPool.common.threadFactory=org.opensearch.secure_sm.SecuredForkJoinWorkerThreadFactory, -Dclk.tck=100, -Djdk.attach.allowAttachSelf=true, -Djava.security.policy=/usr/share/opensearch/config/opensearch-performance-analyzer/opensearch_security.policy, --add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED, -Dopensearch.cgroups.hierarchy.override=/, -Xmx512M, -Xms512M, -XX:MaxDirectMemorySize=268435456, -Dopensearch.path.home=/usr/share/opensearch, -Dopensearch.path.conf=/usr/share/opensearch/config, -Dopensearch.distribution.type=tar, -Dopensearch.bundled_jdk=true]
[2024-02-26T13:51:26,048][INFO ][o.o.s.s.t.SSLConfig ] [opensearch-cluster-master-0] SSL dual mode is disabled
[2024-02-26T13:51:26,048][INFO ][o.o.s.OpenSearchSecurityPlugin] [opensearch-cluster-master-0] OpenSearch Config path is /usr/share/opensearch/config
[2024-02-26T13:51:26,288][INFO ][o.o.s.s.DefaultSecurityKeyStore] [opensearch-cluster-master-0] JVM supports TLSv1.3
[2024-02-26T13:51:26,290][INFO ][o.o.s.s.DefaultSecurityKeyStore] [opensearch-cluster-master-0] Config directory is /usr/share/opensearch/config/, from there the key- and truststore files are resolved relatively
[2024-02-26T13:51:26,302][ERROR][o.o.b.OpenSearchUncaughtExceptionHandler] [opensearch-cluster-master-0] uncaught exception in thread [main]
org.opensearch.bootstrap.StartupException: java.lang.IllegalStateException: failed to load plugin class [org.opensearch.security.OpenSearchSecurityPlugin]
at org.opensearch.bootstrap.OpenSearch.init(OpenSearch.java:185) ~[opensearch-2.12.0.jar:2.12.0]
at org.opensearch.bootstrap.OpenSearch.execute(OpenSearch.java:172) ~[opensearch-2.12.0.jar:2.12.0]
at org.opensearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:104) ~[opensearch-2.12.0.jar:2.12.0]
at org.opensearch.cli.Command.mainWithoutErrorHandling(Command.java:138) ~[opensearch-cli-2.12.0.jar:2.12.0]
at org.opensearch.cli.Command.main(Command.java:101) ~[opensearch-cli-2.12.0.jar:2.12.0]
at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:138) ~[opensearch-2.12.0.jar:2.12.0]
at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:104) ~[opensearch-2.12.0.jar:2.12.0]
Caused by: java.lang.IllegalStateException: failed to load plugin class [org.opensearch.security.OpenSearchSecurityPlugin]
uncaught exception in thread [main]
at org.opensearch.plugins.PluginsService.loadPlugin(PluginsService.java:792) ~[opensearch-2.12.0.jar:2.12.0]
at org.opensearch.plugins.PluginsService.loadBundle(PluginsService.java:732) ~[opensearch-2.12.0.jar:2.12.0]
at org.opensearch.plugins.PluginsService.loadBundles(PluginsService.java:533) ~[opensearch-2.12.0.jar:2.12.0]
at org.opensearch.plugins.PluginsService.(PluginsService.java:195) ~[opensearch-2.12.0.jar:2.12.0]
at org.opensearch.node.Node.(Node.java:486) ~[opensearch-2.12.0.jar:2.12.0]
at org.opensearch.node.Node.(Node.java:413) ~[opensearch-2.12.0.jar:2.12.0]
at org.opensearch.bootstrap.Bootstrap$5.(Bootstrap.java:242) ~[opensearch-2.12.0.jar:2.12.0]
at org.opensearch.bootstrap.Bootstrap.setup(Bootstrap.java:242) ~[opensearch-2.12.0.jar:2.12.0]
at org.opensearch.bootstrap.Bootstrap.init(Bootstrap.java:404) ~[opensearch-2.12.0.jar:2.12.0]
at org.opensearch.bootstrap.OpenSearch.init(OpenSearch.java:181) ~[opensearch-2.12.0.jar:2.12.0]
... 6 more
Caused by: java.lang.reflect.InvocationTargetException
at java.base/jdk.internal.reflect.DirectConstructorHandleAccessor.newInstance(DirectConstructorHandleAccessor.java:74) ~[?:?]
at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:502) ~[?:?]
at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:486) ~[?:?]
at org.opensearch.plugins.PluginsService.loadPlugin(PluginsService.java:783) ~[opensearch-2.12.0.jar:2.12.0]
at org.opensearch.plugins.PluginsService.loadBundle(PluginsService.java:732) ~[opensearch-2.12.0.jar:2.12.0]
at org.opensearch.plugins.PluginsService.loadBundles(PluginsService.java:533) ~[opensearch-2.12.0.jar:2.12.0]
at org.opensearch.plugins.PluginsService.(PluginsService.java:195) ~[opensearch-2.12.0.jar:2.12.0]
at org.opensearch.node.Node.(Node.java:486) ~[opensearch-2.12.0.jar:2.12.0]
at org.opensearch.node.Node.(Node.java:413) ~[opensearch-2.12.0.jar:2.12.0]
at org.opensearch.bootstrap.Bootstrap$5.(Bootstrap.java:242) ~[opensearch-2.12.0.jar:2.12.0]
at org.opensearch.bootstrap.Bootstrap.setup(Bootstrap.java:242) ~[opensearch-2.12.0.jar:2.12.0]
at org.opensearch.bootstrap.Bootstrap.init(Bootstrap.java:404) ~[opensearch-2.12.0.jar:2.12.0]
at org.opensearch.bootstrap.OpenSearch.init(OpenSearch.java:181) ~[opensearch-2.12.0.jar:2.12.0]
... 6 more
Caused by: org.opensearch.OpenSearchSecurityException: Error while initializing transport SSL layer from PEM: OpenSearchException[Unable to read /usr/share/opensearch/config/esnode.pem (/usr/share/opensearch/config/esnode.pem). Please make sure this files exists and is readable regarding to permissions. Property: plugins.security.ssl.transport.pemcert_filepath]
at org.opensearch.security.ssl.DefaultSecurityKeyStore.initTransportSSLConfig(DefaultSecurityKeyStore.java:484) ~[?:?]
at org.opensearch.security.ssl.DefaultSecurityKeyStore.initSSLConfig(DefaultSecurityKeyStore.java:298) ~[?:?]
at org.opensearch.security.ssl.DefaultSecurityKeyStore.(DefaultSecurityKeyStore.java:204) ~[?:?]
at org.opensearch.security.ssl.OpenSearchSecuritySSLPlugin.(OpenSearchSecuritySSLPlugin.java:235) ~[?:?]
at org.opensearch.security.OpenSearchSecurityPlugin.(OpenSearchSecurityPlugin.java:295) ~[?:?]
at java.base/jdk.internal.reflect.DirectConstructorHandleAccessor.newInstance(DirectConstructorHandleAccessor.java:62) ~[?:?]
at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:502) ~[?:?]
at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:486) ~[?:?]
at org.opensearch.plugins.PluginsService.loadPlugin(PluginsService.java:783) ~[opensearch-2.12.0.jar:2.12.0]
at org.opensearch.plugins.PluginsService.loadBundle(PluginsService.java:732) ~[opensearch-2.12.0.jar:2.12.0]
at org.opensearch.plugins.PluginsService.loadBundles(PluginsService.java:533) ~[opensearch-2.12.0.jar:2.12.0]
at org.opensearch.plugins.PluginsService.(PluginsService.java:195) ~[opensearch-2.12.0.jar:2.12.0]
at org.opensearch.node.Node.(Node.java:486) ~[opensearch-2.12.0.jar:2.12.0]
at org.opensearch.node.Node.(Node.java:413) ~[opensearch-2.12.0.jar:2.12.0]
at org.opensearch.bootstrap.Bootstrap$5.(Bootstrap.java:242) ~[opensearch-2.12.0.jar:2.12.0]
at org.opensearch.bootstrap.Bootstrap.setup(Bootstrap.java:242) ~[opensearch-2.12.0.jar:2.12.0]
at org.opensearch.bootstrap.Bootstrap.init(Bootstrap.java:404) ~[opensearch-2.12.0.jar:2.12.0]
at org.opensearch.bootstrap.OpenSearch.init(OpenSearch.java:181) ~[opensearch-2.12.0.jar:2.12.0]
... 6 more
Caused by: org.opensearch.OpenSearchException: Unable to read /usr/share/opensearch/config/esnode.pem (/usr/share/opensearch/config/esnode.pem). Please make sure this files exists and is readable regarding to permissions. Property: plugins.security.ssl.transport.pemcert_filepath
at org.opensearch.security.ssl.DefaultSecurityKeyStore.checkPath(DefaultSecurityKeyStore.java:1135) ~[?:?]
at org.opensearch.security.ssl.DefaultSecurityKeyStore.resolve(DefaultSecurityKeyStore.java:276) ~[?:?]
at org.opensearch.security.ssl.DefaultSecurityKeyStore.initTransportSSLConfig(DefaultSecurityKeyStore.java:454) ~[?:?]
at org.opensearch.security.ssl.DefaultSecurityKeyStore.initSSLConfig(DefaultSecurityKeyStore.java:298) ~[?:?]
at org.opensearch.security.ssl.DefaultSecurityKeyStore.(DefaultSecurityKeyStore.java:204) ~[?:?]
at org.opensearch.security.ssl.OpenSearchSecuritySSLPlugin.(OpenSearchSecuritySSLPlugin.java:235) ~[?:?]
at org.opensearch.security.OpenSearchSecurityPlugin.(OpenSearchSecurityPlugin.java:295) ~[?:?]
at java.base/jdk.internal.reflect.DirectConstructorHandleAccessor.newInstance(DirectConstructorHandleAccessor.java:62) ~[?:?]
at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:502) ~[?:?]
at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:486) ~[?:?]
at org.opensearch.plugins.PluginsService.loadPlugin(PluginsService.java:783) ~[opensearch-2.12.0.jar:2.12.0]
at org.opensearch.plugins.PluginsService.loadBundle(PluginsService.java:732) ~[opensearch-2.12.0.jar:2.12.0]
at org.opensearch.plugins.PluginsService.loadBundles(PluginsService.java:533) ~[opensearch-2.12.0.jar:2.12.0]
at org.opensearch.plugins.PluginsService.(PluginsService.java:195) ~[opensearch-2.12.0.jar:2.12.0]
at org.opensearch.node.Node.(Node.java:486) ~[opensearch-2.12.0.jar:2.12.0]
at org.opensearch.node.Node.(Node.java:413) ~[opensearch-2.12.0.jar:2.12.0]
at org.opensearch.bootstrap.Bootstrap$5.(Bootstrap.java:242) ~[opensearch-2.12.0.jar:2.12.0]
at org.opensearch.bootstrap.Bootstrap.setup(Bootstrap.java:242) ~[opensearch-2.12.0.jar:2.12.0]
at org.opensearch.bootstrap.Bootstrap.init(Bootstrap.java:404) ~[opensearch-2.12.0.jar:2.12.0]
at org.opensearch.bootstrap.OpenSearch.init(OpenSearch.java:181) ~[opensearch-2.12.0.jar:2.12.0]
... 6 more
java.lang.IllegalStateException: failed to load plugin class [org.opensearch.security.OpenSearchSecurityPlugin]
Likely root cause: OpenSearchException[Unable to read /usr/share/opensearch/config/esnode.pem (/usr/share/opensearch/config/esnode.pem). Please make sure this files exists and is readable regarding to permissions. Property: plugins.security.ssl.transport.pemcert_filepath]
at org.opensearch.security.ssl.DefaultSecurityKeyStore.checkPath(DefaultSecurityKeyStore.java:1135)
at org.opensearch.security.ssl.DefaultSecurityKeyStore.resolve(DefaultSecurityKeyStore.java:276)
at org.opensearch.security.ssl.DefaultSecurityKeyStore.initTransportSSLConfig(DefaultSecurityKeyStore.java:454)
at org.opensearch.security.ssl.DefaultSecurityKeyStore.initSSLConfig(DefaultSecurityKeyStore.java:298)
at org.opensearch.security.ssl.DefaultSecurityKeyStore.(DefaultSecurityKeyStore.java:204)
at org.opensearch.security.ssl.OpenSearchSecuritySSLPlugin.(OpenSearchSecuritySSLPlugin.java:235)
at org.opensearch.security.OpenSearchSecurityPlugin.(OpenSearchSecurityPlugin.java:295)
at java.base/jdk.internal.reflect.DirectConstructorHandleAccessor.newInstance(DirectConstructorHandleAccessor.java:62)
at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:502)
at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:486)
at org.opensearch.plugins.PluginsService.loadPlugin(PluginsService.java:783)
at org.opensearch.plugins.PluginsService.loadBundle(PluginsService.java:732)
at org.opensearch.plugins.PluginsService.loadBundles(PluginsService.java:533)
at org.opensearch.plugins.PluginsService.(PluginsService.java:195)
at org.opensearch.node.Node.(Node.java:486)
at org.opensearch.node.Node.(Node.java:413)
at org.opensearch.bootstrap.Bootstrap$5.(Bootstrap.java:242)
at org.opensearch.bootstrap.Bootstrap.setup(Bootstrap.java:242)
at org.opensearch.bootstrap.Bootstrap.init(Bootstrap.java:404)
at org.opensearch.bootstrap.OpenSearch.init(OpenSearch.java:181)
at org.opensearch.bootstrap.OpenSearch.execute(OpenSearch.java:172)
at org.opensearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:104)
at org.opensearch.cli.Command.mainWithoutErrorHandling(Command.java:138)
at org.opensearch.cli.Command.main(Command.java:101)
at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:138)
at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:104)
For complete error details, refer to the log at /usr/share/opensearch/logs/opensearch-cluster.log

@mabahre
Author

mabahre commented Feb 26, 2024

I can confirm the problem of @mike858585:
After setting the env "DISABLE_INSTALL_DEMO_CONFIG", I get the same error.

@shree1999

Hi Team, any update or workaround for this issue?
It seems that setting up "OPENSEARCH_INITIAL_ADMIN_PASSWORD" and securityConfig together leads to an error.

For example, if I set up an internal_users.yml under the securityConfig, it gives the error:
exception updating the admin password : /usr/share/opensearch/config/opensearch-security/internal_users.yml: device or resource busy

@smlx
Contributor

smlx commented Feb 27, 2024

Did you mount the cert into the pod as per the error message?

 Caused by: org.opensearch.OpenSearchSecurityException: Error while initializing transport SSL layer from PEM: OpenSearchException[Unable to read /usr/share/opensearch/config/esnode.pem (/usr/share/opensearch/config/esnode.pem). Please make sure this files exists and is readable regarding to permissions. Property: plugins.security.ssl.transport.pemcert_filepath]

@mike858585

@smlx the same configuration works, just set the appVersion: "2.11.0" and the certificates are mounted correctly,
for version 2.12.0 I have to set
securityConfig+: {
enabled: false,

Next, I will control it via API.

If I wanted to mount something manually, I don't have to use the helm-charts, but only the manifests :-)

@mabahre
Author

mabahre commented Feb 27, 2024

@smlx I never mounted the mentioned Certificate and it works fine in Previous Versions.
I only mount the root CA for LDAP

@mabahre mabahre closed this as completed Feb 27, 2024
@mabahre mabahre reopened this Feb 27, 2024
@mike858585

mike858585 commented Feb 29, 2024

@smlx Thank you very much!

name: 'DISABLE_INSTALL_DEMO_CONFIG',
value: 'true',

and using default cert settings helped me :-) https://opensearch.org/docs/2.12/security/configuration/generate-certificates/

$ kubectl exec -it opensearch-cluster-master-0 -n opensearch -- /bin/bash -c "./plugins/opensearch-security/tools/securityadmin.sh -cd config/opensearch-security -icl -nhnv -cacert /usr/share/opensearch/config/certificates/root-ca.pem -cert /usr/share/opensearch/config/certificates/client.pem -key /usr/share/opensearch/config/certificates/client-key.pem"

Security Admin v7
Will connect to localhost:9200 ... done
Connected as "CN=client.dns.a-record,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA"
OpenSearch Version: 2.12.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: opensearch-cluster
Clusterstate: GREEN
Number of nodes: 3
Number of data nodes: 3
.opendistro_security index already exists, so we do not need to create one.
Populate config from /usr/share/opensearch/config/opensearch-security
Will update '/config' with config/opensearch-security/config.yml 
   SUCC: Configuration for 'config' created or updated
Will update '/roles' with config/opensearch-security/roles.yml 
   SUCC: Configuration for 'roles' created or updated
Will update '/rolesmapping' with config/opensearch-security/roles_mapping.yml 
   SUCC: Configuration for 'rolesmapping' created or updated
Will update '/internalusers' with config/opensearch-security/internal_users.yml 
   SUCC: Configuration for 'internalusers' created or updated
Will update '/actiongroups' with config/opensearch-security/action_groups.yml 
   SUCC: Configuration for 'actiongroups' created or updated
Will update '/tenants' with config/opensearch-security/tenants.yml 
   SUCC: Configuration for 'tenants' created or updated
Will update '/nodesdn' with config/opensearch-security/nodes_dn.yml 
   SUCC: Configuration for 'nodesdn' created or updated
Will update '/whitelist' with config/opensearch-security/whitelist.yml 
   SUCC: Configuration for 'whitelist' created or updated
SUCC: Expected 10 config types for node {"updated_config_types":["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"],"updated_config_size":10,"message":null} is 10 (["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"]) due to: null
SUCC: Expected 10 config types for node {"updated_config_types":["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"],"updated_config_size":10,"message":null} is 10 (["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"]) due to: null
SUCC: Expected 10 config types for node {"updated_config_types":["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"],"updated_config_size":10,"message":null} is 10 (["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"]) due to: null
Done with success
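
A values layout for the combination reported as working in the comment above (demo installer disabled, custom securityConfig, node certificates mounted), as an added example that is not from the thread or from the chart maintainers. It assumes the chart's `extraEnvs`, `secretMounts` and `config` values; the Secret name, the node certificate file names, the node DN and the hash placeholder are hypothetical.

```yaml
# Added example: Helm values for the opensearch chart with a custom securityConfig.
# Assumed/hypothetical: Secret "opensearch-certs", node.pem / node-key.pem,
# the node DN, and the password hash placeholder.

extraEnvs:
  # Skip install_demo_configuration.sh. That script is what reads
  # OPENSEARCH_INITIAL_ADMIN_PASSWORD and tries to rewrite internal_users.yml,
  # so with it disabled the admin hash must come from the file supplied below.
  - name: DISABLE_INSTALL_DEMO_CONFIG
    value: "true"

secretMounts:
  # Without the demo installer no esnode.pem is generated, so the node
  # certificates have to be mounted. Directory matches the paths used with
  # securityadmin.sh in the comment above.
  - name: opensearch-certs
    secretName: opensearch-certs            # hypothetical Secret name
    path: /usr/share/opensearch/config/certificates

config:
  opensearch.yml: |
    cluster.name: opensearch-cluster
    network.host: 0.0.0.0
    # Paths are resolved relative to /usr/share/opensearch/config/,
    # as the DefaultSecurityKeyStore log line in the thread states.
    plugins.security.ssl.transport.pemcert_filepath: certificates/node.pem
    plugins.security.ssl.transport.pemkey_filepath: certificates/node-key.pem
    plugins.security.ssl.transport.pemtrustedcas_filepath: certificates/root-ca.pem
    plugins.security.ssl.http.enabled: true
    plugins.security.ssl.http.pemcert_filepath: certificates/node.pem
    plugins.security.ssl.http.pemkey_filepath: certificates/node-key.pem
    plugins.security.ssl.http.pemtrustedcas_filepath: certificates/root-ca.pem
    # Demo certificates must stay disallowed outside test clusters.
    plugins.security.allow_unsafe_democertificates: false
    # DN of the client certificate used with securityadmin.sh
    # (the "Connected as" value in the output above).
    plugins.security.authcz.admin_dn:
      - "CN=client.dns.a-record,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA"
    # Constructed node DN; must match the subject of node.pem.
    plugins.security.nodes_dn:
      - "CN=node1.dns.a-record,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA"

securityConfig:
  enabled: true
  path: "/usr/share/opensearch/config/opensearch-security"
  config:
    securityConfigSecret: ""
    # Assumption: false because only one file is supplied here, not the
    # complete set of security YAML files.
    dataComplete: false
    data:
      internal_users.yml: |-
        _meta:
          type: "internalusers"
          config_version: 2
        admin:
          # Placeholder: generate with plugins/opensearch-security/tools/hash.sh
          # and keep the real value out of version control.
          hash: "<BCRYPT_HASH_PLACEHOLDER>"
          reserved: true
          backend_roles:
            - "admin"
```

With this layout the files under `securityConfig.path` are still loaded into the security index by the `securityadmin.sh` invocation shown in the comment above.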

@mabahre
Author

mabahre commented Feb 29, 2024

But this does not seem like a valid solution to me, because I don't need a certificate inside the containers, as I use an Ingress.

@mike858585

@mabahre I will not test with ingress in the near future; I use it in an internal network. However, you should still use certificates to secure transport layer communication between OpenSearch cluster nodes, I think. Hard to say.

@Bjohnson131

Hello, I'm seeing this as well when I install using this command: helm install opensearch opensearch/opensearch --namespace opensearch

K8s version: v1.30.2
Charts: v2.23.0
