Closed todvora closed 1 year ago
The node registration via the node service provides the information that a datanode exists and what its REST API is. But this is not enough information to let Graylog generate a certificate package for the datanode. Additional information has to be obtained via the REST API. Is this OK? Or should the datanode provide Graylog with more information directly via MongoDB?
@todvora I think we should put enough information into the database to generate the certificate package for the data nodes. The REST API information in the node registration was built for the server nodes because some cluster requests are distributed to other server nodes (e.g., metrics requests). Those requests are only done for user-initiated requests; the server nodes don't communicate with each other from background jobs.
OK, thanks! I suggest that the datanode writes its information into a collection in MongoDB. It should at least provide the node name and subject alternative names. This could be in the form of a certificate signing request or only a simple object holding this information if we decide that a CSR is overkill for our usage.
Currently the datanode accepts two packages of certificates: one for the transport communication inside the OpenSearch cluster and one for securing the REST/HTTP interface of the node. We should be able to handle both.
Ping @janheise
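The "simple object" option from the comment above, as an added example that is not part of the thread or of Graylog's code: the issuing side normalizes and checks the self-reported names for both certificate packages before anything is signed. The field names `node_name` and `alt_names`, the purpose keys `transport` and `http`, and the sample document are assumptions made for illustration.

```python
import ipaddress
import re

# Hypothetical purpose names for the two certificate packages in the thread.
PURPOSES = ("transport", "http")
_LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")

def classify_san(value):
    """Return ("ip", text) or ("dns", text) in normalized form, else raise ValueError."""
    if not isinstance(value, str):
        raise ValueError(f"SAN must be a string: {value!r}")
    try:
        return "ip", str(ipaddress.ip_address(value))
    except ValueError:
        pass  # not an IP literal, try it as a DNS name
    name = value.rstrip(".").lower()
    labels = name.split(".")
    # Rejects wildcards, empty labels and names that merely look like IPs.
    if (len(name) > 253 or labels[-1].isdigit()
            or not all(_LABEL.fullmatch(label) for label in labels)):
        raise ValueError(f"not a valid DNS name or IP address: {value!r}")
    return "dns", name

def validate_request(doc):
    """Validate a node's self-reported document; return {purpose: [(kind, value), ...]}."""
    node = doc.get("node_name")
    if not isinstance(node, str) or not node.strip():
        raise ValueError("node_name is required")
    alt_names = doc.get("alt_names")
    if not isinstance(alt_names, dict):
        raise ValueError("alt_names must map purpose to a list of names")
    result = {}
    for purpose in PURPOSES:
        sans = alt_names.get(purpose)
        if not isinstance(sans, list) or not sans:
            raise ValueError(f"no subject alternative names for {purpose!r}")
        # dict.fromkeys keeps first-seen order while dropping duplicates.
        result[purpose] = list(dict.fromkeys(classify_san(s) for s in sans))
    return result

# Constructed sample of a document a data node might write to MongoDB.
SAMPLE = {
    "node_name": "datanode-1",
    "alt_names": {
        "transport": ["datanode-1.internal.example", "10.0.0.5"],
        "http": ["Datanode-1.example.org.", "10.0.0.5", "10.0.0.5"],
    },
}
```

Unlike a CSR, a plain document like this carries no signature from the node's private key, so it identifies which names are requested but does not show that the writer holds the matching key.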