opensearch-project / helm-charts

A community repository for Helm Charts of OpenSearch Project.
https://opensearch.org/docs/latest/opensearch/install/helm/
Apache License 2.0

[BUG]OpenSearch - http asking for tls keys. #442

Open Greeley opened 1 year ago

Greeley commented 1 year ago

Describe the bug

Documentation seems incomplete, quite a few things are missing, like why vm.max_map_count causes issues. Almost all of the options in the documentation are left for the user to guess how to set them up, or how they are formatted.

To Reproduce

Steps to reproduce the behavior:

  1. clone this repository
  2. navigate to opensearch charts.
  3. modify these values in values.yaml

    sysctl:
      enabled: false

    ## Set optimal sysctl's through privileged initContainer.
    sysctlInit:
      enabled: false

  4. uncomment and modify ingress

    ingress:
      enabled: true
      # For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName
      # See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress
      ingressClassName: alb

      annotations:
        alb.ingress.kubernetes.io/ip-address-type: dualstack
        alb.ingress.kubernetes.io/target-type: instance
        alb.ingress.kubernetes.io/scheme: internal
        alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 9200}]'
      path: /
      hosts:

Expected behavior

opensearch starts and runs with http and is only internal to the vpc

Chart Name

opensearch

Screenshots

If applicable, add screenshots to help explain your problem.

Host/Environment (please complete the following information):

Additional context

the error that is given:

uncaught exception in thread [main]
java.lang.IllegalStateException: failed to load plugin class [org.opensearch.security.OpenSearchSecurityPlugin]
Likely root cause: OpenSearchException[Unable to read /usr/share/opensearch/config/esnode.pem (/usr/share/opensearch/config/esnode.pem). Please make sure this files exists and is readable regarding to permissions. Property: plugins.security.ssl.transport.pemcert_filepath]
    at org.opensearch.security.ssl.DefaultSecurityKeyStore.checkPath(DefaultSecurityKeyStore.java:983)
    at org.opensearch.security.ssl.DefaultSecurityKeyStore.resolve(DefaultSecurityKeyStore.java:235)
    at org.opensearch.security.ssl.DefaultSecurityKeyStore.initTransportSSLConfig(DefaultSecurityKeyStore.java:394)
    at org.opensearch.security.ssl.DefaultSecurityKeyStore.initSSLConfig(DefaultSecurityKeyStore.java:256)
    at org.opensearch.security.ssl.DefaultSecurityKeyStore.<init>(DefaultSecurityKeyStore.java:177)
    at org.opensearch.security.ssl.OpenSearchSecuritySSLPlugin.<init>(OpenSearchSecuritySSLPlugin.java:218)
    at org.opensearch.security.OpenSearchSecurityPlugin.<init>(OpenSearchSecurityPlugin.java:266)
    at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:77)
    at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:499)
    at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:480)
    at org.opensearch.plugins.PluginsService.loadPlugin(PluginsService.java:782)
    at org.opensearch.plugins.PluginsService.loadBundle(PluginsService.java:731)
    at org.opensearch.plugins.PluginsService.loadBundles(PluginsService.java:533)
    at org.opensearch.plugins.PluginsService.<init>(PluginsService.java:195)
    at org.opensearch.node.Node.<init>(Node.java:454)
    at org.opensearch.node.Node.<init>(Node.java:381)
    at org.opensearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:242)
    at org.opensearch.bootstrap.Bootstrap.setup(Bootstrap.java:242)
    at org.opensearch.bootstrap.Bootstrap.init(Bootstrap.java:404)
    at org.opensearch.bootstrap.OpenSearch.init(OpenSearch.java:180)
    at org.opensearch.bootstrap.OpenSearch.execute(OpenSearch.java:171)
    at org.opensearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:104)
    at org.opensearch.cli.Command.mainWithoutErrorHandling(Command.java:138)
    at org.opensearch.cli.Command.main(Command.java:101)
    at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:137)
    at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:103)

I see the error and that it's asking for a pem, but there are two things.

  1. I don't know how to add my certificates, the documentation seems to be missing this bit of information.
  2. I want http because regardless it's only accessible through a vpn and won't be public facing, so to me, the error seems irrelevant.

gaiksaya commented 1 year ago

Hi @Greeley ,

Here is some documentation on how to add TLS certificates: https://opensearch.org/docs/latest/security/configuration/tls/

You can disable the security plugin as mentioned here: https://opensearch.org/docs/latest/security/configuration/disable/

@prudhvigodithi Can add more from helm side of things! Thanks!

campidelli-wcq commented 1 year ago

I am facing the same issue, I want to disable HTTPS and keep the authentication (I am using this chart for local development and local testing). I can't find that information anywhere.

prudhvigodithi commented 1 year ago

Hey @Greeley and @campidelli-wcq, did you explore the environment value "plugins.security.ssl.http.enabled=false"? This should disable https but should still have the authentication, for example http://admin:admin@127.0.0.1:9200. Is this what you are looking for? Please test and let me know. Thank you

sfisli commented 7 months ago

@prudhvigodithi Here is my config, but I still can't access with http, only https works

    plugins:
      security:
        ssl:
          transport:
            pemcert_filepath: certs/tls.crt
            pemkey_filepath: certs/tls.key
            pemtrustedcas_filepath: certs/tls.crt
            enforce_hostname_verification: false
          http:
            enabled: false
            pemcert_filepath: certs/tls.crt
            pemkey_filepath: certs/tls.key
            pemtrustedcas_filepath: certs/tls.crt

c3-davidtran commented 6 months ago

@prudhvigodithi I am also facing the same issue. When using OpenSearch 2.13.0 with

    plugins.security.http.enabled: false

the application still won't accept http requests. Logs:

    [o.o.s.s.DefaultSecurityKeyStore] [opensearch-cluster-manager-0] Enabled TLS protocols for HTTP layer

When using any version < 2.12.1 this does not happen.
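
The error quoted in the opening post names the setting behind the unreadable file (`Property: plugins.security.ssl.transport.pemcert_filepath`), which places that failure on the transport layer rather than on HTTP. As an added example (not part of the thread and not code from the chart or from OpenSearch), this Python helper extracts the layer, setting and path from messages of that shape; the function names and the second sample line are constructed here.

```python
import re

# Message shape taken from the error quoted in the issue:
#   Unable to read <path> (<path>). ... Property: <setting>]
ERR = re.compile(r"Unable to read (?P<path>\S+) \(.*?\)\..*?Property: (?P<prop>[\w.]+)")
PREFIX = "plugins.security.ssl."

# First line is the error from the issue; the second is constructed for
# illustration (same format, HTTP-layer key, hypothetical path).
SAMPLE_LOG = """\
Likely root cause: OpenSearchException[Unable to read /usr/share/opensearch/config/esnode.pem (/usr/share/opensearch/config/esnode.pem). Please make sure this files exists and is readable regarding to permissions. Property: plugins.security.ssl.transport.pemcert_filepath]
Likely root cause: OpenSearchException[Unable to read /usr/share/opensearch/config/certs/tls.key (/usr/share/opensearch/config/certs/tls.key). Please make sure this files exists and is readable regarding to permissions. Property: plugins.security.ssl.http.pemkey_filepath]
"""

def triage(log_text):
    """Return one finding per unreadable TLS file named in the log."""
    findings = []
    for m in ERR.finditer(log_text):
        prop = m.group("prop")
        layer, setting = "unknown", prop
        if prop.startswith(PREFIX):
            # "transport.pemcert_filepath" -> ("transport", "pemcert_filepath")
            layer, _, setting = prop[len(PREFIX):].partition(".")
        findings.append({"layer": layer, "setting": setting,
                         "path": m.group("path"), "property": prop})
    return findings

def describe(finding):
    """One-line summary that says which TLS layer the missing file belongs to."""
    note = ""
    if finding["layer"] == "transport":
        # The property is a transport (node-to-node) key, so the
        # plugins.security.ssl.http.* settings are not what this error is about.
        note = " (transport layer; not an HTTP TLS setting)"
    return f'{finding["layer"]}/{finding["setting"]}: cannot read {finding["path"]}{note}'

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(describe(f))
```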