opensearch-project / helm-charts

A community repository for Helm Charts of OpenSearch Project.
https://opensearch.org/docs/latest/opensearch/install/helm/
Apache License 2.0

[BUG] Change Admin Password doesn't work when using a custom securityConfig #519

Open mabahre opened 7 months ago

mabahre commented 7 months ago

Describe the bug

When deploying the Helm chart to a Kubernetes cluster while setting the default admin password via the environment variable "OPENSEARCH_INITIAL_ADMIN_PASSWORD" and setting a custom securityConfig, the deployment fails with the following error:

No custom admin password found. Please provide a password via the environment variable OPENSEARCH_INITIAL_ADMIN_PASSWORD.

Deploying the chart without setting a custom securityConfig works fine, but that is not the desired goal because I need to deploy an LDAP connection via that config.

To Reproduce

Steps to reproduce the behavior:

  1. Deploy the Chart with "OPENSEARCH_INITIAL_ADMIN_PASSWORD" and custom securityConfig set

Expected behavior

The deployment should be able to set the admin password even if a custom securityConfig is provided.

Chart Name: opensearch
Version: 2.18.0

Host/Environment (please complete the following information):

Complete Logs

Enabling OpenSearch Security Plugin
Enabling execution of install_demo_configuration.sh for OpenSearch Security Plugin 
OpenSearch 2.12.0 onwards, the OpenSearch Security Plugin a change that requires an initial password for 'admin' user. 
2024-02-23T09:50:15.120459229Z Please define an environment variable 'OPENSEARCH_INITIAL_ADMIN_PASSWORD' with a strong password string. 
2024-02-23T09:50:15.120465861Z If a password is not provided, the setup will quit. 
 For more details, please visit: https://opensearch.org/docs/latest/install-and-configure/install-opensearch/docker/
2024-02-23T09:50:15.332680350Z ### OpenSearch Security Demo Installer
2024-02-23T09:50:15.332727237Z ### ** Warning: Do not use on production or public reachable systems **
OpenSearch install type: rpm/deb on Linux 5.14.21-150500.55.36-default amd64
2024-02-23T09:50:15.350568914Z OpenSearch config dir: /usr/share/opensearch/config/
OpenSearch config file: /usr/share/opensearch/config/opensearch.yml
2024-02-23T09:50:15.350758789Z OpenSearch bin dir: /usr/share/opensearch/bin/
OpenSearch plugins dir: /usr/share/opensearch/plugins/
2024-02-23T09:50:15.351000640Z OpenSearch lib dir: /usr/share/opensearch/lib/
Detected OpenSearch Version: 2.12.0
2024-02-23T09:50:15.351213196Z Detected OpenSearch Security Version: 2.12.0.0
2024-02-23T09:50:16.218995287Z No custom admin password found. Please provide a password via the environment variable OPENSEARCH_INITIAL_ADMIN_PASSWORD.

mike858585 commented 6 months ago

Hi! The same problem:

Detected OpenSearch Version: 2.12.0
Detected OpenSearch Security Version: 2.12.0.0
Admin password set successfully.
Exception updating the admin password : Unable to update the internal users file with the hashed password.

In libsonnet:

      securityConfig+: {
        enabled: true,
        path: "/usr/share/opensearch/config/opensearch-security",
        config+: {
          securityConfigSecret: "",
          dataComplete: true,
          data+: {
            'internal_users.yml': |||

smlx commented 6 months ago

I think you need to set DISABLE_INSTALL_DEMO_CONFIG=true to use a custom security config.

mike858585 commented 6 months ago

Thank you, maybe it is the right way. But applying the env DISABLE_INSTALL_DEMO_CONFIG=true itself resulted in another problem:

Defaulted container "opensearch" out of: opensearch, fsgroup-volume (init), configfile (init), sysctl (init) Enabling OpenSearch Security Plugin Disabling execution of install_demo_configuration.sh for OpenSearch Security Plugin Enabling execution of OPENSEARCH_HOME/bin/opensearch-performance-analyzer/performance-analyzer-agent-cli for OpenSearch Performance Analyzer Plugin WARNING: Using incubator modules: jdk.incubator.vector WARNING: A terminally deprecated method in java.lang.System has been called WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/opensearch/lib/opensearch-2.12.0.jar) WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch WARNING: System::setSecurityManager will be removed in a future release Feb 26, 2024 1:51:24 PM sun.util.locale.provider.LocaleProviderAdapter WARNING: COMPAT locale provider will be removed in a future release WARNING: A terminally deprecated method in java.lang.System has been called WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/opensearch/lib/opensearch-2.12.0.jar) WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security WARNING: System::setSecurityManager will be removed in a future release [2024-02-26T13:51:24,872][INFO ][o.o.n.Node ] [opensearch-cluster-master-0] version[2.12.0], pid[10], build[], OS[], JVM[] [2024-02-26T13:51:24,874][INFO ][o.o.n.Node ] [opensearch-cluster-master-0] JVM home [/usr/share/opensearch/jdk], using bundled JDK/JRE [true] [2024-02-26T13:51:24,874][INFO ][o.o.n.Node ] [opensearch-cluster-master-0] JVM arguments [-Xshare:auto, -Dopensearch.networkaddress.cache.ttl=60, -Dopensearch.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -XX:+ShowCodeDetailsInExceptionMessages, 
-Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dio.netty.allocator.numDirectArenas=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.security.manager=allow, -Djava.locale.providers=SPI,COMPAT, -Xms1g, -Xmx1g, -XX:+UseG1GC, -XX:G1ReservePercent=25, -XX:InitiatingHeapOccupancyPercent=30, -Djava.io.tmpdir=/tmp/opensearch-13868736376094782822, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=data, -XX:ErrorFile=logs/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=logs/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -Djava.security.manager=allow, --add-modules=jdk.incubator.vector, -Djava.util.concurrent.ForkJoinPool.common.threadFactory=org.opensearch.secure_sm.SecuredForkJoinWorkerThreadFactory, -Dclk.tck=100, -Djdk.attach.allowAttachSelf=true, -Djava.security.policy=/usr/share/opensearch/config/opensearch-performance-analyzer/opensearch_security.policy, --add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED, -Dopensearch.cgroups.hierarchy.override=/, -Xmx512M, -Xms512M, -XX:MaxDirectMemorySize=268435456, -Dopensearch.path.home=/usr/share/opensearch, -Dopensearch.path.conf=/usr/share/opensearch/config, -Dopensearch.distribution.type=tar, -Dopensearch.bundled_jdk=true] [2024-02-26T13:51:26,048][INFO ][o.o.s.s.t.SSLConfig ] [opensearch-cluster-master-0] SSL dual mode is disabled [2024-02-26T13:51:26,048][INFO ][o.o.s.OpenSearchSecurityPlugin] [opensearch-cluster-master-0] OpenSearch Config path is /usr/share/opensearch/config [2024-02-26T13:51:26,288][INFO ][o.o.s.s.DefaultSecurityKeyStore] [opensearch-cluster-master-0] JVM supports TLSv1.3 [2024-02-26T13:51:26,290][INFO ][o.o.s.s.DefaultSecurityKeyStore] [opensearch-cluster-master-0] Config directory is /usr/share/opensearch/config/, from there the key- and truststore files are resolved relatively [2024-02-26T13:51:26,302][ERROR][o.o.b.OpenSearchUncaughtExceptionHandler] [opensearch-cluster-master-0] uncaught exception in 
thread [main] org.opensearch.bootstrap.StartupException: java.lang.IllegalStateException: failed to load plugin class [org.opensearch.security.OpenSearchSecurityPlugin] at org.opensearch.bootstrap.OpenSearch.init(OpenSearch.java:185) ~[opensearch-2.12.0.jar:2.12.0] at org.opensearch.bootstrap.OpenSearch.execute(OpenSearch.java:172) ~[opensearch-2.12.0.jar:2.12.0] at org.opensearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:104) ~[opensearch-2.12.0.jar:2.12.0] at org.opensearch.cli.Command.mainWithoutErrorHandling(Command.java:138) ~[opensearch-cli-2.12.0.jar:2.12.0] at org.opensearch.cli.Command.main(Command.java:101) ~[opensearch-cli-2.12.0.jar:2.12.0] at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:138) ~[opensearch-2.12.0.jar:2.12.0] at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:104) ~[opensearch-2.12.0.jar:2.12.0] Caused by: java.lang.IllegalStateException: failed to load plugin class [org.opensearch.security.OpenSearchSecurityPlugin] uncaught exception in thread [main] at org.opensearch.plugins.PluginsService.loadPlugin(PluginsService.java:792) ~[opensearch-2.12.0.jar:2.12.0] at org.opensearch.plugins.PluginsService.loadBundle(PluginsService.java:732) ~[opensearch-2.12.0.jar:2.12.0] at org.opensearch.plugins.PluginsService.loadBundles(PluginsService.java:533) ~[opensearch-2.12.0.jar:2.12.0] at org.opensearch.plugins.PluginsService.(PluginsService.java:195) ~[opensearch-2.12.0.jar:2.12.0] at org.opensearch.node.Node.(Node.java:486) ~[opensearch-2.12.0.jar:2.12.0] at org.opensearch.node.Node.(Node.java:413) ~[opensearch-2.12.0.jar:2.12.0] at org.opensearch.bootstrap.Bootstrap$5.(Bootstrap.java:242) ~[opensearch-2.12.0.jar:2.12.0] at org.opensearch.bootstrap.Bootstrap.setup(Bootstrap.java:242) ~[opensearch-2.12.0.jar:2.12.0] at org.opensearch.bootstrap.Bootstrap.init(Bootstrap.java:404) ~[opensearch-2.12.0.jar:2.12.0] at org.opensearch.bootstrap.OpenSearch.init(OpenSearch.java:181) ~[opensearch-2.12.0.jar:2.12.0] 
... 6 more Caused by: java.lang.reflect.InvocationTargetException at java.base/jdk.internal.reflect.DirectConstructorHandleAccessor.newInstance(DirectConstructorHandleAccessor.java:74) ~[?:?] at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:502) ~[?:?] at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:486) ~[?:?] at org.opensearch.plugins.PluginsService.loadPlugin(PluginsService.java:783) ~[opensearch-2.12.0.jar:2.12.0] at org.opensearch.plugins.PluginsService.loadBundle(PluginsService.java:732) ~[opensearch-2.12.0.jar:2.12.0] at org.opensearch.plugins.PluginsService.loadBundles(PluginsService.java:533) ~[opensearch-2.12.0.jar:2.12.0] at org.opensearch.plugins.PluginsService.(PluginsService.java:195) ~[opensearch-2.12.0.jar:2.12.0] at org.opensearch.node.Node.(Node.java:486) ~[opensearch-2.12.0.jar:2.12.0] at org.opensearch.node.Node.(Node.java:413) ~[opensearch-2.12.0.jar:2.12.0] at org.opensearch.bootstrap.Bootstrap$5.(Bootstrap.java:242) ~[opensearch-2.12.0.jar:2.12.0] at org.opensearch.bootstrap.Bootstrap.setup(Bootstrap.java:242) ~[opensearch-2.12.0.jar:2.12.0] at org.opensearch.bootstrap.Bootstrap.init(Bootstrap.java:404) ~[opensearch-2.12.0.jar:2.12.0] at org.opensearch.bootstrap.OpenSearch.init(OpenSearch.java:181) ~[opensearch-2.12.0.jar:2.12.0] ... 6 more Caused by: org.opensearch.OpenSearchSecurityException: Error while initializing transport SSL layer from PEM: OpenSearchException[Unable to read /usr/share/opensearch/config/esnode.pem (/usr/share/opensearch/config/esnode.pem). Please make sure this files exists and is readable regarding to permissions. Property: plugins.security.ssl.transport.pemcert_filepath] at org.opensearch.security.ssl.DefaultSecurityKeyStore.initTransportSSLConfig(DefaultSecurityKeyStore.java:484) ~[?:?] at org.opensearch.security.ssl.DefaultSecurityKeyStore.initSSLConfig(DefaultSecurityKeyStore.java:298) ~[?:?] 
at org.opensearch.security.ssl.DefaultSecurityKeyStore.(DefaultSecurityKeyStore.java:204) ~[?:?] at org.opensearch.security.ssl.OpenSearchSecuritySSLPlugin.(OpenSearchSecuritySSLPlugin.java:235) ~[?:?] at org.opensearch.security.OpenSearchSecurityPlugin.(OpenSearchSecurityPlugin.java:295) ~[?:?] at java.base/jdk.internal.reflect.DirectConstructorHandleAccessor.newInstance(DirectConstructorHandleAccessor.java:62) ~[?:?] at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:502) ~[?:?] at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:486) ~[?:?] at org.opensearch.plugins.PluginsService.loadPlugin(PluginsService.java:783) ~[opensearch-2.12.0.jar:2.12.0] at org.opensearch.plugins.PluginsService.loadBundle(PluginsService.java:732) ~[opensearch-2.12.0.jar:2.12.0] at org.opensearch.plugins.PluginsService.loadBundles(PluginsService.java:533) ~[opensearch-2.12.0.jar:2.12.0] at org.opensearch.plugins.PluginsService.(PluginsService.java:195) ~[opensearch-2.12.0.jar:2.12.0] at org.opensearch.node.Node.(Node.java:486) ~[opensearch-2.12.0.jar:2.12.0] at org.opensearch.node.Node.(Node.java:413) ~[opensearch-2.12.0.jar:2.12.0] at org.opensearch.bootstrap.Bootstrap$5.(Bootstrap.java:242) ~[opensearch-2.12.0.jar:2.12.0] at org.opensearch.bootstrap.Bootstrap.setup(Bootstrap.java:242) ~[opensearch-2.12.0.jar:2.12.0] at org.opensearch.bootstrap.Bootstrap.init(Bootstrap.java:404) ~[opensearch-2.12.0.jar:2.12.0] at org.opensearch.bootstrap.OpenSearch.init(OpenSearch.java:181) ~[opensearch-2.12.0.jar:2.12.0] ... 6 more Caused by: org.opensearch.OpenSearchException: Unable to read /usr/share/opensearch/config/esnode.pem (/usr/share/opensearch/config/esnode.pem). Please make sure this files exists and is readable regarding to permissions. Property: plugins.security.ssl.transport.pemcert_filepath at org.opensearch.security.ssl.DefaultSecurityKeyStore.checkPath(DefaultSecurityKeyStore.java:1135) ~[?:?] 
at org.opensearch.security.ssl.DefaultSecurityKeyStore.resolve(DefaultSecurityKeyStore.java:276) ~[?:?] at org.opensearch.security.ssl.DefaultSecurityKeyStore.initTransportSSLConfig(DefaultSecurityKeyStore.java:454) ~[?:?] at org.opensearch.security.ssl.DefaultSecurityKeyStore.initSSLConfig(DefaultSecurityKeyStore.java:298) ~[?:?] at org.opensearch.security.ssl.DefaultSecurityKeyStore.(DefaultSecurityKeyStore.java:204) ~[?:?] at org.opensearch.security.ssl.OpenSearchSecuritySSLPlugin.(OpenSearchSecuritySSLPlugin.java:235) ~[?:?] at org.opensearch.security.OpenSearchSecurityPlugin.(OpenSearchSecurityPlugin.java:295) ~[?:?] at java.base/jdk.internal.reflect.DirectConstructorHandleAccessor.newInstance(DirectConstructorHandleAccessor.java:62) ~[?:?] at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:502) ~[?:?] at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:486) ~[?:?] at org.opensearch.plugins.PluginsService.loadPlugin(PluginsService.java:783) ~[opensearch-2.12.0.jar:2.12.0] at org.opensearch.plugins.PluginsService.loadBundle(PluginsService.java:732) ~[opensearch-2.12.0.jar:2.12.0] at org.opensearch.plugins.PluginsService.loadBundles(PluginsService.java:533) ~[opensearch-2.12.0.jar:2.12.0] at org.opensearch.plugins.PluginsService.(PluginsService.java:195) ~[opensearch-2.12.0.jar:2.12.0] at org.opensearch.node.Node.(Node.java:486) ~[opensearch-2.12.0.jar:2.12.0] at org.opensearch.node.Node.(Node.java:413) ~[opensearch-2.12.0.jar:2.12.0] at org.opensearch.bootstrap.Bootstrap$5.(Bootstrap.java:242) ~[opensearch-2.12.0.jar:2.12.0] at org.opensearch.bootstrap.Bootstrap.setup(Bootstrap.java:242) ~[opensearch-2.12.0.jar:2.12.0] at org.opensearch.bootstrap.Bootstrap.init(Bootstrap.java:404) ~[opensearch-2.12.0.jar:2.12.0] at org.opensearch.bootstrap.OpenSearch.init(OpenSearch.java:181) ~[opensearch-2.12.0.jar:2.12.0] ... 
6 more java.lang.IllegalStateException: failed to load plugin class [org.opensearch.security.OpenSearchSecurityPlugin] Likely root cause: OpenSearchException[Unable to read /usr/share/opensearch/config/esnode.pem (/usr/share/opensearch/config/esnode.pem). Please make sure this files exists and is readable regarding to permissions. Property: plugins.security.ssl.transport.pemcert_filepath] at org.opensearch.security.ssl.DefaultSecurityKeyStore.checkPath(DefaultSecurityKeyStore.java:1135) at org.opensearch.security.ssl.DefaultSecurityKeyStore.resolve(DefaultSecurityKeyStore.java:276) at org.opensearch.security.ssl.DefaultSecurityKeyStore.initTransportSSLConfig(DefaultSecurityKeyStore.java:454) at org.opensearch.security.ssl.DefaultSecurityKeyStore.initSSLConfig(DefaultSecurityKeyStore.java:298) at org.opensearch.security.ssl.DefaultSecurityKeyStore.(DefaultSecurityKeyStore.java:204) at org.opensearch.security.ssl.OpenSearchSecuritySSLPlugin.(OpenSearchSecuritySSLPlugin.java:235) at org.opensearch.security.OpenSearchSecurityPlugin.(OpenSearchSecurityPlugin.java:295) at java.base/jdk.internal.reflect.DirectConstructorHandleAccessor.newInstance(DirectConstructorHandleAccessor.java:62) at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:502) at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:486) at org.opensearch.plugins.PluginsService.loadPlugin(PluginsService.java:783) at org.opensearch.plugins.PluginsService.loadBundle(PluginsService.java:732) at org.opensearch.plugins.PluginsService.loadBundles(PluginsService.java:533) at org.opensearch.plugins.PluginsService.(PluginsService.java:195) at org.opensearch.node.Node.(Node.java:486) at org.opensearch.node.Node.(Node.java:413) at org.opensearch.bootstrap.Bootstrap$5.(Bootstrap.java:242) at org.opensearch.bootstrap.Bootstrap.setup(Bootstrap.java:242) at org.opensearch.bootstrap.Bootstrap.init(Bootstrap.java:404) at 
org.opensearch.bootstrap.OpenSearch.init(OpenSearch.java:181) at org.opensearch.bootstrap.OpenSearch.execute(OpenSearch.java:172) at org.opensearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:104) at org.opensearch.cli.Command.mainWithoutErrorHandling(Command.java:138) at org.opensearch.cli.Command.main(Command.java:101) at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:138) at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:104) For complete error details, refer to the log at /usr/share/opensearch/logs/opensearch-cluster.log

mabahre commented 6 months ago

I can confirm the problem of @mike858585: after setting the env "DISABLE_INSTALL_DEMO_CONFIG", I get the same error.

shree1999 commented 6 months ago

Hi Team, any update or workaround for this issue? It seems that setting up "OPENSEARCH_INITIAL_ADMIN_PASSWORD" and securityConfig together leads to an error.

For example, if I set up an internal_users.yml under the securityConfig, it gives the error: exception updating the admin password : /usr/share/opensearch/config/opensearch-security/internal_users.yml: device or resource busy

smlx commented 6 months ago

Did you mount the cert into the pod as per the error message?

 Caused by: org.opensearch.OpenSearchSecurityException: Error while initializing transport SSL layer from PEM: OpenSearchException[Unable to read /usr/share/opensearch/config/esnode.pem (/usr/share/opensearch/config/esnode.pem). Please make sure this files exists and is readable regarding to permissions. Property: plugins.security.ssl.transport.pemcert_filepath]

mike858585 commented 6 months ago

@smlx the same configuration works, just set the appVersion: "2.11.0" and the certificates are mounted correctly, for version 2.12.0 I have to set securityConfig+: { enabled: false,

Next, I will control it via API.

If I wanted to mount something manually, I don't have to use the helm-charts, but only the manifests :-)

mabahre commented 6 months ago

@smlx I never mounted the mentioned certificate and it works fine in previous versions. I only mount the root CA for LDAP.

mike858585 commented 6 months ago

@smlx Thank you very much!

      name: 'DISABLE_INSTALL_DEMO_CONFIG',
      value: 'true',

and using default cert settings helped me :-) https://opensearch.org/docs/2.12/security/configuration/generate-certificates/

$ kubectl exec -it opensearch-cluster-master-0 -n opensearch -- /bin/bash -c "./plugins/opensearch-security/tools/securityadmin.sh -cd config/opensearch-security -icl -nhnv -cacert /usr/share/opensearch/config/certificates/root-ca.pem -cert /usr/share/opensearch/config/certificates/client.pem -key /usr/share/opensearch/config/certificates/client-key.pem"

Security Admin v7
Will connect to localhost:9200 ... done
Connected as "CN=client.dns.a-record,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA"
OpenSearch Version: 2.12.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: opensearch-cluster
Clusterstate: GREEN
Number of nodes: 3
Number of data nodes: 3
.opendistro_security index already exists, so we do not need to create one.
Populate config from /usr/share/opensearch/config/opensearch-security
Will update '/config' with config/opensearch-security/config.yml 
   SUCC: Configuration for 'config' created or updated
Will update '/roles' with config/opensearch-security/roles.yml 
   SUCC: Configuration for 'roles' created or updated
Will update '/rolesmapping' with config/opensearch-security/roles_mapping.yml 
   SUCC: Configuration for 'rolesmapping' created or updated
Will update '/internalusers' with config/opensearch-security/internal_users.yml 
   SUCC: Configuration for 'internalusers' created or updated
Will update '/actiongroups' with config/opensearch-security/action_groups.yml 
   SUCC: Configuration for 'actiongroups' created or updated
Will update '/tenants' with config/opensearch-security/tenants.yml 
   SUCC: Configuration for 'tenants' created or updated
Will update '/nodesdn' with config/opensearch-security/nodes_dn.yml 
   SUCC: Configuration for 'nodesdn' created or updated
Will update '/whitelist' with config/opensearch-security/whitelist.yml 
   SUCC: Configuration for 'whitelist' created or updated
SUCC: Expected 10 config types for node {"updated_config_types":["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"],"updated_config_size":10,"message":null} is 10 (["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"]) due to: null
SUCC: Expected 10 config types for node {"updated_config_types":["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"],"updated_config_size":10,"message":null} is 10 (["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"]) due to: null
SUCC: Expected 10 config types for node {"updated_config_types":["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"],"updated_config_size":10,"message":null} is 10 (["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"]) due to: null
Done with success

mabahre commented 6 months ago

But this does not seem like a valid solution to me, because I don't need a certificate inside the containers, as I use an Ingress.

mike858585 commented 6 months ago

@mabahre I will not test with ingress in the near future; I use it in an internal network. However, you should still use certificates to secure transport layer communication between OpenSearch cluster nodes, I think. Hard to say.

Bjohnson131 commented 1 month ago

Hello, I'm seeing this as well when I install using this command: helm install opensearch opensearch/opensearch --namespace opensearch

K8s version: v1.30.2
Charts: v2.23.0
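
A triage helper for the three failure messages quoted in this thread, as an added example that is not part of the issue or of the chart's code. The finding codes and function names are hypothetical, the sample logs are constructed from lines quoted above, and the suggested steps are the ones participants in the thread reported.

```python
import re

# Failure signatures quoted in this thread and what each one indicates.
SIGNATURES = [
    ("ADMIN_PASSWORD_NOT_SEEN",
     re.compile(r"No custom admin password found"),
     "demo installer did not see OPENSEARCH_INITIAL_ADMIN_PASSWORD"),
    ("INTERNAL_USERS_NOT_WRITABLE",
     re.compile(r"Exception updating the admin password\s*:\s*(?P<detail>[^\n]+)", re.I),
     "demo installer could not rewrite internal_users.yml"),
    ("TLS_FILE_UNREADABLE",
     re.compile(r"Unable to read (?P<path>\S+) .*?Property: (?P<prop>[\w.]+)"),
     "a PEM file referenced from opensearch.yml is missing or unreadable"),
]
DEMO_RE = re.compile(r"(Enabling|Disabling) execution of install_demo_configuration\.sh")


def triage(log_text):
    """Return one finding per distinct failure signature found in a pod log."""
    m = DEMO_RE.search(log_text)
    demo_ran = None if m is None else m.group(1) == "Enabling"
    findings, seen = [], set()
    for code, pattern, meaning in SIGNATURES:
        for hit in pattern.finditer(log_text):
            fields = {k: v.strip() for k, v in hit.groupdict().items()}
            key = (code, tuple(sorted(fields.items())))
            if key in seen:  # stack traces repeat the same cause several times
                continue
            seen.add(key)
            findings.append({"code": code, "meaning": meaning,
                             "demo_installer_ran": demo_ran, **fields})
    return findings


def next_step(finding):
    """Map a finding to the step the thread participants took for it."""
    if finding["code"] == "TLS_FILE_UNREADABLE":
        return f"mount your own certificates and point {finding['prop']} at them"
    if finding["demo_installer_ran"]:
        return "set DISABLE_INSTALL_DEMO_CONFIG=true when a custom securityConfig is used"
    return "demo installer state not in this excerpt; capture the log from container start"


# Constructed samples, trimmed from the log lines quoted in the thread.
_PEM_ERR = ("OpenSearchException[Unable to read /usr/share/opensearch/config/esnode.pem "
            "(/usr/share/opensearch/config/esnode.pem). Please make sure this files exists "
            "and is readable regarding to permissions. "
            "Property: plugins.security.ssl.transport.pemcert_filepath]")
SAMPLE_DEMO_ON = (
    "Enabling execution of install_demo_configuration.sh for OpenSearch Security Plugin\n"
    "No custom admin password found. Please provide a password via the environment "
    "variable OPENSEARCH_INITIAL_ADMIN_PASSWORD.\n")
SAMPLE_DEMO_OFF = (
    "Disabling execution of install_demo_configuration.sh for OpenSearch Security Plugin\n"
    f"Caused by: org.opensearch.OpenSearchSecurityException: {_PEM_ERR}\n"
    f"Likely root cause: {_PEM_ERR}\n")
SAMPLE_BUSY = ("exception updating the admin password : /usr/share/opensearch/config/"
               "opensearch-security/internal_users.yml: device or resource busy\n")

if __name__ == "__main__":
    for name, log in [("demo on", SAMPLE_DEMO_ON), ("demo off", SAMPLE_DEMO_OFF),
                      ("busy", SAMPLE_BUSY)]:
        for f in triage(log):
            print(f"{name}: {f['code']} -> {next_step(f)}")
```

With the demo installer disabled nothing writes the demo esnode.pem, which is why the TLS finding appears only after DISABLE_INSTALL_DEMO_CONFIG=true is set.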