opensearch-project / opensearch-k8s-operator

OpenSearch Kubernetes Operator
Apache License 2.0

How to trust an internal CA through the Operator? #791

Open piellick opened 5 months ago

piellick commented 5 months ago

Hi team, when using internal services with TLS authentication, we are facing problems integrating our root certificate. What would be the best solution?

First case where this is a problem: using an internal SMTP server with TLS for email notifications in OpenSearch Dashboards:

EmailException javax.mail.MessagingException: Could not convert socket to TLS;
  nested exception is:
    javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

We tried using general.keystore with our CA cert inside a secret, without conclusive results:

general:
  # ...
  keystore:
    - secret:
        name: internal-root-ca
      keyMappings:
        ca.crt: ca.crt

Would using an initContainer be the solution?

Thanks a lot

prudhvigodithi commented 3 months ago

[Triage] Hey @piellick, if I'm not wrong you are trying to connect to an SMTP server through the Dashboards pod and you end up with this PKIX error? If so you can try to add the root CA cert. By the way, did you try with keytool manually inside the pod to update the cacerts? https://docs.microfocus.com/SM/9.41/Classic/Content/security/tasks/update_the_cacerts_keystore_file.htm
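Two points are worth separating before trying either the keystore config from the first post or the keytool suggestion above. First, `general.keystore` feeds the OpenSearch keystore (the `opensearch-keystore` secure-settings store), not the JVM truststore that `PKIX path building` consults, so a CA placed there is never seen by the TLS handshake. Second, the stack trace is Java (`javax.mail`, `sun.security.provider.certpath`), so it is thrown by the OpenSearch node JVM where the Notifications plugin's email channel runs, not by the Node.js Dashboards process. The manifest below is an added example, not code from this issue or from the operator's own docs; it shows one way to get the internal root CA in front of both processes. Assumed, and to be checked against your operator version: the CRD fields `general.additionalVolumes`, `nodePools[].jvm` (passed into `OPENSEARCH_JAVA_OPTS`), `dashboards.additionalVolumes` and `dashboards.env`; the names `my-cluster`, `internal-truststore`, `dashboards-credentials`, the namespace `opensearch`, and the mount paths; the secret `internal-root-ca` with key `ca.crt` is taken from the issue.

```yaml
# Added example, not the project's own code. Build the truststore once, outside
# the cluster, starting from a JDK's own cacerts so public CAs stay trusted
# (constructed commands; "changeit" is the JDK default cacerts password):
#
#   cp "$JAVA_HOME/lib/security/cacerts" cacerts-with-internal-ca
#   keytool -importcert -noprompt -alias internal-root-ca \
#     -file ca.crt -keystore cacerts-with-internal-ca -storepass changeit
#   keytool -list -keystore cacerts-with-internal-ca -storepass changeit \
#     | grep internal-root-ca            # check: the alias must be present
#   kubectl -n opensearch create secret generic internal-truststore \
#     --from-file=cacerts-with-internal-ca
#
apiVersion: opensearch.opster.io/v1
kind: OpenSearchCluster
metadata:
  name: my-cluster            # assumed name
  namespace: opensearch       # assumed namespace
spec:
  general:
    serviceName: my-cluster
    version: 2.11.0
    # Mount the prepared truststore secret into every OpenSearch pod
    # (general.additionalVolumes is an assumed CRD field; restartPods makes
    # the operator roll the pods when the secret changes).
    additionalVolumes:
      - name: internal-truststore
        path: /usr/share/opensearch/config/internal-truststore
        secret:
          secretName: internal-truststore
        restartPods: true
  nodePools:
    - component: nodes
      replicas: 3
      diskSize: "30Gi"
      roles: ["cluster_manager", "data"]
      # Heap settings plus the truststore the node JVM must use for outbound
      # TLS (SMTP STARTTLS, webhooks). The operator is assumed to pass this
      # string through to OPENSEARCH_JAVA_OPTS. The folded scalar joins the
      # lines with single spaces.
      jvm: >-
        -Xmx1024M -Xms1024M
        -Djavax.net.ssl.trustStore=/usr/share/opensearch/config/internal-truststore/cacerts-with-internal-ca
        -Djavax.net.ssl.trustStorePassword=changeit
  dashboards:
    enable: true
    replicas: 1
    version: 2.11.0
    opensearchCredentialsSecret:
      name: dashboards-credentials   # assumed secret name
    # Dashboards is Node.js: Node appends PEM CAs listed in NODE_EXTRA_CA_CERTS
    # to its bundled root store, so the raw ca.crt is enough here, no keytool.
    additionalVolumes:
      - name: internal-root-ca
        path: /usr/share/opensearch-dashboards/config/internal-root-ca
        secret:
          secretName: internal-root-ca
    env:
      - name: NODE_EXTRA_CA_CERTS
        value: /usr/share/opensearch-dashboards/config/internal-root-ca/ca.crt
```

Two caveats a practitioner should keep in mind. Running `keytool -importcert` by hand inside a running pod is useful to confirm that the CA is the missing piece (the PKIX error should disappear on the next notification), but the change lives in the container filesystem and is gone after the next restart or rollout, so it is a diagnostic step rather than a fix. And `-Djavax.net.ssl.trustStore` replaces the JVM's default truststore rather than extending it, which is why the example starts from a copy of `cacerts`; a truststore holding only the internal root would break every connection to publicly signed endpoints. Before rolling this out, verify that the CA you are mounting actually completes the chain for the SMTP endpoint, for example with `openssl s_client -starttls smtp -connect <smtp-host>:587 -CAfile ca.crt` (constructed command, host assumed), which should end with `Verify return code: 0 (ok)`.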