[BUG] What are the ways to enable ssl hot reload?

What is the bug?

Firstly, I appreciate the developers' work on this project. However, certificate rotation is one of the most painful things about this operator

According to this issue there is an bug with configuring plugins.security.XXX I am trying to set plugins.security.ssl_cert_reload_enabled: "true" but obviously to not avail. There are several ways to configure opensearch:

via opensearch.conf (Seems that operator generates it itself, and settings from OpenSearchCluster.spec.general.additionalConfig are going into environment variables)
via envs (Here is a clear statement that plugins.security.XXX should be configured by opensearch.yml)

via api (if I try to execute

PUT _cluster/settings
{
"persistent" : {
"plugins.security.ssl_cert_reload_enabled": true
}
}

i get this error

{
"error": {
"root_cause": [
  {
    "type": "illegal_argument_exception",
    "reason": "persistent setting [plugins.security.ssl_cert_reload_enabled], not dynamically updateable"
  }
],
"type": "illegal_argument_exception",
"reason": "persistent setting [plugins.security.ssl_cert_reload_enabled], not dynamically updateable"
},
"status": 400
}

that says that I cant set this var via api)

How can one reproduce the bug?

Try to enable plugins.security.ssl_cert_reload_enabled: "true" in your deployment

What is the expected behavior?

I expect to successfully set ssl hot reload

Do you have any additional context?

Seems that such important settings should be available to be configured. I see two ways of it: 1) Create a field in the CRD that enables hot certificate reload 2) Set OpenSearchCluster.spec.general.additionalConfig directly into opensearch.yml, not into the envs

Am I wrong or is there any way to enable cert reloading? If yes, it should be described in docs

opensearch-project / opensearch-k8s-operator