
[BUG]OpenSearch - http asking for tls keys.

Open Greeley opened this issue 1 year ago • 5 comments

Describe the bug
Documentation seems incomplete, quite a few things are missing, like why vm.max_map_count causes issues. Almost all of the options in the documentation are left for the user to guess how to set them up, or how they are formatted.

To Reproduce
Steps to reproduce the behavior:

  1. clone this repository
  2. navigate to opensearch charts.
  3. modify these values in values.yaml

```yaml
sysctl:
  enabled: false

## Set optimal sysctl's through privileged initContainer.
sysctlInit:
  enabled: false
```

  4. uncomment and modify ingress

```yaml
ingress:
  enabled: true
  # For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName
  # See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress
  ingressClassName: alb

  annotations:
    alb.ingress.kubernetes.io/ip-address-type: dualstack
    alb.ingress.kubernetes.io/target-type: instance
    alb.ingress.kubernetes.io/scheme: internal
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 9200}]'
  path: /
  hosts:
    - opensearch-data.local
```

  5. add toleration for your node-group

```yaml
    - key: "opensearch"
      operator: "Exists"
      effect: "NoSchedule"
```

  6. add the initContainer

```yaml
  - name: sysctl
    image: docker.io/bitnami/bitnami-shell:10-debian-10-r199
    imagePullPolicy: "IfNotPresent"
    command:
      - /bin/bash
      - -ec
      - |
        CURRENT=`sysctl -n vm.max_map_count`;
        DESIRED="262144";
        if [ "$DESIRED" -gt "$CURRENT" ]; then
            sysctl -w vm.max_map_count=262144;
        fi;
        CURRENT=`sysctl -n fs.file-max`;
        DESIRED="65536";
        if [ "$DESIRED" -gt "$CURRENT" ]; then
            sysctl -w fs.file-max=65536;
        fi;
    securityContext:
      runAsUser: 0
      privileged: true
```

  7. set protocol to http instead of https

```yaml
protocol: http
httpPort: 9200
transportPort: 9300
metricsPort: 9600
httpHostPort: ""
transportHostPort: ""
```

Expected behavior
OpenSearch starts and runs with HTTP and is only internal to the VPC.

Chart Name
opensearch

Screenshots
If applicable, add screenshots to help explain your problem.

Host/Environment (please complete the following information):

  • Helm Version: [e.g. 3.12.0]
  • Kubernetes Version: [v1.27.1-eks-2f008fe]

Additional context
The error that is given:

uncaught exception in thread [main]
java.lang.IllegalStateException: failed to load plugin class [org.opensearch.security.OpenSearchSecurityPlugin]
Likely root cause: OpenSearchException[Unable to read /usr/share/opensearch/config/esnode.pem (/usr/share/opensearch/config/esnode.pem). Please make sure this files exists and is readable regarding to permissions. Property: plugins.security.ssl.transport.pemcert_filepath]
	at org.opensearch.security.ssl.DefaultSecurityKeyStore.checkPath(DefaultSecurityKeyStore.java:983)
	at org.opensearch.security.ssl.DefaultSecurityKeyStore.resolve(DefaultSecurityKeyStore.java:235)
	at org.opensearch.security.ssl.DefaultSecurityKeyStore.initTransportSSLConfig(DefaultSecurityKeyStore.java:394)
	at org.opensearch.security.ssl.DefaultSecurityKeyStore.initSSLConfig(DefaultSecurityKeyStore.java:256)
	at org.opensearch.security.ssl.DefaultSecurityKeyStore.<init>(DefaultSecurityKeyStore.java:177)
	at org.opensearch.security.ssl.OpenSearchSecuritySSLPlugin.<init>(OpenSearchSecuritySSLPlugin.java:218)
	at org.opensearch.security.OpenSearchSecurityPlugin.<init>(OpenSearchSecurityPlugin.java:266)
	at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
	at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:77)
	at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
	at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:499)
	at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:480)
	at org.opensearch.plugins.PluginsService.loadPlugin(PluginsService.java:782)
	at org.opensearch.plugins.PluginsService.loadBundle(PluginsService.java:731)
	at org.opensearch.plugins.PluginsService.loadBundles(PluginsService.java:533)
	at org.opensearch.plugins.PluginsService.<init>(PluginsService.java:195)
	at org.opensearch.node.Node.<init>(Node.java:454)
	at org.opensearch.node.Node.<init>(Node.java:381)
	at org.opensearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:242)
	at org.opensearch.bootstrap.Bootstrap.setup(Bootstrap.java:242)
	at org.opensearch.bootstrap.Bootstrap.init(Bootstrap.java:404)
	at org.opensearch.bootstrap.OpenSearch.init(OpenSearch.java:180)
	at org.opensearch.bootstrap.OpenSearch.execute(OpenSearch.java:171)
	at org.opensearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:104)
	at org.opensearch.cli.Command.mainWithoutErrorHandling(Command.java:138)
	at org.opensearch.cli.Command.main(Command.java:101)
	at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:137)
	at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:103)

I see the error and that it's asking for a pem, but there are two things.

  1. I don't know how to add my certificates, the documentation seems to be missing this bit of information.
  2. I want http because regardless it's only accessible through a vpn and won't be public facing, so to me, the error seems irrelevant.

Greeley, Jun 15 '23 17:06

Hi @Greeley ,

Here is some documentation on how to add TLS certificates: https://opensearch.org/docs/latest/security/configuration/tls/. You can disable the security plugin as mentioned here: https://opensearch.org/docs/latest/security/configuration/disable/

@prudhvigodithi can add more from the helm side of things! Thanks!

gaiksaya, Jun 20 '23 19:06

I am facing the same issue, I want to disable HTTPS and keep the authentication (I am using this chart for local development and local testing). I can't find that information anywhere.

campidelli-wcq, Sep 14 '23 00:09

Hey @Greeley and @campidelli-wcq, did you explore the environment value "plugins.security.ssl.http.enabled=false"? This should disable HTTPS but still keep the authentication, e.g. http://admin:[email protected]:9200. Is this what you are looking for? Please test and let me know. Thank you.

prudhvigodithi, Sep 14 '23 16:09

@prudhvigodithi Here is my config, but I still can't access with HTTP; only HTTPS works.

```yaml
plugins:
  security:
    ssl:
      transport:
        pemcert_filepath: certs/tls.crt
        pemkey_filepath: certs/tls.key
        pemtrustedcas_filepath: certs/tls.crt
        enforce_hostname_verification: false
      http:
        enabled: false
        pemcert_filepath: certs/tls.crt
        pemkey_filepath: certs/tls.key
        pemtrustedcas_filepath: certs/tls.crt
```

sfisli, Apr 05 '24 09:04

@prudhvigodithi I am also facing the same issue. When using OpenSearch 2.13.0 with

```yaml
plugins.security.http.enabled: false
```

the application still won't accept HTTP requests. Logs:

```
[o.o.s.s.DefaultSecurityKeyStore] [opensearch-cluster-manager-0] Enabled TLS protocols for HTTP layer
```

When using any version < 2.12.1 this does not happen.

c3-davidtran, May 14 '24 18:05
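A small checker, added here and not part of the helm chart or of OpenSearch, that looks up the HTTP-layer TLS setting in either of the two shapes seen in this thread (the nested opensearch.yml fragment and the flat env-style key) and flags the differently spelled key from the last comment, which is why a fragment can look right yet leave the REST layer on TLS. The sample inputs are constructed from the comments above; `lookup`, `is_false` and `check_http_tls` are hypothetical names.

```python
HTTP_TLS_KEY = "plugins.security.ssl.http.enabled"
# Keys seen in this thread that look like the setting above but are spelled differently;
# they differ from the key the maintainer named, so the REST layer silently stays as it was.
NEAR_MISSES = ("plugins.security.http.enabled",)

def lookup(cfg, dotted):
    """Fetch a dotted key from a flat dict (env/-E style) or a nested dict (opensearch.yml style)."""
    if dotted in cfg:
        return cfg[dotted]
    node = cfg
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def is_false(value):
    """Accept YAML booleans as well as the string forms an environment variable carries."""
    return value is False or str(value).strip().lower() in ("false", "no", "0")

def check_http_tls(cfg):
    """Return (mode, findings): mode is 'tls', 'plaintext' or 'unset'."""
    findings = []
    for miss in NEAR_MISSES:
        if lookup(cfg, miss) is not None:
            findings.append(f"'{miss}' differs from the key named in the thread; use '{HTTP_TLS_KEY}'")
    value = lookup(cfg, HTTP_TLS_KEY)
    if value is None:
        findings.append(f"'{HTTP_TLS_KEY}' not set in this fragment; the image's shipped opensearch.yml decides")
        return "unset", findings
    if is_false(value):
        findings.append("REST layer is plaintext: basic-auth credentials cross the network unencrypted, "
                        "so keep it on a private path only (the internal ALB / VPN described in the issue)")
        return "plaintext", findings
    return "tls", findings

# Constructed inputs mirroring the thread: sfisli's nested opensearch.yml fragment,
# prudhvigodithi's env-style key, and c3-davidtran's differently spelled key.
NESTED = {"plugins": {"security": {"ssl": {"http": {"enabled": False}}}}}
ENV_STYLE = {"plugins.security.ssl.http.enabled": "false"}
MISSPELLED = {"plugins.security.http.enabled": False}

if __name__ == "__main__":
    for name, cfg in (("nested", NESTED), ("env", ENV_STYLE), ("misspelled", MISSPELLED)):
        mode, findings = check_http_tls(cfg)
        print(name, mode, *findings, sep="\n  ")
```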