Security
TLS
Client communication with the REST API and the internal transport communication between nodes can be encrypted with TLS.
This requires the Secret Operator to be running in the Kubernetes cluster to provision the certificates.
The certificates used are configured cluster-wide through SecretClasses.
TLS on the REST API can be disabled, whereas TLS on the internal transport port between nodes is always enabled.
```yaml
---
apiVersion: opensearch.stackable.tech/v1alpha1
kind: OpenSearchCluster
metadata:
  name: opensearch
spec:
  image:
    productVersion: 3.1.0
  clusterConfig:
    tls:
      serverSecretClass: tls                      # (1)
      internalSecretClass: opensearch-internal-tls # (2)
  nodes:
    config:
      requestedSecretLifetime: 7d                 # (3)
    roleGroups:
      default:
        replicas: 3
```
(1) spec.clusterConfig.tls.serverSecretClass configures the client-to-server encryption of the REST API.
It defaults to the tls SecretClass and can be disabled by setting serverSecretClass to null.
(2) spec.clusterConfig.tls.internalSecretClass configures the internal mTLS encryption between OpenSearch nodes on the transport port.
It defaults to the tls SecretClass and cannot be disabled.
(3) requestedSecretLifetime is the lifetime requested for the autoTls certificates generated by the Secret Operator.
The requested lifetime is capped at the maxCertificateLifetime setting of the SecretClass; a longer request is not applied.
Important: The operator sets plugins.security.nodes_dn to ["CN=generated certificate for pod"]. Every certificate that the Secret Operator generates for a pod carries this same CN, so any workload that can obtain such a certificate matches the list and is accepted as a cluster node on the transport port; this provides only weak authentication between nodes.
If you want to increase security and use certificates that identify each OpenSearch node specifically, you must also adapt the plugins.security.nodes_dn setting via configOverrides so that it lists only the subjects of the node certificates.
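The following is an added example and not code from the Stackable operator or from OpenSearch. It models the check that the OpenSearch security plugin performs on a transport peer: after the certificate chain has been validated, the peer's subject DN is compared against the plugins.security.nodes_dn list (wildcard patterns and /regex/ entries are allowed). The node names, the hardened DN list and the peer certificates are constructed for illustration; the DN normalisation and matching are a simplified model of the plugin's behaviour, not its actual implementation.

```python
"""Model of the plugins.security.nodes_dn peer check.

Added example (not operator or OpenSearch code).  It shows why the default
["CN=generated certificate for pod"] is weak: every pod certificate from the
same SecretClass matches it, so an unrelated pod holding such a certificate is
accepted as a node, whereas a pinned list only admits the intended nodes.
"""
import re
from fnmatch import fnmatchcase

# Default written by the operator (value taken from the page).
DEFAULT_NODES_DN = ["CN=generated certificate for pod"]

# Hypothetical hardened list, one entry per expected node.  Assumption: the
# SecretClass in use actually issues node certificates with these subjects.
PINNED_NODES_DN = [
    "CN=opensearch-nodes-default-0,O=example",
    "CN=opensearch-nodes-default-1,O=example",
    "CN=opensearch-nodes-default-2,O=example",
]

# Constructed peers.  With the default autoTls certificates every pod,
# including one that is not an OpenSearch node, presents the same CN.
PEERS_DEFAULT_CERTS = {
    "opensearch-nodes-default-0": "CN=generated certificate for pod",
    "opensearch-nodes-default-1": "CN=generated certificate for pod",
    "opensearch-nodes-default-2": "CN=generated certificate for pod",
    "batch-job-pod": "CN=generated certificate for pod",  # not a node
}

# Constructed peers with node-identifying certificates (assumed subjects).
PEERS_NODE_CERTS = {
    "opensearch-nodes-default-0": "cn=opensearch-nodes-default-0, o=example",
    "opensearch-nodes-default-1": "CN=opensearch-nodes-default-1,O=example",
    "opensearch-nodes-default-2": "CN=opensearch-nodes-default-2 , O=example",
    "batch-job-pod": "CN=batch-job-pod,O=example",  # same CA, different subject
}


def normalize_dn(dn: str) -> str:
    """Canonicalise an RFC 4514 DN string so spacing and attribute-type case
    do not affect comparison: 'cn=a, o=b' -> 'CN=a,O=b'.  Escaped commas
    inside values are kept; wildcard-only RDNs such as '*' are passed through."""
    parts = []
    for rdn in re.split(r"(?<!\\),", dn):
        rdn = rdn.strip()
        if "=" not in rdn:
            parts.append(rdn)
            continue
        attr, _, value = rdn.partition("=")
        parts.append(f"{attr.strip().upper()}={value.strip()}")
    return ",".join(parts)


def matches_nodes_dn(subject_dn: str, nodes_dn) -> bool:
    """True if the peer's subject DN matches any nodes_dn entry.  Entries
    wrapped in '/' are treated as regular expressions, everything else as a
    glob pattern ('*' and '?'), mirroring the plugin's two pattern forms."""
    subject = normalize_dn(subject_dn)
    for pattern in nodes_dn:
        if len(pattern) > 1 and pattern.startswith("/") and pattern.endswith("/"):
            if re.fullmatch(pattern[1:-1], subject):
                return True
        elif fnmatchcase(subject, normalize_dn(pattern)):
            return True
    return False


def accepted_peers(peers: dict, nodes_dn) -> set:
    """Names of the peers that would be admitted to the cluster as nodes."""
    return {name for name, dn in peers.items() if matches_nodes_dn(dn, nodes_dn)}


if __name__ == "__main__":
    print("default nodes_dn admits:", sorted(accepted_peers(PEERS_DEFAULT_CERTS, DEFAULT_NODES_DN)))
    print("pinned nodes_dn admits: ", sorted(accepted_peers(PEERS_NODE_CERTS, PINNED_NODES_DN)))
```

Note that this check runs only after the peer's certificate has validated against the trusted CA of the SecretClass; a certificate from an unrelated CA is rejected regardless of its subject. The weakness is therefore limited to workloads that can obtain a certificate from the same SecretClass, which in practice is any pod in the cluster that can mount a secret-operator volume for it. Pinning the list, or using a pattern that is specific to the node pods, closes that gap, but the entries must match the subjects your certificates actually carry, so inspect an issued node certificate before writing the override.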