Decision: TLS Support #69

@labrenbe

Description

The security plugin for OpenSearch allows configuring TLS on internal communication (transport) and on the REST API (http).
TLS for the internal communication should always be enabled as this enables mTLS between OpenSearch nodes and increases security significantly. TLS on the REST API can be made optional.

Part of #55.

Option 1: Follow the naming in other operators (e.g. Kafka, NiFi)

spec:
  clusterConfig:
    tls:
      serverSecretClass: tls # optional
      internalSecretClass: opensearch-internal-tls

The actual CRD would look like this:

clusterConfig:
  default:
    tls:
      serverSecretClass: tls
      internalSecretClass: tls
  properties:
    tls:
      default:
        serverSecretClass: tls
        internalSecretClass: tls
      properties:
        serverSecretClass:
          default: tls
          maxLength: 253
          minLength: 1
          nullable: true
          type: string
        internalSecretClass:
          default: tls
          maxLength: 253
          minLength: 1
          type: string
      type: object

Option 2: Follow the OpenSearch naming for exposed ports

spec:
  clusterConfig:
    tls:
      httpSecretClass: tls # optional
      transportSecretClass: opensearch-transport-tls

The actual CRD would look like this:

clusterConfig:
  default:
    tls:
      httpSecretClass: tls
      transportSecretClass: tls
  properties:
    tls:
      default:
        httpSecretClass: tls
        transportSecretClass: tls
      properties:
        httpSecretClass:
          default: tls
          maxLength: 253
          minLength: 1
          nullable: true
          type: string
        transportSecretClass:
          default: tls
          maxLength: 253
          minLength: 1
          type: string
      type: object
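The rule stated in the description (transport TLS always on, REST TLS optional) can be enforced when the operator renders the security plugin settings. The sketch below is an added example, not code from the operator: it uses the Option 2 field names (the logic is identical for Option 1), and the `Tls` struct, the function names, the mount directories `tls/transport` and `tls/http`, and the file names `tls.crt`, `tls.key` and `ca.crt` are assumptions.

```rust
/// TLS section of the cluster spec, using the Option 2 field names (hypothetical type).
pub struct Tls {
    pub http_secret_class: Option<String>, // nullable: TLS on the REST API is optional
    pub transport_secret_class: String,    // required: transport TLS is always on
}

/// Mirrors the CRD constraints `minLength: 1` and `maxLength: 253`.
fn check_name(field: &str, value: &str) -> Result<(), String> {
    if value.is_empty() || value.len() > 253 {
        return Err(format!("{field} must be 1 to 253 characters long"));
    }
    Ok(())
}

/// Emits the PEM settings for one layer. `dir` is an assumed mount path,
/// relative to the OpenSearch config directory, for that layer's secret volume.
fn pem_settings(layer: &str, dir: &str, out: &mut Vec<(String, String)>) {
    let prefix = format!("plugins.security.ssl.{layer}");
    out.push((format!("{prefix}.enabled"), "true".into()));
    out.push((format!("{prefix}.pemcert_filepath"), format!("{dir}/tls.crt")));
    out.push((format!("{prefix}.pemkey_filepath"), format!("{dir}/tls.key")));
    out.push((format!("{prefix}.pemtrustedcas_filepath"), format!("{dir}/ca.crt")));
}

/// Renders the opensearch.yml entries of the security plugin for a TLS spec.
pub fn render(tls: &Tls) -> Result<Vec<(String, String)>, String> {
    check_name("transportSecretClass", &tls.transport_secret_class)?;
    let mut out = Vec::new();
    // Transport layer: never conditional, so node-to-node traffic always uses TLS.
    pem_settings("transport", "tls/transport", &mut out);
    match &tls.http_secret_class {
        Some(class) => {
            check_name("httpSecretClass", class)?;
            pem_settings("http", "tls/http", &mut out);
        }
        // Disable explicitly instead of omitting, so the rendered file records the choice.
        None => out.push(("plugins.security.ssl.http.enabled".into(), "false".into())),
    }
    Ok(out)
}

fn main() {
    let tls = Tls { http_secret_class: None, transport_secret_class: "opensearch-transport-tls".into() };
    for (key, value) in render(&tls).unwrap() {
        println!("{key}: {value}");
    }
}
```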
