
[BUG] TLS CONFIGURATION FAILS: Failed to load plugin class [org.opensearch.security.OpenSearchSecurityPlugin] #782

Open
Siradjedd opened this issue Apr 8, 2024 · 0 comments
Labels
bug Something isn't working untriaged Issues that have not yet been triaged

Comments

@Siradjedd

What is the bug?

Logs:

```text
java.lang.IllegalStateException: failed to load plugin class [org.opensearch.security.OpenSearchSecurityPlugin]
Likely root cause: OpenSearchException[Unable to read /usr/share/opensearch/config/tls-transport/ca.crt (/usr/share/opensearch/config/tls-transport/ca.crt). Please make sure this files exists and is readable regarding to permissions. Property: plugins.security.ssl.transport.pemtrustedcas_filepath]
```

Configuration files

I'm using cert-manager and Let's Encrypt for the cert generation.
Certifications:

```yaml
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: ca-certificate
  namespace: default
spec:
  secretName: ca-cert
  duration: 9000h # ~1year
  renewBefore: 360h # 15d
  isCA: true
  privateKey:
    size: 2048
  dnsNames:
    - '*.{{.Values.domain}}.adeiz.com'
  usages:
    - digital signature
    - key encipherment
  issuerRef:
    name: letsencrypt-{{.Release.Namespace}}-prod
    kind: ClusterIssuer
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: opensearch-certs
  namespace: default
spec:
  secretName: opensearch-certs
  duration: 9000h # ~1year
  renewBefore: 360h # 15d
  isCA: false
  privateKey:
    size: 2048
    algorithm: RSA
    encoding: PKCS8
  dnsNames:
    - '*.{{.Values.domain}}.adeiz.com'
  usages:
    - signing
    - key encipherment
    - server auth
    - client auth
  issuerRef:
    name: letsencrypt-{{.Release.Namespace}}-prod
    kind: ClusterIssuer
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: opensearch-admin-certs
  namespace: default
spec:
  secretName: opensearch-admin-certs
  duration: 9000h # ~1year
  renewBefore: 360h # 15d
  isCA: false
  privateKey:
    size: 2048
    algorithm: RSA
    encoding: PKCS8
  dnsNames:
    - '*.{{.Values.domain}}.adeiz.com'
  usages:
    - signing
    - key encipherment
    - server auth
    - client auth
  issuerRef:
    name: letsencrypt-{{.Release.Namespace}}-prod
    kind: ClusterIssuer
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: opensearch-dashboards-certs
  namespace: default
spec:
  secretName: opensearch-dashboards-certs
  duration: 9000h # ~1year
  renewBefore: 360h # 15d
  isCA: false
  privateKey:
    size: 2048
    algorithm: RSA
    encoding: PKCS8
  dnsNames:
    - '*.labadeiz.adeiz.com'
  usages:
    - signing
    - key encipherment
    - server auth
    - client auth
  issuerRef:
    name: letsencrypt-{{.Release.Namespace}}-prod
    kind: ClusterIssuer
```

ClusterIssuer:

```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-{{.Release.Namespace}}-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: contact@adeiz.com
    privateKeySecretRef:
      name: letsencrypt-{{.Values.domain}}-prod-account-key
    solvers:
    - selector:
        dnsNames:
        - '*.{{.Values.domain}}.adeiz.com'
      dns01:
        webhook:
          config:
            apiKeySecretRef:
              name: godaddy-api-key-prod
              key: key
              secret: secret
            production: true
            ttl: 600
          groupName: acme.mycompany.com
          solverName: godaddy
```

Opensearch-cluster.yaml:

```yaml
apiVersion: opensearch.opster.io/v1
kind: OpenSearchCluster
metadata:
  name: my-first-cluster
  namespace: default
spec:
  general:
    serviceName: my-first-cluster
    version: 2.3.0
    setVMMaxMapCount: true
  dashboards:
    enable: true
    version: 2.3.0
    replicas: 1
    resources:
      requests:
         memory: "512Mi"
         cpu: "200m"
      limits:
         memory: "512Mi"
         cpu: "200m"
    tls:
      enable: true
      generate: false
      secret:
        name: opensearch-dashboards-certs
  security:
    config:
      adminSecret:
        name: opensearch-admin-certs
    tls:
      transport:
        generate: false
        perNode: false
        secret:
          name: opensearch-certs
        nodesDn: [CN="'*.{{.Values.domain}}.adeiz.com'", ]
        adminDn: ["CN='*.{{.Values.domain}}.adeiz.com'", ]
      http:
        generate: false
        secret:
          name: opensearch-certs
  nodePools:
    - component: masters
      replicas: 2
      diskSize: "3Gi"
      resources:
         requests:
            memory: "2Gi"
            cpu: "500m"
         limits:
            memory: "2Gi"
            cpu: "500m"
      roles:
        - "data"
        - "master"
```

What is the expected behavior?

OpenSearch works normally with the generated certifications.

@Siradjedd Siradjedd added bug Something isn't working untriaged Issues that have not yet been triaged labels Apr 8, 2024
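The error above is the security plugin failing to read `ca.crt` from the directory where the operator mounts the transport secret. A practical pre-flight check is to inspect every Secret the `OpenSearchCluster` spec references and confirm it carries the files the plugin will look for. The script below is an added example, not code from the opensearch-k8s-operator project or from the issue author. It assumes the required key set `ca.crt`, `tls.crt`, `tls.key` (taken from the error message, which shows `ca.crt` being read from the mounted transport secret) and it assumes the locations of the secret references in the spec as they appear in the manifest above. The sample Secrets are constructed: the first two contain only `tls.crt` and `tls.key`, which is what a cert-manager ACME issuer such as Let's Encrypt produces, since cert-manager only populates `ca.crt` when the issuer itself supplies a CA; the third includes `ca.crt` for contrast.

```python
"""Pre-flight check: do the Secrets an OpenSearchCluster references contain the
files the OpenSearch security plugin expects in a mounted TLS secret?

Added example (not the operator's code). Required key set and spec locations
are assumptions drawn from the issue's manifest and error message.
"""
import base64
from typing import Optional

# Files the plugin reads from a mounted TLS secret (assumption from the error,
# which looks for ca.crt inside the transport secret directory).
REQUIRED_KEYS = ("ca.crt", "tls.crt", "tls.key")

# Accepted PEM headers per key. cert-manager writes PKCS#8 keys as
# "BEGIN PRIVATE KEY"; other tooling may emit RSA/EC specific headers.
PEM_HEADERS = {
    "ca.crt": ("-----BEGIN CERTIFICATE-----",),
    "tls.crt": ("-----BEGIN CERTIFICATE-----",),
    "tls.key": ("-----BEGIN PRIVATE KEY-----",
                "-----BEGIN RSA PRIVATE KEY-----",
                "-----BEGIN EC PRIVATE KEY-----"),
}


def pem(kind: str, body: str) -> str:
    """Base64-encode a constructed PEM block the way a Secret's data field stores it."""
    text = f"-----BEGIN {kind}-----\n{body}\n-----END {kind}-----\n"
    return base64.b64encode(text.encode()).decode()


def secret_refs(cluster: dict) -> dict:
    """Map each TLS-related reference in the spec to the Secret name it points at."""
    spec = cluster.get("spec", {})
    refs = {}
    security = spec.get("security", {})
    tls = security.get("tls", {})
    for layer in ("transport", "http"):
        cfg = tls.get(layer, {})
        # Only user-supplied secrets matter; generate: true lets the operator make its own.
        if not cfg.get("generate", True):
            name = cfg.get("secret", {}).get("name")
            if name:
                refs[f"security.tls.{layer}"] = name
    admin = security.get("config", {}).get("adminSecret", {}).get("name")
    if admin:
        refs["security.config.adminSecret"] = admin
    dash = spec.get("dashboards", {}).get("tls", {})
    if dash.get("enable") and not dash.get("generate", True):
        name = dash.get("secret", {}).get("name")
        if name:
            refs["dashboards.tls"] = name
    return refs


def check_secret(secret: Optional[dict]) -> list:
    """Return human-readable problems with one Secret; an empty list means it looks usable."""
    if secret is None:
        return ["secret not found in namespace"]
    data = secret.get("data") or {}
    problems = []
    for key in REQUIRED_KEYS:
        raw = data.get(key)
        if not raw:  # absent or empty value, e.g. ca.crt from an ACME issuer
            problems.append(f"missing key {key}")
            continue
        try:
            decoded = base64.b64decode(raw, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            problems.append(f"{key} is not valid base64 text")
            continue
        if not decoded.lstrip().startswith(PEM_HEADERS[key]):
            problems.append(f"{key} does not start with an expected PEM header")
    return problems


def audit(cluster: dict, secrets: dict) -> dict:
    """Check every referenced Secret; returns {reference path: [problems]}."""
    return {ref: check_secret(secrets.get(name))
            for ref, name in secret_refs(cluster).items()}


# Constructed sample: the issue's cluster spec reduced to its TLS fields.
CLUSTER = {
    "spec": {
        "dashboards": {"enable": True, "tls": {"enable": True, "generate": False,
                                               "secret": {"name": "opensearch-dashboards-certs"}}},
        "security": {
            "config": {"adminSecret": {"name": "opensearch-admin-certs"}},
            "tls": {"transport": {"generate": False, "perNode": False,
                                  "secret": {"name": "opensearch-certs"}},
                    "http": {"generate": False, "secret": {"name": "opensearch-certs"}}},
        },
    },
}

# Constructed Secrets; PEM bodies are placeholders, only the headers are inspected.
ACME_STYLE = {"data": {"tls.crt": pem("CERTIFICATE", "cGxhY2Vob2xkZXI="),
                       "tls.key": pem("PRIVATE KEY", "cGxhY2Vob2xkZXI=")}}
SECRETS = {
    "opensearch-certs": ACME_STYLE,
    "opensearch-admin-certs": ACME_STYLE,
    "opensearch-dashboards-certs": {"data": {"ca.crt": pem("CERTIFICATE", "cGxhY2Vob2xkZXI="),
                                             **ACME_STYLE["data"]}},
}

if __name__ == "__main__":
    for ref, problems in audit(CLUSTER, SECRETS).items():
        print(f"{ref}: {'OK' if not problems else '; '.join(problems)}")
```

Run against live data by replacing `CLUSTER` and `SECRETS` with the output of `kubectl get ... -o json` for the cluster object and the referenced Secrets; any `missing key ca.crt` finding on the transport or http secret reproduces the condition in the log above before the pod is ever started.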