adding spec > security > tls > http > will cause the operator to do nothing?

[elimumford]

Just adding the CRD spec will cause the operator to generate no resources... no error, nothing. I paired it all back down to simply supplying a generate: true... kubectl apply the following very simple config and kubectl will report that the resource opensearchcluster.opensearch.opster.io/test-opensearch created was created, but if you kubectl get all -l opster.io/opensearch-cluster=test-opensearch -A will result in 'No resources found' . Poking at the logs from the pod/opensearch-operator-controller-manager-* returns nothing helpful, I do not see any other part of the operator to query for information...

apiVersion: opensearch.opster.io/v1
kind: OpenSearchCluster
metadata:
  name: test-opensearch
  namespace: default
spec:
  security:
    tls:
      http:
        generate: true
  #       secret:
  #         name: test-opensearch-http-cert
  #       caSecret:
  #         name: opensearch-ca-cert
  general:
    serviceName: test-opensearch
    version: 1.3.2
    setVMMaxMapCount: true
  dashboards:
    enable: true
    version: 1.3.2
    replicas: 1
    resources:
      requests:
        memory: '512Mi'
      limits:
        memory: '512Mi'
  nodePools:
    - component: masters
# Note, had to add these to get a single node cluster to run, otherwise it ends up in a no master elected state when the bootstrap shuts down
      additionalConfig:
        discovery.seed_hosts: test-opensearch-masters-0
        cluster.initial_master_nodes: test-opensearch-masters-0
      replicas: 1
      diskSize: '2Gi'
      resources:
        requests:
          memory: '2Gi'
        limits:
          memory: '2Gi'
      roles:
        - 'data'
        - 'master'

Note, if you do remove the security: portion, it will indeed start up a single node cluster... I am trying to get external certs in place to test more realistic connection scenarios where the CA info is needed for a correct trust setup... went through many iterations on secret types (generic, vs tls), ca.crt in secret as generic, caSecret as generic or tls... thinking I was doing something wrong there. The docs could use some work in this regards... a TLS secret, as far as I am aware can only come with 2 fields, generated from the cert and key files... don't know how you would add a ca.crt key to them... the CRD def docs refer to them as TLS secret... but anyway, none of that matters if the operator does nothing (apparently) when given just the defaults, let alone more.

If anything else is needed, reply and I will do my best to provide more. Really looking forward to leveraging this!

[swoehrl-mw]

Hi @elimumford . I managed to reproduce your problem, with custom secrets for TLS set the operator runs into an error and does not create the cluster. For reference, the error from the operator log is:

1.652079845327363e+09	ERROR	controller.opensearchcluster	Not all secrets for http provided	{"reconciler group": "opensearch.opster.io", "reconciler kind": "OpenSearchCluster", "name": "test-opensearch", "namespace": "default", "error": "missing secret in spec"}
opensearch.opster.io/pkg/reconcilers.(*TLSReconciler).Reconcile
	/home/swoehrl/projects/opensource/opensearch-k8s-operator/opensearch-operator/pkg/reconcilers/tls.go:70
opensearch.opster.io/controllers.(*OpenSearchClusterReconciler).reconcilePhaseRunning
	/home/swoehrl/projects/opensource/opensearch-k8s-operator/opensearch-operator/controllers/opensearchController.go:326
opensearch.opster.io/controllers.(*OpenSearchClusterReconciler).Reconcile
	/home/swoehrl/projects/opensource/opensearch-k8s-operator/opensearch-operator/controllers/opensearchController.go:141
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile
	/home/swoehrl/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:114
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler
	/home/swoehrl/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:311
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem
	/home/swoehrl/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:266
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2
	/home/swoehrl/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:227

This seems to have the same underlying bug as #116, the operator loses some parts of the supplied cluster spec (in the case of #116 the imagePullSecret, in this case the secret names for TLS).

Regarding your question on the structure of the TLS secrets: For example if you create a certificate using cert-manager you will get the three fields (ca.crt, tls.key, tls.crt). But yes, if you create a TLS secret using kubectl you do not have the option to add a ca.crt. Might need to make this more clear in the docs.

[elimumford]

Thanks @swoehrl-mw