Description
Users should be able to add trust anchors. This is required if, for example, OpenSearch is to connect to a self-hosted S3 instance whose certificate is signed by a corporate certificate authority, see e.g. #56.
The CRD could be extended as follows:
```yaml
---
apiVersion: opensearch.stackable.tech/v1alpha1
kind: OpenSearchCluster
spec:
  nodes:
    config:
      extraTrustAnchors:
        - value: <string>
        - valueFrom:
            configMapKeyRef:
              name: <string>
              key: <string>
        - valueFrom:
            secretKeyRef:
              name: <string>
              key: <string>
```

Workaround
It is already possible to add trust anchors via podOverrides:
```yaml
---
apiVersion: opensearch.stackable.tech/v1alpha1
kind: OpenSearchCluster
spec:
  nodes:
    podOverrides:
      spec:
        initContainers:
          - name: init-system-keystore
            image: oci.stackable.tech/sdp/opensearch:3.1.0-stackable0.0.0-dev
            command:
              - update-ca-trust
            args:
              - extract
              - --output
              - /stackable/ca-trust
            volumeMounts:
              - name: system-trust-store
                mountPath: /stackable/ca-trust
                readOnly: false
              - name: custom-trust-anchors
                mountPath: /etc/pki/ca-trust/source/anchors/custom-tls.crt
                subPath: tls.crt
                readOnly: true
        containers:
          - name: opensearch
            volumeMounts:
              - name: system-trust-store
                mountPath: /etc/pki/java/cacerts
                subPath: java/cacerts
                readOnly: true
        volumes:
          - name: custom-trust-anchors
            secret:
              secretName: secret-with-trust-anchors
              defaultMode: 0o660
          - name: system-trust-store
            emptyDir:
              sizeLimit: 10Mi
```