Support hot-reloading TLS certificates

Signed-off-by: josedev-union <[email protected]>

Author: synhershko

charts/opensearch-cluster/templates/cluster.yaml

@@ -56,6 +56,9 @@ spec:
         {{- with .tls.transport.secret }}
         secret: {{ . | toYaml | nindent 10 }}
         {{- end }}
+        {{- if .tls.transport.enableHotReload }}
+        enableHotReload: {{ .tls.transport.enableHotReload }}
+        {{- end }}
       http:
         {{- if .tls.http.generate }}
         generate: {{ .tls.http.generate }}
@@ -66,6 +69,9 @@ spec:
         {{- with .tls.http.caSecret }}
         caSecret: {{ . | toYaml | nindent 10 }}
         {{- end }}
+        {{- if .tls.http.enableHotReload }}
+        enableHotReload: {{ .tls.http.enableHotReload }}
+        {{- end }}
     {{- with .config }}
     config: {{ . | toYaml | nindent 6 }}
     {{- end }}

charts/opensearch-cluster/values.yaml

@@ -326,6 +326,9 @@ cluster:
         secret: {}
 #            name: "secret-name"
 
+        # -- Enable hot reloading of TLS certificates.
+        enableHotReload: false
+
       transport:
         # -- DNs of certificates that should have admin access, mainly used for securityconfig updates via securityadmin.sh,
         # only used when existing certificates are provided
@@ -351,6 +354,8 @@ cluster:
         secret: {}
 #            name: "secret-name"
 
+        # -- Enable hot reloading of TLS certificates.
+        enableHotReload: false
 
   # Opensearch Ingress configuration
   ingress:

charts/opensearch-operator/files/opensearch.opster.io_opensearchclusters.yaml

@@ -3341,6 +3341,12 @@ spec:
                       enable:
                         description: Enable HTTPS for Dashboards
                         type: boolean
+                      enableHotReload:
+                        description: Enable hot reloading of TLS certificates. When
+                          enabled, certificates are mounted as directories instead
+                          of using subPath, allowing Kubernetes to update certificate
+                          files when secrets are updated.
+                        type: boolean
                       generate:
                         description: Generate certificate, if false secret must be
                           provided
@@ -6264,6 +6270,12 @@ spec:
                                 type: string
                             type: object
                             x-kubernetes-map-type: atomic
+                          enableHotReload:
+                            description: Enable hot reloading of TLS certificates.
+                              When enabled, certificates are mounted as directories
+                              instead of using subPath, allowing Kubernetes to update
+                              certificate files when secrets are updated.
+                            type: boolean
                           generate:
                             description: If set to true the operator will generate
                               a CA and certificates for the cluster to use, if false
@@ -6317,6 +6329,12 @@ spec:
                                 type: string
                             type: object
                             x-kubernetes-map-type: atomic
+                          enableHotReload:
+                            description: Enable hot reloading of TLS certificates.
+                              When enabled, certificates are mounted as directories
+                              instead of using subPath, allowing Kubernetes to update
+                              certificate files when secrets are updated.
+                            type: boolean
                           generate:
                             description: If set to true the operator will generate
                               a CA and certificates for the cluster to use, if false

go.work.sum

@@ -778,6 +778,7 @@ golang.org/x/sync v0.15.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220310020820-b874c991c1a5/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
@@ -858,6 +859,7 @@ gopkg.in/square/go-jose.v2 v2.2.2 h1:orlkJ3myw8CN1nVQHBFfloD+L3egixIa4FvUP6RosSA
 gopkg.in/square/go-jose.v2 v2.6.0 h1:NGk74WTnPKBNUhNzQX7PYcTLUjoq7mzKk2OKbvwk2iI=
 gopkg.in/square/go-jose.v2 v2.6.0/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
 gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v3 v3.0.0/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gotest.tools/v3 v3.0.3 h1:4AuOwCGf4lLR9u3YOe2awrHygurzhO/HeQ6laiA6Sx0=
 helm.sh/helm/v3 v3.12.0 h1:rOq2TPVzg5jt4q5ermAZGZFxNW2uQhKjRhBneAutMEM=
 helm.sh/helm/v3 v3.12.0/go.mod h1:8K/469yxjUMu6BaD2EagCitkPjELUL/l2AgCO142G94=

opensearch-operator/api/v1/opensearch_types.go

@@ -275,6 +275,8 @@ type TlsCertificateConfig struct {
 	Secret corev1.LocalObjectReference `json:"secret,omitempty"`
 	// Optional, secret that contains the ca certificate as ca.crt. If this and generate=true is set the existing CA cert from that secret is used to generate the node certs. In this case must contain ca.crt and ca.key fields
 	CaSecret corev1.LocalObjectReference `json:"caSecret,omitempty"`
+	// Enable hot reloading of TLS certificates. When enabled, certificates are mounted as directories instead of using subPath, allowing Kubernetes to update certificate files when secrets are updated.
+	EnableHotReload bool `json:"enableHotReload,omitempty"`
 }
 
 // Reference to a secret

opensearch-operator/config/crd/bases/opensearch.opster.io_opensearchclusters.yaml

@@ -3341,6 +3341,12 @@ spec:
                       enable:
                         description: Enable HTTPS for Dashboards
                         type: boolean
+                      enableHotReload:
+                        description: Enable hot reloading of TLS certificates. When
+                          enabled, certificates are mounted as directories instead
+                          of using subPath, allowing Kubernetes to update certificate
+                          files when secrets are updated.
+                        type: boolean
                       generate:
                         description: Generate certificate, if false secret must be
                           provided
@@ -6264,6 +6270,12 @@ spec:
                                 type: string
                             type: object
                             x-kubernetes-map-type: atomic
+                          enableHotReload:
+                            description: Enable hot reloading of TLS certificates.
+                              When enabled, certificates are mounted as directories
+                              instead of using subPath, allowing Kubernetes to update
+                              certificate files when secrets are updated.
+                            type: boolean
                           generate:
                             description: If set to true the operator will generate
                               a CA and certificates for the cluster to use, if false
@@ -6317,6 +6329,12 @@ spec:
                                 type: string
                             type: object
                             x-kubernetes-map-type: atomic
+                          enableHotReload:
+                            description: Enable hot reloading of TLS certificates.
+                              When enabled, certificates are mounted as directories
+                              instead of using subPath, allowing Kubernetes to update
+                              certificate files when secrets are updated.
+                            type: boolean
                           generate:
                             description: If set to true the operator will generate
                               a CA and certificates for the cluster to use, if false

opensearch-operator/pkg/reconcilers/tls.go

@@ -129,18 +129,34 @@ func (r *TLSReconciler) handleAdminCertificate() (*ctrl.Result, error) {
 	return res, nil
 }
 
-func (r *TLSReconciler) securityChangeVersion() bool {
-	newVersionConstraint, err := semver.NewConstraint(">=2.0.0")
+func (r *TLSReconciler) checkVersionConstraint(constraint string, defaultOnError bool, errMsg string) bool {
+	versionConstraint, err := semver.NewConstraint(constraint)
 	if err != nil {
 		panic(err)
 	}
 
 	version, err := semver.NewVersion(r.instance.Spec.General.Version)
 	if err != nil {
-		r.logger.Error(err, "unable to parse version, assuming >= 2.0.0")
-		return true
+		r.logger.Error(err, errMsg)
+		return defaultOnError
 	}
-	return newVersionConstraint.Check(version)
+	return versionConstraint.Check(version)
+}
+
+func (r *TLSReconciler) securityChangeVersion() bool {
+	return r.checkVersionConstraint(
+		">=2.0.0",
+		true,
+		"unable to parse version, assuming >= 2.0.0",
+	)
+}
+
+func (r *TLSReconciler) supportsHotReload() bool {
+	return r.checkVersionConstraint(
+		">=2.19.1",
+		false,
+		"unable to parse version for hot reload check, assuming not supported",
+	)
 }
 
 func (r *TLSReconciler) adminCAName() string {
@@ -488,19 +504,42 @@ func (r *TLSReconciler) handleTransportExistingCerts() error {
 			//		r.recorder.Event(r.instance, "Warning", "Security", "Notice - Not all secrets for transport provided")
 			return err
 		}
-		if tlsConfig.CaSecret.Name == "" {
+
+		// Implement new mounting logic based on CaSecret.Name configuration
+		switch name := tlsConfig.CaSecret.Name; name {
+		case "":
+			// If CaSecret.Name is empty, mount Secret.Name as a directory
 			mountFolder("transport", "certs", tlsConfig.Secret.Name, r.reconcilerContext)
+		case tlsConfig.Secret.Name:
+			// If CaSecret.Name is same as Secret.Name, mount only Secret.Name as a directory
+			mountFolder("transport", "certs", tlsConfig.Secret.Name, r.reconcilerContext)
+		default:
+			// If CaSecret.Name is different from Secret.Name, mount both secrets as directories
+			// Mount Secret.Name as tls-transport/
+			mountFolder("transport", "certs", tlsConfig.Secret.Name, r.reconcilerContext)
+			// Mount CaSecret.Name as tls-transport-ca/
+			mountFolder("transport", "ca", tlsConfig.CaSecret.Name, r.reconcilerContext)
+		}
+
+		// Extend opensearch.yml with appropriate file paths based on mounting logic
+		if tlsConfig.CaSecret.Name == "" || tlsConfig.CaSecret.Name == tlsConfig.Secret.Name {
+			// Single secret mounted as directory
+			r.reconcilerContext.AddConfig("plugins.security.ssl.transport.pemcert_filepath", fmt.Sprintf("tls-transport/%s", corev1.TLSCertKey))
+			r.reconcilerContext.AddConfig("plugins.security.ssl.transport.pemkey_filepath", fmt.Sprintf("tls-transport/%s", corev1.TLSPrivateKeyKey))
+			r.reconcilerContext.AddConfig("plugins.security.ssl.transport.pemtrustedcas_filepath", fmt.Sprintf("tls-transport/%s", CaCertKey))
 		} else {
-			mount("transport", "ca", CaCertKey, tlsConfig.CaSecret.Name, r.reconcilerContext)
-			mount("transport", "key", corev1.TLSPrivateKeyKey, tlsConfig.Secret.Name, r.reconcilerContext)
-			mount("transport", "cert", corev1.TLSCertKey, tlsConfig.Secret.Name, r.reconcilerContext)
+			// Separate secrets mounted as directories
+			r.reconcilerContext.AddConfig("plugins.security.ssl.transport.pemcert_filepath", fmt.Sprintf("tls-transport/%s", corev1.TLSCertKey))
+			r.reconcilerContext.AddConfig("plugins.security.ssl.transport.pemkey_filepath", fmt.Sprintf("tls-transport/%s", corev1.TLSPrivateKeyKey))
+			r.reconcilerContext.AddConfig("plugins.security.ssl.transport.pemtrustedcas_filepath", fmt.Sprintf("tls-transport-ca/%s", CaCertKey))
 		}
-		// Extend opensearch.yml
-		r.reconcilerContext.AddConfig("plugins.security.ssl.transport.pemcert_filepath", fmt.Sprintf("tls-transport/%s", corev1.TLSCertKey))
-		r.reconcilerContext.AddConfig("plugins.security.ssl.transport.pemkey_filepath", fmt.Sprintf("tls-transport/%s", corev1.TLSPrivateKeyKey))
 		r.reconcilerContext.AddConfig("plugins.security.ssl.transport.enforce_hostname_verification", "false")
+
+		// Enable hot reload if configured and version supports it
+		if tlsConfig.EnableHotReload && r.supportsHotReload() {
+			r.reconcilerContext.AddConfig("plugins.security.ssl.certificates_hot_reload.enabled", "true")
+		}
 	}
-	r.reconcilerContext.AddConfig("plugins.security.ssl.transport.pemtrustedcas_filepath", fmt.Sprintf("tls-transport/%s", CaCertKey))
 	dnList := strings.Join(tlsConfig.NodesDn, "\",\"")
 	r.reconcilerContext.AddConfig("plugins.security.nodes_dn", fmt.Sprintf("[\"%s\"]", dnList))
 	return nil
@@ -592,19 +631,43 @@ func (r *TLSReconciler) handleHttp() error {
 			//		r.recorder.Event(r.instance, "Warning", "Security", "Notice - Not all secrets for http provided")
 			return err
 		}
-		if tlsConfig.CaSecret.Name == "" {
+
+		// Implement new mounting logic based on CaSecret.Name configuration
+		switch name := tlsConfig.CaSecret.Name; name {
+		case "":
+			// If CaSecret.Name is empty, mount Secret.Name as a directory
 			mountFolder("http", "certs", tlsConfig.Secret.Name, r.reconcilerContext)
-		} else {
-			mount("http", "ca", CaCertKey, tlsConfig.CaSecret.Name, r.reconcilerContext)
-			mount("http", "key", corev1.TLSPrivateKeyKey, tlsConfig.Secret.Name, r.reconcilerContext)
-			mount("http", "cert", corev1.TLSCertKey, tlsConfig.Secret.Name, r.reconcilerContext)
+		case tlsConfig.Secret.Name:
+			// If CaSecret.Name is same as Secret.Name, mount only Secret.Name as a directory
+			mountFolder("http", "certs", tlsConfig.Secret.Name, r.reconcilerContext)
+		default:
+			// If CaSecret.Name is different from Secret.Name, mount both secrets as directories
+			// Mount Secret.Name as tls-http/
+			mountFolder("http", "certs", tlsConfig.Secret.Name, r.reconcilerContext)
+			// Mount CaSecret.Name as tls-http-ca/
+			mountFolder("http", "ca", tlsConfig.CaSecret.Name, r.reconcilerContext)
 		}
 	}
-	// Extend opensearch.yml
+	// Extend opensearch.yml with appropriate file paths based on mounting logic
 	r.reconcilerContext.AddConfig("plugins.security.ssl.http.enabled", "true")
-	r.reconcilerContext.AddConfig("plugins.security.ssl.http.pemcert_filepath", fmt.Sprintf("tls-http/%s", corev1.TLSCertKey))
-	r.reconcilerContext.AddConfig("plugins.security.ssl.http.pemkey_filepath", fmt.Sprintf("tls-http/%s", corev1.TLSPrivateKeyKey))
-	r.reconcilerContext.AddConfig("plugins.security.ssl.http.pemtrustedcas_filepath", fmt.Sprintf("tls-http/%s", CaCertKey))
+
+	// Set certificate file paths based on mounting configuration
+	if tlsConfig.CaSecret.Name == "" || tlsConfig.CaSecret.Name == tlsConfig.Secret.Name {
+		// Single secret mounted as directory
+		r.reconcilerContext.AddConfig("plugins.security.ssl.http.pemcert_filepath", fmt.Sprintf("tls-http/%s", corev1.TLSCertKey))
+		r.reconcilerContext.AddConfig("plugins.security.ssl.http.pemkey_filepath", fmt.Sprintf("tls-http/%s", corev1.TLSPrivateKeyKey))
+		r.reconcilerContext.AddConfig("plugins.security.ssl.http.pemtrustedcas_filepath", fmt.Sprintf("tls-http/%s", CaCertKey))
+	} else {
+		// Separate secrets mounted as directories
+		r.reconcilerContext.AddConfig("plugins.security.ssl.http.pemcert_filepath", fmt.Sprintf("tls-http/%s", corev1.TLSCertKey))
+		r.reconcilerContext.AddConfig("plugins.security.ssl.http.pemkey_filepath", fmt.Sprintf("tls-http/%s", corev1.TLSPrivateKeyKey))
+		r.reconcilerContext.AddConfig("plugins.security.ssl.http.pemtrustedcas_filepath", fmt.Sprintf("tls-http-ca/%s", CaCertKey))
+	}
+
+	// Enable hot reload if configured and version supports it
+	if tlsConfig.EnableHotReload && r.supportsHotReload() {
+		r.reconcilerContext.AddConfig("plugins.security.ssl.certificates_hot_reload.enabled", "true")
+	}
 	return nil
 }
 
@@ -625,17 +688,18 @@ func (r *TLSReconciler) providedCaCert(secretName string, namespace string) (tls
 	return ca, nil
 }
 
-func mount(interfaceName string, name string, filename string, secretName string, reconcilerContext *ReconcilerContext) {
-	volume := corev1.Volume{Name: interfaceName + "-" + name, VolumeSource: corev1.VolumeSource{Secret: &corev1.SecretVolumeSource{SecretName: secretName}}}
-	reconcilerContext.Volumes = append(reconcilerContext.Volumes, volume)
-	mount := corev1.VolumeMount{Name: interfaceName + "-" + name, MountPath: fmt.Sprintf("/usr/share/opensearch/config/tls-%s/%s", interfaceName, filename), SubPath: filename}
-	reconcilerContext.VolumeMounts = append(reconcilerContext.VolumeMounts, mount)
-}
-
 func mountFolder(interfaceName string, name string, secretName string, reconcilerContext *ReconcilerContext) {
 	volume := corev1.Volume{Name: interfaceName + "-" + name, VolumeSource: corev1.VolumeSource{Secret: &corev1.SecretVolumeSource{SecretName: secretName}}}
 	reconcilerContext.Volumes = append(reconcilerContext.Volumes, volume)
-	mount := corev1.VolumeMount{Name: interfaceName + "-" + name, MountPath: fmt.Sprintf("/usr/share/opensearch/config/tls-%s", interfaceName)}
+
+	var mountPath string
+	if name == "ca" {
+		mountPath = fmt.Sprintf("/usr/share/opensearch/config/tls-%s-ca", interfaceName)
+	} else {
+		mountPath = fmt.Sprintf("/usr/share/opensearch/config/tls-%s", interfaceName)
+	}
+
+	mount := corev1.VolumeMount{Name: interfaceName + "-" + name, MountPath: mountPath}
 	reconcilerContext.VolumeMounts = append(reconcilerContext.VolumeMounts, mount)
 }