[FEATURE] Document behavior of live TLS certificate refresh #1877
Comments
Also, just noticed this which gets in the way of me having an internal user run the refresh command. This could be its own permissions group, potentially.
Thanks for filing @patcable, documentation is managed in another repository and there is an issue tracking the missing documentation for the
Thanks for drawing attention to this, being unable to delegate actions to other accounts is a gap in the current design.
Filed a separate bug on that permissions design issue, so it can be tracked after this one is closed out.
hmm. So, there's a documentation issue for sure that's captured well in opensearch-project/documentation-website#530. With that, @peternied do you think it'd be worth opening a feature ticket to allow other roles the ability to reload certs?
oh, just saw you captured that in #1878. Thanks!
Is your feature request related to a problem?
Sort of. There is functionality in opensearch-security to reload TLS certificates in opensearch-security. It's not really documented, though.
What solution would you like?
Let folks know about the plugins.security.ssl_cert_reload_enabled flag, and that certificate reloads can be triggered with a PUT to /_opendistro/_security/api/ssl/{http,transport}/reloadcerts. Also let folks know what API access is required to make that happen.
What alternatives have you considered?
I could restart OpenSearch I suppose, but would like to avoid that if I can.
Do you have any additional context?
We issue short-ish (weeks) lived PKI certificates using Hashicorp Vault. They work well, but I'd like to avoid having to restart OS if possible. Code for the SSLReloadCertsAction is available here.
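The reload flow requested in the issue, sketched as an added example that is not part of the original issue or the project's own code. The node URL, the file paths, the function names and the use of an admin client certificate for authentication are assumptions; only the flag name and the endpoint paths come from the issue.

```shell
#!/bin/sh
# Added example: trigger a live TLS certificate reload on one OpenSearch node.
# Prerequisite in opensearch.yml (flag named in the issue):
#   plugins.security.ssl_cert_reload_enabled: true
# Assumptions (not from the issue): node URL, file paths, and that the caller
# authenticates with an admin client certificate.

OS_URL="${OS_URL:-https://localhost:9200}"
CA_CERT="${CA_CERT:-/path/to/root-ca.pem}"        # placeholder path
ADMIN_CERT="${ADMIN_CERT:-/path/to/admin.pem}"    # placeholder path
ADMIN_KEY="${ADMIN_KEY:-/path/to/admin-key.pem}"  # placeholder path

# Build the reload endpoint for one TLS layer; reject anything but http/transport.
reload_url() {
    case "$1" in
        http|transport)
            printf '%s/_opendistro/_security/api/ssl/%s/reloadcerts\n' "${OS_URL%/}" "$1" ;;
        *)
            echo "unknown TLS layer: $1" >&2
            return 2 ;;
    esac
}

# PUT to the endpoint; --fail makes curl exit non-zero on an HTTP error status.
reload_layer() {
    url=$(reload_url "$1") || return
    curl --silent --show-error --fail \
         --cacert "$CA_CERT" --cert "$ADMIN_CERT" --key "$ADMIN_KEY" \
         -X PUT "$url"
}

# Reload both layers and report each result, so a partial failure is visible.
reload_all() {
    rc=0
    for layer in transport http; do
        if reload_layer "$layer"; then
            echo "reloaded $layer certificates"
        else
            echo "reload FAILED for $layer" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Contact the node only when asked, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    reload_all
fi
```

Run it with `--run` on each node after the renewed certificate files are in place.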