From f747050ab023ccccce4913471208d5fd2b184fd4 Mon Sep 17 00:00:00 2001 From: Siegfried Weber Date: Wed, 22 Apr 2026 17:55:41 +0200 Subject: [PATCH 1/7] feat: Add node domains to nodes_dn --- Cargo.lock | 9 --- Cargo.nix | 63 +++---------------- Cargo.toml | 1 + crate-hashes.json | 9 --- .../src/controller/build/node_config.rs | 32 +++++++++- .../controller/build/role_group_builder.rs | 6 +- tests/templates/kuttl/smoke/10-assert.yaml.j2 | 4 +- 7 files changed, 46 insertions(+), 78 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 1243c7c6..d8d560a8 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1517,7 +1517,6 @@ dependencies = [ [[package]] name = "k8s-version" version = "0.1.3" -source = "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#7486017f60827d1d769d7bf17bf56adb21f8bb02" dependencies = [ "darling", "regex", @@ -2887,7 +2886,6 @@ checksum = "6ce2be8dc25455e1f91df71bfa12ad37d7af1092ae736f3a6cd0e37bc7810596" [[package]] name = "stackable-certs" version = "0.4.0" -source = "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#7486017f60827d1d769d7bf17bf56adb21f8bb02" dependencies = [ "const-oid", "ecdsa", @@ -2931,7 +2929,6 @@ dependencies = [ [[package]] name = "stackable-operator" version = "0.108.0" -source = "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#7486017f60827d1d769d7bf17bf56adb21f8bb02" dependencies = [ "clap", "const_format", @@ -2970,7 +2967,6 @@ dependencies = [ [[package]] name = "stackable-operator-derive" version = "0.3.1" -source = "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#7486017f60827d1d769d7bf17bf56adb21f8bb02" dependencies = [ "darling", "proc-macro2", 
@@ -2981,7 +2977,6 @@ dependencies = [ [[package]] name = "stackable-shared" version = "0.1.0" -source = "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#7486017f60827d1d769d7bf17bf56adb21f8bb02" dependencies = [ "jiff", "k8s-openapi", @@ -2998,7 +2993,6 @@ dependencies = [ [[package]] name = "stackable-telemetry" version = "0.6.2" -source = "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#7486017f60827d1d769d7bf17bf56adb21f8bb02" dependencies = [ "axum", "clap", @@ -3022,7 +3016,6 @@ dependencies = [ [[package]] name = "stackable-versioned" version = "0.8.3" -source = "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#7486017f60827d1d769d7bf17bf56adb21f8bb02" dependencies = [ "schemars", "serde", @@ -3035,7 +3028,6 @@ dependencies = [ [[package]] name = "stackable-versioned-macros" version = "0.8.3" -source = "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#7486017f60827d1d769d7bf17bf56adb21f8bb02" dependencies = [ "convert_case", "convert_case_extras", @@ -3053,7 +3045,6 @@ dependencies = [ [[package]] name = "stackable-webhook" version = "0.9.0" -source = "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#7486017f60827d1d769d7bf17bf56adb21f8bb02" dependencies = [ "arc-swap", "async-trait", diff --git a/Cargo.nix b/Cargo.nix index 827dc703..4e2b2170 100644 --- a/Cargo.nix +++ b/Cargo.nix @@ -4821,12 +4821,7 @@ rec { crateName = "k8s-version"; version = "0.1.3"; edition = "2024"; - workspace_member = null; - src = pkgs.fetchgit { - url = "https://github.com/stackabletech/operator-rs.git"; - rev = "7486017f60827d1d769d7bf17bf56adb21f8bb02"; - sha256 = "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2"; - }; + src = lib.cleanSourceWith { filter = sourceFilter; src = ../operator-rs/crates/k8s-version; }; libName = "k8s_version"; authors = [ "Stackable GmbH " 
@@ -9532,12 +9527,7 @@ rec { crateName = "stackable-certs"; version = "0.4.0"; edition = "2024"; - workspace_member = null; - src = pkgs.fetchgit { - url = "https://github.com/stackabletech/operator-rs.git"; - rev = "7486017f60827d1d769d7bf17bf56adb21f8bb02"; - sha256 = "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2"; - }; + src = lib.cleanSourceWith { filter = sourceFilter; src = ../operator-rs/crates/stackable-certs; }; libName = "stackable_certs"; authors = [ "Stackable GmbH " @@ -9721,12 +9711,7 @@ rec { crateName = "stackable-operator"; version = "0.108.0"; edition = "2024"; - workspace_member = null; - src = pkgs.fetchgit { - url = "https://github.com/stackabletech/operator-rs.git"; - rev = "7486017f60827d1d769d7bf17bf56adb21f8bb02"; - sha256 = "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2"; - }; + src = lib.cleanSourceWith { filter = sourceFilter; src = ../operator-rs/crates/stackable-operator; }; libName = "stackable_operator"; authors = [ "Stackable GmbH " @@ -9893,12 +9878,7 @@ rec { crateName = "stackable-operator-derive"; version = "0.3.1"; edition = "2024"; - workspace_member = null; - src = pkgs.fetchgit { - url = "https://github.com/stackabletech/operator-rs.git"; - rev = "7486017f60827d1d769d7bf17bf56adb21f8bb02"; - sha256 = "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2"; - }; + src = lib.cleanSourceWith { filter = sourceFilter; src = ../operator-rs/crates/stackable-operator-derive; }; procMacro = true; libName = "stackable_operator_derive"; authors = [ 
@@ -9928,12 +9908,7 @@ rec { crateName = "stackable-shared"; version = "0.1.0"; edition = "2024"; - workspace_member = null; - src = pkgs.fetchgit { - url = "https://github.com/stackabletech/operator-rs.git"; - rev = "7486017f60827d1d769d7bf17bf56adb21f8bb02"; - sha256 = "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2"; - }; + src = lib.cleanSourceWith { filter = sourceFilter; src = ../operator-rs/crates/stackable-shared; }; libName = "stackable_shared"; authors = [ "Stackable GmbH " @@ -10009,12 +9984,7 @@ rec { crateName = "stackable-telemetry"; version = "0.6.2"; edition = "2024"; - workspace_member = null; - src = pkgs.fetchgit { - url = "https://github.com/stackabletech/operator-rs.git"; - rev = "7486017f60827d1d769d7bf17bf56adb21f8bb02"; - sha256 = "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2"; - }; + src = lib.cleanSourceWith { filter = sourceFilter; src = ../operator-rs/crates/stackable-telemetry; }; libName = "stackable_telemetry"; authors = [ "Stackable GmbH " @@ -10119,12 +10089,7 @@ rec { crateName = "stackable-versioned"; version = "0.8.3"; edition = "2024"; - workspace_member = null; - src = pkgs.fetchgit { - url = "https://github.com/stackabletech/operator-rs.git"; - rev = "7486017f60827d1d769d7bf17bf56adb21f8bb02"; - sha256 = "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2"; - }; + src = lib.cleanSourceWith { filter = sourceFilter; src = ../operator-rs/crates/stackable-versioned; }; libName = "stackable_versioned"; authors = [ "Stackable GmbH " 
@@ -10163,12 +10128,7 @@ rec { crateName = "stackable-versioned-macros"; version = "0.8.3"; edition = "2024"; - workspace_member = null; - src = pkgs.fetchgit { - url = "https://github.com/stackabletech/operator-rs.git"; - rev = "7486017f60827d1d769d7bf17bf56adb21f8bb02"; - sha256 = "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2"; - }; + src = lib.cleanSourceWith { filter = sourceFilter; src = ../operator-rs/crates/stackable-versioned-macros; }; procMacro = true; libName = "stackable_versioned_macros"; authors = [ @@ -10231,12 +10191,7 @@ rec { crateName = "stackable-webhook"; version = "0.9.0"; edition = "2024"; - workspace_member = null; - src = pkgs.fetchgit { - url = "https://github.com/stackabletech/operator-rs.git"; - rev = "7486017f60827d1d769d7bf17bf56adb21f8bb02"; - sha256 = "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2"; - }; + src = lib.cleanSourceWith { filter = sourceFilter; src = ../operator-rs/crates/stackable-webhook; }; libName = "stackable_webhook"; authors = [ "Stackable GmbH " diff --git a/Cargo.toml b/Cargo.toml index e3804e78..1af2cdfb 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -28,3 +28,4 @@ uuid = "1.18" [patch."https://github.com/stackabletech/operator-rs"] # stackable-operator = { git = "https://github.com/stackabletech//operator-rs.git", branch = "main" } +stackable-operator = { path = "../operator-rs/crates/stackable-operator" } diff --git a/crate-hashes.json b/crate-hashes.json index 2148b36f..a7ddcc2d 100644 --- a/crate-hashes.json +++ b/crate-hashes.json 
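Review bot: The added `stackable-operator = { path = "../operator-rs/crates/stackable-operator" }` override in the `[patch]` table points at a sibling checkout outside this repository, so the build uses whatever is in that directory on the build machine. The same commit drops the `source = "git+…#7486017f…"` entries from Cargo.lock and the `pkgs.fetchgit` `rev`/`sha256` pins from Cargo.nix for all nine operator-rs crates, so the dependency that this series relies on for the certificate subject no longer has a commit or hash pin. If this is a development-only state, I would keep it out of the merged history, or pin a commit on the git form already shown in the commented-out line, e.g. `stackable-operator = { git = "https://github.com/stackabletech//operator-rs.git", rev = "<COMMIT_SHA>" }`.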
@@ -4,14 +4,5 @@ "git+https://github.com/kube-rs/kube-rs?rev=fe69cc486ff8e62a7da61d64ec3ebbd9e64c43b5#kube-derive@3.0.1": "1irm4g79crlxjm3iqrgvx0f6wxdcj394ky84q89pk9i36y2mlw3n", "git+https://github.com/kube-rs/kube-rs?rev=fe69cc486ff8e62a7da61d64ec3ebbd9e64c43b5#kube-runtime@3.0.1": "1irm4g79crlxjm3iqrgvx0f6wxdcj394ky84q89pk9i36y2mlw3n", "git+https://github.com/kube-rs/kube-rs?rev=fe69cc486ff8e62a7da61d64ec3ebbd9e64c43b5#kube@3.0.1": "1irm4g79crlxjm3iqrgvx0f6wxdcj394ky84q89pk9i36y2mlw3n", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#k8s-version@0.1.3": "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-certs@0.4.0": "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-operator-derive@0.3.1": "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-operator@0.108.0": "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-shared@0.1.0": "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-telemetry@0.6.2": "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-versioned-macros@0.8.3": "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-versioned@0.8.3": "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-webhook@0.9.0": 
"1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2", "git+https://github.com/stackabletech/product-config.git?tag=0.8.0#product-config@0.8.0": "1dz70kapm2wdqcr7ndyjji0lhsl98bsq95gnb2lw487wf6yr7987" } \ No newline at end of file diff --git a/rust/operator-binary/src/controller/build/node_config.rs b/rust/operator-binary/src/controller/build/node_config.rs index 26591fd2..1e76f3d0 100644 --- a/rust/operator-binary/src/controller/build/node_config.rs +++ b/rust/operator-binary/src/controller/build/node_config.rs @@ -16,7 +16,7 @@ use crate::{ framework::{ builder::pod::container::{EnvVarName, EnvVarSet}, product_logging::framework::STACKABLE_LOG_DIR, - role_group_utils, + role_group_utils::{self, ResourceNames}, types::{kubernetes::ServiceName, operator::RoleGroupName}, }, }; @@ -223,11 +223,39 @@ impl NodeConfig { CONFIG_OPTION_DISCOVERY_TYPE.to_owned(), json!(self.discovery_type()), ); + let nodes_dn = self + .cluster + .role_group_configs + .keys() + .map(|role_group_name| { + let resource_names = ResourceNames { + cluster_name: self.cluster.name.clone(), + role_name: ValidatedCluster::role_name(), + role_group_name: role_group_name.clone(), + }; + + self.cluster_domain_name + .split('.') + .rev() + .chain([ + "svc", + self.cluster.namespace.as_ref(), + resource_names.headless_service_name().as_ref(), + &format!( + "{stateful_set_name}-*", + stateful_set_name = resource_names.stateful_set_name() + ), + ]) + .map(|component| format!("DC={component}")) + .collect::>() + .join(",") + }) + .collect::>(); config.insert // Accept certificates generated by the secret-operator ( CONFIG_OPTION_PLUGINS_SECURITY_NODES_DN.to_owned(), - json!(["CN=generated certificate for pod".to_owned()]), + json!(nodes_dn), ); config.insert( CONFIG_OPTION_NODE_ATTR_ROLE_GROUP.to_owned(), diff --git a/rust/operator-binary/src/controller/build/role_group_builder.rs b/rust/operator-binary/src/controller/build/role_group_builder.rs index 686cde70..7c8b8556 100644 
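Review bot: The last component built by `format!("{stateful_set_name}-*", …)` ends every `nodes_dn` entry in an open wildcard, so the pattern accepts any suffix after the StatefulSet name, not only a pod ordinal. This is much narrower than the old `CN=generated certificate for pod`, but a certificate from the same CA whose subject starts with the same DC components would still be treated as a cluster node; whether such a subject can be obtained depends on how the secret-operator derives the DN, which is not visible here. If the security plugin's regular-expression form is acceptable for this setting, consider restricting the suffix to digits, and in any case record the trust assumption next to the `format!`, e.g. `// Trailing "-*" stands for the pod ordinal; relies on the CA issuing DC subjects only for a pod's own FQDN.` The same expression is carried into `nodes_dn()` in PATCH 4/7. The enclosing function starts and ends outside this hunk.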
--- a/rust/operator-binary/src/controller/build/role_group_builder.rs +++ b/rust/operator-binary/src/controller/build/role_group_builder.rs @@ -1075,7 +1075,8 @@ impl<'a> RoleGroupBuilder<'a> { .with_pod_scope() .with_listener_volume_scope(ROLE_GROUP_LISTENER_VOLUME_NAME.to_string()) .with_format(SecretFormat::TlsPem) - .with_auto_tls_cert_lifetime(self.role_group_config.config.requested_secret_lifetime); + .with_auto_tls_cert_lifetime(self.role_group_config.config.requested_secret_lifetime) + .with_auto_tls_cert_domain_components_in_subject_dn(true); if self .role_group_config @@ -1110,7 +1111,8 @@ impl<'a> RoleGroupBuilder<'a> { .with_pod_scope() .with_listener_volume_scope(ROLE_GROUP_LISTENER_VOLUME_NAME.to_string()) .with_format(SecretFormat::TlsPem) - .with_auto_tls_cert_lifetime(self.role_group_config.config.requested_secret_lifetime); + .with_auto_tls_cert_lifetime(self.role_group_config.config.requested_secret_lifetime) + .with_auto_tls_cert_domain_components_in_subject_dn(true); if self.role_group_config.config.discovery_service_exposed { volume_source_builder diff --git a/tests/templates/kuttl/smoke/10-assert.yaml.j2 b/tests/templates/kuttl/smoke/10-assert.yaml.j2 index c2cd2a5f..50a7b300 100644 --- a/tests/templates/kuttl/smoke/10-assert.yaml.j2 +++ b/tests/templates/kuttl/smoke/10-assert.yaml.j2 
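Review bot: Both `.with_auto_tls_cert_domain_components_in_subject_dn(true)` calls change the subject of newly issued certificates in the same change that removes `CN=generated certificate for pod` from `plugins.security.nodes_dn`, so during a rolling restart pods still running with the old configuration and certificates and pods with the new ones would presumably not accept each other as nodes. I would state the coupling at the call site, e.g. `// Subject DN must match the patterns written to plugins.security.nodes_dn in node_config.rs; change both together.`, and describe the expected restart behaviour in the changelog entry. It is also worth confirming that the second builder, which appears to be the one extended when `discovery_service_exposed` is set, needs the DC subject at all, since only certificates checked against `nodes_dn` depend on it. Both builder chains begin outside their hunks.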
@@ -1000,7 +1000,7 @@ data: node.store.allow_mmap: "false" path.logs: "/stackable/log/opensearch" plugins.security.allow_default_init_securityindex: true - plugins.security.nodes_dn: ["CN=generated certificate for pod"] + plugins.security.nodes_dn: ["DC=local,DC=cluster,DC=svc,DC=test,DC=opensearch-nodes-cluster-manager-headless,DC=opensearch-nodes-cluster-manager-*","DC=local,DC=cluster,DC=svc,DC=test,DC=opensearch-nodes-data-headless,DC=opensearch-nodes-data-*"] {% if test_scenario['values']['server-use-tls'] == 'true' %} plugins.security.ssl.http.enabled: true plugins.security.ssl.http.pemcert_filepath: "{{ test_scenario['values']['opensearch_home'] }}/config/tls/server/tls.crt" @@ -1041,7 +1041,7 @@ data: node.store.allow_mmap: "false" path.logs: "/stackable/log/opensearch" plugins.security.allow_default_init_securityindex: true - plugins.security.nodes_dn: ["CN=generated certificate for pod"] + plugins.security.nodes_dn: ["DC=local,DC=cluster,DC=svc,DC=test,DC=opensearch-nodes-cluster-manager-headless,DC=opensearch-nodes-cluster-manager-*","DC=local,DC=cluster,DC=svc,DC=test,DC=opensearch-nodes-data-headless,DC=opensearch-nodes-data-*"] {% if test_scenario['values']['server-use-tls'] == 'true' %} plugins.security.ssl.http.enabled: true plugins.security.ssl.http.pemcert_filepath: "{{ test_scenario['values']['opensearch_home'] }}/config/tls/server/tls.crt" From 2a871f2a1e260f0e185b942b13da81fcbe28746c Mon Sep 17 00:00:00 2001 From: Siegfried Weber Date: Wed, 27 May 2026 17:30:41 +0200 Subject: [PATCH 2/7] chore: Update changelog --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9704be59..0fce56be 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -15,11 +15,14 @@ All notable changes to this project will be documented in this file. - BREAKING: `configOverrides` now only accepts the known config file `opensearch.yml`. Previously, arbitrary file names were silently accepted and ignored ([#137]). - Bump `stackable-operator` to 0.110.1 ([#137]). +- Replace the generic subject DN in the configuration setting `plugins.security.nodes_dn` with the + FQDNs of the OpenSearch nodes ([#144]). [#129]: https://github.com/stackabletech/opensearch-operator/pull/129 [#130]: https://github.com/stackabletech/opensearch-operator/pull/130 [#137]: https://github.com/stackabletech/opensearch-operator/pull/137 [#141]: https://github.com/stackabletech/opensearch-operator/pull/141 +[#144]: https://github.com/stackabletech/opensearch-operator/pull/144 ## [26.3.0] - 2026-03-16 From 1026ef5ed3753a5b0ce892370855e37a02d3b459 Mon Sep 17 00:00:00 2001 From: Siegfried Weber Date: Wed, 27 May 2026 17:35:14 +0200 Subject: [PATCH 3/7] chore: Update stackable-operator --- Cargo.lock | 30 +++++++++++++------------ Cargo.nix | 56 ++++++++++++++++++++++++++++------------------- crate-hashes.json | 18 +++++++-------- 3 files changed, 58 insertions(+), 46 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 1245be45..20424737 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1532,7 +1532,7 @@ dependencies = [ [[package]] name = "k8s-version" version = "0.1.3" -source = "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fannotation-auto-tls-cert-subject-dn#9e6a5d726f12d60fbd6546957e82d7334ac47f23" +source = "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fannotation-auto-tls-cert-subject-dn#8eb179f9faf75afae2db8171445e84a6a54a4401" dependencies = [ "darling", "regex", 
@@ -2916,7 +2916,7 @@ checksum = "6ce2be8dc25455e1f91df71bfa12ad37d7af1092ae736f3a6cd0e37bc7810596" [[package]] name = "stackable-certs" version = "0.4.0" -source = "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fannotation-auto-tls-cert-subject-dn#9e6a5d726f12d60fbd6546957e82d7334ac47f23" +source = "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fannotation-auto-tls-cert-subject-dn#8eb179f9faf75afae2db8171445e84a6a54a4401" dependencies = [ "const-oid", "ecdsa", @@ -2961,8 +2961,8 @@ dependencies = [ [[package]] name = "stackable-operator" -version = "0.110.1" -source = "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fannotation-auto-tls-cert-subject-dn#9e6a5d726f12d60fbd6546957e82d7334ac47f23" +version = "0.111.1" +source = "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fannotation-auto-tls-cert-subject-dn#8eb179f9faf75afae2db8171445e84a6a54a4401" dependencies = [ "base64", "clap", @@ -2998,12 +2998,13 @@ dependencies = [ "tracing-appender", "tracing-subscriber", "url", + "winnow", ] [[package]] name = "stackable-operator-derive" version = "0.3.1" -source = "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fannotation-auto-tls-cert-subject-dn#9e6a5d726f12d60fbd6546957e82d7334ac47f23" +source = "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fannotation-auto-tls-cert-subject-dn#8eb179f9faf75afae2db8171445e84a6a54a4401" dependencies = [ "darling", "proc-macro2", @@ -3014,7 +3015,7 @@ dependencies = [ [[package]] name = "stackable-shared" version = "0.1.0" -source = "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fannotation-auto-tls-cert-subject-dn#9e6a5d726f12d60fbd6546957e82d7334ac47f23" +source = "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fannotation-auto-tls-cert-subject-dn#8eb179f9faf75afae2db8171445e84a6a54a4401" dependencies = [ "jiff", "k8s-openapi", 
@@ -3031,7 +3032,7 @@ dependencies = [ [[package]] name = "stackable-telemetry" version = "0.6.3" -source = "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fannotation-auto-tls-cert-subject-dn#9e6a5d726f12d60fbd6546957e82d7334ac47f23" +source = "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fannotation-auto-tls-cert-subject-dn#8eb179f9faf75afae2db8171445e84a6a54a4401" dependencies = [ "axum", "clap", @@ -3054,9 +3055,10 @@ dependencies = [ [[package]] name = "stackable-versioned" -version = "0.9.0" -source = "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fannotation-auto-tls-cert-subject-dn#9e6a5d726f12d60fbd6546957e82d7334ac47f23" +version = "0.10.0" +source = "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fannotation-auto-tls-cert-subject-dn#8eb179f9faf75afae2db8171445e84a6a54a4401" dependencies = [ + "kube", "schemars", "serde", "serde_json", @@ -3067,8 +3069,8 @@ dependencies = [ [[package]] name = "stackable-versioned-macros" -version = "0.9.0" -source = "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fannotation-auto-tls-cert-subject-dn#9e6a5d726f12d60fbd6546957e82d7334ac47f23" +version = "0.10.0" +source = "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fannotation-auto-tls-cert-subject-dn#8eb179f9faf75afae2db8171445e84a6a54a4401" dependencies = [ "convert_case", "convert_case_extras", @@ -3086,7 +3088,7 @@ dependencies = [ [[package]] name = "stackable-webhook" version = "0.9.1" -source = "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fannotation-auto-tls-cert-subject-dn#9e6a5d726f12d60fbd6546957e82d7334ac47f23" +source = "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fannotation-auto-tls-cert-subject-dn#8eb179f9faf75afae2db8171445e84a6a54a4401" dependencies = [ "arc-swap", "async-trait", 
@@ -3937,9 +3939,9 @@ checksum = "589f6da84c646204747d1270a2a5661ea66ed1cced2631d546fdfb155959f9ec" [[package]] name = "winnow" -version = "1.0.2" +version = "1.0.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2ee1708bef14716a11bae175f579062d4554d95be2c6829f518df847b7b3fdd0" +checksum = "0592e1c9d151f854e6fd382574c3a0855250e1d9b2f99d9281c6e6391af352f1" dependencies = [ "memchr", ] diff --git a/Cargo.nix b/Cargo.nix index 2aa32fb3..9115a015 100644 --- a/Cargo.nix +++ b/Cargo.nix @@ -4884,8 +4884,8 @@ rec { workspace_member = null; src = pkgs.fetchgit { url = "https://github.com/stackabletech//operator-rs.git"; - rev = "9e6a5d726f12d60fbd6546957e82d7334ac47f23"; - sha256 = "1nf9m1m4kks349szfxzwypijlgwrbsspdrnyivgm2mwzbkawzzp5"; + rev = "8eb179f9faf75afae2db8171445e84a6a54a4401"; + sha256 = "0liwh50756wajvzrbklcdcasrzczrh7xsf3q4gzq32h145x9151d"; }; libName = "k8s_version"; authors = [ @@ -9596,8 +9596,8 @@ rec { workspace_member = null; src = pkgs.fetchgit { url = "https://github.com/stackabletech//operator-rs.git"; - rev = "9e6a5d726f12d60fbd6546957e82d7334ac47f23"; - sha256 = "1nf9m1m4kks349szfxzwypijlgwrbsspdrnyivgm2mwzbkawzzp5"; + rev = "8eb179f9faf75afae2db8171445e84a6a54a4401"; + sha256 = "0liwh50756wajvzrbklcdcasrzczrh7xsf3q4gzq32h145x9151d"; }; libName = "stackable_certs"; authors = [ @@ -9789,13 +9789,13 @@ rec { }; "stackable-operator" = rec { crateName = "stackable-operator"; - version = "0.110.1"; + version = "0.111.1"; edition = "2024"; workspace_member = null; src = pkgs.fetchgit { url = "https://github.com/stackabletech//operator-rs.git"; - rev = "9e6a5d726f12d60fbd6546957e82d7334ac47f23"; - sha256 = "1nf9m1m4kks349szfxzwypijlgwrbsspdrnyivgm2mwzbkawzzp5"; + rev = "8eb179f9faf75afae2db8171445e84a6a54a4401"; + sha256 = "0liwh50756wajvzrbklcdcasrzczrh7xsf3q4gzq32h145x9151d"; }; libName = "stackable_operator"; authors = [ 
@@ -9955,6 +9955,10 @@ rec { packageId = "url"; features = [ "serde" ]; } + { + name = "winnow"; + packageId = "winnow"; + } ]; features = { "certs" = [ "dep:stackable-certs" ]; @@ -9974,8 +9978,8 @@ rec { workspace_member = null; src = pkgs.fetchgit { url = "https://github.com/stackabletech//operator-rs.git"; - rev = "9e6a5d726f12d60fbd6546957e82d7334ac47f23"; - sha256 = "1nf9m1m4kks349szfxzwypijlgwrbsspdrnyivgm2mwzbkawzzp5"; + rev = "8eb179f9faf75afae2db8171445e84a6a54a4401"; + sha256 = "0liwh50756wajvzrbklcdcasrzczrh7xsf3q4gzq32h145x9151d"; }; procMacro = true; libName = "stackable_operator_derive"; @@ -10009,8 +10013,8 @@ rec { workspace_member = null; src = pkgs.fetchgit { url = "https://github.com/stackabletech//operator-rs.git"; - rev = "9e6a5d726f12d60fbd6546957e82d7334ac47f23"; - sha256 = "1nf9m1m4kks349szfxzwypijlgwrbsspdrnyivgm2mwzbkawzzp5"; + rev = "8eb179f9faf75afae2db8171445e84a6a54a4401"; + sha256 = "0liwh50756wajvzrbklcdcasrzczrh7xsf3q4gzq32h145x9151d"; }; libName = "stackable_shared"; authors = [ @@ -10090,8 +10094,8 @@ rec { workspace_member = null; src = pkgs.fetchgit { url = "https://github.com/stackabletech//operator-rs.git"; - rev = "9e6a5d726f12d60fbd6546957e82d7334ac47f23"; - sha256 = "1nf9m1m4kks349szfxzwypijlgwrbsspdrnyivgm2mwzbkawzzp5"; + rev = "8eb179f9faf75afae2db8171445e84a6a54a4401"; + sha256 = "0liwh50756wajvzrbklcdcasrzczrh7xsf3q4gzq32h145x9151d"; }; libName = "stackable_telemetry"; authors = [ 
@@ -10195,19 +10199,25 @@ rec { }; "stackable-versioned" = rec { crateName = "stackable-versioned"; - version = "0.9.0"; + version = "0.10.0"; edition = "2024"; workspace_member = null; src = pkgs.fetchgit { url = "https://github.com/stackabletech//operator-rs.git"; - rev = "9e6a5d726f12d60fbd6546957e82d7334ac47f23"; - sha256 = "1nf9m1m4kks349szfxzwypijlgwrbsspdrnyivgm2mwzbkawzzp5"; + rev = "8eb179f9faf75afae2db8171445e84a6a54a4401"; + sha256 = "0liwh50756wajvzrbklcdcasrzczrh7xsf3q4gzq32h145x9151d"; }; libName = "stackable_versioned"; authors = [ "Stackable GmbH " ]; dependencies = [ + { + name = "kube"; + packageId = "kube"; + usesDefaultFeatures = false; + features = [ "client" "jsonpatch" "runtime" "derive" "admission" "rustls-tls" "ring" ]; + } { name = "schemars"; packageId = "schemars"; @@ -10239,13 +10249,13 @@ rec { }; "stackable-versioned-macros" = rec { crateName = "stackable-versioned-macros"; - version = "0.9.0"; + version = "0.10.0"; edition = "2024"; workspace_member = null; src = pkgs.fetchgit { url = "https://github.com/stackabletech//operator-rs.git"; - rev = "9e6a5d726f12d60fbd6546957e82d7334ac47f23"; - sha256 = "1nf9m1m4kks349szfxzwypijlgwrbsspdrnyivgm2mwzbkawzzp5"; + rev = "8eb179f9faf75afae2db8171445e84a6a54a4401"; + sha256 = "0liwh50756wajvzrbklcdcasrzczrh7xsf3q4gzq32h145x9151d"; }; procMacro = true; libName = "stackable_versioned_macros"; @@ -10312,8 +10322,8 @@ rec { workspace_member = null; src = pkgs.fetchgit { url = "https://github.com/stackabletech//operator-rs.git"; - rev = "9e6a5d726f12d60fbd6546957e82d7334ac47f23"; - sha256 = "1nf9m1m4kks349szfxzwypijlgwrbsspdrnyivgm2mwzbkawzzp5"; + rev = "8eb179f9faf75afae2db8171445e84a6a54a4401"; + sha256 = "0liwh50756wajvzrbklcdcasrzczrh7xsf3q4gzq32h145x9151d"; }; libName = "stackable_webhook"; authors = [ 
@@ -13939,9 +13949,9 @@ rec { }; "winnow" = rec { crateName = "winnow"; - version = "1.0.2"; + version = "1.0.3"; edition = "2021"; - sha256 = "1l7xnfvlgy4da6gq5ip2bgcm8i9d0rwzaxg1p88nlw8lxy5p1q9f"; + sha256 = "1wajycd3krn6h699vydjv7hm0ll5l31p899qzpk59y2is74y34h5"; dependencies = [ { name = "memchr"; diff --git a/crate-hashes.json b/crate-hashes.json index f6f723e9..4e0f1877 100644 --- a/crate-hashes.json +++ b/crate-hashes.json 
@@ -1,12 +1,12 @@ { - "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fannotation-auto-tls-cert-subject-dn#k8s-version@0.1.3": "1nf9m1m4kks349szfxzwypijlgwrbsspdrnyivgm2mwzbkawzzp5", - "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fannotation-auto-tls-cert-subject-dn#stackable-certs@0.4.0": "1nf9m1m4kks349szfxzwypijlgwrbsspdrnyivgm2mwzbkawzzp5", - "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fannotation-auto-tls-cert-subject-dn#stackable-operator-derive@0.3.1": "1nf9m1m4kks349szfxzwypijlgwrbsspdrnyivgm2mwzbkawzzp5", - "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fannotation-auto-tls-cert-subject-dn#stackable-operator@0.110.1": "1nf9m1m4kks349szfxzwypijlgwrbsspdrnyivgm2mwzbkawzzp5", - "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fannotation-auto-tls-cert-subject-dn#stackable-shared@0.1.0": "1nf9m1m4kks349szfxzwypijlgwrbsspdrnyivgm2mwzbkawzzp5", - "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fannotation-auto-tls-cert-subject-dn#stackable-telemetry@0.6.3": "1nf9m1m4kks349szfxzwypijlgwrbsspdrnyivgm2mwzbkawzzp5", - "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fannotation-auto-tls-cert-subject-dn#stackable-versioned-macros@0.9.0": "1nf9m1m4kks349szfxzwypijlgwrbsspdrnyivgm2mwzbkawzzp5", - "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fannotation-auto-tls-cert-subject-dn#stackable-versioned@0.9.0": "1nf9m1m4kks349szfxzwypijlgwrbsspdrnyivgm2mwzbkawzzp5", - "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fannotation-auto-tls-cert-subject-dn#stackable-webhook@0.9.1": "1nf9m1m4kks349szfxzwypijlgwrbsspdrnyivgm2mwzbkawzzp5", + "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fannotation-auto-tls-cert-subject-dn#k8s-version@0.1.3": "0liwh50756wajvzrbklcdcasrzczrh7xsf3q4gzq32h145x9151d", + 
"git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fannotation-auto-tls-cert-subject-dn#stackable-certs@0.4.0": "0liwh50756wajvzrbklcdcasrzczrh7xsf3q4gzq32h145x9151d", + "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fannotation-auto-tls-cert-subject-dn#stackable-operator-derive@0.3.1": "0liwh50756wajvzrbklcdcasrzczrh7xsf3q4gzq32h145x9151d", + "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fannotation-auto-tls-cert-subject-dn#stackable-operator@0.111.1": "0liwh50756wajvzrbklcdcasrzczrh7xsf3q4gzq32h145x9151d", + "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fannotation-auto-tls-cert-subject-dn#stackable-shared@0.1.0": "0liwh50756wajvzrbklcdcasrzczrh7xsf3q4gzq32h145x9151d", + "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fannotation-auto-tls-cert-subject-dn#stackable-telemetry@0.6.3": "0liwh50756wajvzrbklcdcasrzczrh7xsf3q4gzq32h145x9151d", + "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fannotation-auto-tls-cert-subject-dn#stackable-versioned-macros@0.10.0": "0liwh50756wajvzrbklcdcasrzczrh7xsf3q4gzq32h145x9151d", + "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fannotation-auto-tls-cert-subject-dn#stackable-versioned@0.10.0": "0liwh50756wajvzrbklcdcasrzczrh7xsf3q4gzq32h145x9151d", + "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fannotation-auto-tls-cert-subject-dn#stackable-webhook@0.9.1": "0liwh50756wajvzrbklcdcasrzczrh7xsf3q4gzq32h145x9151d", "git+https://github.com/stackabletech/product-config.git?tag=0.8.0#product-config@0.8.0": "1dz70kapm2wdqcr7ndyjji0lhsl98bsq95gnb2lw487wf6yr7987" } \ No newline at end of file From 3b1db97b7bc12288298ac7eeae37836714496f1e Mon Sep 17 00:00:00 2001 
From: Siegfried Weber
Date: Thu, 28 May 2026 10:07:38 +0200
Subject: [PATCH 4/7] fix: Fix format of plugins.security.nodes_dn; Fix the unit tests
---
 .../src/controller/build/node_config.rs | 71 ++++++++++---------
 .../controller/build/role_group_builder.rs | 6 ++
 2 files changed, 43 insertions(+), 34 deletions(-)
diff --git a/rust/operator-binary/src/controller/build/node_config.rs b/rust/operator-binary/src/controller/build/node_config.rs
index 3bcd7e62..3e229c39 100644
--- a/rust/operator-binary/src/controller/build/node_config.rs
+++ b/rust/operator-binary/src/controller/build/node_config.rs
@@ -198,44 +198,12 @@ impl NodeConfig { /// The file should only contain cluster-wide configuration options. Node-specific options /// should be defined as environment variables. pub fn static_opensearch_config(&self) -> serde_json::Value { - let nodes_dn = self - .cluster - .role_group_configs - .keys() - .map(|role_group_name| { - let resource_names = ResourceNames { - cluster_name: self.cluster.name.clone(), - role_name: ValidatedCluster::role_name(), - role_group_name: role_group_name.clone(), - }; - - self.cluster_domain_name - .split('.') - .rev() - .chain([ - "svc", - self.cluster.namespace.as_ref(), - resource_names.headless_service_name().as_ref(), - &format!( - "{stateful_set_name}-*", - stateful_set_name = resource_names.stateful_set_name() - ), - ]) - .map(|component| format!("DC={component}")) - .collect::>() - .join(",") - }) - .collect::>(); - let mut config = json!({ CONFIG_OPTION_CLUSTER_NAME: self.cluster.name, // Bind to all interfaces because the IP address is not known in advance. CONFIG_OPTION_NETWORK_HOST: "0.0.0.0", CONFIG_OPTION_DISCOVERY_TYPE: self.discovery_type(), - // Accept certificates generated by the secret-operator - CONFIG_OPTION_PLUGINS_SECURITY_NODES_DN: [ - json!(nodes_dn), - ], + CONFIG_OPTION_PLUGINS_SECURITY_NODES_DN: json!(self.nodes_dn()), CONFIG_OPTION_NODE_ATTR_ROLE_GROUP: self.role_group_name, CONFIG_OPTION_PATH_LOGS: format!( "{STACKABLE_LOG_DIR}/{container}", 
@@ -265,6 +233,41 @@ impl NodeConfig { config } + /// Returns the list of distinguished names (DNs) that denote the other nodes in the cluster. + /// + /// The list looks similar to: + /// - DC=local,DC=cluster,DC=svc,DC=my-namespace,DC=opensearch-nodes-cluster-manager-headless,DC=opensearch-nodes-cluster-manager-* + /// - DC=local,DC=cluster,DC=svc,DC=my-namespace,DC=opensearch-nodes-data-headless,DC=opensearch-nodes-data-* + fn nodes_dn(&self) -> Vec { + self.cluster + .role_group_configs + .keys() + .map(|role_group_name| { + let resource_names = ResourceNames { + cluster_name: self.cluster.name.clone(), + role_name: ValidatedCluster::role_name(), + role_group_name: role_group_name.clone(), + }; + + self.cluster_domain_name + .split('.') + .rev() + .chain([ + "svc", + self.cluster.namespace.as_ref(), + resource_names.headless_service_name().as_ref(), + &format!( + "{stateful_set_name}-*", + stateful_set_name = resource_names.stateful_set_name() + ), + ]) + .map(|component| format!("DC={component}")) + .collect::>() + .join(",") + }) + .collect() + } + /// Distinguished name (DN) of the super admin certificate pub fn super_admin_dn(&self) -> String { // The common name field is limited to 64 characters, see RFC 5280. @@ -687,7 +690,7 @@ mod tests { "path.logs: /stackable/log/opensearch\n", "plugins.security.authcz.admin_dn: CN=update-security-config.0b1e30e6-326e-4c1a-868d-ad6598b49e8b\n", "plugins.security.nodes_dn:\n", - "- CN=generated certificate for pod\n", + "- DC=local,DC=cluster,DC=svc,DC=default,DC=my-opensearch-cluster-nodes-default-headless,DC=my-opensearch-cluster-nodes-default-*\n", "plugins.security.ssl.http.enabled: true\n", "plugins.security.ssl.http.pemcert_filepath: /stackable/opensearch/config/tls/server/tls.crt\n", "plugins.security.ssl.http.pemkey_filepath: /stackable/opensearch/config/tls/server/tls.key\n", 
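Review bot: In the new `nodes_dn()` the DN is built from `self.cluster_domain_name.split('.')` without dropping empty labels, so a cluster domain written with a trailing dot would yield a leading empty `DC=` component, and the pattern would presumably no longer match the subject DN of the node certificates. Whether `DomainName` admits a trailing dot is not visible in this hunk and should be confirmed; if it does, `.split('.').filter(|label| !label.is_empty())` keeps the patterns aligned with the issued subjects. The doc comment says the list denotes "the other nodes", while the loop covers every key of `role_group_configs`, the node's own role group included, so "all nodes" would be more accurate. Since this list decides which certificates are accepted as cluster nodes, a unit test with more than one role group would pin the per-role-group entries; the expectation changed in the later `mod tests` hunk shows a single entry only.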
diff --git a/rust/operator-binary/src/controller/build/role_group_builder.rs b/rust/operator-binary/src/controller/build/role_group_builder.rs index 99227db0..728eb289 100644 --- a/rust/operator-binary/src/controller/build/role_group_builder.rs +++ b/rust/operator-binary/src/controller/build/role_group_builder.rs @@ -2550,6 +2550,7 @@ mod tests { "metadata": { "annotations": { "secrets.stackable.tech/backend.autotls.cert.lifetime": "1d", + "secrets.stackable.tech/backend.autotls.cert.domain-components-in-subject-dn": "true", "secrets.stackable.tech/class": "tls", "secrets.stackable.tech/format": "tls-pem", "secrets.stackable.tech/provision-parts": "public-private", @@ -2577,6 +2578,7 @@ mod tests { "metadata": { "annotations": { "secrets.stackable.tech/backend.autotls.cert.lifetime": "1d", + "secrets.stackable.tech/backend.autotls.cert.domain-components-in-subject-dn": "true", "secrets.stackable.tech/class": "tls", "secrets.stackable.tech/format": "tls-pem", "secrets.stackable.tech/provision-parts": "public-private", @@ -2762,6 +2764,7 @@ mod tests { "metadata": { "annotations": { "secrets.stackable.tech/backend.autotls.cert.lifetime": "1d", + "secrets.stackable.tech/backend.autotls.cert.domain-components-in-subject-dn": "true", "secrets.stackable.tech/class": "tls", "secrets.stackable.tech/format": "tls-pem", "secrets.stackable.tech/provision-parts": "public-private", @@ -2789,6 +2792,7 @@ mod tests { "metadata": { "annotations": { "secrets.stackable.tech/backend.autotls.cert.lifetime": "1d", + "secrets.stackable.tech/backend.autotls.cert.domain-components-in-subject-dn": "true", "secrets.stackable.tech/class": "tls", "secrets.stackable.tech/format": "tls-pem", "secrets.stackable.tech/provision-parts": "public-private", 
@@ -2986,6 +2990,7 @@ mod tests { "metadata": { "annotations": { "secrets.stackable.tech/backend.autotls.cert.lifetime": "1d", + "secrets.stackable.tech/backend.autotls.cert.domain-components-in-subject-dn": "true", "secrets.stackable.tech/class": "tls", "secrets.stackable.tech/format": "tls-pem", "secrets.stackable.tech/provision-parts": "public-private", @@ -3013,6 +3018,7 @@ mod tests { "metadata": { "annotations": { "secrets.stackable.tech/backend.autotls.cert.lifetime": "1d", + "secrets.stackable.tech/backend.autotls.cert.domain-components-in-subject-dn": "true", "secrets.stackable.tech/class": "tls", "secrets.stackable.tech/format": "tls-pem", "secrets.stackable.tech/provision-parts": "public-private", From 268cd4c5ba0cf6fecd99a1ac2860b81431fa13d5 Mon Sep 17 00:00:00 2001 From: Siegfried Weber Date: Thu, 28 May 2026 11:52:05 +0200 Subject: [PATCH 5/7] fix: Support the old subject DN --- .../src/controller/build/node_config.rs | 12 ++++++++++++ tests/templates/kuttl/smoke/10-assert.yaml.j2 | 2 ++ 2 files changed, 14 insertions(+) diff --git a/rust/operator-binary/src/controller/build/node_config.rs b/rust/operator-binary/src/controller/build/node_config.rs index 3e229c39..b49e0836 100644 --- a/rust/operator-binary/src/controller/build/node_config.rs +++ b/rust/operator-binary/src/controller/build/node_config.rs @@ -1,5 +1,7 @@ //! Configuration of an OpenSearch node +use std::iter; + use serde_json::json; use stackable_operator::{ builder::pod::container::FieldPathEnvVar, commons::networking::DomainName, 
@@ -238,6 +240,10 @@ impl NodeConfig { /// The list looks similar to: /// - DC=local,DC=cluster,DC=svc,DC=my-namespace,DC=opensearch-nodes-cluster-manager-headless,DC=opensearch-nodes-cluster-manager-* /// - DC=local,DC=cluster,DC=svc,DC=my-namespace,DC=opensearch-nodes-data-headless,DC=opensearch-nodes-data-* + /// - CN=generated certificate for pod + /// + /// The entry "CN=generated certificate for pod" is still added to make the transition from + /// SDP 26.3 to 26.7 possible. fn nodes_dn(&self) -> Vec { self.cluster .role_group_configs @@ -265,6 +271,11 @@ impl NodeConfig { .collect::>() .join(",") }) + // TODO Remove "CN=generated certificate for pod" after the release of SDP 26.7 and + // adapt the comment of the function and the tests. + // + // tracked in https://github.com/stackabletech/opensearch-operator/issues/145 + .chain(iter::once("CN=generated certificate for pod".to_owned())) .collect() } @@ -691,6 +702,7 @@ mod tests { "plugins.security.authcz.admin_dn: CN=update-security-config.0b1e30e6-326e-4c1a-868d-ad6598b49e8b\n", "plugins.security.nodes_dn:\n", "- DC=local,DC=cluster,DC=svc,DC=default,DC=my-opensearch-cluster-nodes-default-headless,DC=my-opensearch-cluster-nodes-default-*\n", + "- CN=generated certificate for pod\n", "plugins.security.ssl.http.enabled: true\n", "plugins.security.ssl.http.pemcert_filepath: /stackable/opensearch/config/tls/server/tls.crt\n", "plugins.security.ssl.http.pemkey_filepath: /stackable/opensearch/config/tls/server/tls.key\n", diff --git a/tests/templates/kuttl/smoke/10-assert.yaml.j2 b/tests/templates/kuttl/smoke/10-assert.yaml.j2 index 7e7a40b9..0cee2348 100644 --- a/tests/templates/kuttl/smoke/10-assert.yaml.j2 +++ b/tests/templates/kuttl/smoke/10-assert.yaml.j2 
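Review bot: The entry appended by `.chain(iter::once("CN=generated certificate for pod".to_owned()))` in the second hunk is a fixed subject rather than a per-cluster one, so while it stays in `plugins.security.nodes_dn` the DC-scoped patterns before it do not narrow which certificates are treated as node certificates. The comment removed in PATCH 4/7 described this subject as the one on certificates generated by the secret-operator, which suggests (not confirmed here) that other workloads holding a certificate from the same trusted CA would still match. The TODO should state that consequence and not only the release it is tied to, for example `// SECURITY: until this entry is removed, any certificate with this generic subject from a trusted CA is accepted as a node certificate.` The body of `nodes_dn` starts outside that hunk.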
@@ -1060,6 +1060,7 @@ data: plugins.security.nodes_dn: - DC=local,DC=cluster,DC=svc,DC=test,DC=opensearch-nodes-cluster-manager-headless,DC=opensearch-nodes-cluster-manager-* - DC=local,DC=cluster,DC=svc,DC=test,DC=opensearch-nodes-data-headless,DC=opensearch-nodes-data-* + - CN=generated certificate for pod {% if test_scenario['values']['server-use-tls'] == 'true' %} plugins.security.ssl.http.enabled: true plugins.security.ssl.http.pemcert_filepath: {{ test_scenario['values']['opensearch_home'] }}/config/tls/server/tls.crt @@ -1103,6 +1104,7 @@ data: plugins.security.nodes_dn: - DC=local,DC=cluster,DC=svc,DC=test,DC=opensearch-nodes-cluster-manager-headless,DC=opensearch-nodes-cluster-manager-* - DC=local,DC=cluster,DC=svc,DC=test,DC=opensearch-nodes-data-headless,DC=opensearch-nodes-data-* + - CN=generated certificate for pod {% if test_scenario['values']['server-use-tls'] == 'true' %} plugins.security.ssl.http.enabled: true plugins.security.ssl.http.pemcert_filepath: {{ test_scenario['values']['opensearch_home'] }}/config/tls/server/tls.crt From ad523c1f3711d559e08c6295aa01eeec76845136 Mon Sep 17 00:00:00 2001 From: Siegfried Weber Date: Thu, 28 May 2026 16:52:40 +0200 Subject: [PATCH 6/7] tests: Use specific operator versions in the tests --- tests/release.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/release.yaml b/tests/release.yaml index c877cd40..ba3bc675 100644 --- a/tests/release.yaml +++ b/tests/release.yaml @@ -9,8 +9,8 @@ releases: commons: operatorVersion: 0.0.0-dev secret: - operatorVersion: 0.0.0-dev + operatorVersion: 0.0.0-pr708 listener: operatorVersion: 0.0.0-dev opensearch: - operatorVersion: 0.0.0-dev + operatorVersion: 0.0.0-pr144 From 507bc8790a142ca9cae097112b98809d364679a8 Mon Sep 17 00:00:00 2001 
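Review bot: In `tests/release.yaml` the `secret` and `opensearch` entries are pinned to `operatorVersion: 0.0.0-pr708` and `operatorVersion: 0.0.0-pr144`, which look like builds of open pull requests rather than released or `-dev` artifacts. If that is the case, the test suite depends on images that can be rebuilt or removed when those pull requests change, so a run is not reproducible and pulls code that has not yet been reviewed into a main branch. A comment on each pinned line such as `# TODO: revert to 0.0.0-dev once the referenced pull request is merged`, or reverting the pin before merge, would keep this from landing unnoticed.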
From: Siegfried Weber Date: Fri, 29 May 2026 12:09:55 +0200 Subject: [PATCH 7/7] test(smoke): Fix assertions --- tests/templates/kuttl/smoke/10-assert.yaml.j2 | 110 ++++++++++-------- 1 file changed, 60 insertions(+), 50 deletions(-) diff --git a/tests/templates/kuttl/smoke/10-assert.yaml.j2 b/tests/templates/kuttl/smoke/10-assert.yaml.j2 index 0cee2348..fe2dc73e 100644 --- a/tests/templates/kuttl/smoke/10-assert.yaml.j2 +++ b/tests/templates/kuttl/smoke/10-assert.yaml.j2 
@@ -1048,31 +1048,36 @@ metadata: kind: OpenSearchCluster name: opensearch data: - opensearch.yml: | - cluster.name: opensearch - cluster.routing.allocation.disk.threshold_enabled: false - discovery.type: zen - network.host: 0.0.0.0 - node.attr.role-group: cluster-manager - node.store.allow_mmap: false - path.logs: /stackable/log/opensearch - plugins.security.allow_default_init_securityindex: true - plugins.security.nodes_dn: - - DC=local,DC=cluster,DC=svc,DC=test,DC=opensearch-nodes-cluster-manager-headless,DC=opensearch-nodes-cluster-manager-* - - DC=local,DC=cluster,DC=svc,DC=test,DC=opensearch-nodes-data-headless,DC=opensearch-nodes-data-* - - CN=generated certificate for pod -{% if test_scenario['values']['server-use-tls'] == 'true' %} - plugins.security.ssl.http.enabled: true - plugins.security.ssl.http.pemcert_filepath: {{ test_scenario['values']['opensearch_home'] }}/config/tls/server/tls.crt - plugins.security.ssl.http.pemkey_filepath: {{ test_scenario['values']['opensearch_home'] }}/config/tls/server/tls.key - plugins.security.ssl.http.pemtrustedcas_filepath: {{ test_scenario['values']['opensearch_home'] }}/config/tls/server/ca.crt -{% else %} - plugins.security.ssl.http.enabled: false -{% endif %} - plugins.security.ssl.transport.enabled: true - plugins.security.ssl.transport.pemcert_filepath: {{ test_scenario['values']['opensearch_home'] }}/config/tls/internal/tls.crt - plugins.security.ssl.transport.pemkey_filepath: {{ test_scenario['values']['opensearch_home'] }}/config/tls/internal/tls.key - plugins.security.ssl.transport.pemtrustedcas_filepath: {{ test_scenario['values']['opensearch_home'] }}/config/tls/internal/ca.crt + log4j2.properties: | +{% raw %} + rootLogger.level = INFO + rootLogger.appenderRef.CONSOLE.ref = CONSOLE + rootLogger.appenderRef.FILE.ref = FILE + appender.CONSOLE.type = Console + appender.CONSOLE.name = CONSOLE + appender.CONSOLE.target = SYSTEM_ERR + appender.CONSOLE.layout.type = PatternLayout + appender.CONSOLE.layout.pattern 
= [%d{ISO8601}][%-5p][%-25c{1.}] [%node_name]%marker %m%n + appender.CONSOLE.filter.threshold.type = ThresholdFilter + appender.CONSOLE.filter.threshold.level = INFO + appender.FILE.type = RollingFile + appender.FILE.name = FILE + appender.FILE.fileName = /stackable/log/opensearch/opensearch_server.json + appender.FILE.filePattern = /stackable/log/opensearch/opensearch_server.json.%i + appender.FILE.layout.type = OpenSearchJsonLayout + appender.FILE.layout.type_name = server + appender.FILE.policies.type = Policies + appender.FILE.policies.size.type = SizeBasedTriggeringPolicy + appender.FILE.policies.size.size = 5MB + appender.FILE.strategy.type = DefaultRolloverStrategy + appender.FILE.strategy.max = 1 + appender.FILE.filter.threshold.type = ThresholdFilter + appender.FILE.filter.threshold.level = INFO +{% endraw %} + # opensearch.yml: | + # The property "plugins.security.nodes_dn" in opensearch.yml contains the namespace and cluster + # domain. Since these cannot be substituted here, opensearch.yml is omitted in this assertion. + # This is okay, because the configuration file is already covered by the unit tests. --- apiVersion: v1 kind: ConfigMap 
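Review bot: Dropping the whole `opensearch.yml` key from this ConfigMap assertion also removes the only integration check of the settings that depend on the test scenario, namely `plugins.security.ssl.http.enabled` and the `pemcert_filepath`/`pemtrustedcas_filepath` values under the `server-use-tls` branch, together with `plugins.security.nodes_dn`. The added comment says the unit tests cover the file, but they cannot show what the deployed ConfigMap contains for each scenario. kuttl runs `commands` in a `TestAssert` with `$NAMESPACE` set, so a scripted check of the rendered file could keep these assertions without hard-coding the namespace or the cluster domain. The same applies to the second hunk (`@@ -1092,31 +1097,36 @@`) for the `data` role group.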
@@ -1092,31 +1097,36 @@ metadata: kind: OpenSearchCluster name: opensearch data: - opensearch.yml: | - cluster.name: opensearch - cluster.routing.allocation.disk.threshold_enabled: false - discovery.type: zen - network.host: 0.0.0.0 - node.attr.role-group: data - node.store.allow_mmap: false - path.logs: /stackable/log/opensearch - plugins.security.allow_default_init_securityindex: true - plugins.security.nodes_dn: - - DC=local,DC=cluster,DC=svc,DC=test,DC=opensearch-nodes-cluster-manager-headless,DC=opensearch-nodes-cluster-manager-* - - DC=local,DC=cluster,DC=svc,DC=test,DC=opensearch-nodes-data-headless,DC=opensearch-nodes-data-* - - CN=generated certificate for pod -{% if test_scenario['values']['server-use-tls'] == 'true' %} - plugins.security.ssl.http.enabled: true - plugins.security.ssl.http.pemcert_filepath: {{ test_scenario['values']['opensearch_home'] }}/config/tls/server/tls.crt - plugins.security.ssl.http.pemkey_filepath: {{ test_scenario['values']['opensearch_home'] }}/config/tls/server/tls.key - plugins.security.ssl.http.pemtrustedcas_filepath: {{ test_scenario['values']['opensearch_home'] }}/config/tls/server/ca.crt -{% else %} - plugins.security.ssl.http.enabled: false -{% endif %} - plugins.security.ssl.transport.enabled: true - plugins.security.ssl.transport.pemcert_filepath: {{ test_scenario['values']['opensearch_home'] }}/config/tls/internal/tls.crt - plugins.security.ssl.transport.pemkey_filepath: {{ test_scenario['values']['opensearch_home'] }}/config/tls/internal/tls.key - plugins.security.ssl.transport.pemtrustedcas_filepath: {{ test_scenario['values']['opensearch_home'] }}/config/tls/internal/ca.crt + log4j2.properties: | +{% raw %} + rootLogger.level = INFO + rootLogger.appenderRef.CONSOLE.ref = CONSOLE + rootLogger.appenderRef.FILE.ref = FILE + appender.CONSOLE.type = Console + appender.CONSOLE.name = CONSOLE + appender.CONSOLE.target = SYSTEM_ERR + appender.CONSOLE.layout.type = PatternLayout + appender.CONSOLE.layout.pattern = 
[%d{ISO8601}][%-5p][%-25c{1.}] [%node_name]%marker %m%n + appender.CONSOLE.filter.threshold.type = ThresholdFilter + appender.CONSOLE.filter.threshold.level = INFO + appender.FILE.type = RollingFile + appender.FILE.name = FILE + appender.FILE.fileName = /stackable/log/opensearch/opensearch_server.json + appender.FILE.filePattern = /stackable/log/opensearch/opensearch_server.json.%i + appender.FILE.layout.type = OpenSearchJsonLayout + appender.FILE.layout.type_name = server + appender.FILE.policies.type = Policies + appender.FILE.policies.size.type = SizeBasedTriggeringPolicy + appender.FILE.policies.size.size = 5MB + appender.FILE.strategy.type = DefaultRolloverStrategy + appender.FILE.strategy.max = 1 + appender.FILE.filter.threshold.type = ThresholdFilter + appender.FILE.filter.threshold.level = INFO +{% endraw %} + # opensearch.yml: | + # The property "plugins.security.nodes_dn" in opensearch.yml contains the namespace and cluster + # domain. Since these cannot be substituted here, opensearch.yml is omitted in this assertion. + # This is okay, because the configuration file is already covered by the unit tests. --- apiVersion: v1 kind: Service