feat: Use proper subject DNs in plugins.security.nodes_dn

CHANGELOG.md

@@ -15,11 +15,14 @@ All notable changes to this project will be documented in this file.
 - BREAKING: `configOverrides` now only accepts the known config file `opensearch.yml`.
   Previously, arbitrary file names were silently accepted and ignored ([#137]).
 - Bump `stackable-operator` to 0.110.1 ([#137]).
+- Replace the generic subject DN in the configuration setting `plugins.security.nodes_dn` with the
+  FQDNs of the OpenSearch nodes ([#144]).
 
 [#129]: https://github.com/stackabletech/opensearch-operator/pull/129
 [#130]: https://github.com/stackabletech/opensearch-operator/pull/130
 [#137]: https://github.com/stackabletech/opensearch-operator/pull/137
 [#141]: https://github.com/stackabletech/opensearch-operator/pull/141
+[#144]: https://github.com/stackabletech/opensearch-operator/pull/144
 
 ## [26.3.0] - 2026-03-16
 

Cargo.toml

@@ -29,4 +29,5 @@ tracing = "0.1"
 uuid = "1.18"
 
 [patch."https://github.com/stackabletech/operator-rs"]
-# stackable-operator = { git = "https://github.com/stackabletech//operator-rs.git", branch = "main" }
+stackable-operator = { git = "https://github.com/stackabletech//operator-rs.git", branch = "feat/annotation-auto-tls-cert-subject-dn" }
+# stackable-operator = { path = "../operator-rs/crates/stackable-operator" }

rust/operator-binary/src/controller/build/node_config.rs

@@ -1,5 +1,7 @@
 //! Configuration of an OpenSearch node
 
+use std::iter;
+
 use serde_json::json;
 use stackable_operator::{
     builder::pod::container::FieldPathEnvVar, commons::networking::DomainName,
@@ -17,7 +19,7 @@ use crate::{
         builder::pod::container::{EnvVarName, EnvVarSet},
         config_overrides::JsonConfigOverrides,
         product_logging::framework::STACKABLE_LOG_DIR,
-        role_group_utils,
+        role_group_utils::{self, ResourceNames},
         types::{kubernetes::ServiceName, operator::RoleGroupName},
     },
 };
@@ -203,10 +205,7 @@ impl NodeConfig {
             // Bind to all interfaces because the IP address is not known in advance.
             CONFIG_OPTION_NETWORK_HOST: "0.0.0.0",
             CONFIG_OPTION_DISCOVERY_TYPE: self.discovery_type(),
-            // Accept certificates generated by the secret-operator
-            CONFIG_OPTION_PLUGINS_SECURITY_NODES_DN: [
-                "CN=generated certificate for pod"
-            ],
+            CONFIG_OPTION_PLUGINS_SECURITY_NODES_DN: json!(self.nodes_dn()),
             CONFIG_OPTION_NODE_ATTR_ROLE_GROUP: self.role_group_name,
             CONFIG_OPTION_PATH_LOGS: format!(
                 "{STACKABLE_LOG_DIR}/{container}",
@@ -236,6 +235,50 @@ impl NodeConfig {
         config
     }
 
+    /// Returns the list of distinguished names (DNs) that denote the other nodes in the cluster.
+    ///
+    /// The list looks similar to:
+    /// - DC=local,DC=cluster,DC=svc,DC=my-namespace,DC=opensearch-nodes-cluster-manager-headless,DC=opensearch-nodes-cluster-manager-*
+    /// - DC=local,DC=cluster,DC=svc,DC=my-namespace,DC=opensearch-nodes-data-headless,DC=opensearch-nodes-data-*
+    /// - CN=generated certificate for pod
+    ///
+    /// The entry "CN=generated certificate for pod" is still added to make the transition from
+    /// SDP 26.3 to 26.7 possible.
+    fn nodes_dn(&self) -> Vec<String> {
+        self.cluster
+            .role_group_configs
+            .keys()
+            .map(|role_group_name| {
+                let resource_names = ResourceNames {
+                    cluster_name: self.cluster.name.clone(),
+                    role_name: ValidatedCluster::role_name(),
+                    role_group_name: role_group_name.clone(),
+                };
+
+                self.cluster_domain_name
+                    .split('.')
+                    .rev()
+                    .chain([
+                        "svc",
+                        self.cluster.namespace.as_ref(),
+                        resource_names.headless_service_name().as_ref(),
+                        &format!(
+                            "{stateful_set_name}-*",
+                            stateful_set_name = resource_names.stateful_set_name()
+                        ),
+                    ])
+                    .map(|component| format!("DC={component}"))
+                    .collect::<Vec<_>>()
+                    .join(",")
+            })
+            // TODO Remove "CN=generated certificate for pod" after the release of SDP 26.7 and
+            // adapt the comment of the function and the tests.
+            //
+            // tracked in https://github.com/stackabletech/opensearch-operator/issues/145
+            .chain(iter::once("CN=generated certificate for pod".to_owned()))
+            .collect()
+    }
+
     /// Distinguished name (DN) of the super admin certificate
     pub fn super_admin_dn(&self) -> String {
         // The common name field is limited to 64 characters, see RFC 5280.
@@ -658,6 +701,7 @@ mod tests {
                 "path.logs: /stackable/log/opensearch\n",
                 "plugins.security.authcz.admin_dn: CN=update-security-config.0b1e30e6-326e-4c1a-868d-ad6598b49e8b\n",
                 "plugins.security.nodes_dn:\n",
+                "- DC=local,DC=cluster,DC=svc,DC=default,DC=my-opensearch-cluster-nodes-default-headless,DC=my-opensearch-cluster-nodes-default-*\n",
                 "- CN=generated certificate for pod\n",
                 "plugins.security.ssl.http.enabled: true\n",
                 "plugins.security.ssl.http.pemcert_filepath: /stackable/opensearch/config/tls/server/tls.crt\n",