Opensearch disable ssl/https but not SecurityPlugin

Question

it is possible now disable ssl/https but not SecurityPlugin itself?

Previously, in docker-compose, I could do this simply by disabling "plugins.security.ssl.http.enabled=false". Now I install using helm and it doesn't work. OpenSearch wants aalways certificate.

I've been trying different options for a few hours now. "DISABLE_SECURITY_PLUGIN=true" - Disabling security completely is not an option for me.

I get always following error.

Likely root cause: OpenSearchException[plugins.security.ssl.transport.keystore_filepath or plugins.security.ssl.transport.server.pemcert_filepath and plugins.security.ssl.transport.client.pemcert_filepath must be set if transport ssl is requested.]

My

  opensearch.yml: |
    cluster.name: opensearch-cluster
    network.host: 0.0.0.0
    plugins:
      security:
        ssl:
          transport:
            enabled: false
            enforce_hostname_verification: false
          http:
            enabled: false
        allow_unsafe_democertificates: false
        allow_default_init_securityindex: true
        audit.type: internal_opensearch
        enable_snapshot_restore_privilege: true
        check_snapshot_restore_write_privileges: true
        restapi:
          roles_enabled: ["all_access", "security_rest_api_access"]
        system_indices:
          enabled: true
          indices:
            [
              ".opendistro-alerting-config",
              ".opendistro-alerting-alert*",
              ".opendistro-anomaly-results*",
              ".opendistro-anomaly-detector*",
              ".opendistro-anomaly-checkpoints",
              ".opendistro-anomaly-detection-state",
              ".opendistro-reports-*",
              ".opendistro-notifications-*",
              ".opendistro-notebooks",
              ".opendistro-asynchronous-search-response*",
            ]

Answer 1

According to the documentation, there is no plugins.security.ssl.transport.enable option and TLS is mandatory for the transport layer. So you can copy values from helm chart. In this case you need also set option plugins.security.ssl.allow_unsafe_democertificates to true for the default certificates to work. The final config looks like the following:

  opensearch.yml: |
    cluster.name: opensearch-cluster
    network.host: 0.0.0.0
    plugins:
      security:
        ssl:
          transport:
            pemcert_filepath: esnode.pem
            pemkey_filepath: esnode-key.pem
            pemtrustedcas_filepath: root-ca.pem
            enforce_hostname_verification: false
          http:
            enabled: false
        allow_unsafe_democertificates: true