Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add hot reload TLS certificate section #433 #6875

Merged
merged 8 commits into from
Apr 18, 2024
Merged

Add hot reload TLS certificate section #433 #6875

merged 8 commits into from
Apr 18, 2024

Conversation

AntonEliatra
Copy link
Contributor

Description

Adding a section outlining TLS certificate Hot Reloading API

Issues Resolved

Part of #433

Checklist

  • By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and subject to the Developers Certificate of Origin.
    For more information on following Developer Certificate of Origin and signing off your commits, please check here.

@AntonEliatra
adding hot reload TLS certificate section opensearch-project#433
9ad86dd 
Signed-off-by: AntonEliatra <anton.rubin@eliatra.com>
@AntonEliatra
fixing issues on hot reload opensearch-project#433
c5afdc2 
Signed-off-by: AntonEliatra <anton.rubin@eliatra.com>
@AntonEliatra AntonEliatra mentioned this pull request Apr 4, 2024
Closed
Naarcha-AWS and others added 2 commits April 5, 2024 12:27
@Naarcha-AWS
Merge branch 'main' into adding-hot-reload-certificate
89354ff
@AntonEliatra
Update tls.md
6f47374 
Signed-off-by: AntonEliatra <anton.rubin@eliatra.com>
@Naarcha-AWS Naarcha-AWS added security 3 - Tech review PR: Tech review in progress labels Apr 8, 2024
stephen-crawford
stephen-crawford approved these changes Apr 9, 2024
View reviewed changes
Copy link
Contributor

@stephen-crawford stephen-crawford left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me

@Naarcha-AWS Naarcha-AWS added 4 - Doc review PR: Doc review in progress and removed 3 - Tech review PR: Tech review in progress labels Apr 10, 2024
Naarcha-AWS
Naarcha-AWS requested changes Apr 12, 2024
View reviewed changes
_security/configuration/tls.md Outdated Show resolved Hide resolved
_security/configuration/tls.md Outdated Show resolved Hide resolved
_security/configuration/tls.md Outdated Show resolved Hide resolved
_security/configuration/tls.md Outdated Show resolved Hide resolved
_security/configuration/tls.md Show resolved Hide resolved
_security/configuration/tls.md Outdated Show resolved Hide resolved
_security/configuration/tls.md Outdated Show resolved Hide resolved
_security/configuration/tls.md Outdated Show resolved Hide resolved
_security/configuration/tls.md Outdated Show resolved Hide resolved
@AntonEliatra @Naarcha-AWS
Apply suggestions from code review
3ac3126 
Co-authored-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com>
Signed-off-by: AntonEliatra <anton.rubin@eliatra.com>
@hdhalter hdhalter changed the title adding hot reload TLS certificate section #433 Add hot reload TLS certificate section #433 Apr 15, 2024
@Naarcha-AWS Naarcha-AWS added 5 - Editorial review PR: Editorial review in progress and removed 4 - Doc review PR: Doc review in progress labels Apr 17, 2024
natebower
natebower reviewed Apr 17, 2024
View reviewed changes
Copy link
Collaborator

@natebower natebower left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@AntonEliatra @Naarcha-AWS Please see my comments and changes and let me know if you have any questions. Thanks!

_security/configuration/tls.md Outdated Show resolved Hide resolved
_security/configuration/tls.md Outdated Show resolved Hide resolved
_security/configuration/tls.md Outdated Show resolved Hide resolved
_security/configuration/tls.md Outdated

After enabling hot reloading, use the Reload Certificates API to replace the expired certification. The API expects the old certificates to be replaced with valid certificates issued with the same `Issuer/Subject DN` and `SAN`. The new certificates also need be in the same location as the previous certificates, in order to prevent any changes to `opensearch.yml` file.

Only a [super admin]({{site.url}}{{site.baseurl}}/security/configuration/tls/#configuring-admin-certificates) can use the Reload Certificates API.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We've been using this as one word. I'll add it to the style guide/Vale if I haven't already.

_security/configuration/tls.md Outdated
{: .note }

### Reload TLS certificates on the transport layer
The following example reloads TLS certificates on the transport layer:
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's add the noun after "example".

_security/configuration/tls.md Outdated

### Reload TLS certificates on the http layer

The following example reloads TLS certificates on the `http` layer:
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's add the noun after "example".

AntonEliatra and others added 2 commits April 17, 2024 17:02
@AntonEliatra @natebower
Apply suggestions from code review
15c8026 
Co-authored-by: Nathan Bower <nbower@amazon.com>
Signed-off-by: AntonEliatra <anton.rubin@eliatra.com>
@AntonEliatra
Update tls.md
7b42bee 
Signed-off-by: AntonEliatra <anton.rubin@eliatra.com>
@Naarcha-AWS Naarcha-AWS added the backport 2.13 PR: Backport label for 2.13 label Apr 17, 2024
@Naarcha-AWS Naarcha-AWS merged commit fa38567 into opensearch-project:main Apr 18, 2024
5 checks passed
opensearch-trigger-bot bot pushed a commit that referenced this pull request Apr 18, 2024
@github-actions @Naarcha-AWS @natebower
Add hot reload TLS certificate section #433 (#6875)
80088f6 
* adding hot reload TLS certificate section #433

Signed-off-by: AntonEliatra <anton.rubin@eliatra.com>

* fixing issues on hot reload #433

Signed-off-by: AntonEliatra <anton.rubin@eliatra.com>

* Update tls.md

Signed-off-by: AntonEliatra <anton.rubin@eliatra.com>

* Apply suggestions from code review

Co-authored-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com>
Signed-off-by: AntonEliatra <anton.rubin@eliatra.com>

* Apply suggestions from code review

Co-authored-by: Nathan Bower <nbower@amazon.com>
Signed-off-by: AntonEliatra <anton.rubin@eliatra.com>

* Update tls.md

Signed-off-by: AntonEliatra <anton.rubin@eliatra.com>

---------

Signed-off-by: AntonEliatra <anton.rubin@eliatra.com>
Co-authored-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com>
Co-authored-by: Nathan Bower <nbower@amazon.com>
(cherry picked from commit fa38567)
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
@opensearch-trigger-bot opensearch-trigger-bot bot mentioned this pull request Apr 18, 2024
Merged
github-actions bot pushed a commit that referenced this pull request Apr 18, 2024
@opensearch-trigger-bot
Add hot reload TLS certificate section #433 (#6875) (#6975)
717ee6c
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@natebower natebower natebower left review comments

@Naarcha-AWS Naarcha-AWS Naarcha-AWS approved these changes

@stephen-crawford stephen-crawford stephen-crawford approved these changes

@hdhalter hdhalter Awaiting requested review from hdhalter

@kolchfa-aws kolchfa-aws Awaiting requested review from kolchfa-aws kolchfa-aws is a code owner

@vagimeli vagimeli Awaiting requested review from vagimeli

@AMoo-Miki AMoo-Miki Awaiting requested review from AMoo-Miki AMoo-Miki is a code owner

@dlvenable dlvenable Awaiting requested review from dlvenable dlvenable is a code owner

@epugh epugh Awaiting requested review from epugh epugh is a code owner

Assignees

@stephen-crawford stephen-crawford

@Naarcha-AWS Naarcha-AWS

Labels
5 - Editorial review PR: Editorial review in progress backport 2.13 PR: Backport label for 2.13 security
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@AntonEliatra @stephen-crawford @Naarcha-AWS @natebower