Is your feature request related to a problem?
Sort of. There is functionality in opensearch-security to reload TLS certificates in opensearch-security. It's not really documented, though.
What solution would you like?
Let folks know about the plugins.security.ssl_cert_reload_enabled flag, and that certificate reloads can be triggered with a PUT to /_opendistro/_security/api/ssl/{http,transport}/reloadcerts. Also let folks know what API access is required to make that happen.
What alternatives have you considered?
I could restart OpenSearch, I suppose, but would like to avoid that if I can.
Do you have any additional context?
We issue short-ish (weeks) lived PKI certificates using HashiCorp Vault. They work well, but I'd like to avoid having to restart OS if possible. Code for the SSLReloadCertsAction is available here.
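The reload described in this request, sketched as an added example (not part of the original issue and not the opensearch-security project's own code). It assumes plugins.security.ssl_cert_reload_enabled is enabled on the node and that the client certificate presented has whatever access the API requires, which the issue leaves open; the environment variable names and file paths are hypothetical.

```shell
#!/bin/sh
# Added example: trigger a TLS certificate reload on one OpenSearch node.
# Assumed (not from the issue): OS_URL, ADMIN_CERT, ADMIN_KEY, CA_CERT and their defaults.
OS_URL="${OS_URL:-https://localhost:9200}"
ADMIN_CERT="${ADMIN_CERT:-/path/to/client-cert.pem}"
ADMIN_KEY="${ADMIN_KEY:-/path/to/client-key.pem}"
CA_CERT="${CA_CERT:-/path/to/root-ca.pem}"

# Build the reload URL for one layer. Only "http" and "transport" are accepted,
# so nothing else can be spliced into the request path.
reload_url() {
    case "$1" in
        http|transport)
            printf '%s/_opendistro/_security/api/ssl/%s/reloadcerts\n' "${OS_URL%/}" "$1" ;;
        *)
            echo "unknown layer: $1" >&2
            return 2 ;;
    esac
}

# PUT to the reload endpoint for each layer; returns non-zero if any reload fails.
reload_certs() {
    rc=0
    for layer in "$@"; do
        url=$(reload_url "$layer") || { rc=1; continue; }
        # --fail makes curl exit non-zero on an HTTP error status (for example 403),
        # so a rejected request is not mistaken for a successful reload.
        if curl --silent --show-error --fail --max-time 30 \
                --cacert "$CA_CERT" --cert "$ADMIN_CERT" --key "$ADMIN_KEY" \
                -X PUT "$url" >/dev/null; then
            echo "reloaded $layer certificates"
        else
            echo "reload failed for $layer" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Typical call once the renewed certificate files are in place on disk:
#   reload_certs http transport
```

Run it on each node after the renewed certificate has been written, and alert on a non-zero exit so an expired certificate is not left in service.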