[BUG][Opensearch] Unable to read the file root-ca.pem on fresh install #661
Description
Describe the bug
A fresh install on a k0s cluster, running on a fresh copy of Ubuntu Server will lead to this error on startup.
java.lang.IllegalStateException: failed to load plugin class [org.opensearch.security.OpenSearchSecurityPlugin]
Likely root cause: OpenSearchException[Unable to read the file root-ca.pem. Please make sure this files exists and is readable regarding to permissions]
at org.opensearch.security.ssl.config.SslCertificatesLoader.resolvePath(SslCertificatesLoader.java:170)
at org.opensearch.security.ssl.config.SslCertificatesLoader.loadConfiguration(SslCertificatesLoader.java:90)
at org.opensearch.security.ssl.SslSettingsManager.loadConfigurations(SslSettingsManager.java:145)
at org.opensearch.security.ssl.SslSettingsManager.buildSslContexts(SslSettingsManager.java:101)
at org.opensearch.security.ssl.SslSettingsManager.<init>(SslSettingsManager.java:88)
at org.opensearch.security.ssl.OpenSearchSecuritySSLPlugin.<init>(OpenSearchSecuritySSLPlugin.java:249)
at org.opensearch.security.OpenSearchSecurityPlugin.<init>(OpenSearchSecurityPlugin.java:326)
at java.base/jdk.internal.reflect.DirectConstructorHandleAccessor.newInstance(DirectConstructorHandleAccessor.java:62)
at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:502)
at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:486)
at org.opensearch.plugins.PluginsService.loadPlugin(PluginsService.java:809)
at org.opensearch.plugins.PluginsService.loadBundle(PluginsService.java:757)
at org.opensearch.plugins.PluginsService.loadBundles(PluginsService.java:551)
at org.opensearch.plugins.PluginsService.<init>(PluginsService.java:197)
at org.opensearch.node.Node.<init>(Node.java:524)
at org.opensearch.node.Node.<init>(Node.java:451)
at org.opensearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:242)
at org.opensearch.bootstrap.Bootstrap.setup(Bootstrap.java:242)
at org.opensearch.bootstrap.Bootstrap.init(Bootstrap.java:404)
at org.opensearch.bootstrap.OpenSearch.init(OpenSearch.java:181)
at org.opensearch.bootstrap.OpenSearch.execute(OpenSearch.java:172)
at org.opensearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:104)
at org.opensearch.cli.Command.mainWithoutErrorHandling(Command.java:138)
at org.opensearch.cli.Command.main(Command.java:101)
at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:138)
at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:104)
For complete error details, refer to the log at /usr/share/opensearch/logs/opensearch-cluster.log
To Reproduce
Here are the commands that I ran:
helm install opensearchtest opensearch/opensearch \
--set "extraEnvs[0].name=OPENSEARCH_INITIAL_ADMIN_PASSWORD" \
--set "extraEnvs[0].value=$OPENSEARCH_INITIAL_ADMIN_PASSWORD"
Expected behavior
Expectation was that there would be a cluster of 3 nodes stable with the initial password set.
Chart Name
opensearchtest monitoring 1 2025-03-10 12:18:42.73212 +0000 UTC deployed opensearch-2.32.0 2.19.1
Screenshots
If applicable, add screenshots to help explain your problem.
Host/Environment (please complete the following information):
k8s: 1.32.1
➜ ~ helm version
version.BuildInfo{Version:"v3.14.3", GitCommit:"f03cc04caaa8f6d7c3e67cf918929150cf6f3f12", GitTreeState:"clean", GoVersion:"go1.22.1"}
Additional context
Add any other context about the problem here.
This is also mentioned in this: #642 (comment)