provision and validate opensearch CA secret for tier-2

MJarmo · MJarmo · commit f632cf75ad72 · 2026-04-08T17:07:56.000+02:00
diff --git a/showroom/kubectl/secrets.example.yaml b/showroom/kubectl/secrets.example.yaml
@@ -6,6 +6,7 @@
 # - tier-2 otel: secret otel-otlp-ingest-htpasswd key htpasswd -> file /etc/otelcol-secrets/htpasswd
 #   The htpasswd line MUST authenticate the same user/password as otel-otlp-client-auth (tier-1 exporter).
 # - tier-2 otel OpenSearch: secret opensearch-credentials keys username, password -> OPENSEARCH_*
+# - tier-2 otel OpenSearch TLS: secret opensearch-ca-cert key ca.crt -> /etc/opensearch-ca/ca.crt
 #
 # Legacy (optional): copy this file to secrets.local.yaml (gitignored), replace REPLACE_ME, then:
 #   kubectl apply -f secrets.local.yaml
@@ -17,6 +18,8 @@
 #   (for example: `htpasswd -nbB otel-client strong-password`).
 # - opensearch-credentials.username/password: OpenSearch ingest user credentials (for example: admin/<strong-password> for local dev),
 #   preferably stored in OpenBao and injected from there.
+# - opensearch-ca-cert.ca.crt: PEM-encoded CA certificate that signs the OpenSearch HTTP certificate
+#   (for example: root-ca.pem from the OpenSearch deployment).
 ---
 apiVersion: v1
 kind: Secret
@@ -56,3 +59,13 @@ type: Opaque
 stringData:
   username: REPLACE_ME # OpenSearch username with index/write permissions (example local dev: admin), preferably stored/retrieved in OpenBao
   password: REPLACE_ME # Matching OpenSearch password (example local dev: admin password), preferably stored/retrieved in OpenBao
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: opensearch-ca-cert
+  namespace: tier-2
+type: Opaque
+stringData:
+  ca.crt: |
+    REPLACE_ME_PEM_CA_CERTIFICATE
diff --git a/showroom/tasks/otelcol-agent.yaml b/showroom/tasks/otelcol-agent.yaml
@@ -25,6 +25,8 @@ tasks:
     preconditions:
       - sh: "{{ .KUBECTL_CMD }} cluster-info >/dev/null 2>&1"
         msg: "Please ensure that you have a k8s-cluster running. Try:\ttask garden:set-kubeconfig"
+      - sh: "{{ .KUBECTL_CMD }} get secret opensearch-ca-cert -n {{ .NAMESPACE }} >/dev/null 2>&1"
+        msg: "Missing required secret tier-2/opensearch-ca-cert (key: ca.crt). Apply showroom/kubectl/secrets.example.yaml first."
     status:
       - "{{ .KUBECTL_CMD }} get pods -n {{ .NAMESPACE }} | grep otelcol-agent >/dev/null 2>&1"
     cmds:
@@ -40,6 +42,8 @@ tasks:
     preconditions:
       - sh: "{{ .KUBECTL_CMD }} cluster-info >/dev/null 2>&1"
         msg: "Please ensure that you have a k8s-cluster running. Try:\ttask garden:set-kubeconfig"
+      - sh: "{{ .KUBECTL_CMD }} get secret opensearch-ca-cert -n {{ .NAMESPACE }} >/dev/null 2>&1"
+        msg: "Missing required secret tier-2/opensearch-ca-cert (key: ca.crt). Apply showroom/kubectl/secrets.example.yaml first."
     cmds:
       - "{{ .KUBECTL_CMD }} apply -f kubectl/tier-2.yaml -n {{ .NAMESPACE }}"
       - echo "OpenTelemetry Collector agent setup upgraded successfully!"
