CSPL-4878: Add operator-driven TLS certificate configuration for server and input (S2S) certs#906

Open
minjieqiu wants to merge 3 commits into splunk:develop from minjieqiu:cert-phase1-poc

Conversation

@minjieqiu (Contributor)

Summary

Introduces Ansible support for mounting and configuring TLS certificates delivered by the Splunk Operator (SOK) as Kubernetes Secrets. This is the format-adaptor layer of the SOK Certificate Management design (Phase 1).

  • Adds configure_splunk_certs.yml — dispatcher that checks for operator-mounted cert directories under /mnt/tls/ and conditionally includes per-cert-type tasks. If a cert directory is absent, Ansible skips it entirely with no error.
  • Adds configure_server_cert.yml — reads tls.crt, tls.key, ca.crt from /mnt/tls/splunk-server-tls-cert/, generates an ephemeral passphrase, encrypts the private key, bundles cert+key into splunk-server-bundle.pem, and configures server.conf [sslConfig] (serverCert, sslPassword, sslRootCAPath).
  • Adds configure_input_cert.yml — same flow for S2S input cert, reads from /mnt/tls/splunk-input-tls-cert/, configures inputs.conf [SSL], outputs splunk-input-bundle.pem and splunk-input-ca.pem.
  • Wires configure_splunk_certs.yml into main.yml before the existing enable_splunkd_ssl.yml step, gated on Linux only.

Design Notes

  • Non-breaking: cert processing is fully conditional on directory existence. Existing deployments without operator-mounted certs are unaffected.
  • Extensible: adding a new cert type (e.g. web) requires only a new stat + include_tasks entry in the dispatcher and a corresponding task file.
  • Ephemeral passphrase: a new random passphrase is generated at each pod startup to meet Splunk's bundled cert format requirement. The passphrase is not persisted.
  • Output file naming: consistent splunk-<role>-bundle.pem / splunk-<role>-ca.pem pattern across all cert types.

Test Plan

  • Deploy SOK with these Ansible changes baked into the Splunk image
  • Deploy Standalone with no cert secret — verify Ansible skips cert configuration cleanly
  • Create splunk-server-tls-cert secret with tls.crt, tls.key, ca.crt — verify splunk-server-bundle.pem created and server.conf [sslConfig] configured correctly
  • Create splunk-input-tls-cert secret — verify splunk-input-bundle.pem created and inputs.conf [SSL] configured correctly
  • Verify Splunk REST endpoint (port 8089) and S2S port (9997) accept TLS connections using the configured certs
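
The per-cert-type flow described in the summary (check the mount exists, generate an ephemeral passphrase, encrypt the key, write splunk-&lt;role&gt;-bundle.pem and splunk-&lt;role&gt;-ca.pem, set the [sslConfig] keys), reproduced below as an added shell example with plain openssl commands. It is not the PR's Ansible code and not part of splunk-ansible; it assumes only that openssl is on PATH, imitates the /mnt/tls/&lt;secret&gt; layout under a temporary directory, and constructs a throwaway CA and leaf cert as input. It adds two checks the PR text does not mention, both worth having before splunkd sees the bundle: that tls.key matches tls.crt, and that tls.crt chains to ca.crt.

```shell
#!/bin/sh
# Added example, not the PR's Ansible tasks: the bundling flow the PR describes,
# done with plain openssl so it can be read and run in isolation.
# Assumptions: openssl on PATH; every path and cert below is constructed for the
# demo (the operator's /mnt/tls/<secret> layout is imitated under a temp dir).
set -eu
umask 077   # everything written here holds key material: owner-only from the start

WORK="${WORK:-$(mktemp -d)}"
MOUNT_DIR="$WORK/mnt/tls/splunk-server-tls-cert"   # stands in for the operator mount
OUT_DIR="$WORK/etc/auth"                           # stands in for $SPLUNK_HOME/etc/auth

# Constructed sample input: a throwaway CA plus a leaf cert/key, laid out the way
# the operator projects the Secret (tls.crt, tls.key, ca.crt). Not real certs.
make_sample_mount() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = example-test-ca
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    openssl req -x509 -config "$dir/req.cnf" -newkey rsa:2048 -nodes -sha256 \
        -days 1 -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -new -config "$dir/req.cnf" -subj "/CN=splunk-example" \
        -newkey rsa:2048 -nodes -keyout "$dir/tls.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -sha256 -days 1 -out "$dir/tls.crt" 2>/dev/null
    rm -f "$dir/req.cnf" "$dir/leaf.csr" "$dir/ca.key" "$dir/ca.srl"
}

# Mirror of the PR's per-cert-type task. Produces no output when the mount is
# absent (the "skip cleanly" case); otherwise validates the material, wraps the
# key under a fresh passphrase, writes the bundle and CA file, and prints the
# passphrase so the caller can place it in the conf stanza and nowhere else.
bundle_cert() {
    mount_dir="$1"; out_dir="$2"; role="$3"
    [ -d "$mount_dir" ] || { echo "no cert mounted at $mount_dir, skipping $role" >&2; return 0; }
    for f in tls.crt tls.key ca.crt; do
        [ -s "$mount_dir/$f" ] || { echo "$mount_dir/$f missing or empty" >&2; return 1; }
    done
    # Fail early on the two mistakes that would otherwise surface only as a
    # splunkd TLS error: a key that does not belong to the cert, and a cert
    # that does not chain to the supplied ca.crt.
    [ "$(openssl x509 -in "$mount_dir/tls.crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$mount_dir/tls.key" -pubout)" ] \
        || { echo "tls.key does not match tls.crt" >&2; return 1; }
    openssl verify -CAfile "$mount_dir/ca.crt" "$mount_dir/tls.crt" >/dev/null 2>&1 \
        || { echo "tls.crt does not chain to ca.crt" >&2; return 1; }

    mkdir -p "$out_dir"
    pass="$(openssl rand -base64 32 | tr -d '\n')"   # ephemeral: lives only in this shell
    enc_key="$out_dir/.$role-key.tmp"
    openssl pkey -in "$mount_dir/tls.key" -aes256 -passout "pass:$pass" -out "$enc_key"
    # Confirm the passphrase really opens the encrypted key before depending on it
    openssl pkey -in "$enc_key" -passin "pass:$pass" -noout
    cat "$mount_dir/tls.crt" "$enc_key" > "$out_dir/splunk-$role-bundle.pem"
    cp "$mount_dir/ca.crt" "$out_dir/splunk-$role-ca.pem"
    rm -f "$enc_key"
    printf '%s' "$pass"
}

# The [sslConfig] stanza the PR sets in server.conf, with the three keys it names.
write_sslconfig() {
    conf="$1"; bundle="$2"; ca="$3"; pass="$4"
    printf '[sslConfig]\nserverCert = %s\nsslPassword = %s\nsslRootCAPath = %s\n' \
        "$bundle" "$pass" "$ca" > "$conf"
}

make_sample_mount "$MOUNT_DIR"
SERVER_PASS="$(bundle_cert "$MOUNT_DIR" "$OUT_DIR" server)"
write_sslconfig "$OUT_DIR/server.conf" "$OUT_DIR/splunk-server-bundle.pem" \
    "$OUT_DIR/splunk-server-ca.pem" "$SERVER_PASS"
# Second, input-style call with nothing mounted: must be a clean no-op
INPUT_PASS="$(bundle_cert "$WORK/mnt/tls/splunk-input-tls-cert" "$OUT_DIR" input)"
echo "server bundle written under $OUT_DIR; input mount absent, skipped"
```

Two points the script makes visible that the Ansible version should preserve: the only copy of the passphrase outside the shell is the sslPassword line, so the protection it adds to the bundled key is exactly the protection server.conf itself has (umask 077 here; equivalent ownership and mode in the image), and the cert/key match and chain checks turn a misconfigured Secret into a failed task with a clear message instead of a splunkd that starts and then refuses TLS connections.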

minjieqiu and others added 3 commits May 28, 2026 13:14
Introduces two new task files:
- configure_splunk_certs.yml: dispatcher that checks for operator-mounted
  cert directories under /mnt/tls/ and includes per-cert-type tasks
- configure_server_cert.yml: reads tls.crt, tls.key, ca.crt from
  /mnt/tls/splunk-server-tls-cert/, generates an ephemeral passphrase,
  encrypts the private key, bundles cert+key into server-bundle.pem,
  and configures server.conf [sslConfig] stanzas

Adds include of configure_splunk_certs.yml in main.yml before the
existing enable_splunkd_ssl.yml step, gated on Linux only.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Adds configure_input_cert.yml: reads tls.crt, tls.key, ca.crt from
/mnt/tls/splunk-input-tls-cert/, generates an ephemeral passphrase,
encrypts the private key, bundles cert+key into input-bundle.pem,
and configures inputs.conf [SSL] stanzas (serverCert, sslPassword,
sslRootCAPath).

Updates configure_splunk_certs.yml dispatcher to check for the input
cert mount and include configure_input_cert.yml when present.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Use splunk-server-bundle.pem and splunk-server-ca.pem instead of
server-bundle.pem and splunk-ca.pem, consistent with the input cert
naming (input-bundle.pem, splunk-input-ca.pem).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@minjieqiu minjieqiu requested a review from a team as a code owner May 28, 2026 20:27
@minjieqiu minjieqiu changed the title Add operator-driven TLS certificate configuration for server and input (S2S) certs CSPL-4878: Add operator-driven TLS certificate configuration for server and input (S2S) certs May 28, 2026