CRITEO - Use built in java truststore for securityadmin.sh

opensearch-operator/pkg/builders/cluster.go

@@ -963,7 +963,9 @@ func NewSecurityconfigUpdateJob(
 	dns := DnsOfService(instance)
 	adminCert := "/certs/tls.crt"
 	adminKey := "/certs/tls.key"
-	caCert := "/certs/ca.crt"
+
+	// CRITEO WORKAROUND
+	// caCert := "/certs/ca.crt"
 
 	// Dummy node spec required to resolve image
 	node := opsterv1.NodePool{
@@ -980,14 +982,24 @@ func NewSecurityconfigUpdateJob(
 	})
 	//Following httpPort, securityconfigPath are used for executing securityadmin.sh
 	httpPort, securityconfigPath := helpers.VersionCheck(instance)
+
+	// CRITEO WORKAROUND
+	// -----------------
+	// We specify -ts instead of -cacert because our API certificates are signed by a real
+	// certificate authority, and are valid using Java's default turststore.
+	// '/certs/ca.crt' is the root for self signed admin cert, and will *not* work as a
+	// trust root for the rest API.
+	// See: https://github.com/Opster/opensearch-k8s-operator/issues/569
+	// -----------------
+
 	// The following curl command is added to make sure cluster is full connected before .opendistro_security is created.
 	arg := "ADMIN=/usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh;" +
 		"chmod +x $ADMIN;" +
 		fmt.Sprintf("until curl -k --silent https://%s.svc.%s:%v; do", dns, helpers.ClusterDnsBase(), instance.Spec.General.HttpPort) +
 		" echo 'Waiting to connect to the cluster'; sleep 120; " +
 		"done; " +
 		"count=0;" +
-		fmt.Sprintf("until $ADMIN -cacert %s -cert %s -key %s -cd %s -icl -nhnv -h %s.svc.%s -p %v || (( count++ >= 20 )); do", caCert, adminCert, adminKey, securityconfigPath, dns, helpers.ClusterDnsBase(), httpPort) +
+		fmt.Sprintf("until $ADMIN -ts /usr/share/opensearch/jdk/lib/security/cacerts -cert %s -key %s -cd %s -icl -nhnv -h %s.svc.%s -p %v || (( count++ >= 20 )); do", adminCert, adminKey, securityconfigPath, dns, helpers.ClusterDnsBase(), httpPort) +
 		"  sleep 20; " +
 		"done"
 	annotations := map[string]string{