I have a deployment server and a single cluster master with two clustered indexers (pretty simple) in this setup.
As documented everywhere, I am distributing the authentication.conf files in Apps and using the cluster master to distribute this.
I created an auth\local\authentication.conf app and I have put this into the master-apps folder on the Cluster Master.
When I look at the Indexers, I see that the auth\local\authentication.conf app is appearing in the slave-apps folder AND in the apps folder.
When I check this in btool, I see that the bindDNpassword in the slave-apps directory is plain text and not encrypted, but Splunk has encrypted the bindDNpassword in the apps folder.
I don't believe that this is expected behaviour - how do I get this to work?
This makes sense, from everything that I have seen and understand, but if I need to distribute the authentication.conf to all of the indexers and the cluster master/configuration bundles are the only way, what am to do for items like this? Am I to manually put the app into the /etc/apps directory and then send another Configuration Bundle down to my indexers to get them to pick up the new app?
I didn't understand why you need to push authentication.conf every time to Indexer cluster because search head sending bundles to Indexers when any search query will execute on search head and it will pass necessary authentication to Indexer, so no need to provide access to any users on Indexer. Only you need to provide access users on search heads.
And if you really want to push authentication.conf in indexer cluster then there will no solution for your requirement as per my knowledge.