add ssl bundle support for autoconfigured opensearch client #397

Merged
merged 2 commits into from
Dec 27, 2024

aivish (Contributor) commented Dec 27, 2024

Description

Allows configuring an SSL Bundle using opensearch.restclient.ssl.bundle.

Note: the certificate in integration tests is from opensearch security plugin's demo config (https://github.com/opensearch-project/security/blob/main/src/main/java/org/opensearch/security/tools/democonfig/Certificates.java#L157), if the certificate is changed in a future version then the integration test would probably break.

Looked at the SSL hot reload, but implementing it doesn't look that straightforward:

  • Saw some simple examples where a singleton bean is deleted and registered with DefaultSingletonBeanRegistry (could re-create the RestClient bean), but that doesn't really work because it would not affect the already autowired/injected beans.
  • Seems like this also requires changes on RestClient side, so it's possible to keep the same instance/bean and update its underlying http client. For example, allow swapping out the Apache HTTP client instance with a new one (currently it's final) or maybe the Apache HTTP client allows updating the SSLContext, either way need some method on RestClient side that allows something like that.

Where should I document that hot reload is not supported? The documentation for available properties is in javadoc, but I can't add anything to the restclient.ssl.bundle because the class is from Elasticsearch. Thought about adding Restclient to OpenSearchProperties, but that would be a breaking change in projects that do something like ElasticsearchProperties.Restclient restclientProperties = openSearchProperties.getRestclient().

Issues Resolved

resolve #396

Check List

  • New functionality includes testing.
    • All tests pass
  • New functionality has been documented.
    • New functionality has javadoc added
  • Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.
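
An application.yml showing how the opensearch.restclient.ssl.bundle property described above ties to a Spring Boot PEM SSL bundle. This is an added example, not configuration from the PR; the bundle name, certificate path, URI and environment variable names are placeholders, and the opensearch.uris/username/password keys are assumed from the starter's OpenSearchProperties.

```yaml
# Added example, not taken from the PR.
spring:
  ssl:
    bundle:
      pem:
        opensearch-demo:                 # hypothetical bundle name
          truststore:
            # PEM file holding the certificate(s) the client should trust
            certificate: "classpath:certs/opensearch-ca.pem"   # placeholder path

opensearch:
  uris: "https://localhost:9200"         # assumed property name; placeholder host
  username: "${OPENSEARCH_USERNAME}"     # placeholder environment variables
  password: "${OPENSEARCH_PASSWORD}"
  restclient:
    ssl:
      bundle: "opensearch-demo"          # property from this PR; must match the bundle name above

# Per the PR description, hot reload is not supported for this client, so do not
# rely on a changed PEM file being picked up by the already-created RestClient.
```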

reta (Collaborator) commented Dec 27, 2024

Thanks a lot @aivish LGTM but some tests need adjustments

- fix formatting
- add certificate used by OpenSearch 1.3.x
- don't need to set ssl context when ssl strategy is set

Signed-off-by: Aivis Henins <[email protected]>

aivish (Contributor Author) commented Dec 27, 2024

should be better now, opensearch 1.3.x uses different certificate, had to add it to the trusted certs as well

if the security plugin will change the demo certificate often then could get a bit annoying, but hopefully the test won't cause too much trouble for you..

@reta reta merged commit ebef1d5 into opensearch-project:main Dec 27, 2024
13 checks passed
Successfully merging this pull request may close these issues.

[FEATURE] https connection using Spring Boot SSL Bundle