feat: support opensearch client cert auth #13641
1ec3604 to efcc81a
46557ba to 64d5ece
64d5ece to 5b6b4dd
Pull request overview
This PR adds support for client certificate authentication (mutual TLS) for OpenSearch and Elasticsearch storage backends, enabling more secure connections where clients present certificates to authenticate.
Key Changes:
- Adds `keyStorePath` and `keyStorePass` configuration options for client certificate keystore (PKCS12/JKS formats)
- Implements SSL/TLS configuration with mutual TLS support in ElasticSearchBuilder
- Updates Armeria dependency from 1.32.0 to 1.34.2 to support enhanced SSL/TLS features
- Includes comprehensive E2E test infrastructure with OpenSearch SSL configuration and certificate generation
Reviewed changes
Copilot reviewed 26 out of 28 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| test/e2e-v2/java-test-service/pom.xml | Updates Lombok and Maven compiler plugin versions for compatibility |
| test/e2e-v2/cases/storage/opensearch/opensearch.yml | Configures OpenSearch SSL/TLS with client certificate authentication |
| test/e2e-v2/cases/storage/opensearch/internal_users.yml | Defines internal admin user for OpenSearch security |
| test/e2e-v2/cases/storage/opensearch/generate-certs.sh | Shell script to generate test certificates (CA, node, admin, client) |
| test/e2e-v2/cases/storage/opensearch/docker-compose.yml | E2E test setup with SSL-enabled OpenSearch and client certificate configuration |
| test/e2e-v2/cases/storage/opensearch/clientcert_config.yml | OpenSearch security configuration for client certificate authentication |
| test/e2e-v2/cases/storage/opensearch/certs/*.pem | Generated SSL certificates and keystores for testing |
| oap-server/server-storage-plugin/.../StorageModuleElasticsearchProvider.java | Adds keystore validation and file monitoring for client certificates |
| oap-server/server-storage-plugin/.../StorageModuleElasticsearchConfig.java | Adds keyStorePath and keyStorePass configuration properties |
| oap-server/server-starter/src/main/resources/application.yml | Exposes new keystore configuration with environment variable support |
| oap-server/server-library/library-elasticsearch-client/.../ElasticSearchIT.java | Adds test for ElasticSearch client builder functionality |
| oap-server/server-library/library-elasticsearch-client/.../ElasticSearchBuilder.java | Implements mutual TLS with keystore/truststore loading and certificate logging |
| oap-server/server-library/library-client/.../ElasticSearchIT.java | Updates test constructor calls with new keystore parameters |
| oap-server/server-library/library-client/.../ElasticSearchClient.java | Adds keystore parameters and conditional configuration logic |
| oap-server-bom/pom.xml | Upgrades Armeria to 1.34.2 for enhanced SSL/TLS support |
| dist-material/release-docs/LICENSE | Updates license attributions for upgraded dependencies |
| .licenserc.yaml | Updates dependency versions in license configuration |
| .github/workflows/skywalking.yaml | Removes OpenSearch 1.1.0 from E2E tests (likely due to SSL incompatibility) |
Please update the elastic/opensearch storage docs about how to use different auth in different servers.
d5b2f13 to 0d06b3a
Pull request overview
Copilot reviewed 27 out of 29 changed files in this pull request and generated 2 comments.
| We support and tested the following versions of OpenSearch: | ||
|
|
||
| - 1.1.0, 1.3.10 | ||
| - 1.3.10 |
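Review bot: the list under "We support and tested the following versions of OpenSearch" goes from "1.1.0, 1.3.10" to "1.3.10", which a reader will take as dropping support for 1.1.0 because the sentence covers both supported and tested versions. If 1.1.0 is only leaving the test coverage, state that here, for example by listing tested versions separately from supported ones, so the docs do not announce a compatibility change that the code does not make.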
Do we remove the support of 1.1.0, or is it just because it has not been tested?
> Do we remove the support of 1.1.0, or is it just because it has not been tested?

We just remove it from the test matrix
CHANGESlog.