Merge pull request #1890 from opencloud-eu/fix-opensearch-client-cert

fix opensearch client certificate well ... technically it is not a fix. We expected the certificate on the CLI to be in PEM format. so, it would have worked if you used sth. like: ```console export SEARCH_ENGINE_OPEN_SEARCH_CLIENT_CA_CERT="-----BEGIN CERTIFICATE----- MIIDXTCCAkWgAwIBAgIJAKJ... ... -----END CERTIFICATE-----" ``` which was different than all our other cert env vars, which take a path.
2025-12-23 22:29:59 -05:00 · 2025-11-21 15:15:48 +01:00
parent d1fa52b603 538e8141b2
commit c1fcf71d42
2 changed files with 31 additions and 23 deletions
--- a/services/search/pkg/command/server.go
+++ b/services/search/pkg/command/server.go
@@ -5,6 +5,7 @@ import (
 	"crypto/tls"
 	"fmt"
 	"net/http"
+	"os"
 	"os/signal"

 	"github.com/opencloud-eu/reva/v2/pkg/events/raw"
@@ -84,30 +85,37 @@ func Server(cfg *config.Config) *cli.Command {

 				eng = bleve.NewBackend(idx, bleveQuery.DefaultCreator, logger)
 			case "open-search":
-				client, err := opensearchgoAPI.NewClient(opensearchgoAPI.Config{
-					Client: opensearchgo.Config{
-						Addresses:             cfg.Engine.OpenSearch.Client.Addresses,
-						Username:              cfg.Engine.OpenSearch.Client.Username,
-						Password:              cfg.Engine.OpenSearch.Client.Password,
-						Header:                cfg.Engine.OpenSearch.Client.Header,
-						CACert:                cfg.Engine.OpenSearch.Client.CACert,
-						RetryOnStatus:         cfg.Engine.OpenSearch.Client.RetryOnStatus,
-						DisableRetry:          cfg.Engine.OpenSearch.Client.DisableRetry,
-						EnableRetryOnTimeout:  cfg.Engine.OpenSearch.Client.EnableRetryOnTimeout,
-						MaxRetries:            cfg.Engine.OpenSearch.Client.MaxRetries,
-						CompressRequestBody:   cfg.Engine.OpenSearch.Client.CompressRequestBody,
-						DiscoverNodesOnStart:  cfg.Engine.OpenSearch.Client.DiscoverNodesOnStart,
-						DiscoverNodesInterval: cfg.Engine.OpenSearch.Client.DiscoverNodesInterval,
-						EnableMetrics:         cfg.Engine.OpenSearch.Client.EnableMetrics,
-						EnableDebugLogger:     cfg.Engine.OpenSearch.Client.EnableDebugLogger,
-						Transport: &http.Transport{
-							TLSClientConfig: &tls.Config{
-								MinVersion:         tls.VersionTLS12,
-								InsecureSkipVerify: cfg.Engine.OpenSearch.Client.Insecure,
-							},
+				clientConfig := opensearchgo.Config{
+					Addresses:             cfg.Engine.OpenSearch.Client.Addresses,
+					Username:              cfg.Engine.OpenSearch.Client.Username,
+					Password:              cfg.Engine.OpenSearch.Client.Password,
+					Header:                cfg.Engine.OpenSearch.Client.Header,
+					RetryOnStatus:         cfg.Engine.OpenSearch.Client.RetryOnStatus,
+					DisableRetry:          cfg.Engine.OpenSearch.Client.DisableRetry,
+					EnableRetryOnTimeout:  cfg.Engine.OpenSearch.Client.EnableRetryOnTimeout,
+					MaxRetries:            cfg.Engine.OpenSearch.Client.MaxRetries,
+					CompressRequestBody:   cfg.Engine.OpenSearch.Client.CompressRequestBody,
+					DiscoverNodesOnStart:  cfg.Engine.OpenSearch.Client.DiscoverNodesOnStart,
+					DiscoverNodesInterval: cfg.Engine.OpenSearch.Client.DiscoverNodesInterval,
+					EnableMetrics:         cfg.Engine.OpenSearch.Client.EnableMetrics,
+					EnableDebugLogger:     cfg.Engine.OpenSearch.Client.EnableDebugLogger,
+					Transport: &http.Transport{
+						TLSClientConfig: &tls.Config{
+							MinVersion:         tls.VersionTLS12,
+							InsecureSkipVerify: cfg.Engine.OpenSearch.Client.Insecure,
 						},
 					},
-				})
+				}
+
+				if cfg.Engine.OpenSearch.Client.CACert != "" {
+					certBytes, err := os.ReadFile(cfg.Engine.OpenSearch.Client.CACert)
+					if err != nil {
+						return fmt.Errorf("failed to read CA cert: %w", err)
+					}
+					clientConfig.CACert = certBytes
+				}
+
+				client, err := opensearchgoAPI.NewClient(opensearchgoAPI.Config{Client: clientConfig})
 				if err != nil {
 					return fmt.Errorf("failed to create OpenSearch client: %w", err)
 				}
--- a/services/search/pkg/config/engine.go
+++ b/services/search/pkg/config/engine.go
@@ -34,7 +34,7 @@ type EngineOpenSearchClient struct {
 	Username              string        `yaml:"username" env:"SEARCH_ENGINE_OPEN_SEARCH_CLIENT_USERNAME" desc:"Username for HTTP Basic Authentication." introductionVersion:"%%NEXT%%"`
 	Password              string        `yaml:"password" env:"SEARCH_ENGINE_OPEN_SEARCH_CLIENT_PASSWORD" desc:"Password for HTTP Basic Authentication." introductionVersion:"%%NEXT%%"`
 	Header                http.Header   `yaml:"header" env:"SEARCH_ENGINE_OPEN_SEARCH_CLIENT_HEADER" desc:"HTTP headers to include in requests." introductionVersion:"%%NEXT%%"`
-	CACert                []byte        `yaml:"ca_cert" env:"SEARCH_ENGINE_OPEN_SEARCH_CLIENT_CA_CERT" desc:"CA certificate for TLS connections." introductionVersion:"%%NEXT%%"`
+	CACert                string        `yaml:"ca_cert" env:"SEARCH_ENGINE_OPEN_SEARCH_CLIENT_CA_CERT" desc:"Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the opensearch server." introductionVersion:"%%NEXT%%"`
 	RetryOnStatus         []int         `yaml:"retry_on_status" env:"SEARCH_ENGINE_OPEN_SEARCH_CLIENT_RETRY_ON_STATUS" desc:"HTTP status codes that trigger a retry." introductionVersion:"%%NEXT%%"`
 	DisableRetry          bool          `yaml:"disable_retry" env:"SEARCH_ENGINE_OPEN_SEARCH_CLIENT_DISABLE_RETRY" desc:"Disable retries on errors." introductionVersion:"%%NEXT%%"`
 	EnableRetryOnTimeout  bool          `yaml:"enable_retry_on_timeout" env:"SEARCH_ENGINE_OPEN_SEARCH_CLIENT_ENABLE_RETRY_ON_TIMEOUT" desc:"Enable retries on timeout." introductionVersion:"%%NEXT%%"`