Add SSL/TLS and basic auth support for external OpenSearch connections

[rexbut]

Summary

Add support for basic authentication, SSL/TLS and mutual TLS (mTLS) when connecting to an external OpenSearch cluster.

#942

Motivation

In production environments (e.g. Kubernetes), external OpenSearch clusters typically require authentication and encrypted connections. This was not possible until now.

Changes

• PhotonDBConfig: 7 new CLI parameters (-opensearch-user, -opensearch-password, -opensearch-ssl, -opensearch-truststore, -opensearch-truststore-password, -opensearch-keystore, -opensearch-keystore-password)
• OpenSearchTransportBuilder (new): configures the Apache HttpClient 5 transport with basic auth and/or SSL following the official OpenSearch Java client documentation
• Server: delegates external transport construction to OpenSearchTransportBuilder
• docs/usage.md: new section documenting the three usage scenarios (basic auth, SSL with custom CA, mTLS)

Usage examples

Basic authentication only:

java -jar photon.jar serve \
    -transport-addresses opensearch.example.com:9200 \
    -opensearch-user photon -opensearch-password secret

With SSL and a custom CA:

java -jar photon.jar serve \
    -transport-addresses opensearch.example.com:9200 \
    -opensearch-ssl \
    -opensearch-user photon -opensearch-password secret \
    -opensearch-truststore /path/to/truststore.p12 \
    -opensearch-truststore-password changeit

With mutual TLS (mTLS):

java -jar photon.jar serve \
    -transport-addresses opensearch.example.com:9200 \
    -opensearch-ssl \
    -opensearch-truststore /path/to/truststore.p12 \
    -opensearch-truststore-password changeit \
    -opensearch-keystore /path/to/client-keystore.p12 \
    -opensearch-keystore-password clientpass

Tests

• OpenSearchTransportBuilderTest: host parsing/scheme selection, SSL context construction with truststore, full auth+SSL smoke test
• PhotonDBConfigTest: CLI parameter parsing round-trip and defaults

Proof of actual usage

Tested against an external OpenSearch 3.x cluster with basic auth and SSL enabled:

AI disclosure

This PR was developed with AI assistance (Cursor / Claude). All code was reviewed, tested against a real OpenSearch cluster, and validated by the author.

[cursor]

Default port 9201 wrong for external OpenSearch connections

Medium Severity

The buildHosts() method defaults to port 9201 when no port is specified in a transport address, but the standard OpenSearch HTTP port is 9200. This causes connection failures for users who specify an address without an explicit port (e.g., opensearch.example.com). The value 9201 was carried over from internal runner discovery config and is not correct for external connections. The test also codifies this incorrect default.

Additional Locations (1)

• src/test/java/de/komoot/photon/opensearch/OpenSearchTransportBuilderTest.java#L56-L57

 

[rexbut]

Just moving existing code (refactoring) from Server.java without changes

[lonvia]

I'm leaning toward fixing this while reworking this code.

[lonvia]

Thanks. I need to put this on hold for a bit. httpclient5 has a new version 5.6 out which causes failing tests in Photon. This needs resolved first before adding additional features.

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

[cursor]

JCommander password=true prevents command-line value acceptance

High Severity

The password = true attribute on the -opensearch-password, -opensearch-truststore-password, and -opensearch-keystore-password parameters sets their arity to 0 in JCommander, causing them to prompt for console input rather than accepting values from the command line. Without an explicit arity = 1, passing e.g. -opensearch-password secret won't consume secret as the value — it becomes a stray argument and likely triggers a parse error. The existing -password parameter in PostgresqlConfig notably does not use password = true, following the correct pattern.

Additional Locations (2)

• src/main/java/de/komoot/photon/config/PhotonDBConfig.java#L63-L67
• src/main/java/de/komoot/photon/config/PhotonDBConfig.java#L75-L79

 

[lonvia]

Can you comment on that? cursor seems to be right here.

[rexbut]

Hi @lonvia,

I've updated the dependencies to the latest versions:

• org.apache.httpcomponents.client5:httpclient5 5.5.1 to 5.6
• org.opensearch.client:opensearch-java 3.5.0 to 3.6.0

I ran the tests locally with ./gradlew test and everything is passing successfully (see screenshot below). This should resolve the concerns regarding the new HttpClient version.

[lonvia]

The code looks okay but it is very verbose, even for Java standards. I'm also rather reluctant to add 7 more parameters, especially when 3 of them are passwords. I can already see the "security bug bounty hunters" having a field day with that.

It's really hard to find decent documentation on this whole SSL/TLS thing but I see references coming up of being able to configure key and trust stores via Java system variables like this:

-Djavax.net.ssl.keyStoreType=pkcs12
-Djavax.net.ssl.trustStoreType=jks
-Djavax.net.ssl.keyStore=keystore.p12
-Djavax.net.ssl.trustStore=truststore.jks
-Djavax.net.ssl.keyStorePassword=$PASS
-Djavax.net.ssl.trustStorePassword=$PASS

So there must be some 'default' way of setting up a SSL connection that is hopefully less verbose and just does the right thing. This would be my preferred way of configuring.

The -opensearch-ssl parameter might be obliterated by requiring a protocol (https or http) in front of the node URLs and assuming http when it is omitted for backwards compatibility.

That would leave the user and password for the OpenSearch database proper. I don't see a good way around that.

[lonvia]

KeyStore has a getInstance() that takes a file and password. Would that be usable here?

[lonvia]

I'm leaning toward fixing this while reworking this code.

[lonvia]

Can you comment on that? cursor seems to be right here.

[otbutz]

I don't see why we can't create Trust- and KeyStore in-memory from supplied PEM files?

[lonvia]

My knowledge on Trust/Keystores is rather limited, I'm afraid. Can you elaborate on what you mean and/or point to documentation?

[otbutz]

You can create an empty KeyStore on the fly and add certificates/keys:

KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
trustStore.load(null, null);

CertificateFactory factory = CertificateFactory.getInstance("X.509");
InputStream certContent = // load PEM content
X509Certificate cert = (X509Certificate) factory.generateCertificate(certContent);

trustStore.setCertificateEntry("ca-root", cert);

https://docs.oracle.com/en/java/javase/21/docs/api/java.base/java/security/KeyStore.html#load(java.io.InputStream,char%5B%5D)

https://docs.oracle.com/en/java/javase/21/docs/api/java.base/java/security/cert/CertificateFactory.html#generateCertificate(java.io.InputStream)

IMHO handling PEM files is a lot easier from a sysop perspective than having to deal with Java truststore shenanigans. We can also remove any kind of password handling if we rely on the files having reasonable permissions.

[lonvia]

I see. But that would mean customizing the process even further. Anything where we can rely on standard Java processes is preferable, even if the standard Java process is a bit convoluted. The goal here is to minimize the code that needs to be maintained in Photon.