
Add mutual_tls authentication plugin for HTTP-based sources#6916

Open
divakarsingh wants to merge 1 commit into
opensearch-project:mainfrom
divakarsingh:feature/mtls-client-auth

Conversation

@divakarsingh


Description

Adds a mutual_tls authentication plugin that enables mTLS client certificate
authentication on all HTTP-based sources. Clients must present a valid certificate
signed by the configured trust CA to connect.

This is implemented as an ArmeriaHttpAuthenticationProvider plugin (consistent with
http_basic and unauthenticated), with a new getTlsCustomizer() method on the
interface for TLS-layer configuration.

Configuration example:

source:
  opensearch_api:
    ssl: true
    ssl_certificate_file: "/certs/server.crt"
    ssl_key_file: "/certs/server.key"
    authentication:
      mutual_tls:
        ssl_trust_certificate_file: "/certs/ca.crt"

Works on all HTTP-based sources: http, opensearch_api, otel_trace_source,
otel_metrics_source, otel_logs_source.

Issues Resolved

Resolves #6889

Check List

  • New functionality includes testing (unit + integration)
  • Commits are signed with DCO (Signed-off-by)

Add a new ArmeriaHttpAuthenticationProvider plugin called mutual_tls
that configures Armeria with ClientAuth.REQUIRE and a trust CA for
client certificate verification at the TLS handshake level.

Extends the ArmeriaHttpAuthenticationProvider interface with a
getTlsCustomizer() method so authentication plugins can configure
TLS-level settings. BaseHttpSource applies this during server setup.

This applies to all HTTP-based sources (http, opensearch_api,
otel_trace_source, otel_metrics_source, otel_logs_source) since they
all inherit from BaseHttpSource.

Configuration:
  authentication:
    mutual_tls:
      ssl_trust_certificate_file: /path/to/ca.crt

Resolves opensearch-project#6889

Signed-off-by: Divakar Pratap Singh <divakar.p.singh@gmail.com>
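The mechanism the PR describes, an authentication plugin handing the HTTP server a TLS-layer customizer that requires a client certificate chaining to a configured trust CA, sketched as an added example. This is not Data Prepper's own code: the interface name AuthenticationProvider, the return type of getTlsCustomizer(), the buildServer helper and the certificate paths are assumptions made for this illustration; the Armeria (ServerBuilder.tls, tlsCustomizer) and Netty (SslContextBuilder, ClientAuth) calls are real APIs.

```java
// Added example, not Data Prepper project code. Shows how a mutual_tls-style plugin
// can require client certificates at the TLS handshake instead of at the HTTP layer.
// AuthenticationProvider, getTlsCustomizer()'s return type, buildServer and the
// /certs/* paths are assumptions for this illustration.
import com.linecorp.armeria.common.HttpResponse;
import com.linecorp.armeria.server.Server;
import com.linecorp.armeria.server.ServerBuilder;
import io.netty.handler.ssl.ClientAuth;
import io.netty.handler.ssl.SslContextBuilder;

import java.io.File;
import java.util.Optional;
import java.util.function.Consumer;

public class MutualTlsExample {

    /** Minimal stand-in (assumed shape) for the authentication provider interface the PR extends. */
    interface AuthenticationProvider {
        /** A customizer for Armeria's SslContextBuilder, present only if the plugin needs TLS-layer settings. */
        Optional<Consumer<SslContextBuilder>> getTlsCustomizer();
    }

    /** The mutual_tls plugin: every client must present a certificate signed by the trust CA. */
    static final class MutualTlsProvider implements AuthenticationProvider {
        private final File trustCertificateFile;

        MutualTlsProvider(final File trustCertificateFile) {
            // Fail at startup rather than silently running without a trust anchor.
            if (!trustCertificateFile.isFile()) {
                throw new IllegalArgumentException(
                        "ssl_trust_certificate_file not found: " + trustCertificateFile);
            }
            this.trustCertificateFile = trustCertificateFile;
        }

        @Override
        public Optional<Consumer<SslContextBuilder>> getTlsCustomizer() {
            return Optional.of(ssl -> ssl
                    // Only certificates chaining to this CA bundle are accepted.
                    .trustManager(trustCertificateFile)
                    // REQUIRE, not OPTIONAL: the handshake fails when no client cert is presented,
                    // so unauthenticated requests never reach an HTTP route.
                    .clientAuth(ClientAuth.REQUIRE));
        }
    }

    /** What a BaseHttpSource-style server setup does with the customizer while building the server. */
    static Server buildServer(final int port, final File serverCert, final File serverKey,
                              final AuthenticationProvider provider) {
        final ServerBuilder sb = Server.builder()
                .https(port)
                .tls(serverCert, serverKey)                       // server identity
                .service("/health", (ctx, req) -> HttpResponse.of("ok"));
        // Plugins that need no TLS settings (e.g. http_basic) return Optional.empty().
        provider.getTlsCustomizer().ifPresent(sb::tlsCustomizer);
        return sb.build();
    }

    public static void main(final String[] args) {
        final AuthenticationProvider mtls = new MutualTlsProvider(new File("/certs/ca.crt"));
        final Server server = buildServer(8443,
                new File("/certs/server.crt"), new File("/certs/server.key"), mtls);
        server.start().join();
        // A client presenting a certificate signed by ca.crt can reach /health; a client with
        // no certificate, or one from another CA, is rejected during the TLS handshake.
    }
}
```

Two points worth checking when deploying such a plugin: the trust file should contain only the CA(s) meant to issue client certificates, since anything chaining to it is accepted, and ClientAuth.REQUIRE should be verified end to end by connecting once without a client certificate and confirming the handshake is refused rather than the request reaching an HTTP handler.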

Successfully merging this pull request may close these issues.

Add mTLS client certificate authentication to HTTP-based sources

1 participant