feat: support opensearch client cert auth (#13641)

Author: kezhenxu94

.github/workflows/skywalking.yaml

@@ -387,9 +387,6 @@ jobs:
           - name: Storage ES 8.9.0
             config: test/e2e-v2/cases/storage/es/e2e.yaml
             env: ES_VERSION=8.18.1
-          - name: Storage OpenSearch 1.1.0
-            config: test/e2e-v2/cases/storage/opensearch/e2e.yaml
-            env: OPENSEARCH_VERSION=1.1.0
           - name: Storage OpenSearch 1.3.10
             config: test/e2e-v2/cases/storage/opensearch/e2e.yaml
             env: OPENSEARCH_VERSION=1.3.10
@@ -1121,4 +1118,4 @@ jobs:
           [[ ${e2eJavaVersionResults} == 'success' ]] || [[ ${execute} != 'true' && ${e2eJavaVersionResults} == 'skipped' ]] || exit -7;
           [[ ${timeConsumingITResults} == 'success' ]] || [[ ${execute} != 'true' && ${timeConsumingITResults} == 'skipped' ]] || exit -8;
 
-          exit 0;
+          exit 0;

.licenserc.yaml

@@ -109,10 +109,10 @@ dependency:
       version: 2.13.4
       license: Apache-2.0
     - name: com.fasterxml.jackson.datatype:jackson-datatype-jsr310
-      version: 2.18.2
+      version: 2.20.1
       license: Apache-2.0
     - name: com.fasterxml.jackson.datatype:jackson-datatype-jdk8
-      version: 2.18.2
+      version: 2.20.1
       license: Apache-2.0
     - name: com.fasterxml.jackson.dataformat:jackson-dataformat-yaml
       version: 2.15.2
@@ -139,7 +139,7 @@ dependency:
       version: 1.2.1
       license: Apache-2.0
     - name: com.aayushatharva.brotli4j:service
-      version: 1.18.0
+      version: 1.20.0
       license: Apache-2.0
     - name: io.vertx:vertx-grpc
       version: 4.5.9

dist-material/release-docs/LICENSE

@@ -210,8 +210,8 @@ The following components are provided under the Apache-2.0 License. See project
 The text of each license is the standard Apache 2.0 license.
     https://mvnrepository.com/artifact/build.buf.protoc-gen-validate/pgv-java-stub/1.2.1 Apache-2.0
     https://mvnrepository.com/artifact/build.buf.protoc-gen-validate/protoc-gen-validate/1.2.1 Apache-2.0
-    https://mvnrepository.com/artifact/com.aayushatharva.brotli4j/brotli4j/1.18.0 Apache-2.0
-    https://mvnrepository.com/artifact/com.aayushatharva.brotli4j/service/1.18.0 Apache-2.0
+    https://mvnrepository.com/artifact/com.aayushatharva.brotli4j/brotli4j/1.20.0 Apache-2.0
+    https://mvnrepository.com/artifact/com.aayushatharva.brotli4j/service/1.20.0 Apache-2.0
     https://mvnrepository.com/artifact/com.alibaba.nacos/nacos-auth-plugin/2.3.2 Apache-2.0
     https://mvnrepository.com/artifact/com.alibaba.nacos/nacos-client/2.3.2 Apache-2.0
     https://mvnrepository.com/artifact/com.alibaba.nacos/nacos-encryption-plugin/2.3.2 Apache-2.0
@@ -222,8 +222,8 @@ The text of each license is the standard Apache 2.0 license.
     https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind/2.16.0 Apache-2.0
     https://mvnrepository.com/artifact/com.fasterxml.jackson.dataformat/jackson-dataformat-yaml/2.15.2 Apache-2.0
     https://mvnrepository.com/artifact/com.fasterxml.jackson.datatype/jackson-datatype-guava/2.12.0 Apache-2.0
-    https://mvnrepository.com/artifact/com.fasterxml.jackson.datatype/jackson-datatype-jdk8/2.18.2 Apache-2.0
-    https://mvnrepository.com/artifact/com.fasterxml.jackson.datatype/jackson-datatype-jsr310/2.18.2 Apache-2.0
+    https://mvnrepository.com/artifact/com.fasterxml.jackson.datatype/jackson-datatype-jdk8/2.20.1 Apache-2.0
+    https://mvnrepository.com/artifact/com.fasterxml.jackson.datatype/jackson-datatype-jsr310/2.20.1 Apache-2.0
     https://mvnrepository.com/artifact/com.fasterxml.jackson.module/jackson-module-kotlin/2.13.4 Apache-2.0
     https://mvnrepository.com/artifact/com.fasterxml/classmate/1.5.1 Apache-2.0
     https://mvnrepository.com/artifact/com.google.api.grpc/proto-google-common-protos/2.48.0 Apache-2.0
@@ -238,12 +238,12 @@ The text of each license is the standard Apache 2.0 license.
     https://mvnrepository.com/artifact/com.google.inject/guice/4.1.0 Apache-2.0
     https://mvnrepository.com/artifact/com.google.j2objc/j2objc-annotations/2.8 Apache-2.0
     https://mvnrepository.com/artifact/com.graphql-java/java-dataloader/3.2.1 Apache-2.0
-    https://mvnrepository.com/artifact/com.linecorp.armeria/armeria/1.32.0 Apache-2.0
-    https://mvnrepository.com/artifact/com.linecorp.armeria/armeria-graphql/1.32.0 Apache-2.0
-    https://mvnrepository.com/artifact/com.linecorp.armeria/armeria-graphql-protocol/1.32.0 Apache-2.0
-    https://mvnrepository.com/artifact/com.linecorp.armeria/armeria-grpc/1.32.0 Apache-2.0
-    https://mvnrepository.com/artifact/com.linecorp.armeria/armeria-grpc-protocol/1.32.0 Apache-2.0
-    https://mvnrepository.com/artifact/com.linecorp.armeria/armeria-protobuf/1.32.0 Apache-2.0
+    https://mvnrepository.com/artifact/com.linecorp.armeria/armeria/1.34.2 Apache-2.0
+    https://mvnrepository.com/artifact/com.linecorp.armeria/armeria-graphql/1.34.2 Apache-2.0
+    https://mvnrepository.com/artifact/com.linecorp.armeria/armeria-graphql-protocol/1.34.2 Apache-2.0
+    https://mvnrepository.com/artifact/com.linecorp.armeria/armeria-grpc/1.34.2 Apache-2.0
+    https://mvnrepository.com/artifact/com.linecorp.armeria/armeria-grpc-protocol/1.34.2 Apache-2.0
+    https://mvnrepository.com/artifact/com.linecorp.armeria/armeria-protobuf/1.34.2 Apache-2.0
     https://mvnrepository.com/artifact/com.orbitz.consul/consul-client/1.5.3 Apache-2.0
     https://mvnrepository.com/artifact/com.squareup.okhttp3/okhttp/3.14.9 Apache-2.0
     https://mvnrepository.com/artifact/com.squareup.okio/okio/1.17.2 Apache-2.0
@@ -300,6 +300,7 @@ The text of each license is the standard Apache 2.0 license.
     https://mvnrepository.com/artifact/io.grpc/grpc-services/1.70.0 Apache-2.0
     https://mvnrepository.com/artifact/io.grpc/grpc-stub/1.70.0 Apache-2.0
     https://mvnrepository.com/artifact/io.grpc/grpc-util/1.70.0 Apache-2.0
+    https://mvnrepository.com/artifact/io.micrometer/context-propagation/1.2.0 Apache-2.0
     https://mvnrepository.com/artifact/io.micrometer/micrometer-commons/1.14.4 Apache-2.0
     https://mvnrepository.com/artifact/io.micrometer/micrometer-core/1.14.4 Apache-2.0
     https://mvnrepository.com/artifact/io.micrometer/micrometer-observation/1.14.4 Apache-2.0
@@ -369,6 +370,7 @@ The text of each license is the standard Apache 2.0 license.
     https://mvnrepository.com/artifact/org.jetbrains.kotlinx/kotlinx-coroutines-jdk8/1.6.4 Apache-2.0
     https://mvnrepository.com/artifact/org.jetbrains.kotlinx/kotlinx-coroutines-reactive/1.6.4 Apache-2.0
     https://mvnrepository.com/artifact/org.jetbrains/annotations/13.0 Apache-2.0
+    https://mvnrepository.com/artifact/org.jspecify/jspecify/1.0.0 Apache-2.0
     https://mvnrepository.com/artifact/org.lz4/lz4-java/1.8.0 Apache-2.0
     https://mvnrepository.com/artifact/org.slf4j/jcl-over-slf4j/1.7.30 Apache-2.0
     https://mvnrepository.com/artifact/org.slf4j/log4j-over-slf4j/1.7.30 Apache-2.0
@@ -543,7 +545,7 @@ The text of each license is also included in licenses/LICENSE-[project].txt.
     https://npmjs.com/package/nanoid/v/3.3.8 3.3.8 MIT
     https://mvnrepository.com/artifact/org.checkerframework/checker-qual/3.33.0 MIT
     https://mvnrepository.com/artifact/org.codehaus.mojo/animal-sniffer-annotations/1.24 MIT
-    https://mvnrepository.com/artifact/org.curioswitch.curiostack/protobuf-jackson/2.7.0 MIT
+    https://mvnrepository.com/artifact/org.curioswitch.curiostack/protobuf-jackson/2.8.1 MIT
     https://mvnrepository.com/artifact/org.slf4j/slf4j-api/1.7.30 MIT
     https://npmjs.com/package/pinia/v/2.0.28 2.0.28 MIT
     https://npmjs.com/package/pinia/node_modules/vue-demi/v/0.13.11 0.13.11 MIT

docs/en/changes/changes.md

@@ -14,6 +14,7 @@
 * Add `LatestLabeledFunction` for meter.
 * MAL Labeled metrics support additional attributes.
 * Bump up netty to 4.2.9.Final.
+* Add support for OpenSearch/ElasticSearch client certificate authentication.
 
 #### UI
 * Fix the missing icon in new native trace view.

docs/en/setup/backend/storages/elasticsearch.md

@@ -11,7 +11,7 @@ In order to activate OpenSearch as storage, set the storage provider to **elasti
 
 We support and tested the following versions of OpenSearch:
 
-- 1.1.0, 1.3.10
+- 1.3.10
 - 2.4.0, 2.8.0, 3.0.0
 
 ## Elasticsearch
@@ -51,6 +51,8 @@ storage:
     protocol: ${SW_STORAGE_ES_HTTP_PROTOCOL:"http"}
     trustStorePath: ${SW_STORAGE_ES_SSL_JKS_PATH:""}
     trustStorePass: ${SW_STORAGE_ES_SSL_JKS_PASS:""}
+    keyStorePath: ${SW_STORAGE_ES_SSL_KEY_STORE_PATH:""} # Path to client certificate keystore for mutual TLS (OpenSearch/Elasticsearch client cert auth). Supports PKCS12 (.p12, .pfx) and JKS (.jks) formats.
+    keyStorePass: ${SW_STORAGE_ES_SSL_KEY_STORE_PASS:""} # Password for the client certificate keystore. Can be managed via secretsManagementFile.
     user: ${SW_ES_USER:""}
     password: ${SW_ES_PASSWORD:""}
     secretsManagementFile: ${SW_ES_SECRETS_MANAGEMENT_FILE:""} # Secrets management file in the properties format includes the username, password, which are managed by 3rd party tool.
@@ -83,7 +85,9 @@ storage:
     enableCustomRouting: ${SW_STORAGE_ES_ENABLE_CUSTOM_ROUTING:false}
 ```
 
-### ElasticSearch With Https SSL Encrypting communications.
+### ElasticSearch/OpenSearch With HTTPS SSL Encrypting Communications
+
+#### Basic HTTPS with Server Certificate Verification
 
 Example:
 
@@ -103,6 +107,32 @@ storage:
 - File at `trustStorePath` is being monitored. Once it is changed, the ElasticSearch client will reconnect.
 - `trustStorePass` could be changed in the runtime through [**Secrets Management File Of ElasticSearch Authentication**](#secrets-management-file-of-elasticsearch-authentication).
 
+#### Mutual TLS (mTLS) with Client Certificate Authentication
+
+For enhanced security, you can configure mutual TLS where the client presents a certificate to the server. This is commonly used with OpenSearch security plugin's client certificate authentication.
+
+Example:
+
+```yaml
+storage:
+  selector: ${SW_STORAGE:elasticsearch}
+  elasticsearch:
+    namespace: ${SW_NAMESPACE:""}
+    clusterNodes: ${SW_STORAGE_ES_CLUSTER_NODES:localhost:9200}
+    protocol: ${SW_STORAGE_ES_HTTP_PROTOCOL:"https"}
+    trustStorePath: ${SW_STORAGE_ES_SSL_JKS_PATH:"../truststore.jks"}
+    trustStorePass: ${SW_STORAGE_ES_SSL_JKS_PASS:"changeit"}
+    keyStorePath: ${SW_STORAGE_ES_SSL_KEY_STORE_PATH:"../client.p12"}
+    keyStorePass: ${SW_STORAGE_ES_SSL_KEY_STORE_PASS:"changeit"}
+    ...
+```
+
+- `keyStorePath` points to the client certificate keystore file. Supports both PKCS12 (`.p12`, `.pfx`) and JKS (`.jks`) formats.
+- `keyStorePass` is the password for the client keystore. Use empty string `""` for keystores without password.
+- Both `trustStorePath` and `keyStorePath` files are being monitored. Once they are changed, the ElasticSearch client will reconnect.
+- `trustStorePass` and `keyStorePass` could be changed in the runtime through [**Secrets Management File Of ElasticSearch Authentication**](#secrets-management-file-of-elasticsearch-authentication).
+- When `keyStorePath` is configured, `keyStorePass` must also be provided (can be empty string for no password).
+
 ### Daily Index Step
 Daily index step(`storage/elasticsearch/dayStep`, default 1) represents the index creation period. In this period, metrics for several days (dayStep value) are saved.
 
@@ -121,17 +151,18 @@ NOTE: TTL deletion would be affected by these steps. You should set an extra day
 
 ### Secrets Management File Of ElasticSearch Authentication
 The value of `secretsManagementFile` should point to the secrets management file absolute path.
-The file includes the username, password, and JKS password of the ElasticSearch server in the properties format.
+The file includes the username, password, JKS password, and keystore password of the ElasticSearch server in the properties format.
 ```properties
 user=xxx
 password=yyy
 trustStorePass=zzz
+keyStorePass=aaa
 ```
 
-The major difference between using `user, password, trustStorePass` configs in the `application.yaml` file is that the **Secrets Management File** is being watched by the OAP server.
+The major difference between using `user, password, trustStorePass, keyStorePass` configs in the `application.yaml` file is that the **Secrets Management File** is being watched by the OAP server.
 Once it is changed manually or through a 3rd party tool, such as [Vault](https://github.com/hashicorp/vault),
-the storage provider will use the new username, password, and JKS password to establish the connection and close the old one. If the information exists in the file,
-the `user/password` will be overridden.
+the storage provider will use the new username, password, JKS password, and keystore password to establish the connection and close the old one. If the information exists in the file,
+the `user/password/trustStorePass/keyStorePass` will be overridden.
 
 
 ### Index Settings

oap-server-bom/pom.xml

@@ -67,7 +67,7 @@
         <postgresql.version>42.4.4</postgresql.version>
         <jetcd.version>0.6.1</jetcd.version>
         <testcontainers.version>1.17.6</testcontainers.version>
-        <armeria.version>1.32.0</armeria.version>
+        <armeria.version>1.34.2</armeria.version>
         <awaitility.version>3.0.0</awaitility.version>
         <httpcore.version>4.4.16</httpcore.version>
         <httpasyncclient.version>4.1.5</httpasyncclient.version>

oap-server/server-library/library-client/src/main/java/org/apache/skywalking/oap/server/library/client/elasticsearch/ElasticSearchClient.java

@@ -76,6 +76,11 @@ public class ElasticSearchClient implements Client, HealthCheckable {
     @Setter
     private volatile String trustStorePass;
 
+    private final String keyStorePath;
+
+    @Setter
+    private volatile String keyStorePass;
+
     @Setter
     private volatile String user;
 
@@ -107,6 +112,8 @@ public ElasticSearchClient(ModuleManager moduleManager,
                                String protocol,
                                String trustStorePath,
                                String trustStorePass,
+                               String keyStorePath,
+                               String keyStorePass,
                                String user,
                                String password,
                                Function<String, String> indexNameConverter,
@@ -119,6 +126,8 @@ public ElasticSearchClient(ModuleManager moduleManager,
         this.protocol = protocol;
         this.trustStorePath = trustStorePath;
         this.trustStorePass = trustStorePass;
+        this.keyStorePath = keyStorePath;
+        this.keyStorePass = keyStorePass;
         this.user = user;
         this.password = password;
         this.indexNameConverter = indexNameConverter;
@@ -152,9 +161,17 @@ public void connect() {
 
         if (!Strings.isNullOrEmpty(trustStorePath)) {
             cb.trustStorePath(trustStorePath);
+            // Always set trustStorePass if trustStorePath is set (even if empty string)
+            if (trustStorePass != null) {
+                cb.trustStorePass(trustStorePass);
+            }
         }
-        if (!Strings.isNullOrEmpty(trustStorePass)) {
-            cb.trustStorePass(trustStorePass);
+        if (!Strings.isNullOrEmpty(keyStorePath)) {
+            cb.keyStorePath(keyStorePath);
+            // Always set keyStorePass if keyStorePath is set (even if empty string)
+            if (keyStorePass != null) {
+                cb.keyStorePass(keyStorePass);
+            }
         }
         if (!Strings.isNullOrEmpty(user)) {
             cb.username(user);

oap-server/server-library/library-client/src/test/java/org/apache/skywalking/library/elasticsearch/bulk/ElasticSearchIT.java

@@ -112,7 +112,7 @@ public void indexOperate(final ElasticsearchContainer server,
         final ElasticSearchClient client = new ElasticSearchClient(
             moduleManager,
             server.getHttpHostAddress(),
-            "http", "", "", "test", "test",
+            "http", "", "", "", "", "test", "test",
             indexNameConverter(namespace), 500, 6000,
             0, 15
         );
@@ -165,7 +165,7 @@ public void documentOperate(final ElasticsearchContainer server,
         final ElasticSearchClient client = new ElasticSearchClient(
             moduleManager,
             server.getHttpHostAddress(),
-            "http", "", "", "test", "test",
+            "http", "", "", "", "", "test", "test",
             indexNameConverter(namespace), 500, 6000,
             0, 15
         );
@@ -241,7 +241,7 @@ public void templateOperate(final ElasticsearchContainer server,
         final ElasticSearchClient client = new ElasticSearchClient(
             moduleManager,
             server.getHttpHostAddress(),
-            "http", "", "", "test", "test",
+            "http", "", "", "", "", "test", "test",
             indexNameConverter(namespace), 500, 6000,
             0, 15
         );
@@ -297,7 +297,7 @@ public void bulk(final ElasticsearchContainer server,
         final ElasticSearchClient client = new ElasticSearchClient(
             moduleManager,
             server.getHttpHostAddress(),
-            "http", "", "", "test", "test",
+            "http", "", "", "", "", "test", "test",
             indexNameConverter(namespace), 500, 6000,
             0, 15
         );
@@ -331,7 +331,7 @@ public void bulkPer_1KB(final ElasticsearchContainer server,
         final ElasticSearchClient client = new ElasticSearchClient(
             moduleManager,
             server.getHttpHostAddress(),
-            "http", "", "", "test", "test",
+            "http", "", "", "", "", "test", "test",
             indexNameConverter(namespace), 500, 6000,
             0, 15
         );
@@ -361,7 +361,7 @@ public void timeSeriesOperate(final ElasticsearchContainer server,
         final ElasticSearchClient client = new ElasticSearchClient(
             moduleManager,
             server.getHttpHostAddress(),
-            "http", "", "", "test", "test",
+            "http", "", "", "", "", "test", "test",
             indexNameConverter(namespace), 500, 6000,
             0, 15
         );