Refactor OpenSearch config to separate use_ssl and verify_certs flags (#20075)

Co-authored-by: he.huang <he.huang1@outlook.com> Co-authored-by: crazywoola <427733928@qq.com>
2025-08-11 23:29:01 +08:00 · 2025-05-22 06:14:38 +04:00 · 2025-05-22 06:14:38 +04:00 · 6f48af2610
commit 6f48af2610
parent adca981eee
5 changed files with 14 additions and 2 deletions
--- a/api/.env.example
+++ b/api/.env.example
@ -269,6 +269,7 @@ OPENSEARCH_PORT=9200
 OPENSEARCH_USER=admin
 OPENSEARCH_PASSWORD=admin
 OPENSEARCH_SECURE=true
+OPENSEARCH_VERIFY_CERTS=true

 # Baidu configuration
 BAIDU_VECTOR_DB_ENDPOINT=http://127.0.0.1:5287
--- a/api/configs/middleware/vdb/opensearch_config.py
+++ b/api/configs/middleware/vdb/opensearch_config.py
@ -33,6 +33,11 @@ class OpenSearchConfig(BaseSettings):
        default=False,
    )

+    OPENSEARCH_VERIFY_CERTS: bool = Field(
+        description="Whether to verify SSL certificates for HTTPS connections (recommended to set True in production)",
+        default=True,
+    )
+
    OPENSEARCH_AUTH_METHOD: AuthMethod = Field(
        description="Authentication method for OpenSearch connection (default is 'basic')",
        default=AuthMethod.BASIC,
--- a/api/core/rag/datasource/vdb/opensearch/opensearch_vector.py
+++ b/api/core/rag/datasource/vdb/opensearch/opensearch_vector.py
@ -23,7 +23,8 @@ logger = logging.getLogger(__name__)
 class OpenSearchConfig(BaseModel):
    host: str
    port: int
-    secure: bool = False
+    secure: bool = False  # use_ssl
+    verify_certs: bool = True
    auth_method: Literal["basic", "aws_managed_iam"] = "basic"
    user: Optional[str] = None
    password: Optional[str] = None
@ -42,6 +43,8 @@ class OpenSearchConfig(BaseModel):
                raise ValueError("config OPENSEARCH_AWS_REGION is required for AWS_MANAGED_IAM auth method")
            if not values.get("aws_service"):
                raise ValueError("config OPENSEARCH_AWS_SERVICE is required for AWS_MANAGED_IAM auth method")
+        if not values.get("OPENSEARCH_SECURE") and values.get("OPENSEARCH_VERIFY_CERTS"):
+            raise ValueError("verify_certs=True requires secure (HTTPS) connection")
        return values

    def create_aws_managed_iam_auth(self) -> Urllib3AWSV4SignerAuth:
@ -57,7 +60,7 @@ class OpenSearchConfig(BaseModel):
        params = {
            "hosts": [{"host": self.host, "port": self.port}],
            "use_ssl": self.secure,
-            "verify_certs": self.secure,
+            "verify_certs": self.verify_certs,
            "connection_class": Urllib3HttpConnection,
            "pool_maxsize": 20,
        }
@ -279,6 +282,7 @@ class OpenSearchVectorFactory(AbstractVectorFactory):
            host=dify_config.OPENSEARCH_HOST or "localhost",
            port=dify_config.OPENSEARCH_PORT,
            secure=dify_config.OPENSEARCH_SECURE,
+            verify_certs=dify_config.OPENSEARCH_VERIFY_CERTS,
            auth_method=dify_config.OPENSEARCH_AUTH_METHOD.value,
            user=dify_config.OPENSEARCH_USER,
            password=dify_config.OPENSEARCH_PASSWORD,
--- a/docker/.env.example
+++ b/docker/.env.example
@ -531,6 +531,7 @@ RELYT_DATABASE=postgres
 OPENSEARCH_HOST=opensearch
 OPENSEARCH_PORT=9200
 OPENSEARCH_SECURE=true
+OPENSEARCH_VERIFY_CERTS=true
 OPENSEARCH_AUTH_METHOD=basic
 OPENSEARCH_USER=admin
 OPENSEARCH_PASSWORD=admin
--- a/docker/docker-compose.yaml
+++ b/docker/docker-compose.yaml
@ -227,6 +227,7 @@ x-shared-env: &shared-api-worker-env
  OPENSEARCH_HOST: ${OPENSEARCH_HOST:-opensearch}
  OPENSEARCH_PORT: ${OPENSEARCH_PORT:-9200}
  OPENSEARCH_SECURE: ${OPENSEARCH_SECURE:-true}
+  OPENSEARCH_VERIFY_CERTS: ${OPENSEARCH_VERIFY_CERTS:-true}
  OPENSEARCH_AUTH_METHOD: ${OPENSEARCH_AUTH_METHOD:-basic}
  OPENSEARCH_USER: ${OPENSEARCH_USER:-admin}
  OPENSEARCH_PASSWORD: ${OPENSEARCH_PASSWORD:-admin}