Feature Request: Add verify=false option for TLS connections to Elasticsearch/OpenSearch #9974

@crocinsocks

🧩 Feature Request: Add verify=false option for TLS connections to Elasticsearch/OpenSearch

File: [server/elastic/src/adapter.ts#L699](https://github.com/hcengineering/platform/blob/7681ccb8998d04403dca65c668552308060d9d19/server/elastic/src/adapter.ts#L699)

🧠 Summary

Please add support for a configuration option to disable TLS certificate verification (e.g. verify=false) when connecting to Elasticsearch or OpenSearch backends over TLS.

This is useful in environments where the connection is local and secure, but the CA used by the search cluster is not trusted by the pod root (for example, self-signed or cluster-internal certificates).

💡 Motivation

When running OpenSearch in Kubernetes, it’s common to terminate TLS using either:

  • a self-signed CA issued by an operator (e.g. OpenSearch Operator, Elastic Cloud Operator), or
  • an internal certificate managed by the cluster’s PKI system.

Currently, if the pod’s trust store doesn’t include that CA, the TLS connection fails even though:

  • the network is private (e.g. ClusterIP or Pod network only),
  • and MITM risk is negligible.

Allowing a verify=false flag would enable developers to use secure protocols without needing to patch container roots or disable TLS entirely.

⚙️ Proposed Change

Add an optional configuration (e.g. via environment variable or config key):

```
ELASTIC_VERIFY=false
```

And modify the TLS handling around
[adapter.ts#L699](https://github.com/hcengineering/platform/blob/7681ccb8998d04403dca65c668552308060d9d19/server/elastic/src/adapter.ts#L699)
to skip certificate validation when verify=false is set.

Pseudocode example:

```ts
const client = new Client({
  node: config.url,
  ssl: {
    // Certificate validation stays on unless verify is explicitly false.
    rejectUnauthorized: config.verify !== false,
  },
});
```

🧱 Use Case

This is specifically relevant when deploying Huly or other platform components in local Kubernetes clusters where:

  • OpenSearch runs with TLS enabled,
  • the CA is not globally trusted,
  • and disabling TLS entirely is undesirable.

✅ Expected Outcome

  • When verify=false, platform connects to OpenSearch/Elasticsearch even if the certificate chain is not trusted.
  • When verify=true (default), normal strict verification continues.
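
An added example (not part of the issue and not code from hcengineering/platform) of how the requested flag could be read from the environment while keeping verification strict by default and offering a way to trust the cluster's own CA. `ELASTIC_VERIFY` is the variable proposed above; `ELASTIC_CA_FILE`, `parseVerify` and `buildTlsConfig` are hypothetical names, and the returned `tls` object is what the pseudocode above passes as `ssl`.

```typescript
// Added example, not code from hcengineering/platform.
// ELASTIC_VERIFY is the variable proposed in the issue; ELASTIC_CA_FILE is a
// hypothetical variable naming a PEM file with the cluster's CA certificate.
interface TlsOptions { rejectUnauthorized: boolean, ca?: string }
interface TlsConfig { tls: TlsOptions, warnings: string[] }
type Env = Record<string, string | undefined>

// Environment values are strings, so comparing ELASTIC_VERIFY=false against
// the boolean `false` never matches. Parse the text and reject anything else.
function parseVerify (raw: string | undefined): boolean {
  const v = (raw ?? '').trim().toLowerCase()
  if (v === '' || v === 'true') return true // unset means strict verification
  if (v === 'false') return false
  throw new Error(`ELASTIC_VERIFY must be "true" or "false", got "${v}"`)
}

// readFile is injected so the function has no I/O of its own; in a service
// pass (p) => fs.readFileSync(p, 'utf8').
function buildTlsConfig (env: Env, readFile: (path: string) => string): TlsConfig {
  const verify = parseVerify(env['ELASTIC_VERIFY'])
  const caFile = (env['ELASTIC_CA_FILE'] ?? '').trim()
  if (caFile !== '') {
    if (!verify) {
      // Contradictory settings: fail closed instead of silently picking one.
      throw new Error('ELASTIC_CA_FILE is set but ELASTIC_VERIFY=false')
    }
    // Trust only the cluster CA; chain and hostname checks stay enabled.
    return { tls: { rejectUnauthorized: true, ca: readFile(caFile) }, warnings: [] }
  }
  if (!verify) {
    return {
      tls: { rejectUnauthorized: false },
      warnings: ['ELASTIC_VERIFY=false: server certificate is not validated']
    }
  }
  return { tls: { rejectUnauthorized: true }, warnings: [] }
}
```

The caller is expected to log `warnings` at startup so a deployment running without certificate validation is visible in the service logs.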
