chore(es): support cert connection for opensearch backend

yaozheng-fang · yaozheng-fang · commit 3a36d6e2c3a7 · 2025-12-24T08:43:54.000+08:00
diff --git a/veadk/configs/database_configs.py b/veadk/configs/database_configs.py
@@ -28,6 +28,8 @@ class OpensearchConfig(BaseSettings):
 
     port: int = 9200
 
+    cert_path: str = ""
+
     username: str = ""
 
     password: str = ""
diff --git a/veadk/knowledgebase/backends/opensearch_backend.py b/veadk/knowledgebase/backends/opensearch_backend.py
@@ -27,9 +27,13 @@
 
 import veadk.config  # noqa E401
 from veadk.configs.database_configs import OpensearchConfig
-from veadk.configs.model_configs import EmbeddingModelConfig, NormalEmbeddingModelConfig
+from veadk.configs.model_configs import (
+    EmbeddingModelConfig,
+    NormalEmbeddingModelConfig,
+)
 from veadk.knowledgebase.backends.base_backend import BaseKnowledgebaseBackend
 from veadk.knowledgebase.backends.utils import get_llama_index_splitter
+from veadk.utils.logger import get_logger
 
 try:
     from llama_index.vector_stores.opensearch import (
@@ -42,6 +46,9 @@
     )
 
 
+logger = get_logger(__name__)
+
+
 class OpensearchKnowledgeBackend(BaseKnowledgebaseBackend):
     """Opensearch-based backend for knowledgebase.
 
@@ -79,6 +86,12 @@ class OpensearchKnowledgeBackend(BaseKnowledgebaseBackend):
 
     def model_post_init(self, __context: Any) -> None:
         self.precheck_index_naming()
+
+        if not self.opensearch_config.cert_path:
+            logger.warning(
+                "OpenSearch cert_path is not set, which may lead to security risks"
+            )
+
         self._opensearch_client = OpensearchVectorClient(
             endpoint=self.opensearch_config.host,
             port=self.opensearch_config.port,
@@ -87,7 +100,8 @@ def model_post_init(self, __context: Any) -> None:
                 self.opensearch_config.password,
             ),
             use_ssl=True,
-            verify_certs=False,
+            verify_certs=False if not self.opensearch_config.cert_path else True,
+            cert_path=self.opensearch_config.cert_path,
             dim=self.embedding_config.dim,
             index=self.index,  # collection name
         )
diff --git a/veadk/memory/long_term_memory_backends/opensearch_backend.py b/veadk/memory/long_term_memory_backends/opensearch_backend.py
@@ -22,7 +22,10 @@
 
 import veadk.config  # noqa E401
 from veadk.configs.database_configs import OpensearchConfig
-from veadk.configs.model_configs import EmbeddingModelConfig, NormalEmbeddingModelConfig
+from veadk.configs.model_configs import (
+    EmbeddingModelConfig,
+    NormalEmbeddingModelConfig,
+)
 from veadk.knowledgebase.backends.utils import get_llama_index_splitter
 from veadk.memory.long_term_memory_backends.base_backend import (
     BaseLongTermMemoryBackend,
@@ -74,6 +77,11 @@ def _create_vector_index(self, index: str) -> VectorStoreIndex:
 
         self.precheck_index_naming(index)
 
+        if not self.opensearch_config.cert_path:
+            logger.warning(
+                "OpenSearch cert_path is not set, which may lead to security risks"
+            )
+
         opensearch_client = OpensearchVectorClient(
             endpoint=self.opensearch_config.host,
             port=self.opensearch_config.port,
@@ -82,7 +90,8 @@ def _create_vector_index(self, index: str) -> VectorStoreIndex:
                 self.opensearch_config.password,
             ),
             use_ssl=True,
-            verify_certs=False,
+            verify_certs=False if not self.opensearch_config.cert_path else True,
+            cert_path=self.opensearch_config.cert_path,
             dim=self.embedding_config.dim,
             index=index,
         )
