Add SSL service connection support for ElasticSearch

See gh-41137

Author: mhalbritter

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/elasticsearch/ElasticsearchConnectionDetails.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2023 the original author or authors.
+ * Copyright 2012-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -21,6 +21,7 @@
 import java.util.List;
 
 import org.springframework.boot.autoconfigure.service.connection.ConnectionDetails;
+import org.springframework.boot.ssl.SslBundle;
 
 /**
  * Details required to establish a connection to an Elasticsearch service.
@@ -63,6 +64,15 @@ default String getPathPrefix() {
 		return null;
 	}
 
+	/**
+	 * SSL bundle to use.
+	 * @return the SSL bundle to use
+	 * @since 3.5.0
+	 */
+	default SslBundle getSslBundle() {
+		return null;
+	}
+
 	/**
 	 * An Elasticsearch node.
 	 *

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/elasticsearch/ElasticsearchRestClientConfigurations.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2023 the original author or authors.
+ * Copyright 2012-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -44,12 +44,14 @@
 import org.springframework.boot.autoconfigure.condition.ConditionalOnSingleCandidate;
 import org.springframework.boot.autoconfigure.elasticsearch.ElasticsearchConnectionDetails.Node;
 import org.springframework.boot.autoconfigure.elasticsearch.ElasticsearchConnectionDetails.Node.Protocol;
+import org.springframework.boot.autoconfigure.elasticsearch.ElasticsearchProperties.Restclient.Ssl;
 import org.springframework.boot.context.properties.PropertyMapper;
 import org.springframework.boot.ssl.SslBundle;
 import org.springframework.boot.ssl.SslBundles;
 import org.springframework.boot.ssl.SslOptions;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.util.Assert;
 import org.springframework.util.StringUtils;
 
 /**
@@ -75,8 +77,8 @@ static class RestClientBuilderConfiguration {
 
 		@Bean
 		@ConditionalOnMissingBean(ElasticsearchConnectionDetails.class)
-		PropertiesElasticsearchConnectionDetails elasticsearchConnectionDetails() {
-			return new PropertiesElasticsearchConnectionDetails(this.properties);
+		PropertiesElasticsearchConnectionDetails elasticsearchConnectionDetails(ObjectProvider<SslBundles> sslBundles) {
+			return new PropertiesElasticsearchConnectionDetails(this.properties, sslBundles.getIfAvailable());
 		}
 
 		@Bean
@@ -87,16 +89,16 @@ RestClientBuilderCustomizer defaultRestClientBuilderCustomizer(
 
 		@Bean
 		RestClientBuilder elasticsearchRestClientBuilder(ElasticsearchConnectionDetails connectionDetails,
-				ObjectProvider<RestClientBuilderCustomizer> builderCustomizers, ObjectProvider<SslBundles> sslBundles) {
+				ObjectProvider<RestClientBuilderCustomizer> builderCustomizers) {
 			RestClientBuilder builder = RestClient.builder(connectionDetails.getNodes()
 				.stream()
 				.map((node) -> new HttpHost(node.hostname(), node.port(), node.protocol().getScheme()))
 				.toArray(HttpHost[]::new));
 			builder.setHttpClientConfigCallback((httpClientBuilder) -> {
 				builderCustomizers.orderedStream().forEach((customizer) -> customizer.customize(httpClientBuilder));
-				String sslBundleName = this.properties.getRestclient().getSsl().getBundle();
-				if (StringUtils.hasText(sslBundleName)) {
-					configureSsl(httpClientBuilder, sslBundles.getObject().getBundle(sslBundleName));
+				SslBundle sslBundle = connectionDetails.getSslBundle();
+				if (sslBundle != null) {
+					configureSsl(httpClientBuilder, sslBundle);
 				}
 				return httpClientBuilder;
 			});
@@ -236,8 +238,11 @@ static class PropertiesElasticsearchConnectionDetails implements ElasticsearchCo
 
 		private final ElasticsearchProperties properties;
 
-		PropertiesElasticsearchConnectionDetails(ElasticsearchProperties properties) {
+		private final SslBundles sslBundles;
+
+		PropertiesElasticsearchConnectionDetails(ElasticsearchProperties properties, SslBundles sslBundles) {
 			this.properties = properties;
+			this.sslBundles = sslBundles;
 		}
 
 		@Override
@@ -260,6 +265,16 @@ public String getPathPrefix() {
 			return this.properties.getPathPrefix();
 		}
 
+		@Override
+		public SslBundle getSslBundle() {
+			Ssl ssl = this.properties.getRestclient().getSsl();
+			if (StringUtils.hasLength(ssl.getBundle())) {
+				Assert.notNull(this.sslBundles, "SSL bundle name has been set but no SSL bundles found in context");
+				return this.sslBundles.getBundle(ssl.getBundle());
+			}
+			return null;
+		}
+
 		private Node createNode(String uri) {
 			if (!(uri.startsWith("http://") || uri.startsWith("https://"))) {
 				uri = "http://" + uri;

spring-boot-project/spring-boot-testcontainers/src/main/java/org/springframework/boot/testcontainers/service/connection/elasticsearch/ElasticsearchContainerConnectionDetailsFactory.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2023 the original author or authors.
+ * Copyright 2012-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,15 +16,26 @@
 
 package org.springframework.boot.testcontainers.service.connection.elasticsearch;
 
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
 import java.util.List;
 
 import org.testcontainers.elasticsearch.ElasticsearchContainer;
 
 import org.springframework.boot.autoconfigure.elasticsearch.ElasticsearchConnectionDetails;
 import org.springframework.boot.autoconfigure.elasticsearch.ElasticsearchConnectionDetails.Node.Protocol;
+import org.springframework.boot.ssl.SslBundle;
+import org.springframework.boot.ssl.SslStoreBundle;
 import org.springframework.boot.testcontainers.service.connection.ContainerConnectionDetailsFactory;
 import org.springframework.boot.testcontainers.service.connection.ContainerConnectionSource;
 import org.springframework.boot.testcontainers.service.connection.ServiceConnection;
+import org.springframework.boot.testcontainers.service.connection.Ssl;
 
 /**
  * {@link ContainerConnectionDetailsFactory} to create
@@ -53,15 +64,83 @@ protected ElasticsearchConnectionDetails getContainerConnectionDetails(
 	private static final class ElasticsearchContainerConnectionDetails
 			extends ContainerConnectionDetails<ElasticsearchContainer> implements ElasticsearchConnectionDetails {
 
+		private volatile SslBundle sslBundle;
+
 		private ElasticsearchContainerConnectionDetails(ContainerConnectionSource<ElasticsearchContainer> source) {
 			super(source);
 		}
 
+		@Override
+		public String getUsername() {
+			return "elastic";
+		}
+
+		@Override
+		public String getPassword() {
+			return getContainer().getEnvMap().get("ELASTIC_PASSWORD");
+		}
+
 		@Override
 		public List<Node> getNodes() {
 			String host = getContainer().getHost();
 			Integer port = getContainer().getMappedPort(DEFAULT_PORT);
-			return List.of(new Node(host, port, Protocol.HTTP, null, null));
+			return List.of(new Node(host, port, (getSslBundle() != null) ? Protocol.HTTPS : Protocol.HTTP,
+					getUsername(), getPassword()));
+		}
+
+		@Override
+		public SslBundle getSslBundle() {
+			if (this.sslBundle != null) {
+				return this.sslBundle;
+			}
+			SslBundle sslBundle = super.getSslBundle();
+			if (sslBundle != null) {
+				this.sslBundle = sslBundle;
+				return sslBundle;
+			}
+			if (hasAnnotation(Ssl.class)) {
+				byte[] caCertificate = getContainer().caCertAsBytes().orElse(null);
+				if (caCertificate != null) {
+					KeyStore trustStore = createTrustStore(caCertificate);
+					sslBundle = createSslBundleWithTrustStore(trustStore);
+					this.sslBundle = sslBundle;
+					return sslBundle;
+				}
+			}
+			return null;
+		}
+
+		private SslBundle createSslBundleWithTrustStore(KeyStore trustStore) {
+			return SslBundle.of(new SslStoreBundle() {
+				@Override
+				public KeyStore getKeyStore() {
+					return null;
+				}
+
+				@Override
+				public String getKeyStorePassword() {
+					return null;
+				}
+
+				@Override
+				public KeyStore getTrustStore() {
+					return trustStore;
+				}
+			});
+		}
+
+		private KeyStore createTrustStore(byte[] caCertificate) {
+			try {
+				KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
+				keyStore.load(null, null);
+				CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
+				Certificate certificate = certFactory.generateCertificate(new ByteArrayInputStream(caCertificate));
+				keyStore.setCertificateEntry("ca", certificate);
+				return keyStore;
+			}
+			catch (KeyStoreException | CertificateException | IOException | NoSuchAlgorithmException ex) {
+				throw new IllegalStateException("Failed to create keystore from CA certificate", ex);
+			}
 		}
 
 	}

spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-data-elasticsearch/build.gradle

@@ -0,0 +1,22 @@
+plugins {
+	id "java"
+	id "org.springframework.boot.conventions"
+	id "org.springframework.boot.docker-test"
+}
+
+description = "Spring Boot Data ElasticSearch smoke test"
+
+dependencies {
+	dockerTestImplementation(project(":spring-boot-project:spring-boot-starters:spring-boot-starter-test"))
+	dockerTestImplementation(project(":spring-boot-project:spring-boot-test"))
+	dockerTestImplementation(project(":spring-boot-project:spring-boot-tools:spring-boot-test-support-docker"))
+	dockerTestImplementation(project(":spring-boot-project:spring-boot-testcontainers"))
+	dockerTestImplementation("org.junit.jupiter:junit-jupiter")
+	dockerTestImplementation("org.junit.platform:junit-platform-engine")
+	dockerTestImplementation("org.junit.platform:junit-platform-launcher")
+	dockerTestImplementation("org.testcontainers:junit-jupiter")
+	dockerTestImplementation("org.testcontainers:elasticsearch")
+	dockerTestImplementation("org.testcontainers:testcontainers")
+
+	implementation(project(":spring-boot-project:spring-boot-starters:spring-boot-starter-data-elasticsearch"))
+}

spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-data-elasticsearch/src/dockerTest/java/smoketest/data/elasticsearch/SampleElasticSearch8ApplicationTests.java

@@ -0,0 +1,70 @@
+/*
+ * Copyright 2012-2025 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package smoketest.data.elasticsearch;
+
+import java.util.UUID;
+
+import org.junit.jupiter.api.Test;
+import org.testcontainers.elasticsearch.ElasticsearchContainer;
+import org.testcontainers.junit.jupiter.Container;
+import org.testcontainers.junit.jupiter.Testcontainers;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.autoconfigure.data.elasticsearch.DataElasticsearchTest;
+import org.springframework.boot.testcontainers.service.connection.ServiceConnection;
+import org.springframework.boot.testcontainers.service.connection.Ssl;
+import org.springframework.boot.testsupport.container.TestImage;
+import org.springframework.data.elasticsearch.client.elc.ElasticsearchTemplate;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+/**
+ * Smoke tests for Elasticsearch 8.
+ *
+ * @author Moritz Halbritter
+ */
+@Testcontainers(disabledWithoutDocker = true)
+@DataElasticsearchTest
+class SampleElasticSearch8ApplicationTests {
+
+	@Container
+	@ServiceConnection
+	@Ssl
+	static final ElasticsearchContainer elasticSearch = new ElasticsearchContainer(TestImage.ELASTICSEARCH_8.toString())
+		.withPassword("my-custom-password");
+
+	@Autowired
+	private ElasticsearchTemplate elasticsearchTemplate;
+
+	@Autowired
+	private SampleRepository exampleRepository;
+
+	@Test
+	void testRepository() {
+		SampleDocument document = new SampleDocument();
+		document.setText("Look, new @DataElasticsearchTest!");
+		String id = UUID.randomUUID().toString();
+		document.setId(id);
+		SampleDocument savedDocument = this.exampleRepository.save(document);
+		SampleDocument getDocument = this.elasticsearchTemplate.get(id, SampleDocument.class);
+		assertThat(getDocument).isNotNull();
+		assertThat(getDocument.getId()).isNotNull();
+		assertThat(getDocument.getId()).isEqualTo(savedDocument.getId());
+		this.exampleRepository.deleteAll();
+	}
+
+}

spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-data-elasticsearch/src/dockerTest/java/smoketest/data/elasticsearch/SampleElasticSearchApplicationTests.java

@@ -0,0 +1,67 @@
+/*
+ * Copyright 2012-2025 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package smoketest.data.elasticsearch;
+
+import java.util.UUID;
+
+import org.junit.jupiter.api.Test;
+import org.testcontainers.elasticsearch.ElasticsearchContainer;
+import org.testcontainers.junit.jupiter.Container;
+import org.testcontainers.junit.jupiter.Testcontainers;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.autoconfigure.data.elasticsearch.DataElasticsearchTest;
+import org.springframework.boot.testcontainers.service.connection.ServiceConnection;
+import org.springframework.boot.testsupport.container.TestImage;
+import org.springframework.data.elasticsearch.client.elc.ElasticsearchTemplate;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+/**
+ * Smoke tests for Elasticsearch.
+ *
+ * @author Moritz Halbritter
+ */
+@Testcontainers(disabledWithoutDocker = true)
+@DataElasticsearchTest
+class SampleElasticSearchApplicationTests {
+
+	@Container
+	@ServiceConnection
+	static final ElasticsearchContainer elasticSearch = TestImage.container(ElasticsearchContainer.class);
+
+	@Autowired
+	private ElasticsearchTemplate elasticsearchTemplate;
+
+	@Autowired
+	private SampleRepository exampleRepository;
+
+	@Test
+	void testRepository() {
+		SampleDocument document = new SampleDocument();
+		document.setText("Look, new @DataElasticsearchTest!");
+		String id = UUID.randomUUID().toString();
+		document.setId(id);
+		SampleDocument savedDocument = this.exampleRepository.save(document);
+		SampleDocument getDocument = this.elasticsearchTemplate.get(id, SampleDocument.class);
+		assertThat(getDocument).isNotNull();
+		assertThat(getDocument.getId()).isNotNull();
+		assertThat(getDocument.getId()).isEqualTo(savedDocument.getId());
+		this.exampleRepository.deleteAll();
+	}
+
+}