opensearch-project · covert8 · Oct 7, 2025
@@ -3993,6 +3993,9 @@ spec:
                     type: string
                   defaultRepo:
                     type: string
+                  disableSSL:
+                    description: Disable SSL for the cluster
+                    type: boolean
                   drainDataNodes:
                     description: Drain data nodes controls whether to drain data notes
                       on rolling restart operations

@@ -199,6 +199,12 @@ GeneralConfig defines global Opensearch cluster configuration
         <td>Default image repository to use</td>
         <td></td>
         <td></td>
+      </tr><tr>
+        <td><b>DisableSSL</b></td>
+        <td>bool</td>
+        <td>Disable SSL for the cluster (uses HTTP instead of HTTPS)</td>
+        <td>false</td>
+        <td>false</td>
       </tr><tr>
         <td><b>keystore</b></td>
         <td>[]opsterv1.KeystoreValue</td>

@@ -52,6 +52,8 @@ type GeneralConfig struct {
 	ServiceName      string  `json:"serviceName"`
 	SetVMMaxMapCount bool    `json:"setVMMaxMapCount,omitempty"`
 	DefaultRepo      *string `json:"defaultRepo,omitempty"`
+	// Disable SSL for the cluster
+	DisableSSL bool `json:"disableSSL,omitempty"`
 	// Extra items to add to the opensearch.yml
 	AdditionalConfig map[string]string `json:"additionalConfig,omitempty"`
 	// Adds support for annotations in services

@@ -3993,6 +3993,9 @@ spec:
                     type: string
                   defaultRepo:
                     type: string
+                  disableSSL:
+                    description: Disable SSL for the cluster
+                    type: boolean
                   drainDataNodes:
                     description: Drain data nodes controls whether to drain data notes
                       on rolling restart operations

@@ -184,10 +184,14 @@ func NewSTSForNodePool(
 	startupProbeFailureThreshold := int32(10) // 30s * 10 = 5m time to wait for startup
 	startupProbeSuccessThreshold := int32(1)
 	startupProbeInitialDelaySeconds := int32(10)
+	probeProtocol := "https"
+	if cr.Spec.General.DisableSSL {
+		probeProtocol = "http"
+	}
 	startupProbeCommand := []string{
 		"/bin/bash",
 		"-c",
-		fmt.Sprintf("curl -k -u \"$(cat /mnt/admin-credentials/username):$(cat /mnt/admin-credentials/password)\" --silent --fail 'https://localhost:%d'", PortForCluster(cr)),
+		fmt.Sprintf("curl -k -u \"$(cat /mnt/admin-credentials/username):$(cat /mnt/admin-credentials/password)\" --silent --fail '%s://localhost:%d'", probeProtocol, PortForCluster(cr)),
 	}
 
 	readinessProbePeriodSeconds := int32(30)
@@ -198,7 +202,7 @@ func NewSTSForNodePool(
 	readinessProbeCommand := []string{
 		"/bin/bash",
 		"-c",
-		fmt.Sprintf("curl -k -u \"$(cat /mnt/admin-credentials/username):$(cat /mnt/admin-credentials/password)\" --silent --fail 'https://localhost:%d'", PortForCluster(cr)),
+		fmt.Sprintf("curl -k -u \"$(cat /mnt/admin-credentials/username):$(cat /mnt/admin-credentials/password)\" --silent --fail '%s://localhost:%d'", probeProtocol, PortForCluster(cr)),
 	}
 
 	livenessProbePeriodSeconds := int32(20)
@@ -1063,7 +1067,11 @@ func PortForCluster(cr *opsterv1.OpenSearchCluster) int32 {
 
 func URLForCluster(cr *opsterv1.OpenSearchCluster) string {
 	httpPort := PortForCluster(cr)
-	return fmt.Sprintf("https://%s.svc.%s:%d", DnsOfService(cr), helpers.ClusterDnsBase(), httpPort)
+	protocol := "https"
+	if cr.Spec.General.DisableSSL {
+		protocol = "http"
+	}
+	return fmt.Sprintf("%s://%s.svc.%s:%d", protocol, DnsOfService(cr), helpers.ClusterDnsBase(), httpPort)
 }
 
 func PasswordSecret(cr *opsterv1.OpenSearchCluster, username, password string) *corev1.Secret {
@@ -1253,6 +1261,11 @@ func NewServiceMonitor(cr *opsterv1.OpenSearchCluster) *monitoring.ServiceMonito
 		monitorLabel[k] = v
 	}
 
+	scheme := "https"
+	if cr.Spec.General.DisableSSL {
+		scheme = "http"
+	}
+
 	return &monitoring.ServiceMonitor{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      cr.Name + "-monitor",
@@ -1277,7 +1290,7 @@ func NewServiceMonitor(cr *opsterv1.OpenSearchCluster) *monitoring.ServiceMonito
 					BearerTokenFile: "",
 					HonorLabels:     false,
 					BasicAuth:       &user,
-					Scheme:          "https",
+					Scheme:          scheme,
 				},
 			},
 			Selector:          selector,

@@ -943,6 +943,46 @@ var _ = Describe("Builders", func() {
 		})
 	})
 
+	When("DisableSSL is enabled", func() {
+		It("should use http protocol in URLForCluster", func() {
+			clusterObject := ClusterDescWithVersion("2.7.0")
+			clusterObject.Spec.General.DisableSSL = true
+			clusterObject.Spec.General.ServiceName = "opensearch"
+			clusterObject.Namespace = "default"
+			clusterObject.Spec.General.HttpPort = 9200
+
+			actualUrl := URLForCluster(&clusterObject)
+			Expect(actualUrl).To(ContainSubstring("http://"))
+			Expect(actualUrl).NotTo(ContainSubstring("https://"))
+		})
+
+		It("should use http protocol in probe commands", func() {
+			clusterObject := ClusterDescWithVersion("2.7.0")
+			clusterObject.Spec.General.DisableSSL = true
+			nodePool := opsterv1.NodePool{
+				Component: "masters",
+				Roles:     []string{"cluster_manager"},
+			}
+			result := NewSTSForNodePool("foobar", &clusterObject, nodePool, "foobar", nil, nil, nil)
+			Expect(result.Spec.Template.Spec.Containers[0].StartupProbe.ProbeHandler.Exec.Command).
+				To(Equal([]string{"/bin/bash", "-c", "curl -k -u \"$(cat /mnt/admin-credentials/username):$(cat /mnt/admin-credentials/password)\" --silent --fail 'http://localhost:9200'"}))
+			Expect(result.Spec.Template.Spec.Containers[0].ReadinessProbe.ProbeHandler.Exec.Command).
+				To(Equal([]string{"/bin/bash", "-c", "curl -k -u \"$(cat /mnt/admin-credentials/username):$(cat /mnt/admin-credentials/password)\" --silent --fail 'http://localhost:9200'"}))
+		})
+
+		It("should use http scheme in ServiceMonitor", func() {
+			clusterObject := ClusterDescWithVersion("2.7.0")
+			clusterObject.Name = "test-cluster"
+			clusterObject.Namespace = "default"
+			clusterObject.Spec.General.DisableSSL = true
+			clusterObject.Spec.General.Monitoring.Enable = true
+			clusterObject.Spec.General.Monitoring.ScrapeInterval = "30s"
+
+			result := NewServiceMonitor(&clusterObject)
+			Expect(result.Spec.Endpoints[0].Scheme).To(Equal("http"))
+		})
+	})
+
 	When("Configuring InitHelper Resources", func() {
 		It("should propagate Resources to all init containers", func() {
 			clusterObject := ClusterDescWithVersion("2.2.1")

@@ -56,6 +56,12 @@ const (
 )
 
 func (r *TLSReconciler) Reconcile() (ctrl.Result, error) {
+	if r.instance.Spec.General.DisableSSL {
+		r.logger.Info("HTTP TLS is disabled. Disabling SSL for HTTP layer")
+		r.reconcilerContext.AddConfig("plugins.security.ssl.http.enabled", "false")
+		return ctrl.Result{}, nil
+	}
+
 	if r.instance.Spec.Security == nil || r.instance.Spec.Security.Tls == nil {
 		r.logger.Info("No security specified. Not doing anything")
 		return ctrl.Result{}, nil

@@ -215,8 +215,13 @@ func CreateAdditionalVolumes(
 }
 
 func OpensearchClusterURL(cluster *opsterv1.OpenSearchCluster) string {
+	protocol := "https"
+	if cluster.Spec.General.DisableSSL {
+		protocol = "http"
+	}
 	return fmt.Sprintf(
-		"https://%s.%s.svc.%s:%v",
+		"%s://%s.%s.svc.%s:%v",
+		protocol,
 		cluster.Spec.General.ServiceName,
 		cluster.Namespace,
 		helpers.ClusterDnsBase(),

@@ -201,3 +201,50 @@ var _ = Describe("Additional volumes", func() {
 		})
 	})
 })
+
+var _ = Describe("OpensearchClusterURL", func() {
+	When("DisableSSL is false", func() {
+		It("should return https URL", func() {
+			cluster := &opsterv1.OpenSearchCluster{
+				Spec: opsterv1.ClusterSpec{
+					General: opsterv1.GeneralConfig{
+						ServiceName: "test-service",
+						HttpPort:    9200,
+						DisableSSL:  false,
+					},
+				},
+			}
+			cluster.Name = "test-cluster"
+			cluster.Namespace = "test-namespace"
+
+			url := OpensearchClusterURL(cluster)
+			Expect(url).To(ContainSubstring("https://"))
+			Expect(url).To(ContainSubstring("test-service"))
+			Expect(url).To(ContainSubstring("test-namespace"))
+			Expect(url).To(ContainSubstring(":9200"))
+		})
+	})
+
+	When("DisableSSL is true", func() {
+		It("should return http URL", func() {
+			cluster := &opsterv1.OpenSearchCluster{
+				Spec: opsterv1.ClusterSpec{
+					General: opsterv1.GeneralConfig{
+						ServiceName: "test-service",
+						HttpPort:    9200,
+						DisableSSL:  true,
+					},
+				},
+			}
+			cluster.Name = "test-cluster"
+			cluster.Namespace = "test-namespace"
+
+			url := OpensearchClusterURL(cluster)
+			Expect(url).To(ContainSubstring("http://"))
+			Expect(url).NotTo(ContainSubstring("https://"))
+			Expect(url).To(ContainSubstring("test-service"))
+			Expect(url).To(ContainSubstring("test-namespace"))
+			Expect(url).To(ContainSubstring(":9200"))
+		})
+	})
+})