Support mTLS in Elastic Inference Service plugin (#116423) #119679

Open
wants to merge 3 commits into
base: main

@vidok (Contributor) commented Jan 7, 2025

Note: Technically, this PR reverts b357936227df04f88c980b6cbf7cd7cde982a25b.

This PR introduced support for mTLS in the Elastic Inference Service plugin. It uses SSLService to parse and validate the configuration, and to create an SSLStrategy that’s used in the HTTPClientManager.

  • Embedded xpack.inference.elastic.http.ssl to SSLService.
  • Extended HTTPClientManager to propagate SSLStrategy to HTTPClientConnectionManager
  • Added the following settings:
xpack.inference.elastic.http.ssl.enable
xpack.inference.elastic.http.ssl.cipher_suites
xpack.inference.elastic.http.ssl.supported_protocols
xpack.inference.elastic.http.ssl.truststore.path
xpack.inference.elastic.http.ssl.truststore.secure_password
xpack.inference.elastic.http.ssl.truststore.algorithm
xpack.inference.elastic.http.ssl.truststore.type
xpack.inference.elastic.http.ssl.trust_restrictions.path
xpack.inference.elastic.http.ssl.trust_restrictions.x509_fields
xpack.inference.elastic.http.ssl.certificate_authorities
xpack.inference.elastic.http.ssl.client_authentication
xpack.inference.elastic.http.ssl.verification_mode
xpack.inference.elastic.http.ssl.truststore.password
xpack.inference.elastic.http.ssl.keystore.path
xpack.inference.elastic.http.ssl.keystore.secure_password
xpack.inference.elastic.http.ssl.keystore.algorithm
xpack.inference.elastic.http.ssl.keystore.type
xpack.inference.elastic.http.ssl.keystore.secure_key_password
xpack.inference.elastic.http.ssl.key
xpack.inference.elastic.http.ssl.secure_key_passphrase
xpack.inference.elastic.http.ssl.certificate
xpack.inference.elastic.http.ssl.keystore.password
xpack.inference.elastic.http.ssl.keystore.key_password
xpack.inference.elastic.http.ssl.key_passphrase

How to test the PR locally:

Skip certificates validation

  1. Run Elastic Inference Service locally and disable client certificate validation (see the service's documentation).
  2. Build an Elasticsearch snapshot by running ./gradlew localDistro.
  3. Go to build/distribution/local/elasticsearch-x.x.x-SNAPSHOT folder.
  4. Run Elasticsearch with the following command
./bin/elasticsearch -E xpack.inference.elastic.url=https://localhost:8443 -E xpack.inference.elastic.http.ssl.verification_mode=none

Certificates validation

  1. Generate a new set of TLS certificates and run Elastic Inference Service locally (see the service's documentation).
  2. Build an Elasticsearch snapshot by running ./gradlew localDistro.
  3. Go to build/distribution/local/elasticsearch-x.x.x-SNAPSHOT folder.
  4. Copy the tls.key, tls.crt and ca.crt generated in step 1 to the Elasticsearch snapshot config folder.
  5. Rename ca.crt to ca.pem (it seems unnecessary but ES expects a PEM file).
  6. Run Elasticsearch with the following command (make sure the path to the certificates is correct).
./bin/elasticsearch -E xpack.inference.elastic.url=https://localhost:8443 -E xpack.inference.elastic.http.ssl.certificate=tls/tls.crt -E xpack.inference.elastic.http.ssl.key=tls/tls.key -E xpack.inference.elastic.http.ssl.certificate_authorities=ca/ca.pem

Perform inference requests:

  1. Create an inference endpoint:
PUT {ES_HOST}/_inference/sparse_embedding/eis

{
    "service": "elastic",
    "service_settings": {
        "model_id": ".elser_model_2"
    }
}
  2. Perform an inference request
POST {ES_HOST}/_inference/sparse_embedding/eis

{
    "input": "A blue sky"
}

Follow-up actions:

  • Utilize the same connection eviction manager to reduce the number of used threads.
  • Find a way to use the same connection manager for all external HTTP connections instead of having a dedicated manager for Elastic Inference Service.
  • Add an integration test.
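
An added example, not part of this PR or of Elasticsearch: a shell check over the `-E` launch flags from the test instructions above. It flags `verification_mode=none` and an incomplete client certificate/key pair before a configuration leaves local testing. The function name `audit_eis_ssl_args` and the finding messages are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not code from the PR. audit_eis_ssl_args is a hypothetical helper.
# Prints one finding per line; exit status is non-zero if any finding is FAIL.
audit_eis_ssl_args() (
  p="xpack.inference.elastic.http.ssl."
  url="" mode="" cert="" key="" keystore="" prev="" status=0
  for arg in "$@"; do
    # Accept both "-E key=value" and "-Ekey=value".
    if [ "$prev" = "-E" ]; then kv="$arg"; prev=""
    elif [ "$arg" = "-E" ]; then prev="-E"; continue
    else
      case "$arg" in -E?*) kv="${arg#-E}" ;; *) continue ;; esac
    fi
    case "$kv" in
      xpack.inference.elastic.url=*) url="${kv#*=}" ;;
      "${p}verification_mode="*)     mode="${kv#*=}" ;;
      "${p}certificate="*)           cert="${kv#*=}" ;;
      "${p}key="*)                   key="${kv#*=}" ;;
      "${p}keystore.path="*)         keystore="${kv#*=}" ;;
    esac
  done
  case "$url" in
    ""|https://*) ;;   # unset URL is left to the plugin default
    *) echo "FAIL: xpack.inference.elastic.url is not an https:// URL"; status=1 ;;
  esac
  case "$mode" in
    none) echo "FAIL: verification_mode=none skips server certificate validation (local testing only)"; status=1 ;;
    certificate) echo "WARN: verification_mode=certificate does not check the server hostname" ;;
  esac
  if [ -n "$cert" ] && [ -z "$key" ]; then
    echo "FAIL: certificate is set without key"; status=1
  elif [ -z "$cert" ] && [ -n "$key" ]; then
    echo "FAIL: key is set without certificate"; status=1
  elif [ -z "$cert" ] && [ -z "$keystore" ]; then
    echo "WARN: no client certificate or keystore configured, so the connection is not mutual TLS"
  fi
  [ "$status" -eq 0 ] && echo "OK: no blocking findings"
  [ "$status" -eq 0 ]
)

# Constructed demo: the "skip certificates validation" launch flags from the steps above.
audit_eis_ssl_args -E xpack.inference.elastic.url=https://localhost:8443 \
  -E xpack.inference.elastic.http.ssl.verification_mode=none || true
```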

@vidok vidok added >feature :ml Machine learning labels Jan 10, 2025
@elasticsearchmachine
Collaborator

Hi @vidok, I've created a changelog YAML for you.

@vidok vidok added the v8.18.0 label Jan 10, 2025
@vidok vidok requested a review from timgrein January 10, 2025 11:07
@vidok vidok added the auto-backport Automatically create backport pull requests when merged label Jan 10, 2025
@vidok vidok marked this pull request as ready for review January 10, 2025 11:08
@elasticsearchmachine elasticsearchmachine added the Team:ML Meta label for the ML team label Jan 10, 2025
@elasticsearchmachine
Collaborator

Pinging @elastic/ml-core (Team:ML)

vidok and others added 3 commits January 10, 2025 12:38
* Introduce new SSL settings under `xpack.inference.elastic.http.ssl`.

* Support mTLS connection between Elasticsearch and Elastic Inference Service.
@vidok vidok force-pushed the dmitrii/reintroduce-inference-service-mtls branch from 616264d to df50a54 Compare January 10, 2025 11:38
Contributor

@slobodanadamovic slobodanadamovic left a comment


LGTM

Labels
auto-backport Automatically create backport pull requests when merged >feature :ml Machine learning Team:ML Meta label for the ML team v8.18.0 v9.0.0