chore(bors): merge pull request #927

mayastor-bors · John Zakrzewski · mayastor-bors · commit 12875e674ae8 · 2025-02-19T10:20:43.000Z
927: Feature: Configuring rest components for TLS r=tiagolobocastro a=Johnaius This PR configures components using rest protocols to speak tls. It is dependent on [this PR in extensions repo](openebs/mayastor-extensions#622). ### Rest-api Clients - Modified certificate loading to use pkcs8_private_keys instead of rsa_private_keys. This was a change I made to get the generated certificates to work, they were apparently created in pkcs8 format, not rsa - I attempted to convert them with no luck, and found the pkcs8_private_keys in the [rustl-pemfile crate](https://docs.rs/rustls-pemfile/latest/rustls_pemfile/)... ### Csi-controller and Diskpool operator: - Added support for TLS configuration based on CA certificate path. - if certs are provided, use https, if not use http. - error handling for HTTPS connections without a certificate etc Co-authored-by: John Zakrzewski <Jozakrzewski@microsoft.com>
diff --git a/control-plane/csi-driver/src/bin/controller/client.rs b/control-plane/csi-driver/src/bin/controller/client.rs
@@ -123,16 +123,49 @@ impl RestApiClient {
         let url = clients::tower::Url::parse(endpoint)
             .map_err(|error| anyhow!("Invalid API endpoint URL {}: {:?}", endpoint, error))?;
         let concurrency_limit = cfg.create_volume_limit() * 2;
-        let tower = clients::tower::Configuration::builder()
-            .with_timeout(cfg.io_timeout())
-            .with_concurrency_limit(Some(concurrency_limit))
-            .build_url(url)
-            .map_err(|error| {
-                anyhow::anyhow!(
-                    "Failed to create openapi configuration, Error: '{:?}'",
-                    error
-                )
-            })?;
+        let ca_certificate_path = cfg.ca_certificate_path();
+        let cert = match ca_certificate_path {
+            Some(path) => {
+                let cert = std::fs::read(path).map_err(|error| {
+                    anyhow::anyhow!(
+                        "Failed to create openapi configuration at path {}, Error: '{:?}'",
+                        path.display(),
+                        error
+                    )
+                })?;
+                Some(cert)
+            }
+            None => None,
+        };
+        let tower = match (url.scheme(), cert) {
+            ("https", Some(cert)) => clients::tower::Configuration::builder()
+                .with_timeout(Some(cfg.io_timeout()))
+                .with_concurrency_limit(Some(concurrency_limit))
+                .with_certificate(cert.as_slice())
+                .build_url(url)
+                .map_err(|error| {
+                    anyhow::anyhow!(
+                        "Failed to create openapi configuration, Error: '{:?}'",
+                        error
+                    )
+                })?,
+            ("https", None) => {
+                anyhow::bail!("HTTPS endpoint requires a CA certificate path");
+            }
+            (_, Some(_path)) => {
+                anyhow::bail!("CA certificate path is only supported for HTTPS endpoints");
+            }
+            _ => clients::tower::Configuration::builder()
+                .with_timeout(Some(cfg.io_timeout()))
+                .with_concurrency_limit(Some(concurrency_limit))
+                .build_url(url)
+                .map_err(|error| {
+                    anyhow::anyhow!(
+                        "Failed to create openapi configuration, Error: '{:?}'",
+                        error
+                    )
+                })?,
+        };
 
         REST_CLIENT.get_or_init(|| Self {
             rest_client: clients::tower::ApiClient::new(tower.clone()),
diff --git a/control-plane/csi-driver/src/bin/controller/config.rs b/control-plane/csi-driver/src/bin/controller/config.rs
@@ -1,7 +1,11 @@
 use anyhow::Context;
 use clap::ArgMatches;
 use once_cell::sync::OnceCell;
-use std::{collections::HashMap, time::Duration};
+use std::{
+    collections::HashMap,
+    path::{Path, PathBuf},
+    time::Duration,
+};
 
 static CONFIG: OnceCell<CsiControllerConfig> = OnceCell::new();
 
@@ -17,6 +21,8 @@ pub(crate) struct CsiControllerConfig {
     create_volume_limit: usize,
     /// Force unstage volume.
     force_unstage_volume: bool,
+    /// Path to the CA certificate file.
+    ca_certificate_path: Option<PathBuf>,
 }
 
 impl CsiControllerConfig {
@@ -50,14 +56,17 @@ impl CsiControllerConfig {
             tracing::warn!(
                 "Force unstage volume is disabled, can trigger potential data corruption!"
             );
-        }
+        };
+
+        let ca_certificate_path: Option<&PathBuf> = args.get_one::<PathBuf>("tls-client-ca-path");
 
         CONFIG.get_or_init(|| Self {
             rest_endpoint: rest_endpoint.into(),
             io_timeout: io_timeout.into(),
             node_selector,
             create_volume_limit,
             force_unstage_volume,
+            ca_certificate_path: ca_certificate_path.cloned(),
         });
         Ok(())
     }
@@ -92,4 +101,9 @@ impl CsiControllerConfig {
     pub(crate) fn force_unstage_volume(&self) -> bool {
         self.force_unstage_volume
     }
+
+    /// Path to the CA certificate file.
+    pub(crate) fn ca_certificate_path(&self) -> Option<&Path> {
+        self.ca_certificate_path.as_deref()
+    }
 }
diff --git a/control-plane/csi-driver/src/bin/controller/main.rs b/control-plane/csi-driver/src/bin/controller/main.rs
@@ -131,6 +131,11 @@ async fn main() -> anyhow::Result<()> {
                 .value_parser(clap::value_parser!(bool))
                 .help("Enable force unstage volume feature")
         )
+        .arg(
+            Arg::new("tls-client-ca-path")
+                .long("tls-client-ca-path")
+                .help("path to the CA certificate file")
+        )
         .get_matches();
 
     utils::print_package_info!();
diff --git a/control-plane/csi-driver/src/bin/node/client.rs b/control-plane/csi-driver/src/bin/node/client.rs
@@ -6,7 +6,7 @@ use stor_port::types::v0::openapi::{
 };
 
 use anyhow::anyhow;
-use std::{collections::HashMap, sync::Arc, time::Duration};
+use std::{collections::HashMap, path::PathBuf, sync::Arc, time::Duration};
 use stor_port::types::v0::openapi::{
     apis::{
         app_nodes_api::tower::client::direct::AppNodes,
@@ -107,6 +107,7 @@ impl AppNodesClientWrapper {
     /// Initialize AppNodes API client instance.
     pub(crate) fn initialize(
         endpoint: Option<&String>,
+        ca_certificate_path: Option<&PathBuf>,
     ) -> anyhow::Result<Option<AppNodesClientWrapper>> {
         const REST_TIMEOUT: Duration = Duration::from_secs(5);
 
@@ -117,12 +118,49 @@ impl AppNodesClientWrapper {
         let url = clients::tower::Url::parse(endpoint)
             .map_err(|error| anyhow!("Invalid API endpoint URL {endpoint}: {error:?}"))?;
 
-        let tower = clients::tower::Configuration::builder()
-            .with_timeout(REST_TIMEOUT)
-            .build_url(url)
-            .map_err(|error| {
-                anyhow::anyhow!("Failed to create openapi configuration, Error: '{error:?}'")
-            })?;
+        let cert = match ca_certificate_path {
+            Some(path) => {
+                let cert = std::fs::read(path).map_err(|error| {
+                    anyhow::anyhow!(
+                        "Failed to create openapi configuration at path {}, Error: '{:?}'",
+                        path.display(),
+                        error
+                    )
+                })?;
+                Some(cert)
+            }
+            None => None,
+        };
+
+        let tower = match (url.scheme(), cert) {
+            ("https", Some(cert)) => clients::tower::Configuration::builder()
+                .with_timeout(REST_TIMEOUT)
+                .with_concurrency_limit(Some(10))
+                .with_certificate(&cert)
+                .build_url(url)
+                .map_err(|error| {
+                    anyhow::anyhow!(
+                        "Failed to create openapi configuration***, Error: '{:?}'",
+                        error
+                    )
+                })?,
+            ("https", None) => {
+                anyhow::bail!("HTTPS endpoint requires a CA certificate path");
+            }
+            (_, Some(_path)) => {
+                anyhow::bail!("CA certificate path is only supported for HTTPS endpoints");
+            }
+            _ => clients::tower::Configuration::builder()
+                .with_timeout(REST_TIMEOUT)
+                .with_concurrency_limit(Some(10))
+                .build_url(url)
+                .map_err(|error| {
+                    anyhow::anyhow!(
+                        "Failed to create openapi configuration, Error???: '{:?}'",
+                        error
+                    )
+                })?,
+        };
 
         info!(
             "API client is initialized with endpoint {endpoint}, request timeout = {REST_TIMEOUT:?}"
@@ -169,20 +207,56 @@ pub(crate) struct VolumesClientWrapper {
 
 impl VolumesClientWrapper {
     /// Initialize VolumesClientWrapper instance.
-    pub(crate) fn new(endpoint: &str) -> anyhow::Result<Self> {
+    pub(crate) fn new(
+        endpoint: &str,
+        ca_certificate_path: Option<PathBuf>,
+    ) -> anyhow::Result<Self> {
         /// TODO: what's the NodeStage timeout?
         const REST_TIMEOUT: Duration = Duration::from_secs(10);
 
         let url = clients::tower::Url::parse(endpoint)
             .map_err(|error| anyhow!("Invalid API endpoint URL {endpoint}: {error:?}"))?;
+        let cert = match ca_certificate_path {
+            Some(path) => {
+                let cert = std::fs::read(path.clone()).map_err(|error| {
+                    anyhow::anyhow!(
+                        "Failed to create openapi configuration at path {}, Error: '{:?}'",
+                        path.display(),
+                        error
+                    )
+                })?;
+                Some(cert)
+            }
+            None => None,
+        };
 
-        let config = clients::tower::Configuration::builder()
-            .with_timeout(REST_TIMEOUT)
-            .with_concurrency_limit(Some(10))
-            .build_url(url)
-            .map_err(|error| {
-                anyhow::anyhow!("Failed to create openapi configuration, Error: '{error:?}'")
-            })?;
+        let config = match (url.scheme(), cert) {
+            ("https", Some(cert)) => clients::tower::Configuration::builder()
+                .with_timeout(REST_TIMEOUT)
+                .with_certificate(&cert)
+                .build_url(url)
+                .map_err(|error| {
+                    anyhow::anyhow!(
+                        "Failed to create openapi configuration***, Error: '{:?}'",
+                        error
+                    )
+                })?,
+            ("https", None) => {
+                anyhow::bail!("HTTPS endpoint requires a CA certificate path");
+            }
+            (_, Some(_path)) => {
+                anyhow::bail!("CA certificate path is only supported for HTTPS endpoints");
+            }
+            _ => clients::tower::Configuration::builder()
+                .with_timeout(REST_TIMEOUT)
+                .build_url(url)
+                .map_err(|error| {
+                    anyhow::anyhow!(
+                        "Failed to create openapi configuration, Error???: '{:?}'",
+                        error
+                    )
+                })?,
+        };
 
         info!(
             "VolumesClient API is initialized with endpoint {endpoint}, request timeout = {REST_TIMEOUT:?}"
diff --git a/control-plane/csi-driver/src/bin/node/main_.rs b/control-plane/csi-driver/src/bin/node/main_.rs
@@ -29,6 +29,7 @@ use std::{
     future::Future,
     io::ErrorKind,
     net::{IpAddr, SocketAddr},
+    path::PathBuf,
     str::FromStr,
 };
 use tokio::net::UnixListener;
@@ -191,6 +192,13 @@ pub(super) async fn main() -> anyhow::Result<()> {
                 .default_value("/var/lib/kubelet")
                 .help("Kubelet path on the host system")
         )
+        .arg(
+            Arg::new("tls-client-ca-path")
+                .long("tls-client-ca-path")
+                .value_parser(clap::value_parser!(PathBuf))
+                .requires("enable-rest")
+                .help("path to the CA certificate file")
+        )
         .subcommand(
             clap::Command::new("fs-freeze")
                 .arg(
@@ -345,7 +353,10 @@ pub(super) async fn main() -> anyhow::Result<()> {
     }
 
     // Initialize the rest api client.
-    let client = AppNodesClientWrapper::initialize(matches.get_one::<String>("rest-endpoint"))?;
+    let client = AppNodesClientWrapper::initialize(
+        matches.get_one::<String>("rest-endpoint"),
+        matches.get_one::<PathBuf>("tls-client-ca-path"),
+    )?;
 
     let registration_enabled = matches.get_flag("enable-registration");
 
@@ -403,7 +414,10 @@ impl CsiServer {
         };
 
         let vol_client = match cli_args.get_one::<String>("rest-endpoint") {
-            Some(ep) if cli_args.get_flag("enable-rest") => Some(VolumesClientWrapper::new(ep)?),
+            Some(ep) if cli_args.get_flag("enable-rest") => {
+                let cert = cli_args.get_one::<PathBuf>("tls-client-ca-path");
+                Some(VolumesClientWrapper::new(ep, cert.cloned())?)
+            }
             _ => {
                 tracing::warn!("The rest client is not enabled - functionality may be limited");
                 None
diff --git a/control-plane/rest/service/src/main.rs b/control-plane/rest/service/src/main.rs
@@ -185,6 +185,7 @@ fn load_certificates<R: std::io::Read>(
         .map_err(|_| {
             anyhow::anyhow!("Failed to retrieve the rsa private keys from the key file",)
         })?;
+
     if keys.is_empty() {
         anyhow::bail!("No keys found in the keys file");
     }
diff --git a/k8s/operators/src/pool/main.rs b/k8s/operators/src/pool/main.rs
@@ -129,14 +129,49 @@ async fn pool_controller(args: ArgMatches) -> anyhow::Result<()> {
         .expect("timeout value is invalid")
         .into();
 
-    let cfg = clients::tower::Configuration::new(url, timeout, None, None, true, None).map_err(
-        |error| {
+    let ca_certificate_path: Option<&str> = args
+        .get_one::<String>("tls-client-ca-path")
+        .map(|x| x.as_str());
+    // take in cert path and make pem file
+    let cert = match ca_certificate_path {
+        Some(path) => {
+            let cert = std::fs::read(path).map_err(|error| {
+                anyhow::anyhow!("Failed to read certificate file, Error: '{:?}'", error)
+            })?;
+            Some(cert)
+        }
+        None => None,
+    };
+    let cfg = match (url.scheme(), cert) {
+        ("https", Some(cert)) => clients::tower::Configuration::new(
+            url,
+            timeout,
+            None,
+            Some(cert.as_slice()),
+            true,
+            None,
+        )
+        .map_err(|error| {
             anyhow::anyhow!(
                 "Failed to create openapi configuration, Error: '{:?}'",
                 error
             )
-        },
-    )?;
+        })?,
+        ("https", None) => {
+            anyhow::bail!("HTTPS endpoint requires a CA certificate path");
+        }
+        (_, Some(_path)) => {
+            anyhow::bail!("CA certificate path is only supported for HTTPS endpoints");
+        }
+        _ => clients::tower::Configuration::new(url, timeout, None, None, true, None).map_err(
+            |error| {
+                anyhow::anyhow!(
+                    "Failed to create openapi configuration, Error: '{:?}'",
+                    error
+                )
+            },
+        )?,
+    };
     let interval = args
         .get_one::<String>("interval")
         .unwrap()
@@ -243,6 +278,11 @@ async fn main() -> anyhow::Result<()> {
                 .value_parser(clap::value_parser!(bool))
                 .help("Enable ansi color for logs"),
         )
+        .arg(
+            Arg::new("tls-client-ca-path")
+                .long("tls-client-ca-path")
+                .help("path to the CA certificate file"),
+        )
         .get_matches();
 
     utils::print_package_info!();

Original file line number	Diff line number	Diff line change
`@@ -185,6 +185,7 @@ fn load_certificates<R: std::io::Read>(`
`185`	`185`	`.map_err(\|_\| {`
`186`	`186`	`anyhow::anyhow!("Failed to retrieve the rsa private keys from the key file",)`
`187`	`187`	`})?;`
	`188`	`+`
`188`	`189`	`if keys.is_empty() {`
`189`	`190`	`anyhow::bail!("No keys found in the keys file");`
`190`	`191`	`}`