feat: configure rest components for tls

Signed-off-by: John Zakrzewski <[email protected]>

configuring diskpool operator to speak tls

Signed-off-by: John Zakrzewski <[email protected]>

debugging rest api and cert configuration

Signed-off-by: John Zakrzewski <[email protected]>

tidying up

Signed-off-by: John Zakrzewski <[email protected]>

resolving comments

Signed-off-by: John Zakrzewski <[email protected]>

fix: running linter

Signed-off-by: John Zakrzewski <[email protected]>

fix: address failed tests, rely on cert-manager for certs

Signed-off-by: John Zakrzewski <[email protected]>

fix: addressing comments

Signed-off-by: John Zakrzewski <[email protected]>

Author: John Zakrzewski

control-plane/csi-driver/src/bin/controller/client.rs

@@ -123,16 +123,49 @@ impl RestApiClient {
         let url = clients::tower::Url::parse(endpoint)
             .map_err(|error| anyhow!("Invalid API endpoint URL {}: {:?}", endpoint, error))?;
         let concurrency_limit = cfg.create_volume_limit() * 2;
-        let tower = clients::tower::Configuration::builder()
-            .with_timeout(cfg.io_timeout())
-            .with_concurrency_limit(Some(concurrency_limit))
-            .build_url(url)
-            .map_err(|error| {
-                anyhow::anyhow!(
-                    "Failed to create openapi configuration, Error: '{:?}'",
-                    error
-                )
-            })?;
+        let ca_certificate_path = cfg.ca_certificate_path();
+        let cert = match ca_certificate_path {
+            Some(path) => {
+                let cert = std::fs::read(path).map_err(|error| {
+                    anyhow::anyhow!(
+                        "Failed to create openapi configuration at path {}, Error: '{:?}'",
+                        path.display(),
+                        error
+                    )
+                })?;
+                Some(cert)
+            }
+            None => None,
+        };
+        let tower = match (url.scheme(), cert) {
+            ("https", Some(cert)) => clients::tower::Configuration::builder()
+                .with_timeout(Some(cfg.io_timeout()))
+                .with_concurrency_limit(Some(concurrency_limit))
+                .with_certificate(cert.as_slice())
+                .build_url(url)
+                .map_err(|error| {
+                    anyhow::anyhow!(
+                        "Failed to create openapi configuration, Error: '{:?}'",
+                        error
+                    )
+                })?,
+            ("https", None) => {
+                anyhow::bail!("HTTPS endpoint requires a CA certificate path");
+            }
+            (_, Some(_path)) => {
+                anyhow::bail!("CA certificate path is only supported for HTTPS endpoints");
+            }
+            _ => clients::tower::Configuration::builder()
+                .with_timeout(Some(cfg.io_timeout()))
+                .with_concurrency_limit(Some(concurrency_limit))
+                .build_url(url)
+                .map_err(|error| {
+                    anyhow::anyhow!(
+                        "Failed to create openapi configuration, Error: '{:?}'",
+                        error
+                    )
+                })?,
+        };
 
         REST_CLIENT.get_or_init(|| Self {
             rest_client: clients::tower::ApiClient::new(tower.clone()),

control-plane/csi-driver/src/bin/controller/config.rs

@@ -1,7 +1,11 @@
 use anyhow::Context;
 use clap::ArgMatches;
 use once_cell::sync::OnceCell;
-use std::{collections::HashMap, time::Duration};
+use std::{
+    collections::HashMap,
+    path::{Path, PathBuf},
+    time::Duration,
+};
 
 static CONFIG: OnceCell<CsiControllerConfig> = OnceCell::new();
 
@@ -17,6 +21,8 @@ pub(crate) struct CsiControllerConfig {
     create_volume_limit: usize,
     /// Force unstage volume.
     force_unstage_volume: bool,
+    /// Path to the CA certificate file.
+    ca_certificate_path: Option<PathBuf>,
 }
 
 impl CsiControllerConfig {
@@ -50,14 +56,17 @@ impl CsiControllerConfig {
             tracing::warn!(
                 "Force unstage volume is disabled, can trigger potential data corruption!"
             );
-        }
+        };
+
+        let ca_certificate_path: Option<&PathBuf> = args.get_one::<PathBuf>("tls-client-ca-path");
 
         CONFIG.get_or_init(|| Self {
             rest_endpoint: rest_endpoint.into(),
             io_timeout: io_timeout.into(),
             node_selector,
             create_volume_limit,
             force_unstage_volume,
+            ca_certificate_path: ca_certificate_path.cloned(),
         });
         Ok(())
     }
@@ -92,4 +101,9 @@ impl CsiControllerConfig {
     pub(crate) fn force_unstage_volume(&self) -> bool {
         self.force_unstage_volume
     }
+
+    /// Path to the CA certificate file.
+    pub(crate) fn ca_certificate_path(&self) -> Option<&Path> {
+        self.ca_certificate_path.as_deref()
+    }
 }

control-plane/csi-driver/src/bin/controller/main.rs

@@ -131,6 +131,11 @@ async fn main() -> anyhow::Result<()> {
                 .value_parser(clap::value_parser!(bool))
                 .help("Enable force unstage volume feature")
         )
+        .arg(
+            Arg::new("tls-client-ca-path")
+                .long("tls-client-ca-path")
+                .help("path to the CA certificate file")
+        )
         .get_matches();
 
     utils::print_package_info!();

control-plane/rest/service/src/main.rs

@@ -185,6 +185,7 @@ fn load_certificates<R: std::io::Read>(
         .map_err(|_| {
             anyhow::anyhow!("Failed to retrieve the rsa private keys from the key file",)
         })?;
+
     if keys.is_empty() {
         anyhow::bail!("No keys found in the keys file");
     }

k8s/operators/src/pool/main.rs

@@ -129,14 +129,49 @@ async fn pool_controller(args: ArgMatches) -> anyhow::Result<()> {
         .expect("timeout value is invalid")
         .into();
 
-    let cfg = clients::tower::Configuration::new(url, timeout, None, None, true, None).map_err(
-        |error| {
+    let ca_certificate_path: Option<&str> = args
+        .get_one::<String>("tls-client-ca-path")
+        .map(|x| x.as_str());
+    // take in cert path and make pem file
+    let cert = match ca_certificate_path {
+        Some(path) => {
+            let cert = std::fs::read(path).map_err(|error| {
+                anyhow::anyhow!("Failed to read certificate file, Error: '{:?}'", error)
+            })?;
+            Some(cert)
+        }
+        None => None,
+    };
+    let cfg = match (url.scheme(), cert) {
+        ("https", Some(cert)) => clients::tower::Configuration::new(
+            url,
+            timeout,
+            None,
+            Some(cert.as_slice()),
+            true,
+            None,
+        )
+        .map_err(|error| {
             anyhow::anyhow!(
                 "Failed to create openapi configuration, Error: '{:?}'",
                 error
             )
-        },
-    )?;
+        })?,
+        ("https", None) => {
+            anyhow::bail!("HTTPS endpoint requires a CA certificate path");
+        }
+        (_, Some(_path)) => {
+            anyhow::bail!("CA certificate path is only supported for HTTPS endpoints");
+        }
+        _ => clients::tower::Configuration::new(url, timeout, None, None, true, None).map_err(
+            |error| {
+                anyhow::anyhow!(
+                    "Failed to create openapi configuration, Error: '{:?}'",
+                    error
+                )
+            },
+        )?,
+    };
     let interval = args
         .get_one::<String>("interval")
         .unwrap()
@@ -243,6 +278,11 @@ async fn main() -> anyhow::Result<()> {
                 .value_parser(clap::value_parser!(bool))
                 .help("Enable ansi color for logs"),
         )
+        .arg(
+            Arg::new("tls-client-ca-path")
+                .long("tls-client-ca-path")
+                .help("path to the CA certificate file"),
+        )
         .get_matches();
 
     utils::print_package_info!();