Try #927:

mayastor-bors · mayastor-bors · commit 8a1752587e68 · 2025-02-08T13:11:17.000Z
diff --git a/control-plane/csi-driver/src/bin/controller/client.rs b/control-plane/csi-driver/src/bin/controller/client.rs
@@ -123,16 +123,53 @@ impl RestApiClient {
         let url = clients::tower::Url::parse(endpoint)
             .map_err(|error| anyhow!("Invalid API endpoint URL {}: {:?}", endpoint, error))?;
         let concurrency_limit = cfg.create_volume_limit() * 2;
-        let tower = clients::tower::Configuration::builder()
-            .with_timeout(cfg.io_timeout())
-            .with_concurrency_limit(Some(concurrency_limit))
-            .build_url(url)
-            .map_err(|error| {
-                anyhow::anyhow!(
-                    "Failed to create openapi configuration, Error: '{:?}'",
-                    error
-                )
-            })?;
+        let ca_certificate_path = cfg.ca_certificate_path();
+        let cert = match ca_certificate_path {
+            Some(path) => {
+                let cert = std::fs::read(path).map_err(|error| {
+                    anyhow::anyhow!(
+                        "Failed to create openapi configuration, Error: '{:?}'",
+                        error
+                    )
+                })?;
+                Some(cert)
+            }
+            None => None,
+        };
+        let tower = match (url.scheme(), cert) {
+            ("https", Some(cert)) => {
+                debug!("Attempting TLS connection to {}", url);
+
+                // Use new_with_client method to create the configuration
+                clients::tower::Configuration::builder()
+                    .with_timeout(Some(cfg.io_timeout()))
+                    .with_concurrency_limit(Some(concurrency_limit))
+                    .with_certificate(cert.as_slice())
+                    .build_url(url)
+                    .map_err(|error| {
+                        anyhow::anyhow!(
+                            "Failed to create openapi configuration, Error: '{:?}'",
+                            error
+                        )
+                    })?
+            }
+            ("https", None) => {
+                anyhow::bail!("HTTPS endpoint requires a CA certificate path");
+            }
+            (_, Some(_path)) => {
+                anyhow::bail!("CA certificate path is only supported for HTTPS endpoints");
+            }
+            _ => clients::tower::Configuration::builder()
+                .with_timeout(Some(cfg.io_timeout()))
+                .with_concurrency_limit(Some(concurrency_limit))
+                .build_url(url)
+                .map_err(|error| {
+                    anyhow::anyhow!(
+                        "Failed to create openapi configuration, Error: '{:?}'",
+                        error
+                    )
+                })?,
+        };
 
         REST_CLIENT.get_or_init(|| Self {
             rest_client: clients::tower::ApiClient::new(tower.clone()),
diff --git a/control-plane/csi-driver/src/bin/controller/config.rs b/control-plane/csi-driver/src/bin/controller/config.rs
@@ -1,7 +1,11 @@
 use anyhow::Context;
 use clap::ArgMatches;
 use once_cell::sync::OnceCell;
-use std::{collections::HashMap, time::Duration};
+use std::{
+    collections::HashMap,
+    path::{Path, PathBuf},
+    time::Duration,
+};
 
 static CONFIG: OnceCell<CsiControllerConfig> = OnceCell::new();
 
@@ -17,6 +21,8 @@ pub(crate) struct CsiControllerConfig {
     create_volume_limit: usize,
     /// Force unstage volume.
     force_unstage_volume: bool,
+    /// Path to the CA certificate file.
+    ca_certificate_path: Option<PathBuf>,
 }
 
 impl CsiControllerConfig {
@@ -50,14 +56,17 @@ impl CsiControllerConfig {
             tracing::warn!(
                 "Force unstage volume is disabled, can trigger potential data corruption!"
             );
-        }
+        };
+
+        let ca_certificate_path: Option<&PathBuf> = args.get_one::<PathBuf>("tls-client-ca-path");
 
         CONFIG.get_or_init(|| Self {
             rest_endpoint: rest_endpoint.into(),
             io_timeout: io_timeout.into(),
             node_selector,
             create_volume_limit,
             force_unstage_volume,
+            ca_certificate_path: ca_certificate_path.cloned(),
         });
         Ok(())
     }
@@ -92,4 +101,9 @@ impl CsiControllerConfig {
     pub(crate) fn force_unstage_volume(&self) -> bool {
         self.force_unstage_volume
     }
+
+    /// Path to the CA certificate file.
+    pub(crate) fn ca_certificate_path(&self) -> Option<&Path> {
+        self.ca_certificate_path.as_deref()
+    }
 }
diff --git a/control-plane/csi-driver/src/bin/controller/main.rs b/control-plane/csi-driver/src/bin/controller/main.rs
@@ -131,6 +131,11 @@ async fn main() -> anyhow::Result<()> {
                 .value_parser(clap::value_parser!(bool))
                 .help("Enable force unstage volume feature")
         )
+        .arg(
+            Arg::new("tls-client-ca-path")
+                .long("tls-client-ca-path")
+                .help("path to the CA certificate file")
+        )
         .get_matches();
 
     utils::print_package_info!();
diff --git a/control-plane/rest/service/src/main.rs b/control-plane/rest/service/src/main.rs
@@ -21,7 +21,7 @@ use clap::Parser;
 use grpc::{client::CoreClient, operations::jsongrpc::client::JsonGrpcClient};
 use http::Uri;
 use rustls::{pki_types::PrivateKeyDer, ServerConfig};
-use rustls_pemfile::{certs, rsa_private_keys};
+use rustls_pemfile::{certs, pkcs8_private_keys};
 use std::{fs::File, io::BufReader, time::Duration};
 use stor_port::transport_api::{RequestMinTimeout, TimeoutOptions};
 use utils::{
@@ -180,17 +180,18 @@ fn load_certificates<R: std::io::Read>(
         .map_err(|_| {
             anyhow::anyhow!("Failed to retrieve certificates from the certificate file",)
         })?;
-    let mut keys = rsa_private_keys(key_file)
+    let mut keys: Vec<rustls::pki_types::PrivatePkcs8KeyDer<'_>> = pkcs8_private_keys(key_file)
         .collect::<Result<Vec<_>, _>>()
         .map_err(|_| {
             anyhow::anyhow!("Failed to retrieve the rsa private keys from the key file",)
         })?;
+
     if keys.is_empty() {
         anyhow::bail!("No keys found in the keys file");
     }
     let config = config
         .with_no_client_auth()
-        .with_single_cert(cert_chain, PrivateKeyDer::Pkcs1(keys.remove(0)))?;
+        .with_single_cert(cert_chain, PrivateKeyDer::Pkcs8(keys.remove(0)))?;
     Ok(config)
 }
 
diff --git a/k8s/operators/src/pool/main.rs b/k8s/operators/src/pool/main.rs
@@ -31,7 +31,7 @@ use kube::{
 use mayastorpool::client::{check_crd, delete, list};
 use openapi::clients::{self, tower::Url};
 use std::{collections::HashMap, sync::Arc, time::Duration};
-use tracing::{error, info, trace, warn};
+use tracing::{debug, error, info, trace, warn};
 use utils::tracing_telemetry::{FmtLayer, FmtStyle};
 
 const PAGINATION_LIMIT: u32 = 100;
@@ -129,14 +129,51 @@ async fn pool_controller(args: ArgMatches) -> anyhow::Result<()> {
         .expect("timeout value is invalid")
         .into();
 
-    let cfg = clients::tower::Configuration::new(url, timeout, None, None, true, None).map_err(
-        |error| {
-            anyhow::anyhow!(
-                "Failed to create openapi configuration, Error: '{:?}'",
-                error
+    let ca_certificate_path: Option<&str> = args
+        .get_one::<String>("tls-client-ca-path")
+        .map(|x| x.as_str());
+    // take in cert path and make pem file
+    let cert = match ca_certificate_path {
+        Some(path) => {
+            let cert = std::fs::read(path).expect("Failed to read certificate file");
+            Some(cert)
+        }
+        None => None,
+    };
+    let cfg = match (url.scheme(), cert) {
+        ("https", Some(cert)) => {
+            debug!("Attempting TLS connection to {}", url);
+
+            clients::tower::Configuration::new(
+                url,
+                timeout,
+                None,
+                Some(cert.as_slice()),
+                true,
+                None,
             )
-        },
-    )?;
+            .map_err(|error| {
+                anyhow::anyhow!(
+                    "Failed to create openapi configuration, Error: '{:?}'",
+                    error
+                )
+            })?
+        }
+        ("https", None) => {
+            anyhow::bail!("HTTPS endpoint requires a CA certificate path");
+        }
+        (_, Some(_path)) => {
+            anyhow::bail!("CA certificate path is only supported for HTTPS endpoints");
+        }
+        _ => clients::tower::Configuration::new(url, timeout, None, None, true, None).map_err(
+            |error| {
+                anyhow::anyhow!(
+                    "Failed to create openapi configuration, Error: '{:?}'",
+                    error
+                )
+            },
+        )?,
+    };
     let interval = args
         .get_one::<String>("interval")
         .unwrap()
@@ -243,6 +280,11 @@ async fn main() -> anyhow::Result<()> {
                 .value_parser(clap::value_parser!(bool))
                 .help("Enable ansi color for logs"),
         )
+        .arg(
+            Arg::new("tls-client-ca-path")
+                .long("tls-client-ca-path")
+                .help("path to the CA certificate file"),
+        )
         .get_matches();
 
     utils::print_package_info!();
