configuring csi-controller to speak tls

Signed-off-by: John Zakrzewski <[email protected]>

Author: John Zakrzewski

control-plane/csi-driver/src/bin/controller/client.rs

@@ -123,16 +123,44 @@ impl RestApiClient {
         let url = clients::tower::Url::parse(endpoint)
             .map_err(|error| anyhow!("Invalid API endpoint URL {}: {:?}", endpoint, error))?;
         let concurrency_limit = cfg.create_volume_limit() * 2;
-        let tower = clients::tower::Configuration::builder()
-            .with_timeout(cfg.io_timeout())
-            .with_concurrency_limit(Some(concurrency_limit))
-            .build_url(url)
-            .map_err(|error| {
-                anyhow::anyhow!(
-                    "Failed to create openapi configuration, Error: '{:?}'",
-                    error
-                )
-            })?;
+        let ca_certificate_path = cfg.ca_certificate_path();
+
+        let tower = match (url.scheme(), ca_certificate_path) {
+            ("https", Some(path)) => {
+                debug!("Attempting TLS connection to {}", url);
+
+                // Use new_with_client method to create the configuration
+                clients::tower::Configuration::builder()
+                    .with_timeout(Some(cfg.io_timeout()))
+                    .with_concurrency_limit(Some(concurrency_limit))
+                    .with_certificate(path.as_bytes())
+                    .build_url(url)
+                    .map_err(|error| {
+                        anyhow::anyhow!(
+                            "Failed to create openapi configuration, Error: '{:?}'",
+                            error
+                        )
+                    })?
+            },
+            ("https", None) => {
+                anyhow::bail!("HTTPS endpoint requires a CA certificate path");
+            },
+            (_, Some(_path)) => {
+                anyhow::bail!("CA certificate path is only supported for HTTPS endpoints");
+            },
+            _ => {
+                clients::tower::Configuration::builder()
+                    .with_timeout(Some(cfg.io_timeout()))
+                    .with_concurrency_limit(Some(concurrency_limit))
+                    .build_url(url)
+                    .map_err(|error| {
+                        anyhow::anyhow!(
+                            "Failed to create openapi configuration, Error: '{:?}'",
+                            error
+                        )
+                    })?
+            }
+        };
 
         REST_CLIENT.get_or_init(|| Self {
             rest_client: clients::tower::ApiClient::new(tower.clone()),

control-plane/csi-driver/src/bin/controller/config.rs

@@ -17,6 +17,8 @@ pub(crate) struct CsiControllerConfig {
     create_volume_limit: usize,
     /// Force unstage volume.
     force_unstage_volume: bool,
+    /// Path to the CA certificate file.
+    ca_certificate_path: Option<String>,
 }
 
 impl CsiControllerConfig {
@@ -50,14 +52,17 @@ impl CsiControllerConfig {
             tracing::warn!(
                 "Force unstage volume is disabled, can trigger potential data corruption!"
             );
-        }
+        };
+
+        let ca_certificate_path = args.get_one::<String>("tls-client-ca-path");
 
         CONFIG.get_or_init(|| Self {
             rest_endpoint: rest_endpoint.into(),
             io_timeout: io_timeout.into(),
             node_selector,
             create_volume_limit,
             force_unstage_volume,
+            ca_certificate_path: ca_certificate_path.cloned(),
         });
         Ok(())
     }
@@ -92,4 +97,9 @@ impl CsiControllerConfig {
     pub(crate) fn force_unstage_volume(&self) -> bool {
         self.force_unstage_volume
     }
+
+     /// Path to the CA certificate file.
+     pub(crate) fn ca_certificate_path(&self) -> Option<&str> {
+        self.ca_certificate_path.as_deref()
+    }
 }

control-plane/csi-driver/src/bin/controller/main.rs

@@ -131,6 +131,11 @@ async fn main() -> anyhow::Result<()> {
                 .value_parser(clap::value_parser!(bool))
                 .help("Enable force unstage volume feature")
         )
+        .arg(
+            Arg::new("tls-client-ca-path")
+                .long("tls-client-ca-path")
+                .help("path to the CA certificate file"),
+        )
         .get_matches();
 
     utils::print_package_info!();