feat: configure callhome for tls with restapi

Signed-off-by: John Zakrzewski <[email protected]>

Author: John Zakrzewski

call-home/src/bin/callhome/main.rs

@@ -52,6 +52,10 @@ struct CliArgs {
     /// The endpoint to fetch events stats.
     #[clap(long, short)]
     aggregator_url: Option<Url>,
+
+    /// The path to the TLS CA certificate
+    #[clap(long, short)]
+    tls_client_ca_path: Option<String>,
 }
 impl CliArgs {
     fn args() -> Self {
@@ -107,12 +111,42 @@ async fn run(logs: Arc<Mutex<VecDeque<LogEntry>>>) -> anyhow::Result<()> {
             anyhow::anyhow!("failed to generate metrics receiver client: {:?}", error)
         })?;
 
+    let ca_certificate_path = args.tls_client_ca_path;
+    let cert = match ca_certificate_path {
+        Some(path) => {
+            let cert = std::fs::read(path).map_err(|error| {
+                anyhow::anyhow!("Failed to read certificate file, Error: '{:?}'", error)
+            })?;
+            Some(cert)
+        }
+        None => None,
+    };
+
     // Generate Mayastor REST client.
-    let config = Configuration::builder()
-        .with_timeout(Duration::from_secs(30))
-        .with_tracing(true)
-        .build_url(endpoint)
-        .map_err(|error| anyhow::anyhow!("failed to create openapi configuration: {:?}", error))?;
+    let config = match (endpoint.scheme(), cert.as_deref()) {
+        ("https", Some(cert)) => Configuration::builder()
+            .with_timeout(Duration::from_secs(30))
+            .with_tracing(true)
+            .with_certificate(cert)
+            .build_url(endpoint)
+            .map_err(|error| {
+                anyhow::anyhow!("failed to create openapi configuration: {:?}", error)
+            })?,
+        ("https", None) => {
+            anyhow::bail!("HTTPS endpoint requires a CA certificate path");
+        }
+        (_, Some(_path)) => {
+            anyhow::bail!("TLS certificate is only supported for HTTPS connection")
+        }
+        _ => Configuration::builder()
+            .with_timeout(Duration::from_secs(30))
+            .with_tracing(true)
+            .build_url(endpoint)
+            .map_err(|error| {
+                anyhow::anyhow!("failed to create openapi configuration: {:?}", error)
+            })?,
+    };
+
     let client = openapi::clients::tower::ApiClient::new(config);
 
     loop {

chart/README.md

@@ -56,6 +56,7 @@ This removes all the Kubernetes components associated with the chart and deletes
 |------------|------|---------|
 |  | crds | 0.0.0 |
 | https://charts.bitnami.com/bitnami | etcd | 8.6.0 |
+| https://charts.jetstack.io | cert-manager(cert-manager) | v1.17.0 |
 | https://grafana.github.io/helm-charts | loki-stack | 2.9.11 |
 | https://jaegertracing.github.io/helm-charts | jaeger-operator | 2.50.1 |
 | https://nats-io.github.io/k8s/helm/charts/ | nats | 0.19.14 |
@@ -114,6 +115,7 @@ This removes all the Kubernetes components associated with the chart and deletes
 | apis.​rest.​service.​type | Rest K8s service type | `"ClusterIP"` |
 | apis.​rest.​tolerations | Set tolerations, overrides global | `[]` |
 | base.​cache_poll_period | Cache timeout for core agent & diskpool deployment | `"30s"` |
+| base.​cert-manager.​enabled | Enable cert-manager only if tls is enabled | `false` |
 | base.​default_req_timeout | Request timeout for rest & core agents | `"5s"` |
 | base.​logging.​color | Enable ansi color code for Pod StdOut/StdErr | `true` |
 | base.​logging.​format | Valid values for format are pretty, json and compact | `"pretty"` |

chart/templates/mayastor/csi/csi-controller-deployment.yaml

@@ -131,7 +131,6 @@ spec:
             {{- else }}
             - "--rest-endpoint=http://{{ .Release.Name }}-api-rest:8081"
             {{- end }}
-
           env:
             - name: RUST_LOG
               value: {{ .Values.csi.controller.logLevel }}

chart/templates/mayastor/obs/obs-callhome-deployment.yaml

@@ -37,19 +37,31 @@ spec:
         - name: obs-callhome
           image: "{{ .Values.image.registry }}/{{ .Values.image.repo }}/{{ include "image_prefix" . }}-obs-callhome:{{ default .Values.image.tag .Values.image.repoTags.extensions }}"
           args:
-            - "-e http://{{ .Release.Name }}-api-rest:8081"
             - "-n {{ .Release.Namespace }}"{{ if .Values.eventing.enabled }}
             - "--aggregator-url=http://{{ .Release.Name }}-obs-callhome-stats:9090/stats"{{ end }}
             {{ if .Values.obs.callhome.sendReport }}
             - "--send-report"
             {{ end }}
+            {{- if .Values.tls.enabled }}
+            - "--e=https://{{ .Release.Name }}-api-rest:8080"
+            - "--tls-client-ca-path=/etc/client_cert/ca.crt" # CA cert for client verification with rest
+            {{- else }}
+            - "--e=http://{{ .Release.Name }}-api-rest:8081"
+            {{- end }}
           env:
             - name: RUST_LOG
               value: {{ .Values.obs.callhome.logLevel }}
           {{- if .Values.obs.callhome.productName }}
             - name: CALLHOME_PRODUCT_NAME
               value: {{ .Values.obs.callhome.productName | quote }}
           {{- end }}
+          volumeMounts:
+            {{- if .Values.tls.enabled }}
+            - name: ca-cert
+              mountPath: /etc/client_cert/ca.crt
+              subPath: ca.crt
+              readOnly: true
+            {{- end }}
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           resources:
             limits:
@@ -83,4 +95,11 @@ spec:
               cpu: {{ .Values.obs.stats.resources.requests.cpu | quote }}
               memory: {{ .Values.obs.stats.resources.requests.memory | quote }}
         {{- end }}
+      volumes:
+        {{- if .Values.tls.enabled }}
+        - name: ca-cert
+          secret:
+            defaultMode: 420
+            secretName: api-rest-tls
+        {{- end }}
 {{- end }}