feat(CSI-253): support custom CA certificate in API secret

weka · Sep 12, 2024 · 5b1968b · 5b1968b
1 parent c8098c3
commit 5b1968b
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 2 deletions.
diff --git a/examples/common/csi-wekafs-api-secret.yaml b/examples/common/csi-wekafs-api-secret.yaml
@@ -15,7 +15,7 @@ data:
   # It is recommended to configure at least 2 management endpoints (cluster backend nodes), or a load-balancer if used
   # e.g. 172.31.15.113:14000,172.31.12.91:14000
   endpoints: MTcyLjMxLjQxLjU0OjE0MDAwLDE3Mi4zMS40Ny4xNTI6MTQwMDAsMTcyLjMxLjM4LjI1MDoxNDAwMCwxNzIuMzEuNDcuMTU1OjE0MDAwLDE3Mi4zMS4zMy45MToxNDAwMCwxNzIuMzEuMzguMTU1OjE0MDAwCg==
-  # protocol to use for API connection (may be either http or https, base64-encoded)
+  # protocol to use for API connection (may be either http or https, base64-encoded. NOTE: since Weka 4.3.0, HTTPS is mandatory)
   scheme: aHR0cA==
   # for multiple clusters setup, set specific container name rather than attempt to identify it automatically
   localContainerName: ""
@@ -24,3 +24,7 @@ data:
   # maybe either (true/false), base64-encoded
   # NOTE: if a load balancer is used to access the cluster API, leave this setting as "false"
   autoUpdateEndpoints: ZmFsc2U=
+  # When using HTTPS connection and self-signed or untrusted certificates, provide a CA certificate in PEM format, base64-encoded
+  # caCertificate: <base64-encoded-PEM>
+  caCertificate: ""
+
diff --git a/pkg/wekafs/apiclient/apiclient.go b/pkg/wekafs/apiclient/apiclient.go
@@ -4,6 +4,7 @@ import (
 	"bytes"
 	"context"
 	"crypto/tls"
+	"crypto/x509"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -89,9 +90,22 @@ func (e *ApiEndPoint) String() string {
 }
 
 func NewApiClient(ctx context.Context, credentials Credentials, allowInsecureHttps bool, hostname string) (*ApiClient, error) {
+	logger := log.Ctx(ctx)
 	tr := &http.Transport{
 		TLSClientConfig: &tls.Config{InsecureSkipVerify: allowInsecureHttps},
 	}
+	useCustomCACert := credentials.CaCertificate != ""
+	if useCustomCACert {
+		var caCertPool *x509.CertPool
+		if pool, err := x509.SystemCertPool(); err != nil {
+			caCertPool = x509.NewCertPool()
+		} else {
+			caCertPool = pool
+		}
+		caCertPool.AppendCertsFromPEM([]byte(credentials.CaCertificate))
+		tr.TLSClientConfig.RootCAs = caCertPool
+	}
+
 	a := &ApiClient{
 		Mutex: sync.Mutex{},
 		client: &http.Client{
@@ -108,7 +122,7 @@ func NewApiClient(ctx context.Context, credentials Credentials, allowInsecureHtt
 	}
 	a.resetDefaultEndpoints(ctx)
 
-	log.Ctx(ctx).Trace().Bool("insecure_skip_verify", allowInsecureHttps).Msg("Creating new API client")
+	logger.Trace().Bool("insecure_skip_verify", allowInsecureHttps).Bool("custom_ca_cert", useCustomCACert).Msg("Creating new API client")
 	a.clientHash = a.generateHash()
 	return a, nil
 }
@@ -756,6 +770,7 @@ type Credentials struct {
 	Endpoints           []string
 	LocalContainerName  string
 	AutoUpdateEndpoints bool
+	CaCertificate       string
 }
 
 func (c *Credentials) String() string {

diff --git a/pkg/wekafs/wekafs.go b/pkg/wekafs/wekafs.go
@@ -110,6 +110,10 @@ func (api *ApiStore) fromSecrets(ctx context.Context, secrets map[string]string,
 	if ok {
 		autoUpdateEndpoints = strings.TrimSpace(strings.TrimSuffix(autoUpdateEndpointsStr, "\n")) == "true"
 	}
+	caCertificate, ok := secrets["caCertificate"]
+	if !ok {
+		caCertificate = ""
+	}
 
 	credentials := apiclient.Credentials{
 		Username:            strings.TrimSpace(strings.TrimSuffix(secrets["username"], "\n")),
@@ -119,6 +123,7 @@ func (api *ApiStore) fromSecrets(ctx context.Context, secrets map[string]string,
 		HttpScheme:          strings.TrimSpace(strings.TrimSuffix(secrets["scheme"], "\n")),
 		LocalContainerName:  localContainerName,
 		AutoUpdateEndpoints: autoUpdateEndpoints,
+		CaCertificate:       caCertificate,
 	}
 	return api.fromCredentials(ctx, credentials, hostname)
 }