feat(CSI-253): support custom CA certificate in API secret

[sergeyberezansky]

TL;DR

Added support for custom CA certificates in WekaFS CSI driver API client.

What changed?

• Updated csi-wekafs-api-secret.yaml to include a new caCertificate field for HTTPS connections with self-signed or untrusted certificates.
• Modified apiclient.go to handle custom CA certificates when creating a new API client.
• Updated wekafs.go to parse the caCertificate from secrets and include it in the credentials.

How to test?

1. Update the csi-wekafs-api-secret.yaml file with a base64-encoded PEM format CA certificate in the caCertificate field.
2. Deploy the updated secret to your Kubernetes cluster.
3. Verify that the WekaFS CSI driver can successfully connect to the Weka cluster using HTTPS with the custom CA certificate.

NOTE: for this to be tested, we still need the certificate to match endpoint names. IIRC, the certificate that is generated automatically does not have hostnames / IP address SANs.

Why make this change?

This change enhances security by allowing users to use custom CA certificates when connecting to Weka clusters, especially when using self-signed or untrusted certificates. It also prepares for the mandatory HTTPS requirement in Weka 4.3.0 and later versions.

---

[sergeyberezansky]

• chore(deps): update sidecar versions #326
• docs(CSI-254): update official docs link in Helm templates and README #323
• feat(CSI-252): implement kubelet PVC stats #322
• refactor(CSI-250): do not maintain redundant active mounts from node server after publishing volume #320
• feat(CSI-247): implement InterfaceGroup.GetRandomIpAddress() #319
• feat(CSI-249): optimize NFS mounter to use multiple targets #318
• fix(CSI-241): fix unmountWithOptions to use map key rather than options.String() #317
• feat(CSI-245): allow specifying client group for NFS #316
• chore(deps): update packages to latest versions and Go to 1.22.5 #314
• chore(deps): combine chmod with ADD in Dockerfile #313
• feat(CSI-239): moveToTrash does not return error to upper layers #312
• fix(CSI-243): service accounts for CSI plugin assume ImagePullSecret and cause error messages. #311
• feat(CSI-244): match subnets if existing in client rule #315
• fix(CSI-241): conflict in metrics between node and controller #325
• feat(CSI-213): support NFS transport #299
• fix(CSI-241): disregard sync_on_close in mountmap per FS #310
• feat(CSI-253): support custom CA certificate in API secret #324 👈
• dev

This stack of pull requests is managed by Graphite. Learn more about stacking.

Join @sergeyberezansky and the rest of your teammates on Graphite

[graphite-app]

Graphite Automations

"Request reviewers once CI passes" took an action on this PR • (09/11/24)

1 reviewer was added to this PR based on Sergey Berezansky's automation.

[sergeyberezansky]

Merge activity

• Sep 12, 6:10 AM EDT: @sergeyberezansky started a stack merge that includes this pull request via Graphite.
• Sep 12, 6:11 AM EDT: Graphite rebased this pull request as part of a merge.
• Sep 12, 6:16 AM EDT: @sergeyberezansky merged this pull request with Graphite.