Context
The ConnectRPC server supports TLS via tls_cert_file, tls_key_file, and tls_client_ca_file config options. However, the CLI client has no way to specify a custom CA certificate or client certificate for connecting to a TLS-enabled server.
The old gRPC createConnection() had a caCertFile parameter but it was never wired up — both createClient and createAdminClient always passed "".
Proposal
Add CLI flags (or config options) to support:
--ca-cert — Path to a custom CA certificate file (for self-signed or internal CAs)--client-cert / --client-key — For mTLS (optional, lower priority)--insecure — Skip TLS verification (dev only)
These should be configurable via both CLI flags and ~/.config/raystack/frontier.yml.
Related
Context
The ConnectRPC server supports TLS via
tls_cert_file,tls_key_file, andtls_client_ca_fileconfig options. However, the CLI client has no way to specify a custom CA certificate or client certificate for connecting to a TLS-enabled server.The old gRPC
createConnection()had acaCertFileparameter but it was never wired up — bothcreateClientandcreateAdminClientalways passed"".Proposal
Add CLI flags (or config options) to support:
--ca-cert— Path to a custom CA certificate file (for self-signed or internal CAs)--client-cert/--client-key— For mTLS (optional, lower priority)--insecure— Skip TLS verification (dev only)These should be configurable via both CLI flags and
~/.config/raystack/frontier.yml.Related