Skip to content

feat(tls): support multiple server certificates#158

Merged
GatewayJ merged 2 commits into
rustfs:mainfrom
GatewayJ:fix/multi-cert-tls-sni
Jul 11, 2026
Merged

feat(tls): support multiple server certificates#158
GatewayJ merged 2 commits into
rustfs:mainfrom
GatewayJ:fix/multi-cert-tls-sni

Conversation

@GatewayJ

@GatewayJ GatewayJ commented Jul 4, 2026

Copy link
Copy Markdown
Member

Type of Change

  • New Feature
  • Bug Fix
  • Documentation
  • Performance Improvement
  • Test/CI
  • Refactor
  • Other:

Related Issues

Fixes #156

Summary of Changes

This PR extends Tenant TLS configuration to support multiple server certificates for public and internal RustFS hosts.

It adds spec.tls.certificates[] while keeping the existing single-certificate spec.tls.certManager path backward compatible. Each certificate entry can reconcile its own cert-manager Certificate and Secret, and the operator now projects certificates into the RustFS TLS directory layout used for SNI selection:

  • the default certificate is mounted at rustfs_cert.pem and rustfs_key.pem
  • per-host certificates are mounted under <host>/rustfs_cert.pem and <host>/rustfs_key.pem
  • process-wide trust remains controlled by top-level caTrust or the default certificate trust settings

The change also updates Tenant TLS status, generated CRDs, docs, and examples.

Checklist

  • I have read and followed the CONTRIBUTING.md guidelines
  • Passed make pre-commit (fmt-check + clippy + test + console-lint + console-fmt-check)
  • Added/updated necessary tests
  • Documentation updated (if needed)
  • CHANGELOG.md updated under [Unreleased] (if user-visible change; N/A because this repository does not currently include CHANGELOG.md)
  • CI/CD passed (if applicable)

Impact

  • Breaking change (CRD/API compatibility)
  • Requires doc/config/deployment update
  • Other impact: adds a backward-compatible Tenant TLS API for multiple RustFS SNI certificates

Verification

CI=true \
  PNPM_CONFIG_REGISTRY=https://registry.npmmirror.com \
  PNPM_CONFIG_DANGEROUSLY_ALLOW_ALL_BUILDS=true \
  PNPM_CONFIG_FETCH_TIMEOUT=600000 \
  PNPM_CONFIG_NETWORK_TIMEOUT=600000 \
  PNPM_CONFIG_FETCH_RETRIES=5 \
  make pre-commit

Additional Notes

The CRD manifests under deploy/rustfs-operator/crds/ were regenerated from the Rust types so chart installs accept the new spec.tls.certificates and top-level spec.tls.caTrust fields.


Thank you for your contribution! Please ensure your PR follows the community standards (CODE_OF_CONDUCT.md) and sign the CLA if this is your first contribution.

@GatewayJ GatewayJ force-pushed the fix/multi-cert-tls-sni branch from 08f9642 to 7819263 Compare July 11, 2026 03:38
@GatewayJ GatewayJ marked this pull request as ready for review July 11, 2026 03:48
@GatewayJ GatewayJ added this pull request to the merge queue Jul 11, 2026
Merged via the queue into rustfs:main with commit 345b9b5 Jul 11, 2026
3 checks passed

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 78192632a1

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread src/reconcile/tls.rs
Comment on lines +364 to +366
if config.require_san_match
&& let Err(failure) =
validate_tls_secret_san_match(&secret_name, &cert_bytes, &san_dns_names)

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Keep peer SAN checks gated by internode HTTPS

When enableInternodeHttps is false, legacy/single-certificate configs that omit includeGeneratedDnsNames still make san_validation_dns_names include the generated service/pod DNS names, so this now blocks user-provided TLS Secrets whose cert only covers the public endpoint. Previously the SAN check only ran for internode HTTPS, and the docs still frame generated peer DNS coverage as required only in that mode; keep that guard or avoid adding generated names for this case.

Useful? React with 👍 / 👎.

Comment thread src/reconcile/tls.rs
Comment on lines +235 to +236
let certificate_name = certificate_name(tenant, &entry);
desired_managed_certificate_names.insert(certificate_name.clone());

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Reject duplicate managed Certificate names

If two spec.tls.certificates entries set the same certManager.certificateName, this insert silently collapses them while the loop still applies the same cert-manager Certificate twice with different secretName/DNS data; the second apply wins, leaving the earlier entry to mount or report a Secret that is no longer reconciled by its Certificate. Resolve and reject duplicate managed Certificate names before applying them.

Useful? React with 👍 / 👎.

Comment thread src/reconcile/tls.rs
cert_manager,
&entry.hosts,
include_generated_dns_names(&entry),
&secret_name,

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Reject duplicate managed Secret names

For manageCertificate=true entries, this secretName becomes Certificate.spec.secretName, but the multi-certificate validation never rejects two managed entries sharing the same Secret. In that configuration cert-manager has two Certificate resources racing to write different keypairs into one Secret, so one SNI mount can end up serving the other certificate; require managed certificate Secret names to be unique, or require a single Certificate entry to cover all of those hosts.

Useful? React with 👍 / 👎.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Feature Request] Allow configuring separate TLS for each host

1 participant