feat: multiple client CA.

Updates the policy server to allow loading multiple CA to validate the
certificate used by client in a mTLS scenario.

Signed-off-by: José Guilherme Vanz <jguilhermevanz@suse.com>

Author: jvanz

src/cli.rs

@@ -95,6 +95,7 @@ pub(crate) fn build_cli() -> Command {
 
         Arg::new("client-ca-file")
             .long("client-ca-file")
+            .value_delimiter(',')
             .value_name("CLIENT_CA_FILE")
             .env("KUBEWARDEN_CLIENT_CA_FILE")
             .help("Path to an CA certificate file that issued the client certificate. Required to enable mTLS"),

src/config.rs

@@ -54,7 +54,7 @@ pub struct Config {
 pub struct TlsConfig {
     pub cert_file: String,
     pub key_file: String,
-    pub client_ca_file: Option<String>,
+    pub client_ca_file: Vec<PathBuf>,
 }
 
 impl Config {
@@ -192,14 +192,20 @@ fn readiness_probe_bind_address(matches: &clap::ArgMatches) -> Result<SocketAddr
 fn build_tls_config(matches: &clap::ArgMatches) -> Result<Option<TlsConfig>> {
     let cert_file = matches.get_one::<String>("cert-file").cloned();
     let key_file = matches.get_one::<String>("key-file").cloned();
-    let client_ca_file = matches.get_one::<String>("client-ca-file").cloned();
+    let client_ca_file = matches.get_many::<String>("client-ca-file");
 
     match (cert_file, key_file, &client_ca_file) {
-        (Some(cert_file), Some(key_file), _) => Ok(Some(TlsConfig {
-            cert_file,
-            key_file,
-            client_ca_file,
-        })),
+        (Some(cert_file), Some(key_file), _) => {
+            let client_ca_file = client_ca_file
+                .unwrap_or_default()
+                .map(PathBuf::from)
+                .collect();
+            Ok(Some(TlsConfig {
+                cert_file,
+                key_file,
+                client_ca_file,
+            }))
+        }
         // No TLS configuration provided
         (None, None, None) => Ok(None),
         // Client CA certificate provided without server certificate and key

src/lib.rs

@@ -332,11 +332,19 @@ async fn build_tls_server_config(tls_config: &TlsConfig) -> Result<rustls::Serve
     let key = PrivateKeyDer::try_from(key_vec.pop().unwrap())
         .map_err(|e| anyhow!("Cannot parse server key: {e}"))?;
 
-    if let Some(client_ca_file) = tls_config.client_ca_file.clone() {
+    if tls_config.client_ca_file.is_empty() {
+        return Ok(ServerConfig::builder()
+            .with_no_client_auth()
+            .with_single_cert(cert, key)?);
+    }
+
+    let mut store = RootCertStore::empty();
+
+    //mTLS enabled
+    for client_ca_file in tls_config.client_ca_file.clone() {
         // we have the client CA. Therefore, we should enable mTLS.
         let client_ca_reader = &mut BufReader::new(File::open(client_ca_file)?);
 
-        let mut store = RootCertStore::empty();
         let client_ca_certs: Vec<_> = rustls_pemfile::certs(client_ca_reader)
             .filter_map(|it| {
                 if let Err(ref e) = it {
@@ -351,15 +359,10 @@ async fn build_tls_server_config(tls_config: &TlsConfig) -> Result<rustls::Serve
             client_ca_certs_ignored = cert_ignored,
             "Loaded client CA certificates"
         );
-        let client_verifier = WebPkiClientVerifier::builder(Arc::new(store)).build()?;
-
-        return Ok(ServerConfig::builder()
-            .with_client_cert_verifier(client_verifier)
-            .with_single_cert(cert, key)?);
     }
-
+    let client_verifier = WebPkiClientVerifier::builder(Arc::new(store)).build()?;
     Ok(ServerConfig::builder()
-        .with_no_client_auth()
+        .with_client_cert_verifier(client_verifier)
         .with_single_cert(cert, key)?)
 }
 
@@ -385,11 +388,12 @@ async fn create_tls_config_and_watch_certificate_changes(
 ) -> Result<RustlsConfig> {
     use ::tracing::error;
 
-    let config = build_tls_server_config(&tls_config).await?;
-
-    let rust_config = RustlsConfig::from_config(Arc::new(config));
+    // Build initial TLS configuration
+    let initial_config = build_tls_server_config(&tls_config).await?;
+    let rust_config = RustlsConfig::from_config(Arc::new(initial_config));
     let reloadable_rust_config = rust_config.clone();
 
+    // Init inotify to watch for changes in the certificate files
     let inotify =
         inotify::Inotify::init().map_err(|e| anyhow!("Cannot initialize inotify: {e}"))?;
     let cert_watch = inotify
@@ -404,15 +408,18 @@ async fn create_tls_config_and_watch_certificate_changes(
         .add(tls_config.key_file.clone(), inotify::WatchMask::CLOSE_WRITE)
         .map_err(|e| anyhow!("Cannot watch key file: {e}"))?;
 
-    let mut client_cert_watch = None;
-    if let Some(ref client_ca_file) = tls_config.client_ca_file {
-        client_cert_watch = Some(
+    let client_cert_watches = tls_config
+        .client_ca_file
+        .clone()
+        .into_iter()
+        .map(|path| {
             inotify
                 .watches()
-                .add(client_ca_file, inotify::WatchMask::CLOSE_WRITE)
-                .map_err(|e| anyhow!("Cannot watch client certificate file: {e}"))?,
-        );
-    }
+                .add(path, inotify::WatchMask::CLOSE_WRITE)
+                .map_err(|e| anyhow!("Cannot watch client certificate file: {e}"))
+                .unwrap()
+        })
+        .collect::<Vec<_>>();
 
     let buffer = [0; 1024];
     let stream = inotify
@@ -442,7 +449,8 @@ async fn create_tls_config_and_watch_certificate_changes(
                 info!("TLS key file has been modified");
                 key_changed = true;
             }
-            if let Some(ref client_cert_watch) = client_cert_watch {
+
+            for client_cert_watch in client_cert_watches.iter() {
                 if event.wd == *client_cert_watch {
                     info!("TLS client certificate file has been modified");
                     client_cert_changed = true;
@@ -454,11 +462,12 @@ async fn create_tls_config_and_watch_certificate_changes(
             if (key_changed && cert_changed)
                 || (client_cert_changed && (key_changed == cert_changed))
             {
-                info!("reloading TLS certificates");
+                info!("Reloading TLS certificates");
 
                 cert_changed = false;
                 key_changed = false;
                 client_cert_changed = false;
+
                 let server_config = build_tls_server_config(&tls_config).await;
                 if let Err(e) = server_config {
                     error!("Failed to reload TLS certificate: {}", e);
@@ -468,7 +477,6 @@ async fn create_tls_config_and_watch_certificate_changes(
             }
         }
     });
-
     Ok(rust_config)
 }