feat(tls): support multiple server certificates#158

Draft
GatewayJ wants to merge 1 commit into
rustfs:mainfrom
GatewayJ:fix/multi-cert-tls-sni

Conversation

@GatewayJ GatewayJ commented Jul 4, 2026

Member

Type of Change

  • New Feature
  • Bug Fix
  • Documentation
  • Performance Improvement
  • Test/CI
  • Refactor
  • Other:

Related Issues

Fixes #156

Summary of Changes

This PR extends Tenant TLS configuration to support multiple server certificates for public and internal RustFS hosts.

It adds spec.tls.certificates[] while keeping the existing single-certificate spec.tls.certManager path backward compatible. Each certificate entry can reconcile its own cert-manager Certificate and Secret, and the operator now projects certificates into the RustFS TLS directory layout used for SNI selection:

  • the default certificate is mounted at rustfs_cert.pem and rustfs_key.pem
  • per-host certificates are mounted under <host>/rustfs_cert.pem and <host>/rustfs_key.pem
  • process-wide trust remains controlled by top-level caTrust or the default certificate trust settings

The change also updates Tenant TLS status, generated CRDs, docs, and examples.

Checklist

  • I have read and followed the CONTRIBUTING.md guidelines
  • Passed make pre-commit (fmt-check + clippy + test + console-lint + console-fmt-check)
  • Added/updated necessary tests
  • Documentation updated (if needed)
  • CHANGELOG.md updated under [Unreleased] (if user-visible change; N/A because this repository does not currently include CHANGELOG.md)
  • CI/CD passed (if applicable)

Impact

  • Breaking change (CRD/API compatibility)
  • Requires doc/config/deployment update
  • Other impact: adds a backward-compatible Tenant TLS API for multiple RustFS SNI certificates

Verification

CI=true \
  PNPM_CONFIG_REGISTRY=https://registry.npmmirror.com \
  PNPM_CONFIG_DANGEROUSLY_ALLOW_ALL_BUILDS=true \
  PNPM_CONFIG_FETCH_TIMEOUT=600000 \
  PNPM_CONFIG_NETWORK_TIMEOUT=600000 \
  PNPM_CONFIG_FETCH_RETRIES=5 \
  make pre-commit

Additional Notes

The CRD manifests under deploy/rustfs-operator/crds/ were regenerated from the Rust types so chart installs accept the new spec.tls.certificates and top-level spec.tls.caTrust fields.
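As an added illustration (not code from this PR or from rustfs-operator), a small Rust model of the layout described above: the default pair at rustfs_cert.pem and rustfs_key.pem, per-host pairs under <host>/, and an SNI lookup that falls back to the default. The file names come from the description; the CertEntry type, the host-name validation and the exact-match rule are assumptions, since the PR text does not describe RustFS's matching logic.

```rust
use std::collections::BTreeMap;
use std::path::{Path, PathBuf};

// File names are from the PR description; the rest of this model is an assumption.
const CERT_FILE: &str = "rustfs_cert.pem";
const KEY_FILE: &str = "rustfs_key.pem";

/// One projected certificate; `host == None` is the default entry.
pub struct CertEntry { pub host: Option<String>, pub cert_pem: Vec<u8>, pub key_pem: Vec<u8> }

/// Only a plain DNS name may become a directory name, so a host value such as
/// "../etc" can never escape the TLS mount.
pub fn is_valid_host(h: &str) -> bool {
    !h.is_empty() && h.len() <= 253 && h.split('.').all(|l| {
        !l.is_empty() && l.len() <= 63 && !l.starts_with('-') && !l.ends_with('-')
            && l.bytes().all(|b| b.is_ascii_alphanumeric() || b == b'-')
    })
}

/// Lay entries out under `root`: default at `root/`, per-host at `root/<host>/`.
/// Rejects an invalid host, a duplicate host, and a missing or repeated default.
pub fn project_layout(root: &Path, entries: &[CertEntry]) -> Result<BTreeMap<PathBuf, Vec<u8>>, String> {
    let mut files = BTreeMap::new();
    for e in entries {
        let dir = match &e.host {
            None => root.to_path_buf(),
            Some(h) if is_valid_host(h) => root.join(h.to_ascii_lowercase()),
            Some(h) => return Err(format!("invalid host {h:?}")),
        };
        if files.insert(dir.join(CERT_FILE), e.cert_pem.clone()).is_some() {
            return Err(format!("duplicate certificate under {}", dir.display()));
        }
        files.insert(dir.join(KEY_FILE), e.key_pem.clone());
    }
    if !files.contains_key(&root.join(CERT_FILE)) {
        return Err("no default certificate".to_string());
    }
    Ok(files)
}

/// SNI selection over the layout: exact (case-insensitive) host match, else the default pair.
pub fn select_for_sni(root: &Path, files: &BTreeMap<PathBuf, Vec<u8>>, sni: Option<&str>) -> (PathBuf, PathBuf) {
    if let Some(h) = sni.map(str::to_ascii_lowercase).filter(|h| is_valid_host(h)) {
        let (c, k) = (root.join(&h).join(CERT_FILE), root.join(&h).join(KEY_FILE));
        if files.contains_key(&c) && files.contains_key(&k) {
            return (c, k);
        }
    }
    (root.join(CERT_FILE), root.join(KEY_FILE))
}
```

The validation step is the part worth keeping in mind when reviewing the operator's projection: a per-host entry name ends up as a directory component, so it must be constrained to a DNS name before it touches the filesystem.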


Thank you for your contribution! Please ensure your PR follows the community standards (CODE_OF_CONDUCT.md) and sign the CLA if this is your first contribution.

Development

Successfully merging this pull request may close these issues.

[Feature Request] Allow configuring separate TLS for each host