make certificate_authority_path field optional in source TLS config (#…

…1117)

docs/src/source-types.md

@@ -23,12 +23,13 @@ Cassandra:
   # When this field is provided TLS is used when the client connects to Shotover.
   # Removing this field will disable TLS.
   #tls:
-  #  # Path to the certificate authority file, typically named with a .crt extension.
-  #  certificate_authority_path: "tls/localhost_CA.crt"
   #  # Path to the certificate file, typically named with a .crt extension.
   #  certificate_path: "tls/localhost.crt"
   #  # Path to the private key file, typically named with a .key extension.
   #  private_key_path: "tls/localhost.key"
+  #  # Path to the certificate authority file, typically named with a .crt extension.
+  #  # When this field is provided client authentication will be enabled.
+  #  #certificate_authority_path: "tls/localhost_CA.crt"
 
   # Timeout in seconds after which to terminate an idle connection. This field is optional, if not provided, idle connections will never be terminated.
   # timeout: 60
@@ -57,7 +58,8 @@ Redis:
   #  # Path to the private key file, typically named with a .key extension.
   #  private_key_path: "tls/redis.key"
   #  # Path to the certificate authority file typically named ca.crt.
-  #  certificate_authority_path: "tls/ca.crt"
+  #  # When this field is provided client authentication will be enabled.
+  #  #certificate_authority_path: "tls/ca.crt"
 
   # Timeout in seconds after which to terminate an idle connection. This field is optional, if not provided, idle connections will never be terminated.
   # timeout: 60

shotover-proxy/example-configs/cassandra-cluster-tls/topology.yaml

@@ -4,7 +4,6 @@ sources:
     Cassandra:
       listen_addr: "127.0.0.1:9042"
       tls:
-        certificate_authority_path: "example-configs/docker-images/cassandra-tls-4.0.6/certs/localhost_CA.crt"
         certificate_path: "example-configs/docker-images/cassandra-tls-4.0.6/certs/localhost.crt"
         private_key_path: "example-configs/docker-images/cassandra-tls-4.0.6/certs/localhost.key"
 chain_config:

shotover-proxy/example-configs/cassandra-tls/topology-with-key.yaml

@@ -4,7 +4,6 @@ sources:
     Cassandra:
       listen_addr: "127.0.0.1:9043"
       tls:
-        certificate_authority_path: "example-configs/docker-images/cassandra-tls-4.0.6/certs/localhost_CA.crt"
         certificate_path: "example-configs/docker-images/cassandra-tls-4.0.6/certs/localhost.crt"
         private_key_path: "example-configs/docker-images/cassandra-tls-4.0.6/certs/localhost.key"
 chain_config:

shotover-proxy/example-configs/cassandra-tls/topology.yaml

@@ -4,7 +4,6 @@ sources:
     Cassandra:
       listen_addr: "127.0.0.1:9043"
       tls:
-        certificate_authority_path: "example-configs/docker-images/cassandra-tls-4.0.6/certs/localhost_CA.crt"
         certificate_path: "example-configs/docker-images/cassandra-tls-4.0.6/certs/localhost.crt"
         private_key_path: "example-configs/docker-images/cassandra-tls-4.0.6/certs/localhost.key"
 chain_config:

shotover-proxy/example-configs/redis-tls/topology.yaml

@@ -7,7 +7,6 @@ sources:
     Redis:
       listen_addr: "127.0.0.1:6380"
       tls:
-        certificate_authority_path: "example-configs/redis-tls/certs/localhost_CA.crt"
         certificate_path: "example-configs/redis-tls/certs/localhost.crt"
         private_key_path: "example-configs/redis-tls/certs/localhost.key"
 chain_config:

shotover/src/tls.rs

@@ -16,7 +16,7 @@ use tokio_openssl::SslStream;
 #[derive(Serialize, Deserialize, Debug, Clone)]
 pub struct TlsAcceptorConfig {
     /// Path to the certificate authority in PEM format
-    pub certificate_authority_path: String,
+    pub certificate_authority_path: Option<String>,
     /// Path to the certificate in PEM format
     pub certificate_path: String,
     /// Path to the private key in PEM format
@@ -48,18 +48,20 @@ pub fn check_file_field(field_name: &str, file_path: &str) -> Result<()> {
 impl TlsAcceptor {
     pub fn new(tls_config: TlsAcceptorConfig) -> Result<TlsAcceptor> {
         // openssl's errors are really bad so we do our own checks so we can provide reasonable errors
-        check_file_field(
-            "certificate_authority_path",
-            &tls_config.certificate_authority_path,
-        )?;
         check_file_field("private_key_path", &tls_config.private_key_path)?;
         check_file_field("certificate_path", &tls_config.certificate_path)?;
 
         let mut builder = SslAcceptor::mozilla_intermediate(SslMethod::tls())
             .map_err(openssl_stack_error_to_anyhow)?;
-        builder
-            .set_ca_file(tls_config.certificate_authority_path)
-            .map_err(openssl_stack_error_to_anyhow)?;
+
+        if let Some(path) = tls_config.certificate_authority_path.as_ref() {
+            check_file_field("certificate_authority_path", path)?;
+            builder
+                .set_ca_file(path)
+                .map_err(openssl_stack_error_to_anyhow)?;
+            return Err(anyhow!("Client auth is not yet supported in shotover"));
+        }
+
         builder
             .set_private_key_file(tls_config.private_key_path, SslFiletype::PEM)
             .map_err(openssl_stack_error_to_anyhow)?;